[Openswan Users] FreeSWAN, Wireless Windows 98/ME/2K/XP RoadWarriors, DHCP overIPsec - overview

Trevor Benson tbenson at a-1networks.com
Mon Jun 7 22:12:15 CEST 2004


> -----Original Message-----
> From: users-bounces at lists.openswan.org [mailto:users-
> bounces at lists.openswan.org] On Behalf Of Jeannot Langlois
> Sent: Monday, June 07, 2004 6:27 AM
>
<SNIP>
>
> an untrusted wireless 802.11b network.  The LINUX gateway running
> FreeSWAN MUST be able to take the tunnels up/down automatically as
> WIFI
> clients requests IP address leases are issued/revoked using DHCP over
> IPsec.

Are you saying you want the 10.1.1.0/24 subnet to be served to the
machines after they establish an IPSec tunnel?  I assume you know that
they would have to have an IP address prior to connecting an 'IPSec'
connection.

> The setup would look like this:
> 
> 
>    (ethernet interface)
>       [INTERNET SIDE]
>     ==================
>          FREESWAN
>           LINUX
>          GATEWAY
>     ==================
>         [LAN SIDE]
>      (wifi interface)
>          / | | | \
>         /  | | |  \
>        /   | | |   \
>       /    | | |    \
> 
>      A     B C D     E
> 
> 
> A, B, C, D and E are all Windows-based clients (running either 98, ME,
> 2K or XP) using 802.11b wireless cards (actually there will be more
> clients, but this is just a basic example).
> 
> Let's suppose the LAN uses the 10.1.1.0/24 subnet address space.
> There would be NO NAT, as everything would happen within the same
> 10.1.1.0/24 subnet.
> I'd like the RoadWarriors NOT to be able to see each other, but just
> the
> gateway, so they can access the internet using secure tunnels.  In
> this
> case, we consider the INTERNET side to be trusted (I know this might
> sound funny but... :)), so the tunnel ends on the FREESWAN GATEWAY's
> LAN
> SIDE, and firewall rules on the FREESWAN GATEWAY should not interfere
> with FREESWAN.

If your machines have IP addresses in the same subnet, and wireless
cards, they are likely to be able to talk to each other unless the
wireless driver would allow you to limit communication to the AP.

If anyone else is more familiar with limiting communications for a local
subnet over 802.11 let me know, good food for thought.


> A DNS server listening on the wifi interface on the FREESWAN GATEWAY
> will be offering DNS services to the Windows RoadWarriors.

Take a look at www.ipcop.org.  If you are looking for something prebuilt
that does quite a bit of what you're asking for without having to figure
out the rules, then this might be something for you.  They are
about to release the final beta of 1.4.0.  I have been using it since
alphas and am right now logged into an IPSec connection over my Wifi.

> So far I have only established SUBNET-to-SUBNET tunnels in all the
> FreeSWAN experiments I have been attempting to this day.
> 
> As this is the first time I am attempting such a RoadWarrior-SUBNET
> setup with FreeSWAN (and I am just starting to read basic/advanced
> tips
> on the freeswan.ca documentation), I was wondering about the Windows
> side's configuration, and feasibility.

Almost the same, check out http://vpn.ebootis.de for the ipsec.exe
program, and then you just make an ipsec.conf file.


> According to the interoperability summary I've seen on the freeswan.ca
> site, I believe that RSA keys are NOT possible in the Windows 2K/XP
> case
> and ONLY the same Pre-Shared Key can be used by all the Windows
> clients?  Is this right?  What about Windows 98 and ME ?

I am currently using X.509 certificates from my Windows XP Pro system,
so it works. Just have to import them through an MMC.

 
> As the windows clients have to emulate some kind of IPsec router, I
> believe that they have to be running some sort of IPsec VPN client
> software (the Nortel IPsec VPN client comes to mind, or would any
> other
> IPsec-style client do the job)?  Is this assumption correct?
>
> Is this VPN client software required on ALL the different RoadWarriors
> Windows platforms:  98, ME, 2K, XP ?
> 
> Most importantly, are there any OpenSource versions of these client
> software available for these Windows versions?  We wouldn't like to
> buy
> licenses just for experiments...
> 
> I've heard that Windows 2K and XP do NOT need such client software, as
> they integrate IPsec functionality already.  Is that true?

Check the vpn.ebootis.de site, that's the command line vpn client
software, otherwise there are other GUI Windows clients available.
There was one I was using for a bit, but I was more comfortable
modifying the file by hand for all my needs, can't remember if it was
just PSK as well.  Ipsec.exe and the gui client are open source.  I can't
remember its name, Jacco De Leeuw or Nate Carlson I think has it in
their howto.


> The IP addresses will be allocated dynamically to the Windows
> RoadWarriors using a DHCP daemon listening on the FREESWAN GATEWAY's
> LAN
> interface.  I've seen many people asking for advice about DHCP over
> IPsec.  Is that really a problem?  If yes, what can be done about it ?
>

I think in most cases that people are talking about using DHCP over
subnet-to-subnet connections.  Trying to attain the same type of remote
DHCP addressing as from RFC 3046 relaying DHCP (I may have the RFC #
wrong).

I have not heard of any option for routing DHCP through IPSec without
subnets, unless you are just looking to get a local LAN address AFTER
you establish an IPSec tunnel, and then I would suggest looking into
L2TP instead of DHCP relay.

> Thanks in advance for your help.
> 
> Answers and/or pointers to pertinent FreeSWAN documentation will be
> greatly appreciated,


Do you have a domain behind the Freeswan that the Windows machines will
be connecting to? Or just internet access?  If you have a domain, use
the Windows Server to enable Routing and Remote Access, and then have it
pass L2TP VPN connections to your IPSec tunnels.  

Trevor
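For readers following the thread, here is what the gateway side of the
RoadWarrior setup discussed above looks like in ipsec.conf.  This is an
added example, not something from the thread or from the FreeSWAN
documentation.  It assumes a FreeSWAN build carrying the X.509 patch
(Openswan ships it), that the wifi interface is wlan0 with address
10.1.1.1, and that the gateway certificate is installed as
gatewayCert.pem; those names are not from the thread.

```ini
# /etc/ipsec.conf on the gateway (added example; names below are assumptions)
config setup
	# The tunnel ends on the LAN (wifi) side, so name that interface
	# explicitly; %defaultroute would pick the Internet-facing interface.
	interfaces="ipsec0=wlan0"
	klipsdebug=none
	plutodebug=none

conn %default
	# Authenticate every connection with X.509 certificates rather than
	# one shared PSK, so each RoadWarrior can be identified and revoked.
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

# One conn serves every Windows RoadWarrior: right=%any accepts a peer at
# any address, and rightca=%same only admits client certificates issued by
# the same CA that issued the gateway certificate.
conn wifi-roadwarrior
	left=10.1.1.1
	leftcert=gatewayCert.pem
	# Cover all destinations so the clients' Internet traffic goes through
	# the tunnel to the gateway instead of in the clear over the air.
	leftsubnet=0.0.0.0/0
	right=%any
	rightca=%same
	# The gateway cannot initiate to an unknown address: load the conn
	# and let each client bring its own tunnel up.
	auto=add
```

The CA certificate goes in /etc/ipsec.d/cacerts, the gateway certificate
in /etc/ipsec.d/certs, and the gateway's private key is referenced from
ipsec.secrets.  On the Windows side, ipsec.exe takes its own ipsec.conf
whose rightca entry names that same CA.  Note Trevor's point above: the
DHCP lease is obtained in cleartext before the tunnel exists, since the
client needs an address before IKE can run, and the gateway-side policy
cannot stop two clients on the same wireless subnet from talking to each
other directly.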
