[Openswan Users] Best practises

Thomas Heidemann thomas.heidemann at gmx.net
Sat Feb 12 11:31:10 CET 2005


Hello.

I'm quite familiar with IPSec because I do manage a FreeSWAN gateway
for some roadwarriors for more than one year now.
My next step is to upgrade my distribution and to use OpenSWAN 2.3.

During this year I recognized a lack of knowledge concerning best 
practices
in implementing and managing a VPN gateway. What is 'the best' approach 
to
implement VPN?
I would like to share my thoughts with you and discuss some basics in
managing IPSec.

Ok, now the facts:
Server: FreeS/WAN 1.99
Clients: Windows XP (some natted some not)
I do use certificates for authorizing the clients. Therefore I build up 
a certificate authority.

For each connecting client and each subnet behind the gateway and each
possible situation (natted and not) I created a connection with the 
needed specifications to get the connection to work.

This looks like this: (excerpt)
conn rw1-net1
     leftsubnet=192.168.11.0/24

conn rw1-net2
     leftsubnet=192.168.12.0/24

conn rw1-nat-net1
     leftsubnet=192.168.11.0/24
     rightsubnetwithin=0.0.0.0/0

conn rw1-nat-net2
     leftsubnet=192.168.12.0/24
     rightsubnetwithin=0.0.0.0/24
...

I do have to use 0.0.0.0/0 because I do not know, from which private 
natted network, the client connects.
Is this the (only) way it works or am I on the wrong path?

The clients do use Marcus Müller's ipsec.exe tool, which is quite nice. 
Well I personally love this solution, because it does not require a 
password to type in when connecting. But my customers not - it has no 
nice to handle GUI!

Because of this, I consider to use XAUTH with Openswan. There are some 
free Windows Clients (such as Cisco VPN Client I think) which support 
XAUTH.
Some other Windows clients are really nice (like the one from NCP) but 
very expensive, too.

An other approach is to implement l2tpd and to use the internal Windows 
connections.

So, my problem is, I don't know which strategy to use. My main 
requirements are:
* security
* stability
* ease of use for the clients


How do you implement Openswan? Any thoughts are welcome.

Thanks
Thomas

-- 
Thomas Heidemann
thomas.heidemann at gmx.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20050212/d588b3f3/attachment.bin


More information about the Users mailing list