[Openswan Users] Ipsec VPN from windows machines

Peter McGill petermcgill at goco.net
Thu Apr 3 10:28:33 EDT 2008


If you have 50 users behind the same remote router,
wouldn't it make sense to connect one tunnel to that
remote router to connect the whole subnet?
You can still firewall the connection to only allow the
remote hosts you want.
It would be easier to set up and maintain, as well as
give better performance with a single tunnel instead
of 50. And you can avoid the hassle with Windows IPSec.
The only catch is your remote clinic will need an IPSec
capable router. But you can buy one for like $100,
or set up another Linux gateway on that end.

Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Agent Smith
> Sent: April 3, 2008 8:17 AM
> To: Marco Berizzi
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Ipsec VPN from windows machines
> 
> 
> No, I am using 2 XP boxes to test this from, both
> coming from behind a router and being on same
> 192.168.x subnet, naturally with unique IP addresses.
> 
> The odd thing is that 192.168.x IP address is not even
> reported in the logs, all I have hidden is the IP of
> the openswan box and the IP of NAT router, the non
> routable IP never shows up in logs.
> 
> dude I even installed a slackware box just to mimic
> your setup to see if that changes things, I'll let you
> know how it turns out.
> 
> Paul said openswan wasn't tested that much with this
> setup so I am not expecting it to work but since you
> said you got it working, I am going to at least try
> and mimic your setup.
> 
> I don't care if "two boxes with the same private ip
> address from two different nat device" doesn't work; I
> just want to accommodate a remote clinic with some
> 50 or so users connecting into our records DB and
> that HAS to be secure.
> 
> here is my ipsec.conf.
> 
> === start
> 
> version 2.0
> 
> config	setup
> 	klipsdebug=none
> 	plutodebug=none
> 	nat_traversal=yes
> 	fragicmp=no
> 	overridemtu=1200
> 	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> 	interfaces=%defaultroute
> 	uniqueids=yes
> 	strictcrlpolicy=no
> 
> conn	%default
> 	keyingtries=1
> 	auto=add
> 	disablearrivalcheck=no
> 	pfs=no
> 	ike=3des-md5,aes128-md5,aes128-sha,3des-sha1,aes256-md5
> 	esp=3des-md5,aes128-md5,aes128-sha1,3des-sha1,aes256-md5
> 	ikelifetime=28800s
> 	keylife=14400s
> 	rekey=no
> 	leftrsasigkey=%dnsondemand
> 	leftnexthop=%defaultroute
> 	rightrsasigkey=%dnsondemand
> 
> conn CERT
> 	authby=rsasig
> 	ikelifetime=28800s
> 	keylife=14400s
> 	rekey=yes
> 	pfs=yes
> 	pfsgroup=modp1024
> 	left=a.b.c.d
> 	leftsubnet=a.b.c.d/32
> 	leftrsasigkey=%cert
> 	leftcert=servercert.pem
> 	right=%any
> 	rightsubnet=vhost:%no,%priv
> 	rightrsasigkey=%cert
> 	auto=start
> 	keyingtries=1
> 
> include /etc/ipsec.d/examples/no_oe.conf
> 
> === end
> 
> --- Marco Berizzi <pupilla at hotmail.com> wrote:
> 
> > Agent Smith wrote:
> > 
> > > as you can see from it, the first client connects in
> > > fine but as soon as second one comes in from the same
> > > NAT box, it fails.
> > 
> > mhhhh your log says something else:
> > 
> > > Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
> > > xx.xx.xx.xx #3: Virtual IP xx.xx.xx.xx/32 is already
> > > used by 'C=US, ST=Michigan, L=Detroit, O=Wayne State
> > > University, OU=MSIS, CN=userauth2,
> > 
> > it appears that you don't have the two boxes behind the
> > same nat (I cannot say anything because you hid the
> > ip addresses):
> > 
> > > Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
> > > xx.xx.xx.xx #3: cannot respond to IPsec SA request
> > > because no connection is known for x.x.x.x[C=US,
> > > ST=Michigan, L=Detroit, O=Wayne State University,
> > > OU=MSIS, CN=servercert,
> > 
> > but two boxes with the same private ip address from
> > two different nat device, which of course cannot
> > work.
> > Could you post your ipsec.conf?
> > 
> > 
> > 
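Peter's single-tunnel suggestion, as an added ipsec.conf example that is not from this thread or from the Openswan project: one certificate-authenticated net-to-net conn carries the whole clinic subnet instead of 50 road-warrior connections. The two LAN subnets, the clinic router's public address w.x.y.z, the clinic certificate CN and the records-server address are placeholders; the office side reuses the thread's a.b.c.d gateway and servercert.pem.

```ini
# Added example, not part of the original thread.
# One tunnel between the office Openswan gateway and an IPsec-capable
# router at the clinic. Both ends hold a certificate from the same CA
# (the CA cert lives in /etc/ipsec.d/cacerts on the Openswan side).
conn clinic
	authby=rsasig
	# office gateway, as in the thread's CERT conn
	left=a.b.c.d
	# placeholder: office LAN behind the gateway
	leftsubnet=192.168.1.0/24
	leftnexthop=%defaultroute
	leftcert=servercert.pem
	leftrsasigkey=%cert
	# placeholder: clinic router's fixed public address
	right=w.x.y.z
	# placeholder: clinic LAN; it must not overlap leftsubnet, which is
	# exactly the "same private ip from two NAT devices" problem avoided
	rightsubnet=192.168.2.0/24
	rightrsasigkey=%cert
	# the clinic router's certificate subject; CN is a placeholder
	rightid="C=US, ST=Michigan, L=Detroit, O=Wayne State University, OU=MSIS, CN=clinic-gw"
	ike=aes128-sha1
	esp=aes128-sha1
	pfs=yes
	pfsgroup=modp1024
	ikelifetime=28800s
	keylife=14400s
	rekey=yes
	# a permanent site link should keep retrying, unlike keyingtries=1
	keyingtries=%forever
	auto=start

# Peter's firewall point: if the gateway runs KLIPS, decrypted clinic
# traffic arrives on ipsec0, so a FORWARD rule keyed on that interface
# limits what the clinic can reach (server address and port are
# placeholders for the records DB):
#   iptables -A FORWARD -i ipsec0 -s 192.168.2.0/24 \
#            -d 192.168.1.10 -p tcp --dport 1433 -j ACCEPT
#   iptables -A FORWARD -i ipsec0 -j DROP
```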


