[Openswan Users] xp2openswan [tutorial]
tgrzelak at wktpolska.com.pl
Tue Aug 22 17:19:00 EDT 2006
Jacco de Leeuw wrote:
> Hello Tomasz,
>> I can see many people have problems with configuring Openswan as the
>> vpn server for roadwarriors. I wrote a simple tutorial with all steps
>> required to configure it. I also had lots of problems, but was able to
>> fix them.
> I'm sorry to hear that, because *I* should be the one who already
> went through those problems :-).
Of course you are! That's right, but those were not all the problems, for
I had several, and no one was able to help me, and I did not read about
them on your site.
Haven't you noticed? There is a link to your site with the
recommendation to read it ("First of all...") at the top of mine, isn't there?
You did (and do) a great job. I started learning from your tutorials,
and read the newsgroup all the time.
> I guess it's all on the docs but
> it is easy to lose the overview.
Exactly, like you said, it is easy to lose the overview...
When I started reading about VPNs and roadwarriors, it was a real
nightmare to get through it. I was a total newbie, and it took me a lot
of time to figure out how the XP client works, how to start, and
what software to use.
That's why I decided to shorten it a little to make the start less
>> Many tutorials on the web cover only a part of required steps, or lack
>> of troubleshooting, or just are too difficult for newbies.
> My long standing goal is to make a Howto for newbies (or improve support
> for an easy to use VPN appliance such as IPCop).
My tutorial is narrow and simple, I know, but it is supposed to be
like that (only NETKEY, only XP clients, but maybe it would work for
W2K, I did not test it).
With a very simple example it helps to understand what runs inside, and
makes a good point to start from. The next step is to adapt it, and secure
it as you mentioned, to someone's environment.
The tutorial should be treated as a "Hello World" example with a
When I started learning VPNs I missed such a simple howto. That's why I
decided to write one.
> Still, this is a complex business. It is easy to make an error which
> negates security. What is worse than no security is a false sense of
>> I tried to gather all required steps of the configuration process, and
>> describe them shortly, with simple examples.
> I'm not sure if compiling Openswan and rp-l2tp makes things easy. You
> forgot to mention that rp-l2tp can only hand out static IP addresses,
> unless you use something like RADIUS, which is a complication in itself.
The reason for using rp-l2tp was that (x)l2tp is not stable (lots of
'too many retransmissions for tunnel... Destroying anyway'). I saw many
posts on the Internet about this problem, but no solution. I never got a
VPN session to last more than 2h with (x)l2tpd.
So I prefer to use static addressing (which I also used with
(x)l2tpd) because I have a STABLE connection.
> Another thing is that your certificate generation instructions do not
> mention that client certificates contain the "Client Authentication"
> property (or "Extended Key Usage purpose", EKU). If an attacker steals
> a client certificate (lacking the client EKU), he can pose as a
> legitimate server to other clients. When the stolen client cert does
> contain the EKU, the clients will detect that it is used as a server
> cert and disconnect. See http://www.freeradius.org/doc/EAPTLS.pdf
> for how to add the EKU.
But remember, please, this is a simple tutorial, I tried to avoid
If someone looks for advanced knowledge, he will follow to your site for
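An added example, not from the tutorial or from either writer on this thread, showing how to verify with the openssl CLI whether a certificate carries the client-authentication EKU discussed above (a certificate with no EKU at all is accepted for any purpose). The certificate names, the extension config file and the temporary directory are constructed for the demonstration; it assumes the openssl command is installed.

```shell
#!/bin/sh
# Added example: build two self-signed test certificates, one with
# extendedKeyUsage = clientAuth and one with no EKU, and report which
# of them is restricted to client use. Assumes the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two extension profiles: the EKU recommended in the thread, and the bare
# profile many simple tutorials produce (no extendedKeyUsage at all).
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ noeku_ext ]
basicConstraints = CA:FALSE
EOF

# make_cert NAME SECTION: self-signed test cert built from the given section
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -config "$WORK/ext.cnf" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# cert_has_eku FILE PURPOSE: exit 0 if the cert's EKU lists PURPOSE
cert_has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# eku_verdict FILE: "ok" if usable only as a client cert, "risky" otherwise
# (no EKU, or an EKU that also allows server authentication)
eku_verdict() {
    if cert_has_eku "$1" "TLS Web Client Authentication" &&
       ! cert_has_eku "$1" "TLS Web Server Authentication"; then
        echo ok
    else
        echo risky
    fi
}

make_cert client client_ext
make_cert noeku noeku_ext
printf 'client.pem: %s\nnoeku.pem: %s\n' \
    "$(eku_verdict "$WORK/client.pem")" "$(eku_verdict "$WORK/noeku.pem")"
```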