[Openswan Users] Best practices
Thomas Heidemann
thomas.heidemann at gmx.net
Sat Feb 12 11:31:10 CET 2005
Hello.
I'm quite familiar with IPsec because I have been managing a FreeS/WAN gateway
for some roadwarriors for more than a year now.
My next step is to upgrade my distribution and to use Openswan 2.3.
During this year I recognized a lack of knowledge concerning best practices
in implementing and managing a VPN gateway. What is 'the best' approach to
implementing a VPN?
I would like to share my thoughts with you and discuss some basics in
managing IPSec.
Ok, now the facts:
Server: FreeS/WAN 1.99
Clients: Windows XP (some NATed, some not)
I use certificates for authorizing the clients. Therefore I built up
a certificate authority.
For each connecting client, each subnet behind the gateway and each
possible situation (NATed and not), I created a connection with the
needed specifications to get the connection to work.
This looks like this: (excerpt)
conn rw1-net1
        leftsubnet=192.168.11.0/24
conn rw1-net2
        leftsubnet=192.168.12.0/24
conn rw1-nat-net1
        leftsubnet=192.168.11.0/24
        rightsubnetwithin=0.0.0.0/0
conn rw1-nat-net2
        leftsubnet=192.168.12.0/24
        rightsubnetwithin=0.0.0.0/0
...
I have to use 0.0.0.0/0 because I do not know from which private
NATed network the client connects.
Is this the (only) way it works or am I on the wrong path?
The clients do use Marcus Müller's ipsec.exe tool, which is quite nice.
Well, I personally love this solution, because it does not require
typing in a password when connecting. But my customers do not - it has no
nice-to-handle GUI!
Because of this, I am considering using XAUTH with Openswan. There are some
free Windows clients (such as the Cisco VPN Client, I think) which support
XAUTH.
Some other Windows clients are really nice (like the one from NCP) but
very expensive, too.
Another approach is to implement l2tpd and to use the built-in Windows
connections.
So, my problem is that I don't know which strategy to use. My main
requirements are:
* security
* stability
* ease of use for the clients
How do you implement Openswan? Any thoughts are welcome.
Thanks
Thomas
--
Thomas Heidemann
thomas.heidemann at gmx.net
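One way to collapse the per-client, per-subnet, per-NAT-situation connection list described in the message above, given as an added example that is not part of the original post and not taken from the Openswan project's own documentation: an Openswan 2.x ipsec.conf sketch that enables NAT traversal and uses virtual_private plus rightsubnet=vhost:%priv,%no, so a single certificate-authenticated roadwarrior conn per protected subnet serves both NATed and non-NATed clients. The two leftsubnet values are taken from the post; the certificate file name, the use of %defaultroute, and the private ranges listed in virtual_private are assumptions for illustration.

```ini
# /etc/ipsec.conf, added example for Openswan 2.x (file names and ranges are assumed)
version 2.0

config setup
        interfaces=%defaultroute
        # Let NATed clients connect; ESP is encapsulated in UDP/4500 when NAT is detected.
        nat_traversal=yes
        # Private ranges a NATed roadwarrior may sit behind. The gateway's own
        # subnets are excluded (!), so a client claiming an address inside
        # 192.168.11.0/24 or 192.168.12.0/24 is refused instead of routed.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.11.0/24,%v4:!192.168.12.0/24

conn %default
        keyingtries=1
        pfs=yes
        # Certificate authentication: the gateway presents gateway.pem (assumed
        # name, in /etc/ipsec.d/certs); clients must present a certificate
        # signed by the same CA as the gateway's.
        authby=rsasig
        left=%defaultroute
        leftcert=gateway.pem
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightca=%same
        # Any outer address; the inner (pre-NAT) address the client proposes is
        # checked against virtual_private. %no also accepts a non-NATed client
        # whose inner address equals its outer address.
        right=%any
        rightsubnet=vhost:%priv,%no

# One conn per subnet behind the gateway. The NATed and non-NATed cases
# no longer need separate conns, and no per-client conn is required
# because the client is identified by its certificate.
conn rw-net1
        leftsubnet=192.168.11.0/24
        auto=add

conn rw-net2
        leftsubnet=192.168.12.0/24
        auto=add
```

The point of the exclusions in virtual_private is the check a practitioner wants here: with a plain rightsubnetwithin=0.0.0.0/0, any authenticated client can claim any inner address, including one inside the protected networks, whereas the exclusion list refuses such a claim at negotiation time. Whether a given Windows client proposes its inner address in a form Openswan accepts still has to be verified against that client, so test each client type (ipsec.exe, an XAUTH client, or the built-in L2TP/IPsec dialer) against this configuration before relying on it.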