[Openswan Users] Basic question: should I use Openswan?

Paul Wouters paul at xelerance.com
Thu Jan 12 02:16:32 CET 2006


On Thu, 12 Jan 2006, Roman Dergam wrote:

> I apologise for the lack of knowledge related to Openswan - I started and
> installed today. I would like to use a secure connection between a laptop
> (which seems to be called "Road Warrior" here) and a server (with no network
> behind it; just a server to administer). The reason I started to look for a
> more complex solution is that the laptop has no static public IP. And on top
> of that it can connect from various places - with one or two machines before
> the public internet.

That is possible. It is a standard roadwarrior configuration.

> My questions are (and thanks to anybody for any advice):
>
> Is Openswan the right solution to use for such a situation?

It is a good solution.

> Is it possible to configure Openswan in such a way that it connects my two
> machines regardless of whether there is a router+modem or whatever gateway
> configuration between it and the server (which has a public IP)  - or not?

Yes, you need to enable nat_traversal=yes on the server end, and then your
laptop can connect from behind a NAT.

If your laptop is Linux, you can set up an extremely simple connection based
on two RSA keys. If you use a Windows or Mac OSX laptop, then you will want
to set up a small CA with two X.509 certificates (one for the server, and
one for the client). On the Windows/Mac you will need software to drive
the IPsec, e.g. lsipsectool on SourceForge for Windows, or IPsecuritas or
something similar on OSX. A third alternative is using L2TP on the Windows
or Mac clients, which requires no additional software on the client, but
a more complex setup on the Linux server with an additional L2TP daemon.

Check Jacco de Leeuw's pages and/or Nate Carlson's pages (or order the
openswan book listed on www.openswan.org)

Paul
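
The Linux-to-Linux RSA-key roadwarrior setup described in the reply above, sketched as an added example (not part of the original message or the Openswan documentation). The host names, the key placeholders, the virtual_private ranges and the rightsubnet line are assumptions for illustration; replace the placeholders with each machine's own public key.

```conf
# /etc/ipsec.conf on the SERVER (Openswan 2.x syntax), constructed example
version 2.0

config setup
    # Accept peers that sit behind one or more NAT devices
    nat_traversal=yes
    # Private ranges a NATed laptop may present as its own address
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior
    # Authenticate with raw RSA keys only, no pre-shared secret
    authby=rsasig
    # left = this server, reachable on its public IP
    left=%defaultroute
    leftid=@server.example.com
    # Server public key, as printed by: ipsec showhostkey --left
    leftrsasigkey=<SERVER_PUBLIC_KEY_PLACEHOLDER>
    # right = the laptop, source address unknown in advance
    right=%any
    # Pin the peer to one identity and one key so that only this
    # laptop can bring the tunnel up, whatever address it comes from
    rightid=@laptop.example.com
    rightrsasigkey=<LAPTOP_PUBLIC_KEY_PLACEHOLDER>
    # Accept the laptop with a public address (%no) or with a
    # NATed address inside the virtual_private ranges (%priv)
    rightsubnet=vhost:%no,%priv
    # Load the connection and wait for the laptop to initiate
    auto=add

# /etc/ipsec.conf on the LAPTOP, same identities and keys
config setup
    nat_traversal=yes

conn roadwarrior
    authby=rsasig
    # 192.0.2.10 is a documentation address standing in for the server's public IP
    left=192.0.2.10
    leftid=@server.example.com
    leftrsasigkey=<SERVER_PUBLIC_KEY_PLACEHOLDER>
    right=%defaultroute
    rightid=@laptop.example.com
    rightrsasigkey=<LAPTOP_PUBLIC_KEY_PLACEHOLDER>
    # The laptop initiates, since the server cannot reach it through NAT
    auto=start
```

After both ends load the connection, `ipsec auto --status` on the server shows whether the tunnel was established with the expected peer ID.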

