[Openswan Users] Best practises

Thomas Heidemann thomas.heidemann at gmx.net
Sun Feb 13 10:28:38 CET 2005


Hi Ken,

On Saturday 12 February 2005 23:52, Ken Bantoft wrote:
> Thomas Heidemann wrote:
> >Hello.
> >
> >I'm quite familiar with IPSec because I have been managing a FreeSWAN
> >gateway for some roadwarriors for more than a year now.
> >My next step is to upgrade my distribution and to use OpenSWAN 2.3.
> >
> >During this year I recognized a lack of knowledge concerning best
> >practices in implementing and managing a VPN gateway. What is 'the
> >best' approach to implement VPN?
> >I would like to share my thoughts with you and discuss some basics
> >in managing IPSec.
> >
> >Ok, now the facts:
> >Server: FreeS/WAN 1.99
>
> Stock FreeS/WAN does not have NAT-T support, and will probably not
> work with WinXP clients using the built in IPsec.  Recommended to
> upgrade to Openswan 1.0.9, or preferably 2.3.0/2.3.1 (2.3.1 out in a
> few days)

Well, it works with the specified rightsubnetwithin=... parameter.

> >Clients: Windows XP (some natted some not)
> >I do use certificates for authorizing the clients. Therefore I built
> >up a certificate authority.
> >
> >For each connecting client and each subnet behind the gateway and
> > each possible situation (natted and not) I created a connection
> > with the needed specifications to get the connection to work.
> >
> >This looks like this: (excerpt)
> >conn rw1-net1
> >     leftsubnet=192.168.11.0/24
> >
> >conn rw1-net2
> >     leftsubnet=192.168.12.0/24
> >
> >conn rw1-nat-net1
> >     leftsubnet=192.168.11.0/24
> >     rightsubnetwithin=0.0.0.0/0
> >
> >conn rw1-nat-net2
> >     leftsubnet=192.168.12.0/24
> >     rightsubnetwithin=0.0.0.0/0
> >...
> >
> >I do have to use 0.0.0.0/0 because I do not know from which private
> >natted network the client connects.
> >Is this the (only) way it works, or am I on the wrong path?
>
> With NAT-T, this shouldn't be the case.  You use virtual_private to
> control from which NAT ranges you permit.
>
> >The clients do use Marcus Müller's ipsec.exe tool, which is quite
> >nice. Well, I personally love this solution, because it does not
> >require a password to type in when connecting. But my customers do
> >not, because it has no nice-to-handle GUI!
>
> There is a GUI to some of this on some Windows platforms - see iVPN.

Oh, I didn't know. Thanks for this hint.

> >Because of this, I am considering using XAUTH with Openswan. There
> >are some free Windows clients (such as Cisco VPN Client, I think)
> >which support XAUTH.
>
> Cisco client is only free if you own licenses to use it, which only
> come with Cisco PIX and/or Cisco 3000 series VPN concentrators.

So, I have to buy it if I use an OpenSWAN server? Argh.

> >Some other Windows clients are really nice (like the one from NCP)
> > but very expensive, too.
> >
> >Another approach is to implement l2tpd and to use the internal
> >Windows connections.
>
> Yes, this is quite common now.  Nate Carlson's site does a good job
> of explaining this.
>
> >So, my problem is, I don't know which strategy to use. My main
> >requirements are:
> >* security
> >* stability
> >* ease of use for the clients
> >
> >
> >How do you implement Openswan? Any thoughts are welcome.
>
> You missed the important bit - how many clients?  If it's a few,
> spending a few hundred bucks on NCP might save you a few days of
> fiddling around with l2tpd and friends.  But for > 15 or so clients,
> it might be worth it.

Well, there are about 30 clients, but the number of clients connected at
the same time is very low. One or two, if I read the logs correctly ;-)

Thanks 
Thomas

> Ken

-- 
Thomas Heidemann
thomas.heidemann at gmx.net
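As an added example (not part of Ken's or Thomas's mails, and not Openswan's own documentation), here is what the NAT-T setup Ken refers to looks like in an Openswan 2.x ipsec.conf: a virtual_private list in the setup section declares which private ranges a NATed roadwarrior may come from, with the gateway's own subnets explicitly excluded, and each per-subnet conn uses rightsubnet=vhost:%priv,%no instead of a separate "nat" conn with rightsubnetwithin=0.0.0.0/0. The certificate file name, the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 ranges and the conn names are assumptions; the two protected subnets are the ones from Thomas's excerpt.

```ini
# Added example ipsec.conf fragment for Openswan 2.x (not from the original thread).
# Assumed: the certificate file name, the permitted private ranges, the conn names.
config setup
    interfaces=%defaultroute
    # Enable NAT Traversal so Windows XP clients behind NAT can connect
    nat_traversal=yes
    # Private ranges a NATed roadwarrior may sit behind.  The gateway's own
    # subnets (192.168.11.0/24, 192.168.12.0/24) are excluded with '!' so a
    # client cannot claim an inner address inside the networks it tunnels to.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.11.0/24,%v4:!192.168.12.0/24

# One conn per protected subnet; no separate "nat" variants are needed.
# also= must be the last parameter of the section.
conn rw-net1
    leftsubnet=192.168.11.0/24
    auto=add
    also=rw-common

conn rw-net2
    leftsubnet=192.168.12.0/24
    auto=add
    also=rw-common

# Settings shared by all roadwarrior conns.  No auto= here, so this section
# is only pulled in via also= and never loaded as a conn of its own.
conn rw-common
    left=%defaultroute
    leftcert=gateway.pem          # assumed file name in /etc/ipsec.d/certs
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightca=%same                 # client cert must be issued by the gateway's own CA
    # vhost:%priv  accept any address inside virtual_private as the client's
    #              inner (pre-NAT) address
    # %no          also accept clients that are not behind NAT
    rightsubnet=vhost:%priv,%no
    authby=rsasig
```

The security-relevant part is the '!' exclusions in virtual_private: without them a client behind NAT could present an inner address that overlaps a protected subnet, and Openswan would install a route for it. After "ipsec setup restart", "ipsec auto --status" lists rw-net1 and rw-net2 with the vhost template, and a NATed client that negotiates an address outside the permitted ranges is refused rather than silently accepted as it was with rightsubnetwithin=0.0.0.0/0.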