[Openswan Users] Best practises

Ken Bantoft ken at xelerance.com
Sat Feb 12 17:52:55 CET 2005


Thomas Heidemann wrote:

>Hello.
>
>I'm quite familiar with IPSec because I do manage a FreeSWAN gateway
>for some roadwarriors for more than one year now.
>My next step is to upgrade my distribution and to use OpenSWAN 2.3.
>
>During this year I recognized a lack of knowledge concerning best practices
>in implementing and managing a VPN gateway. What is 'the best' approach to
>implement VPN?
>I would like to share my thoughts with you and discuss some basics in
>managing IPSec.
>
>Ok, now the facts:
>Server: FreeS/WAN 1.99
>
Stock FreeS/WAN does not have NAT-T support, and will probably not work 
with WinXP clients using the built-in IPsec.  I'd recommend upgrading to 
Openswan 1.0.9, or preferably 2.3.0/2.3.1 (2.3.1 out in a few days).

>Clients: Windows XP (some natted some not)
>I do use certificates for authorizing the clients. Therefore I built 
>a certificate authority.
>
>For each connecting client and each subnet behind the gateway and each
>possible situation (natted and not) I created a connection with the 
>needed specifications to get the connection to work.
>
>This looks like this: (excerpt)
>conn rw1-net1
>     leftsubnet=192.168.11.0/24
>
>conn rw1-net2
>     leftsubnet=192.168.12.0/24
>
>conn rw1-nat-net1
>     leftsubnet=192.168.11.0/24
>     rightsubnetwithin=0.0.0.0/0
>
>conn rw1-nat-net2
>     leftsubnet=192.168.12.0/24
>     rightsubnetwithin=0.0.0.0/0
>...
>
>I do have to use 0.0.0.0/0 because I do not know from which private 
>NATed network the client connects.
>Is this the (only) way it works, or am I on the wrong path?
>
With NAT-T, this shouldn't be the case.  You use virtual_private to 
control which NAT ranges you permit.

>The clients use Marcus Müller's ipsec.exe tool, which is quite nice. 
>Well, I personally love this solution, because it does not require 
>typing in a password when connecting. But my customers do not: it has no 
>easy-to-handle GUI!
>
There is a GUI to some of this on some Windows platforms - see iVPN.

>Because of this, I am considering using XAUTH with Openswan. There are some 
>free Windows clients (such as the Cisco VPN Client, I think) which support 
>XAUTH.
>
The Cisco client is only free if you own licenses to use it, which only come 
with Cisco PIX and/or Cisco 3000 series VPN concentrators.

>Some other Windows clients are really nice (like the one from NCP) but 
>very expensive, too.
>
>Another approach is to implement l2tpd and to use the internal Windows 
>connections.
>
Yes, this is quite common now.  Nate Carlson's site does a good job of 
explaining this.

>So, my problem is, I don't know which strategy to use. My main 
>requirements are:
>* security
>* stability
>* ease of use for the clients
>
>
>How do you implement Openswan? Any thoughts are welcome.
>
You missed the important bit: how many clients?  If it's a few, 
spending a few hundred bucks on NCP might save you a few days of 
fiddling around with l2tpd and friends.  But for more than 15 or so clients, 
the fiddling might be worth it.

Ken
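As an added illustration of the virtual_private approach Ken points to (this is not from the original thread and not Thomas's configuration), here is how the per-subnet "nat" and "non-nat" conn pairs in the quoted excerpt collapse to one conn per protected subnet under Openswan 2.x with NAT-T enabled. The two subnets 192.168.11.0/24 and 192.168.12.0/24 come from the excerpt; the certificate file name, the use of %defaultroute for the gateway's public interface, and the exact RFC 1918 ranges listed in virtual_private are assumptions for the example.

```conf
# Added example: Openswan 2.x ipsec.conf for certificate-authenticated
# roadwarriors, NATed or not, without a separate conn per NAT case.

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    # Private ranges a roadwarrior may sit behind.  The "!" entries exclude
    # the gateway's own protected subnets, so a NATed client can never
    # present an inner address that overlaps the networks it is reaching.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.11.0/24,%v4:!192.168.12.0/24

conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    # Assumed file name; the gateway certificate lives under /etc/ipsec.d/certs
    leftcert=gatewayCert.pem
    right=%any
    # Accept any client certificate issued by the same CA as the gateway's
    rightca=%same
    # %priv: client behind NAT, inner address must fall inside virtual_private
    # %no:   client not behind NAT, inner address equals its public address
    rightsubnet=vhost:%priv,%no
    auto=add

# One conn per protected subnet; NATed and non-NATed clients share each one.
conn rw-net1
    leftsubnet=192.168.11.0/24

conn rw-net2
    leftsubnet=192.168.12.0/24
```

The "vhost:%priv,%no" setting is what replaces rightsubnetwithin=0.0.0.0/0: instead of accepting any client-side network, the gateway only accepts an inner address that is either the client's own public address or one inside the ranges you listed in virtual_private, and the negated entries keep those ranges from overlapping your own subnets. After editing the file, run "ipsec setup restart" (or "ipsec auto --add rw-net1" for a single conn) and check with "ipsec auto --status" that both conns are loaded and that a connecting client is matched against the expected one.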



More information about the Users mailing list