[Openswan Users] A quick question
ihsanturkmen at hedefalliance.com.tr
Fri Jun 2 20:41:15 CEST 2006
Can..
Now I see what you need. You want anybody outside the corporate network
to be able to work as if he/she were within the corporate intranet, in a
secure manner. Though it is also possible to do it with Linux, I do not
suggest you use it as a platform for an X509 implementation, because its
management is a little bit difficult.
The best way of doing it (from my long-term experience) is to configure a
Microsoft 2003 server with the latest patches and service packs with the
MS VPN service. This will serve as a VPN server and allow any L2TP client
coming from the outside world. The server needs only one network interface
and a private address, but you need to reserve a public address and NAT it
to this VPN server on the firewall.
You have two choices:
1) You can either join resources to the domain and gain management
flexibility,
2) or you keep away from the domain and design a simple structure.
If you keep away from the Active Directory domain structure, you need only
one server with one network interface on which you will host the VPN and
CA services. You will configure the MS RAS server as an L2TP server, and
install the CA server service to generate X509 certificates. The root CA
certificate and computer certificates signed by this CA server will be
deployed to each VPN client. After all these tasks are completed, you need
to add a pair of registry entries both to your VPN server and to the VPN
clients, if your clients are Windows XP with SP2. These registry values
will make you capable of establishing L2TP/IPSec connections even if both
the server and the clients are behind a NAT device.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"NegotiateDH2048"=dword:00000001
"DisableSavePassword"=dword:00000001
If you use an Active Directory domain as an alternative, you can (if you
like) separate the CA and VPN servers, and you don't have to use an X509
certificate for the L2TP/IPSec clients which are already members of the
domain. Kerberos authentication between server and client eliminates the
need to use a certificate, but you can still install a CA server for the
clients which are not members of the domain.
Now, the most important question is here: why did we use a Windows 2003
server for a VPN solution?
The answer is as follows:
1. Users can assign their own passwords on their own without the
administrator's intervention.
2. You can set password expiry periods to tighten security. The Linux l2tpd
daemon does not have this feature. Administrators can read users'
passwords, and passwords are clear text.
3. Certificate generation and deployment can be automated with policies (in
a domain environment), and no administrator intervention is needed here
either, because the CA server has a web interface. Authenticated users on
the web server get their own certificates if you granted them permission
to do so.
You can use Linux clients to get connected to your corporate network too,
if you use X509 certificates generated by this authority. I don't have
much experience with such an implementation.
İhsan Türkmen
Hedef Alliance Holding A.Ş.
Bilgi Sistemleri Direktörlüğü
Namık Kemal Cad. Göztepe Mah.
Karanfil Sok. No: 62
34550 Bağcılar / İstanbul/TR
Tel : +90 (212) 445 50 95
Fax: +90 (212) 445 97 54
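The thread answers Can's question with a Windows/L2TP design and never returns to the Openswan side of it: a single-NIC gateway in the LAN, behind a NAT firewall, authenticating road warriors with X509 certificates. The configuration below is an added example for that case, written for Openswan 2.4.x; it is not from this thread or from the Openswan project, and the addresses, hostnames, certificate file names and the distinguished name are hypothetical.

```conf
# /etc/ipsec.conf -- added example, not from the thread or the Openswan project.
# Assumptions (all hypothetical): the Openswan 2.4.x gateway has a single NIC
# with the private address 192.168.1.10, the office LAN is 192.168.1.0/24, and
# the firewall forwards UDP/500 and UDP/4500 from its public address to
# 192.168.1.10. Certificate material lives in the usual places:
#   /etc/ipsec.d/cacerts/ca.pem        the CA that issues gateway and client certs
#   /etc/ipsec.d/certs/vpngw.pem       the gateway certificate
#   /etc/ipsec.d/private/vpngw.key     the gateway private key
#   /etc/ipsec.d/crls/                 the CA's current CRL
version 2.0

config setup
    interfaces=%defaultroute
    # The gateway itself sits behind NAT, so IKE and ESP are carried in
    # UDP/4500 (NAT traversal). Without this the firewall would also have to
    # pass raw ESP (IP protocol 50) to the gateway.
    nat_traversal=yes
    # Inner addresses a NATed road warrior may present. The office LAN is
    # excluded so a client cannot claim an address that belongs to the LAN.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
    # Refuse peers whose issuing CA has no fresh CRL loaded, so a revoked
    # client certificate is actually rejected rather than silently accepted.
    strictcrlpolicy=yes
    crlcheckinterval=600
    klipsdebug=none
    plutodebug=none

conn roadwarrior
    authby=rsasig
    pfs=yes
    keyingtries=3
    # left = the office gateway. It is configured with its private NIC
    # address; clients dial the firewall's public address, which NATs to it.
    left=192.168.1.10
    leftsubnet=192.168.1.0/24
    leftcert=vpngw.pem
    leftid="C=TR, O=Example Ltd, CN=vpngw.example.com"
    leftrsasigkey=%cert
    leftsendcert=always
    # right = any client presenting a certificate issued by our CA.
    # %any accepts any source address; rightca=%same restricts the issuer
    # to the CA that issued the gateway's own certificate.
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    # The client keeps its own address. vhost:%no,%priv accepts either the
    # client's real address or, behind NAT, an address from virtual_private.
    rightsubnet=vhost:%no,%priv
    # Load the connection and wait: road warriors initiate, the gateway does not.
    auto=add
```

The gateway's private key is referenced from /etc/ipsec.secrets with a line of the form `: RSA vpngw.key "passphrase"` (the file must be mode 600). Each client needs the CA certificate plus its own certificate and key; the certificate subject is then the client's identity, so removing a user is a CRL update rather than a configuration change. Because no ModeConfig or DHCP-over-IPsec is configured, the remote host keeps whatever address it already has, which answers the "what IP address will the remote host take" question for this setup. The single-NIC placement has one routing consequence worth checking: LAN hosts reply to the client's address via their default gateway (the firewall router), not via 192.168.1.10, so the LAN router must route the virtual_private ranges back to the Openswan box or the tunnel will carry traffic in only one direction.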
"Can Akalin" <canakalin77 at gmail.com>
02.06.2006 18:10
To: "ihsanturkmen at hedefalliance.com.tr" <ihsanturkmen at hedefalliance.com.tr>, users at openswan.org
Subject: Re: [Openswan Users] A quick question
Thank you for the quick reply Ihsan, :)
I think it would be better to tell you what I want to do.
I have a company network behind a firewall router. We have servers and
employees at different physical locations, and sometimes these servers and
employees will need to reach the internal company network.
I want to establish a host-to-network type VPN connection with X509
certificates so that employees and servers can reach the company resources
securely.
I have a DHCP server and different data and file servers in the company
network. I will also have a Linux machine in the network (SUSE SLES 9 with
SP3, kernel 2.6.5-7.257.smp, the latest available for SUSE SLES 9) that
holds Openswan. This Linux machine is also a CA.
Now, for test purposes, I built a Linux desktop PC with the above
mentioned features and put it in the company LAN. No DHCP server is set up
on this test machine. This PC has just one Ethernet NIC card. I intend to
use this PC as a VPN server for now.
Would it be possible to make a host-to-network connection with this
configuration?
Can anybody give me a clear direction to do this host-to-network VPN
connection with X509 certificates?
PS: I followed the instructions on Nate Carlson's web page but I couldn't
manage to make the connection. :(
Thank you all
Can Akalin
On 6/2/06, ihsanturkmen at hedefalliance.com.tr <ihsanturkmen at hedefalliance.com.tr> wrote:
Hi..
There are two VPN types. One is transport mode (host-to-host) and the
other is tunnel mode (network-to-network). If you want to make a
network-to-network VPN, you need two network interfaces on each side,
one for the external network and the other for the internal network.
Interfaces do not have to be Ethernet; any other type of interface is
welcome. You don't have to have a public IP address either. It is not a
must.
If you need to make a host-to-host VPN, you don't need two network
interfaces.
"Can Akalin" <canakalin77 at gmail.com>
Sent by: users-bounces at openswan.org
02.06.2006 17:01
To: users at openswan.org
Subject: [Openswan Users] A quick question
Hello everyone,
I was reading a book called "Network Administrators Survival Guide" by
Cisco Press. There, in the chapter "Linux based VPN", it says that the
Linux machine that holds the Openswan VPN server should have 2 Ethernet
NIC cards: one for the publicly routed IP address and one for the private
network. Is this correct?
I have a computer in my private network and it has one NIC card. This
machine is a Linux machine, behind a firewall router, and has Openswan
2.4.5. So, can't I use this Linux machine as a VPN server?
One other question is that when I make a host-to-server connection from
remote, what IP address will the remote host take? Is there supposed to be
a DHCP server in the private network where the Openswan server resides, or
perhaps in the machine that holds the Openswan VPN server?
Thank you.
--
Can Akalin
This message and its attachments are confidential and intended solely for
the individual(s) stated in this message. This email is not intended to
impose, nor shall it be construed as imposing, any legally binding
obligation upon Hedef Alliance Holding A.S. and/or any of its subsidiaries
or associated companies. Our company shall have no liability for any
changes or late receipt, loss of integrity and confidentiality, viruses,
or any damage caused in any way to your computer system.
--
Can Akalin