[Openswan Users] First time setup common questions
rmichael-openswan at edgeofthenet.org
Sun Jun 15 21:28:09 EDT 2008
I'm afraid I'm about to ask questions that are probably posted every
week, but I don't see the answers already on the list, nor in an updated
FAQ anywhere. (If they're out there, just point me to them please.)
I'm planning on migrating a VPN setup to openswan with xl2tpd (using
Fedora 9 for convenience). This means (currently) kernel 18.104.22.168, but
with Fedora patches.
The server is behind a NAT'd router on a garden variety broadband
connection. I don't see CONFIG_IPSEC_NAT_TRAVERSAL in /boot/config*
files; so I assume the patch isn't merged mainline yet, nor has Fedora
done the work for me. Do I need to patch this kernel?
If so, I obviously want to track security kernel updates from the distro
and would like to avoid building a new kernel every time. Is the NAT-T
stuff a module by any chance? What's the minimal work solution here?
(2.6.25 updates are frequent.)
Since F9 ships with openswan 2.6.09, I intend to build openswan 2.6.14.
Any pitfalls of which I should be aware?
Why would I choose KLIPS instead of NETKEY (or vice versa)? Note that
prior experience is not a factor for me, as I'll be new to either.
Reading the mailing list, one post mentions PSK doesn't work well with
NAT-T clients and I should use x.509 certs. Is that still the case?
Can I use PAM or some other currently existing auth scheme instead of
chap-secrets? (I suppose this is an xl2tpd question, but any advice?
This would be the deal breaker, because I'm trying to avoid foo-secret
plaintext password files.)
Am I way off base on any of these issues and/or my questions nonsense?
More information about the Users