[Openswan Users] Ipsec VPN from windows machines
Agent Smith
news8080 at yahoo.com
Thu Apr 3 10:46:19 EDT 2008
yes that would make sense as a matter of fact we do
this already for several of remote clinics, the
problem I am trying to solve though is more generic,
lets say bunch of people goes to starbucks and fire up
their laptops and they all want to connect in using
IPSEC?
for this perticular location, we already bought a
IPSEC endpoint that we'll do site-site in OSW so thats
resolved but you see my point here. if it works for
one person, why in the world can I not duplicate that,
openswan/linux is openswan/linux no matter where..
--- Peter McGill <petermcgill at goco.net> wrote:
> If you have 50 users behind the same remote router,
> wouldn't it make sense to connect one tunnel to that
> remote router to connect the whole subnet?
> You can still firewall the connection to only allow
> the
> remote hosts you want.
> It would be easier to setup, and maintain, as well
> as
> give better performance with a single tunnel instead
> of 50. And you can avoid the hassle with Windows
> IPSec.
> The only catch is your remote clinic will need an
> IPSec
> capable router. But you can buy one for like $100,
> or setup another Linux gateway on that end.
>
> Peter McGill
>
>
> > -----Original Message-----
> > From: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] On Behalf Of
> Agent Smith
> > Sent: April 3, 2008 8:17 AM
> > To: Marco Berizzi
> > Cc: users at openswan.org
> > Subject: Re: [Openswan Users] Ipsec VPN from
> windows machines
> >
> >
> > No, I am using 2 XP boxes to test this from, both
> > coming from behind a router and being on same
> > 192.168.x subnet, naturally with uniq IP
> addresses.
> >
> > The odd thing is that 192.168.x IP address is not
> even
> > reported in the logs, all I have hidden is the IP
> of
> > the openswan box and the IP of NAT router, the non
> > routable IP never shows up in logs.
> >
> > dude I even installed a slackware box just to
> mimic
> > your setup to see if that changes things, I'll let
> you
> > know how it turns out.
> >
> > Paul said openswan wasn't tested that much with
> this
> > setup so I am not expecting it to work but since
> you
> > said you got it working, I am going to at least
> try
> > and mimic your setup.
> >
> > I don't care if "two boxes with the same private
> ip
> > address from two different nat device" doesn't
> work; I
> > just want to accommodate for a remote clinic with
> some
> > 50 or so users connecting in to our records DB and
> > that HAS to be secure.
> >
> > here is my ipsec.conf.
> >
> > === start
> >
> > version 2.0
> >
> > config setup
> > klipsdebug=none
> > plutodebug=none
> > nat_traversal=yes
> > fragicmp=no
> > overridemtu=1200
> >
> >
>
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> > interfaces=%defaultroute
> > uniqueids=yes
> > strictcrlpolicy=no
> >
> > conn %default
> > keyingtries=1
> > auto=add
> > disablearrivalcheck=no
> > pfs=no
> >
> >
>
ike=3des-md5,aes128-md5,aes128-sha,3des-sha1,aes256-md5
> >
> >
>
esp=3des-md5,aes128-md5,aes128-sha1,3des-sha1,aes256-md5
> > ikelifetime=28800s
> > keylife=14400s
> > rekey=no
> > leftrsasigkey=%dnsondemand
> > leftnexthop=%defaultroute
> > rightrsasigkey=%dnsondemand
> >
> > conn CERT
> > authby=rsasig
> > ikelifetime=28800s
> > keylife=14400s
> > rekey=yes
> > pfs=yes
> > pfsgroup=modp1024
> > left=a.b.c.d
> > leftsubnet=a.b.c.d/32
> > leftrsasigkey=%cert
> > leftcert=servercert.pem
> > right=%any
> > rightsubnet=vhost:%no,%priv
> > rightrsasigkey=%cert
> > auto=start
> > keyingtries=1
> >
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > === end
> >
> > --- Marco Berizzi <pupilla at hotmail.com> wrote:
> >
> > > Agent Smith wrote:
> > >
> > > > as you can see from it, the first client
> connects
> > > in
> > > > fine but as soon as second one comes in from
> the
> > > same
> > > > NAT box, it fails.
> > >
> > > mhhhh your log says something else:
> > >
> > > > Apr 2 22:41:05 med-idxgtw pluto[5378]:
> "CERT"[3]
> > > > xx.xx.xx.xx #3: Virtual IP xx.xx.xx.xx/32 is
> > > already
> > > > used by 'C=US, ST=Michigan, L=Detroit, O=Wayne
> > > State
> > > > University, OU=MSIS, CN=userauth2,
> > >
> > > it appears that you haven't the two boxes behind
> the
> > > same nat (I cannot say nothing because you
> hidden
> > > the
> > > ip addresses):
> > >
> > > > Apr 2 22:41:05 med-idxgtw pluto[5378]:
> "CERT"[3]
> > > > xx.xx.xx.xx #3: cannot respond to IPsec SA
> request
> > > > because no connection is known for
> x.x.x.x[C=US,
> > > > ST=Michigan, L=Detroit, O=Wayne State
> University,
> > > > OU=MSIS, CN=servercert,
> > >
> > > but two boxes with the same private ip address
> from
> > > two different nat device, which of course cannot
> > > work.
> > > May you post you ipsec.conf?
> > >
> > >
> > >
> >
> >
> >
> >
> >
>
______________________________________________________________
> > ______________________
> > You rock. That's why Blockbuster's offering you
> one month of
> > Blockbuster Total Access, No Cost.
> > http://tc.deals.yahoo.com/tc/blockbuster/text5.com
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Building and Integrating Virtual Private Networks
> with Openswan:
> >
>
http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> > 7?n=283155
>
>
____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.
http://tc.deals.yahoo.com/tc/blockbuster/text5.com
More information about the Users
mailing list