[Openswan Users]
Re: Inquiry: Best practices for road warriors w/ virtual IPs?
Jacco de Leeuw
jacco2 at dds.nl
Sat Oct 30 18:17:58 CEST 2004
Michael Herrmann wrote:
> I want
> - to support road warriors and give them virtual IPs (best would
> be, every person the same personal IP every time)
> - using Linux, Windows XP (2k and 98 not decided), MacOS X
>
> If at all possible I'd like to
>
> - use Linux as the server platform, and use native 26 ipsec
> - use our already existing DHCP Servers to give out IPs.

Is DHCP really a requirement for road warriors? Especially since you
prefer to assign every user the same IP address every time. Wouldn't
reserving a range of addresses be enough?

> Most interesting problem here is the virtual IP. How do I pick it
> and how to get it to the client? There seem to be two obvious
> choices:
>
> 1. DHCP-over-IPSEC (RFC 3456)
> 2. L2TP-over-IPSEC (RFC 3193)

SSH Sentinel can assign fixed virtual IP addresses. The problem is that
it is a drag to configure and even worse, Sentinel is End Of Life. Perhaps
other Windows/Mac clients can do virtual addresses, I haven't checked.
Expect to pay per client, though.

OpenVPN could be another option but I haven't looked if it supports
virtual addresses. And, of course, you have PPTP...

> So it appears to me, as long as we talk about existing software,
> there is no way to give out virtual IPs with L2TP-over-IPSEC if
> you don't want separate ppp authentication.
>
> Am I right here or am I missing something?

What do you mean by existing software? I agree that PPP authentication
does not add much to the overall security. However, I'm not sure if your
suggestion of hooking pppd into pluto is a good idea. It kind of violates
the principle of abstraction and OSI network layering.

Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl