[Openswan Users] First time setup common questions

Paul Wouters paul at xelerance.com
Sun Jun 15 22:58:32 EDT 2008


On Sun, 15 Jun 2008, Richard Michael wrote:

> I'm planning on migrating a VPN setup to openswan with xl2tpd (using
> Fedora 9 for convenience).  This means (currently) kernel 2.6.25.6, but
> with Fedora patches.
>
> The server is behind a NAT'd router on a garden variety broadband
> connection.  I don't see CONFIG_IPSEC_NAT_TRAVERSAL in /boot/config*
> files; so I assume the patch isn't merged mainline yet, nor has Fedora
> done the work for me.  Do I need to patch this kernel?

You only need the NAT-T patch for KLIPS, not NETKEY. And hopefully soon
no longer for NETKEY either, on kernels 2.6.23+.

> Since F9 ships with openswan 2.6.09, I intend to build openswan 2.6.14.
> Any pitfalls of which I should be aware?

No. I wonder why Fedora hasn't kept up with RHEL 5.2 and shipped something
newer yet. Note that you can just download openswan and use its own spec file
in openswan-2.6.14/packaging/fedora/openswan.spec to build.

> Why would I choose KLIPS instead of NETKEY (or vice versa)?  Note that
> prior experience is not a factor for me, as I'll be new to either.

Currently, KLIPS is not very stable on 2.6.24+ kernels. I'd stick with
NETKEY for now. Though one feature KLIPS has that NETKEY does not have
is IPsec SAref tracking (see doc/ipsecsaref.png), needed to support
complex l2tp scenarios.

> Reading the mailing list, one post mentions PSK doesn't work well with
> NAT-T clients and I should use x.509 certs.  Is that still the case?

It is inherently bad, yes. Use X.509. If you need help with generating
certificates and a CA, look at testing/x509/dist_certs, which is used
to generate a CA and a wide variety of certs for the testing code.

> Can I use PAM or some other currently existing auth scheme instead of
> chap-secrets?  (I suppose this is an xl2tpd question, but any advice?
> This would be the deal breaker, because I'm trying to avoid foo-secret
> plaintext password files.)

If you use X.509 certs (not PSK) then you have no plaintext passwords
anywhere. xl2tpd calls pppd, which can call whatever you want with its
own auth modules (e.g. PAM or RADIUS).

Paul
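Paul's advice above is to drop PSK for X.509 on a NAT'd gateway and to build the CA yourself (he points at testing/x509/dist_certs in the openswan tree). The script below is an added example, not code from the thread or from the Openswan project: it uses plain openssl to mint a CA, a gateway cert and a road-warrior client cert, then checks which certs chain to that CA. The CA name, the CN values, the working directory and the staging layout under it are assumptions; the only Openswan-specific thing it relies on is the standard /etc/ipsec.d/{cacerts,certs,private} layout, which it reproduces in a scratch directory rather than touching /etc.

```shell
#!/bin/sh
# Added example for the Openswan X.509 discussion above; not from the thread
# or the Openswan project. Names, CNs and paths are assumptions.
set -eu

# Scratch directory so the demo never writes under /etc.
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME CN: self-signed CA key + cert (10 years, no passphrase).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_cert CA NAME CN: end-entity key + CSR, signed by CA (1 year).
make_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_chain CA NAME: prints OK if NAME.pem chains to CA.pem, else FAIL.
# This is the check Openswan performs when a conn sets rightca=%same:
# a peer cert from any other CA must be refused.
verify_chain() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# stage_gateway CA NAME: copy files into the Openswan directory layout
# (assumed to be rooted at $WORK/etc here instead of /etc) and print the
# ipsec.secrets line that tells pluto where the private key lives.
stage_gateway() {
  d="$WORK/etc/ipsec.d"
  mkdir -p "$d/cacerts" "$d/certs" "$d/private"
  cp "$WORK/$1.pem" "$d/cacerts/"
  cp "$WORK/$2.pem" "$d/certs/"
  cp "$WORK/$2.key" "$d/private/"
  chmod 600 "$d/private/$2.key"
  echo ": RSA $d/private/$2.key"
}

# Demo run: our CA, a gateway cert, a client cert, and a cert from a
# second, unrelated CA standing in for an unauthorised peer.
make_ca vpnca "Example VPN CA"
make_cert vpnca gateway "vpn.example.com"
make_cert vpnca laptop "laptop.example.com"
make_ca otherca "Some Other CA"
make_cert otherca intruder "intruder.example.net"

echo "gateway:  $(verify_chain vpnca gateway)"
echo "laptop:   $(verify_chain vpnca laptop)"
echo "intruder: $(verify_chain vpnca intruder)"
stage_gateway vpnca gateway
```

The gateway and laptop certs verify OK; the intruder cert, signed by a CA the gateway does not trust, fails, which is exactly the property you lose with a shared PSK behind NAT. Per-user revocation then becomes a CRL in /etc/ipsec.d/crls rather than editing a shared secret on every client.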

