[Openswan Users] Windows vpn clients

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Sep 7 15:57:03 CEST 2005


Thanks very much for the input.  I'll answer (and query) in the text -
John

On Wed, 2005-09-07 at 19:20 +0200, Jacco de Leeuw wrote:
> John A. Sullivan III wrote:
> 
> > We found that L2TP makes securing the data in the tunnel very difficult.
> > By default, when a RoadWarrior connects to an ISCS system, we
> > dynamically change the firewall rules based upon their X.509 DN.  Thus,
> > we can implement very granular access controls on RoadWarriors based
> > upon their departments, for example.
> > 
> > When L2TP is involved, we lose that control.  The packets are passed to
> > the PPP server, are assigned a virtual IP address and from there,
> > everyone looks the same.  We have not seen an easy way to preserve the
> > granular security we achieve by bypassing L2TP.
> 
> What if you assign *static* virtual IP addresses to users? Then every
> user has his own internal IP address (assuming there is no shortage of
> those). Plus, the firewall rules can be static. They do not have to be
> changed dynamically.
This probably reflects more of my ignorance of PPP.  I wasn't aware we
could do that. I'm sure this is not the forum to ask how!

However, it seems like it would be a lot of overhead but, then again,
I'm pretty ignorant here.  With the current ISCS approach
(http://iscs.sourceforge.net), we add users to groups in a hierarchy.
Users inherit the access of all ancestor groups.  We can say something
like, any user with an X.509 cert where O=MyCompany and OU=Engineering
is part of the MyCompany/Engineering group.  I can have thousands of
such users.  They can connect to any of hundreds or thousands of
gateways and from there be secured throughout the entire WAN by their DN
but I only need to make that one entry to accomplish it.

To use L2TP as described, wouldn't I have to tie a pool of IP addresses
(similar to the RADIUS approach someone else suggested) to any DN with
those fields set and then do that on every gateway through which those
users might enter the system? I would also think that I am now tied to a
spoofable IP address for security throughout the system -- no, on second
thought, we could probably modularize it as we do other modes of
security.
> 
> Alternatively, you could use /etc/ppp/auth-up (man pppd) to dynamically
> change the firewall rules for a particular user on interface pppXXX.
> 
Can we tie the selection of PPP interface and thus the custom rules to a
user's DN?

Thanks for all the well-thought-out and useful suggestions - John
> Jacco
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
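Jacco's suggestion of an /etc/ppp/auth-up hook, worked through as an added example (this is not code from the thread, from ISCS, from Openswan or from pppd). pppd invokes auth-up with the arguments interface-name, peer-name, user-name, tty-device and speed, so the hook below keys on the PPP user name in $3 and confines the new pppXXX interface to that user's group policy with a per-interface chain; auth-down tears the chain down again. The user-to-group table, the networks and the allow rules are constructed for illustration. One caveat for the DN question: pppd only ever sees the PPP authentication name, not the X.509 certificate the IPsec layer verified, so keying the rules on the DN requires keeping the PPP user name and the certificate identity in step by policy (for example, using the same identifier for both).

```shell
#!/bin/sh
# Hypothetical /etc/ppp/auth-up (and auth-down) hook: per-user firewall
# rules on a ppp interface.  Added example, not from the thread or from pppd.
# pppd calls the hook as:  $1 interface-name  $2 peer-name  $3 user-name
#                           $4 tty-device      $5 speed

# Constructed PPP user -> firewall group table, one "user group" per line.
USER_GROUPS='alice engineering
bob engineering
carol finance'

# Print the firewall group of a PPP user name, or "unknown" if not listed.
group_for_user() {
    printf '%s\n' "$USER_GROUPS" |
        awk -v u="$1" '$1 == u { print $2; found = 1; exit }
                       END { if (!found) print "unknown" }'
}

# Print (do not run) the iptables commands that confine interface $1 for
# PPP user $2 to that user's group policy.  One command per line, so the
# output can be reviewed or logged before being piped to "sh -e".
rules_for_user() {
    ifname=$1
    user=$2
    grp=$(group_for_user "$user")
    chain="vpn_$ifname"
    # Per-interface chain: everything forwarded in from this ppp link is
    # steered into it, so the policy is tied to the interface, not an IP.
    echo "iptables -N $chain"
    echo "iptables -I FORWARD -i $ifname -j $chain"
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    case $grp in
        engineering)
            # Constructed policy: SSH into the engineering lab network only.
            echo "iptables -A $chain -p tcp --dport 22 -d 10.1.0.0/16 -j ACCEPT"
            ;;
        finance)
            # Constructed policy: HTTPS to one finance application host only.
            echo "iptables -A $chain -p tcp --dport 443 -d 10.2.0.10 -j ACCEPT"
            ;;
        *)
            # Unknown user: no allow rules at all, only the default deny below.
            ;;
    esac
    # Default deny: whatever the group policy did not allow is logged and dropped.
    echo "iptables -A $chain -j LOG --log-prefix \"vpn-$user-drop: \""
    echo "iptables -A $chain -j DROP"
}

# Print the commands that undo rules_for_user for interface $1 (auth-down).
teardown_rules() {
    ifname=$1
    chain="vpn_$ifname"
    echo "iptables -D FORWARD -i $ifname -j $chain"
    echo "iptables -F $chain"
    echo "iptables -X $chain"
}

# Only when pppd runs this file as auth-up or auth-down are the printed
# commands executed; sourcing the file merely defines the functions above.
case $(basename -- "$0") in
    auth-up)
        if [ "$#" -ge 3 ]; then rules_for_user "$1" "$3" | sh -e; fi
        ;;
    auth-down)
        if [ "$#" -ge 1 ]; then teardown_rules "$1" | sh -e; fi
        ;;
esac
```

Install the same file under both names (a symlink from auth-down to auth-up works), and review the emitted rules with `rules_for_user ppp0 alice` before trusting the hook on a gateway; an unknown user gets a chain with nothing but the logged DROP, which is the safe failure mode.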


