[Openswan Users] A quick question
Can Akalin
canakalin77 at gmail.com
Fri Jun 2 16:07:55 CEST 2006
Ihsan,
I really appreciate your comments and help. Thank you.
The reason that I want to go with a Linux solution is that as a company, we
are moving towards to an open source OS.
I already have W2K3 VPN server at my network and it works fine. I want to
test Linux solutions and hopefully migrate our VPN connection to Linux
environment eventually.
If I don't like using Linux VPN solutions, I will probably go with W2K3 VPN
server and make remote Linux clients reach the W2K3 Server by using x509
certificates.
Again, thank you for your time and comments.
Have a good day.
Best Regards,
Can Akalin
On 6/2/06, ihsanturkmen at hedefalliance.com.tr <
ihsanturkmen at hedefalliance.com.tr> wrote:
>
>
> Can..
>
> Now , I see what you need. You want anybody outside the corporate network
> be able to work as if he/she is within the corporate intranet in a secure
> manner . Though , it is also possible to do it with Linux , I do not suggest
> you use it as a platform for X509 implemantation, because it's managment is
> a little bit difficult.
>
> The best way of doing it (from my long-term experience) is to configure a
> Microsoft 2003 server with latest patches and service packs with MsVPN
> service. This will serve as a VPN server, and allow any L2TP client coming
> from outside world . Server needs only one network interface, and a private
> address, but you need to reserve a public address and nat it to these VPN
> server on the firewall.
>
> You have two choice..
> 1 ) You can either join resources to the domain , and gain manegment
> flexibility,
> 2) or you keep away from domain and design a simple structure .
>
> If you keep away from active directory domain structure ,you need only one
> server with one network interface on which you will host VPN and CA services
> . You will configure Ms RAS server as and L2TP server, and install CA server
> service to generate X509 certificates. Root CA Certificate , and Computer
> certificates signed by this CA server will be deployed to each vpn client.
> After all this tasks are completed, you need to add a pair of registry
> entries both to your VPN server, and vpn clients if your clients are Windows
> XP with sp2 .This registry values will make you capable of establishing
> L2TP/IPSec connections even if both the server and the clients are behind a
> nat device.
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
> "AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
> "NegotiateDH2048"=dword:00000001
> "DisableSavePassword"=dword:00000001
>
> If you use an active directory domain as an alternative , you can (if you
> like) seperate CA and VPN server. and you don't have to use a x509
> certificate for the l2lt/ipsec clients which are alread a memeber of the
> domain. Kerbereos authentication between server and client eliminates the
> need of use a certificate, but you can still use install a CA server for the
> clients which are not a memeber of the domain.
>
> Now, the most important question is here.. Why did we use a Windows2003
> server for a vpn solution.?
>
> The answer is as follows ;
> 1. Users can assign their own passwords on their own without the
> administrators intervention.
> 2. You can set password expiry periods to tighten security. Linux l2tpd
> deamon does not have this feature. Administrators can read users
> passwords,and passwords are clear text.
> 3.Certificate generation and deployment can be automated with policies (in
> a domian enviroment) , and no administrator intervention needed here too,
> because CA server has a web interface. Authernticated users on the web
> server, get their own certificates if you granted them to do it.
>
> You can use linux clients to get connected to your corporate nework too,
> if you use X509 certificates generated by this authority. I don't have much
> experience on such an implementation.
>
>
>
>
>
> İhsan Türkmen
> Hedef Alliance Holding A.Ş.
> Bilgi Sistemleri Direktörlüğü
>
> Namık Kemal Cad. Göztepe Mah.
> Karanfil Sok. No: 62
> 34550 Bağcılar / İstanbul/TR
> Tel : +90 (212) 445 50 95
> Fax: +90 (212) 445 97 54
>
>
>
> *"Can Akalin" <canakalin77 at gmail.com>*
>
> 02.06.2006 18:10
> To
> "ihsanturkmen at hedefalliance.com.tr" <ihsanturkmen at hedefalliance.com.tr>,
> users at openswan.org cc
>
> Subject
> Re: [Openswan Users] A quick question
>
>
>
>
>
>
> Thank you for the quick reply Ihsan, :)
>
> I think it would be better to tell what I want to do.
>
> I have a company network behind a firewall router. We have servers and
> employees at different physical locations and sometimes these servers and
> employees will need to reach the internal company network.
>
> I want to establish a host-to-network type VPN connection with x509
> certificates so that employees and servers can reach the company resources
> securely.
>
> I have a DHCP Server and different data and file servers in the company
> network. I will also have a linux machine in the network (Suse SLES 9 with
> SP3 Kernel 2.6.5-7.257.smp - the latest available to the Suse SLES 9 - )
> that holds the Openswan. This linux machine is also a CA.
>
> Now, for the test purposes, I built a linux desktop PC with the above
> mentioned features and put it in the company LAN. No DHCP Server is set on
> this test machine. This PC has just one Ethernet NIC card. I intend to use
> this PC as a VPN server for now.
>
> Would it be possible to make a host-to-network connection with this
> configuration?
>
> Can anybody give me a clear direction to do this host-to-network VPN
> connection with x509 certificates?
>
> PS: I followed the instructions at *Nate Carlson's*<http://www.natecarlson.com/linux/ipsec-x509.php>web page but I couldn't manage to make the connection. :(
>
> Thank you all
>
> Can Akalin
>
>
>
> On 6/2/06, *ihsanturkmen at hedefalliance.com.tr*<ihsanturkmen at hedefalliance.com.tr><
> * ihsanturkmen at hedefalliance.com.tr* <ihsanturkmen at hedefalliance.com.tr>>
> wrote:
>
> Hi..
> There are two VPN types. One is transport mode (host-to-host) and the
> other is tunnel mode (network-to-network) . If you want to make a
> network-to-network VPN , you need two network interfaces on each side ,
> one for external network and the other for the internal network.Interfacesdo not have to be ethernet, any other type of interface wellcomes. .,You
> don't have to have a public ip address either . It is not a must.
>
> If you need to make a host-to-host VPN, you don't need two network
> interfaces.
>
>
> İhsan Türkmen
> Hedef Alliance Holding A.Ş.
> Bilgi Sistemleri Direktörlüğü
>
> Namık Kemal Cad. Göztepe Mah.
> Karanfil Sok. No: 62
> 34550 Bağcılar / İstanbul/TR
> Tel : +90 (212) 445 50 95
> Fax: +90 (212) 445 97 54
>
>
> *"Can Akalin" <**canakalin77 at gmail.com* <canakalin77 at gmail.com>*>*
> Sent by: *users-bounces at openswan.org* <users-bounces at openswan.org>
>
> 02.06.2006 17:01
>
> To
> *users at openswan.org* <users at openswan.org> cc
>
> Subject
> [Openswan Users] A quick question
>
>
>
>
>
>
>
>
> Hello everyone,
>
> I was reading a book called "Network Administrators Survival Guide" by
> Cisco Press. Over there, at the chapter "Linux based VPN", it says that the
> Linux machine that holds the Openswan VPN Server should have a 2 Ethernet
> NIC cards. One for publicly routed IP address and for the private network.
> Is this correct?
>
> I have a computer in my private network and it has one NIC card. This
> machine is a Linux machine, behind a firewall router and has Openswan
> 2.4.5. So, can't I use this Linux machine as a VPN Server?
>
> One other question is that when I make a host-to-server connection from
> remote, What IP address the remote host will take? Is there supposed to be a
> DHCP server in the private network where the Openswan Server resides, or
> perhaps in the machine that holds Openswan VPN server?
>
> Thank you.
>
> --
> Can Akalin _______________________________________________*
> **Users at openswan.org* <Users at openswan.org>*
> **http://lists.openswan.org/mailman/listinfo/users*<http://lists.openswan.org/mailman/listinfo/users>
> Building and Integrating Virtual Private Networks with Openswan: *
> **http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> *<http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155>
>
> Bu e-posta ve eklerinde verilen bilgiler kisiye ozel ve gizli
> olup,yalnizca mesajda belirlenen alici ile ilgilidir.
> Bu mesajda bulunan tum fikir,gorus ve ekindeki dosyalar sadece adres
> sahibine ait olup,Hedef Alliance Holding
>
> A.S. ve/veya istirakleri hic bir sekilde sorumlu tutulamaz. Sirketimiz
> mesajin ve bilgilerin size degisiklige ugrayarak veya gec
> ulasmasindan,butunlugunun ve gizliliginin korunamamasindan,virus
> icermesinden ve bilgisayar sisteminize verebilecegi herhangi bir zarardan
> sorumlu tutulamaz.
>
>
>
> This message and attachments are confidential and intended solely for the
> individual(s) stated in this message. This email is not intended to impose
> nor shall it be construed as imposing any legally binding obligation upon
> Hedef Alliance Holding
>
> A.S. and/or any of its subsidiaries or associated companies. Our company
> shall have no liability for any changes or late receiving,loss of integrity
> and confidentiality,viruses and any damages caused in anyway to your
> computer system.
>
>
>
>
> --
> Can Akalin
>
> Bu e-posta ve eklerinde verilen bilgiler kisiye ozel ve gizli olup,yalnizca mesajda belirlenen alici ile ilgilidir.
> Bu mesajda bulunan tum fikir,gorus ve ekindeki dosyalar sadece adres sahibine ait olup,Hedef Alliance Holding A.S. ve/veya istirakleri hic bir sekilde sorumlu tutulamaz. Sirketimiz mesajin ve bilgilerin size degisiklige ugrayarak veya gec ulasmasindan,butunlugunun ve gizliliginin korunamamasindan,virus icermesinden ve bilgisayar sisteminize verebilecegi herhangi bir zarardan sorumlu tutulamaz.
>
> This message and attachments are confidential and intended solely for the individual(s) stated in this message. This email is not intended to impose nor shall it be construed as imposing any legally binding obligation upon Hedef Alliance Holding A.S. and/or any of its subsidiaries or associated companies. Our company shall have no liability for any changes or late receiving,loss of integrity and confidentiality,viruses and any damages caused in anyway to your computer system.
>
>
--
Can Akalin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20060602/756ca68f/attachment-0001.htm
More information about the Users
mailing list