[Openswan Users] Windows vpn clients

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Sep 7 11:56:15 CEST 2005


On Wed, 2005-09-07 at 14:16 +0200, Norbert Wegener wrote:
> Hello Andreas,
> if you configure a vpn connection on a windows client via DUN, Windows 
> by default creates l2tp/ipsec connections, with ipsec in transport mode.
> This mode is disabled in strongswan by default and can only be activated
> via a compile-time switch. Therefore I wonder: what is the recommended
> way to set up a VPN with a Windows client and a strongswan server?
> Do I need a third party client for the windows system?
> Regards
> Norbert
<snip>
On the ISCS network security management project
(http://iscs.sourceforge.net), we generally either use a third party
product or use the Windows client with L2TP stripped out using the
ebootis patch (http://vpn.ebootis.de).

We found that L2TP makes securing the data in the tunnel very difficult.
By default, when a RoadWarrior connects to an ISCS system, we
dynamically change the firewall rules based upon their X.509 DN.  Thus,
we can implement very granular access controls on RoadWarriors based
upon their departments, for example.  We can then extend this "extended"
user authentication throughout the entire WAN without assigning virtual
IP addresses because of the way we modularize security with iptables in
ISCS.

When L2TP is involved, we lose that control.  The packets are passed to
the PPP server, are assigned a virtual IP address and from there,
everyone looks the same.  We have not seen an easy way to preserve the
granular security we achieve by bypassing L2TP.
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
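A sketch of the DN-driven firewall control described in the reply above, as an added example and not ISCS code: an Openswan-style updown hook that builds the FORWARD rule from the peer's X.509 DN instead of from a virtual IP. It assumes the PLUTO_VERB, PLUTO_PEER_ID and PLUTO_PEER_CLIENT variables Openswan hands to its _updown script, with the DN in "C=..., O=..., OU=..., CN=..." form; the OU-to-network map and all addresses are constructed.

```shell
#!/bin/sh
# Added example (not ISCS code): derive per-peer firewall rules from the
# X.509 DN that Openswan passes to the updown script in PLUTO_PEER_ID.
# Assumption: DN is formatted "C=US, O=Example, OU=Finance, CN=alice".

IPTABLES="${IPTABLES:-iptables}"   # override with "echo iptables" for a dry run

# Extract the OU= attribute from a comma-separated DN string
dn_ou() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*OU=//p' | head -n 1
}

# Map a department (OU) to the internal network it may reach (constructed values)
ou_to_net() {
    case "$1" in
        Finance)     echo "10.10.1.0/24" ;;
        Engineering) echo "10.10.2.0/24" ;;
        *)           echo "" ;;
    esac
}

# Emit (or apply) one rule for a peer; action is -I on connect, -D on disconnect.
# Traffic is matched only if it was IPsec-decapsulated (-m policy), so a
# spoofed cleartext packet from the same source address does not match.
peer_rule() {
    action="$1"; dn="$2"; client="$3"
    net=$(ou_to_net "$(dn_ou "$dn")")
    if [ -z "$net" ]; then
        echo "no policy for DN '$dn': no rule added" >&2   # unknown department: deny by default
        return 1
    fi
    $IPTABLES "$action" FORWARD -m policy --dir in --pol ipsec \
        -s "$client" -d "$net" -j ACCEPT
}

# Entry point driven by Openswan's PLUTO_VERB
iscs_updown() {
    case "$PLUTO_VERB" in
        up-client)   peer_rule -I "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT" ;;
        down-client) peer_rule -D "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT" ;;
        *)           : ;;   # other verbs need no firewall change here
    esac
}
```

With L2TP in the path the same hook would only ever see the PPP server's address, which is the loss of granularity the reply describes.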


