[Openswan Users]
Inquiry: Best practices for road warriors w/ virtual IPs?
Michael Herrmann
michael.herrmann at cs.tum.edu
Sat Oct 30 16:11:38 CEST 2004
Hi folks, Hi Jacco,
I'm currently investigating how to meet some of my requirements
for a VPN gateway I'm currently building. I want
- to support road warriors and give them virtual IPs (best would
be, every person the same personal IP every time)
- using Linux, Windows XP (2k and 98 not decided), MacOS X
If at all possible I'd like to
- use Linux as the server platform, and use native 2.6 ipsec
- use our already existing DHCP servers to give out IPs. Every
bigger shop has this kind of server, so really everyone
wants that.
- use X.509 certificates for authentication purposes exclusively,
which each and every one of our users already has.
The most interesting problem here is the virtual IP. How do I pick it
and how to get it to the client? There seem to be two obvious
choices:
1. DHCP-over-IPSEC (RFC 3456)
IMHO it's a great solution from a technical standpoint.
There even is Linux freeswan server support for this
(http://www.strongsec.com/freeswan/dhcprelay/), but it seems to
depend on KLIPS for its ipsec virtual devices. And worse: There
doesn't seem to be any Linux or MacOS client support for this at
all. Fixing this appears to be a lot of work.
Am I right here or am I missing something?
2. L2TP-over-IPSEC (RFC 3193)
Pro: + working Linux server support
+ good documentation thanks to Jacco de Leeuw
(http://www.jacco2.dds.nl/networking/freeswan-l2tp.html)
+ great client support in Windows and MacOS
+ can get IPs via DHCP thanks to ppp-dhcp
(http://netservers.co.uk/gpl/)
Con: - performance due to double tunnel
- bad Linux client support
- fiddling w/ pppd required
What I really dislike here is the second authentication via
ppp/l2tp. Since I'm using X.509 certificates anyway this is
absolutely superfluous, isn't it? Now it seems that you can
configure pppd to accept every username/password so this isn't so
bad at first, but this is no use, since ppp-dhcp uses the ppp
authentication username as a client identifier for dhcp, so you
need something meaningful here. I suspect if you use radius to
give out IPs instead of dhcp-ppp you have the same problem.
So it appears to me, as long as we talk about existing software,
there is no way to give out virtual IPs with L2TP-over-IPSEC if
you don't want separate ppp authentication.
Am I right here or am I missing something?
Now, if I'm right, I'd be willing to work on this. The best route
to address this is to find some way to get information from pluto to
pppd/dhcp-ppp to get some per-user dhcp-client-identifier. This
shouldn't be so difficult.
Regards,
Michael Herrmann
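Added example, not code from the post or from Openswan/ppp-dhcp: one way to produce the per-user DHCP client identifier the last paragraph asks for, deriving it from the subject DN of the certificate that pluto has already authenticated, so the existing DHCP server can pin the same address to the same person every time. The function names, the DN normalisation and the dhcpd-style host stanza are assumptions for illustration.

```python
# Added example: derive a stable DHCP client identifier (option 61, RFC 2132)
# from an X.509 subject DN, so the ppp/DHCP side needs no second password.
import hashlib

def dn_to_client_id(subject_dn: str, max_len: int = 255) -> bytes:
    """Build the option 61 payload for a certificate subject DN.

    Byte 0 is the identifier 'type'; 0 means 'not a hardware address'.
    The DN is canonicalised (case, spacing) so that 'CN=Alice, O=TUM' and
    'cn=alice,o=tum' yield the same identifier and hence the same lease.
    Very long DNs are replaced by a SHA-256 digest, because option 61
    is limited to 255 octets.  (Assumes unescaped commas in the DN.)
    """
    canon = ",".join(p.strip().lower() for p in subject_dn.split(","))
    ident = canon.encode("utf-8")
    if len(ident) + 1 > max_len:
        ident = hashlib.sha256(ident).digest()
    return b"\x00" + ident

def option_61(client_id: bytes) -> bytes:
    """Encode the identifier as a DHCP option TLV: code 61, length, value."""
    if not 2 <= len(client_id) <= 255:
        raise ValueError("client identifier must be 2..255 octets")
    return bytes([61, len(client_id)]) + client_id

def dhcpd_host_stanza(name: str, subject_dn: str, fixed_ip: str) -> str:
    """Render an ISC dhcpd-style host entry (hex form, since byte 0 is NUL)
    that pins this person's certificate to one address."""
    cid = ":".join(f"{b:02x}" for b in dn_to_client_id(subject_dn))
    return (f"host {name} {{\n"
            f"  option dhcp-client-identifier {cid};\n"
            f"  fixed-address {fixed_ip};\n"
            f"}}")

if __name__ == "__main__":
    # Constructed sample DN, not a real user.
    print(dhcpd_host_stanza("alice", "CN=Alice, O=TUM", "10.0.0.5"))
```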