[Openswan Users] xp2openswan [tutorial]

Tomasz Grzelak tgrzelak at wktpolska.com.pl
Tue Aug 22 17:19:00 EDT 2006

Jacco de Leeuw wrote:
> Hello Tomasz,

hello Jacco,

>> I can see many people have problems with configuring Openswan as the 
>> vpn server for roadwarriors. I wrote a simple tutorial with all steps 
>> required to configure it. I also had lots of problems, but was able to 
>> fix them.
> I'm sorry to hear that, because *I* should be the one who already
> went through those problems :-). 

Of course you are! That's right, but those were not all the problems, for 
I had several, and no one was able to help me, and I did not read about 
them on your site.

Haven't you noticed? There is a link to your site with the 
recommendation to read it ("First of all...") at the top of mine, isn't there?
You did (and do) a great job - I started learning from your tutorials, 
and read the newsgroup all the time.

> I guess it's all on the docs but
> it is easy to lose the overview.

Exactly, like you said, it is easy to lose the overview...
When I started reading about VPNs and roadwarriors, it was a real 
nightmare to get through it. I was a total newbie, and it took me a lot 
of time to figure out how the xp client works, how to start, and 
what software to use.
That's why I decided to shorten it a little to make the start less 
painful :)

>> Many tutorials on the web cover only a part of the required steps, or lack 
>> troubleshooting, or are just too difficult for newbies.
> My long standing goal is to make a Howto for newbies (or improve support
> for an easy to use VPN appliance such as IPCop).

My tutorial is narrow and simple, I know, but it is supposed to be 
like that (only NETKEY, only xp clients, but maybe it would work for 
w2k, I did not test it).
Through a very simple example it helps one understand what runs inside, and 
makes a good starting point. The next step is to adapt it to one's own 
environment, and to secure it, as you mentioned.
The tutorial should be treated as a "Hello World" example with a 
When I started learning VPNs I missed such a simple howto. That's why I 
decided to write one.

> Still, this is a complex business. It is easy to make an error which
> negates security. What is worse than no security is a false sense of
> security.

I agree.

>> I tried to gather all required steps of the configuration process, and 
>> describe them shortly, with simple examples.
> I'm not sure if compiling Openswan and rp-l2tp makes things easy. You
> forgot to mention that rp-l2tp can only hand out static IP addresses,
> unless you use something like RADIUS, which is a complication in itself.

The reason for using rp-l2tp was that (x)l2tpd is not stable (lots of 
'too many retransmissions for tunnel... Destroying anyway'). I saw many 
posts on the Internet about this problem, but no solution. I never got a 
VPN session to last more than 2h with (x)l2tpd.
So I prefer to use static addressing (which I also used with 
(x)l2tpd) because then I have a STABLE connection.

> Another thing is that your certificate generation instructions do not
> mention that client certificates contain the "Client Authentication"
> property (or "Extended Key Usage purpose", EKU). If an attacker steals
> a client certificate (lacking the client EKU), he can pose as a
> legitimate server to other clients. When the stolen client cert does
> contain the EKU, the clients will detect that it is used as a server
> cert and disconnect. See http://www.freeradius.org/doc/EAPTLS.pdf
> for how to add the EKU.

You're right.
But remember, please, this is a simple tutorial, I tried to avoid 
complicating things.
If someone looks for advanced knowledge, he will follow to your site for 

> Jacco


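Jacco's point about the client EKU, shown as an added example that is not from the tutorial or from this thread: a throwaway CA issues a client certificate carrying the clientAuth EKU, and `openssl verify` then accepts it for the sslclient purpose but rejects it for sslserver, which is the check a peer performs when a client certificate is presented as a server certificate. All names and files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not the tutorial's code): issue a client cert with
# extendedKeyUsage = clientAuth and show that purpose checking rejects
# it as a server certificate. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA (constructed name, no real infrastructure)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem >/dev/null 2>&1

# Client key and CSR (constructed roadwarrior identity)
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=roadwarrior1" -keyout client.key -out client.csr >/dev/null 2>&1

# Extension file: restrict the certificate to client authentication
cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 2 -extfile client.ext -out client.pem >/dev/null 2>&1

CLIENT_CERT="$WORK/client.pem"
CA_CERT="$WORK/ca.pem"

# Exit 0 if the certificate chains to the CA *and* is valid for the
# given purpose ($1 = sslclient or sslserver, $2 = certificate file).
verify_purpose() {
  openssl verify -CAfile "$CA_CERT" -purpose "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the certificate text lists the client-authentication EKU,
# which is what an administrator would look for when auditing issued certs.
has_client_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}
```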