[Openswan Users] A few questions... I'd like to RTFM, but...

Paul Wouters paul at xelerance.com
Sun Sep 5 13:17:33 EDT 2010

On Sat, 4 Sep 2010, Troy Telford wrote:

> I've been setting it up to use certificates, and the book is most
> helpful there, however there are a few things that are still unclear to
> me:
> 1.)  How are 'internal' VPN'd IP addresses handled for a 'pure' IPsec
> connection?  So far, it seems that the 'internal' IP address needs to
> be configured statically, and part of my brain refuses to accept that
> static IP address assignment is the only option for pure IPsec...  Is
> there a mechanism for an internal IP address to be auto-assigned after
> an IPSec connection is established?

There is XAUTH that tried to address this, but the the dhcp-over-ipsec
never really made it. So for IP assignments, the world has moved to
using L2TP unfortunately. It is what is supported out of the box on
the major OSes (windows, osx, etc)

> 2.)  If I want to have 'nice' things automatically assigned to my VPN
> clients via DHCP (like assigning an IP addresses, an internal DNS
> server, etc.) is L2TP the only way to do it?


> 3.)  In examples and in the mailing list archive, I keep seeing:
> 	rightsubnet=vhost:%no,%priv
> I cannot find where the vhost: is documented; I'm curious about what
> it's for, as well as the arguments it's providing.  I certainly can't
> find the documentation in 'man ipsec.conf'

vhost means "pick/allow the virtual IP", that is the native IP before NAT.
The "%priv" means "allow any virtual ip from the virtual_private line,
which normally includes all of RFC1918 address space. %no means that
the client has no virtual ip because it is on a real public ip.

> 4.)  This is mainly curiosity:  The Openswan book has a chapter
> dedicated to opportunistic encryption - just how commonly is OE used on
> the internet at large?  Since my site is merely a 'consumer' of data,
> not a producer, is it likely that I'd end up using OE if I were to set
> it up?  Or would it be more of an academic excersise...

It is currently kind of a dead end until things are restarted again with
new and updated DNS(SEC) records and a NAT-NAT method. I would not recommend
using it right now.


More information about the Users mailing list