[Openswan Users] Best practises
Ken Bantoft
ken at xelerance.com
Sat Feb 12 17:52:55 CET 2005
Thomas Heidemann wrote:
>Hello.
>
>I'm quite familiar with IPSec because I do manage a FreeSWAN gateway
>for some roadwarriors for more than one year now.
>My next step is to upgrade my distribution and to use OpenSWAN 2.3.
>
>During this year I recognized a lack of knowledge concerning best
>practices
>in implementing and managing a VPN gateway. What is 'the best' approach
>to
>implement VPN?
>I would like to share my thoughts with you and discuss some basics in
>managing IPSec.
>
>Ok, now the facts:
>Server: FreeS/WAN 1.99
>
>
Stock FreeS/WAN does not have NAT-T support, and will probably not work
with WinXP clients using the built in IPsec. Recommended to upgrade to
Openswan 1.0.9, or preferably 2.3.0/2.3.1 (2.3.1 out in a few days)
>Clients: Windows XP (some natted some not)
>I do use certificates for authorizing the clients. Therefore I build up
>a certificate authority.
>
>For each connecting client and each subnet behind the gateway and each
>possible situation (natted and not) I created a connection with the
>needed specifications to get the connection to work.
>
>This looks like this: (excerpt)
>conn rw1-net1
> leftsubnet=192.168.11.0/24
>
>conn rw1-net2
> leftsubnet=192.168.12.0/24
>
>conn rw1-nat-net1
> leftsubnet=192.168.11.0/24
> rightsubnetwithin=0.0.0.0/0
>
>conn rw1-nat-net2
> leftsubnet=192.168.12.0/24
> rightsubnetwithin=0.0.0.0/24
>...
>
>I do have to use 0.0.0.0/0 because I do not know, from which private
>natted network, the client connects.
>Is this the (only) way it works or am I on the wrong path?
>
>
With NAT-T, this shouldn't be the case. You use virtual_private to
control from which NAT ranges you permit.
>The clients do use Marcus Müller's ipsec.exe tool, which is quite nice.
>Well I personally love this solution, because it does not require a
>password to type in when connecting. But my customers do not - it has no
>nice to handle GUI!
>
>
There is a GUI to some of this on some Windows platforms - see iVPN.
>Because of this, I consider to use XAUTH with Openswan. There are some
>free Windows Clients (such as Cisco VPN Client I think) which support
>XAUTH.
>
>
Cisco client is only free if you own licenses to use it, which only come
with Cisco PIX and/or Cisco 3000 series VPN concentrators.
>Some other Windows clients are really nice (like the one from NCP) but
>very expensive, too.
>
>Another approach is to implement l2tpd and to use the internal Windows
>connections.
>
>
Yes, this is quite common now. Nate Carlson's site does a good job of
explaining this.
>So, my problem is, I don't know which strategy to use. My main
>requirements are:
>* security
>* stability
>* ease of use for the clients
>
>
>How do you implement Openswan? Any thoughts are welcome.
>
>
You missed the important bit - how many clients? If it's a few,
spending a few hundred bucks on NCP might save you a few days of
fiddling around with l2tpd and friends. But for > 15 or so clients, it
might be worth it.
Ken
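The virtual_private approach Ken points to, as an added ipsec.conf sketch that is not part of the thread and not Openswan's shipped sample: the per-subnet connections stay, but the separate "nat" copies with rightsubnetwithin go away, because rightsubnet=vhost:%priv lets a NATed client claim any address inside the ranges listed in virtual_private. The two leftsubnet values come from the original post; the certificate file names and the choice to exclude the gateway's own LANs from virtual_private are assumptions made for this example.

```ini
config setup
        # NAT-T must be on for the %priv/vhost mechanism to do anything.
        nat_traversal=yes
        # RFC1918 ranges a NATed roadwarrior may sit behind. The "!" entries
        # exclude the gateway's own LANs so a client cannot claim an address
        # that collides with the protected subnets (assumption: you want this).
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.11.0/24,%v4:!192.168.12.0/24

# One conn per protected subnet; each serves both NATed and non-NATed clients.
conn rw-net1
        left=%defaultroute
        leftsubnet=192.168.11.0/24
        leftcert=gatewayCert.pem          # assumed file name
        leftrsasigkey=%cert
        right=%any
        # %priv: accept a virtual address from the virtual_private ranges
        # %no:   also accept a client that is not behind NAT
        rightsubnet=vhost:%priv,%no
        rightrsasigkey=%cert
        auto=add

conn rw-net2
        also=rw-net1
        leftsubnet=192.168.12.0/24
```

The virtual_private exclusions are the security-relevant part: without them a client that is (or claims to be) behind a NAT using 192.168.11.0/24 would be allowed to present that subnet as its own, and the gateway would happily route traffic for it.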