[Openswan Users] Setup openswan with roadwarrior configuration to ipsecuritas using PSK IKE

Troy Telford ttelford.groups at gmail.com
Mon Sep 13 16:09:31 EDT 2010


On 2010-09-10 12:51:47 -0600, Terron Wright said:

> I am trying to configure openswan on Ubuntu 10.04. I have it installed 
> correctly and have tried configuring a road warrior connection. I am 
> having all types of issues. The clients are using ipsecuritas. I want 
> to use a pre-shared key IKE only. Can someone point me in the right 
> direction with openswan and ipsecuritas? I have not been successful at 
> all.

I've been doing something similar with a Debian (sid) system; so things 
should be nearly identical between Debian and Ubuntu.  (I'm familiar 
with both, of course.)  There are a couple of threads only a couple of 
weeks old in this mailing list that I've been using to discuss the 
issues I've had.

As far as the "right direction":  There was little that was helpful in 
your initial post:  nothing of your Ubuntu ipsec.conf, firewall rules, 
or of your OS X configuration.  That doesn't give us much to work with.

That being said, I'll do what pointing I can - and know that I started 
from the same place as you a couple of weeks ago.

I too initially wanted to do a pure IPsec VPN, and have my road 
warriors connect using ipsecuritas as well.  I was aware that OS X and 
Windows have native L2TP clients, but I wanted to do it "right" with a 
pure IPsec VPN - even if I did need to use an add-on software client.

Here are a few things I've learned:
1.)  If you want to have IP addresses, routes, and DNS auto-assigned to 
your clients, L2TP unfortunately seems to be the way to go.   
dhcp-over-ipsec never really made it.
2.)  L2TP seems to be the direction accepted by the industry; if only 
because both Windows and OS X have native support for L2TP.  (As well 
as iOS, probably Android and others...)
3.)  I still don't know how to make a pure IPsec VPN and connect using 
IP Securitas.  I'm not quite sure how IP addresses are supposed to be 
assigned with a pure IPsec configuration.  I'm thinking it has to be a 
manual config for each client - but how to do that manual config eludes 
me as well - partly because of item #4.
4.)  It's easy for an ISP or anybody else to block an IPsec VPN.

Getting IPsec with l2tp configured (via the xl2tpd daemon) is 
documented fairly well:
http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd/

His config has both IPsec+l2tp, as well as the "pure" IPsec connections 
configured, and it covers how to set up and use x.509 certificates.

If you use l2tp, use the xl2tpd package/daemon (maintained by 
xelerance) instead of l2tpd (which is not maintained).

I feel it's more prudent to use x.509 certificates instead of a PSK, no 
matter how few clients you may have.  It's honestly not that hard to 
configure and use x.509.  It takes me all of 5 minutes to set up a new 
CA, generate keys for the server and a few clients, and sign the server 
& client certificates.  Then if you need to revoke access to just one 
of the clients, you revoke only that client's certificate.  That way 
you don't have to change the PSK every time somebody has access rights 
removed - or if a client's computer is compromised.

To quote from Paul & Ken's book "Building and integrating virtual 
private networks with Openswan":
"People believe a PSK is like a passphrase on their PGP key, but this 
is wrong.  A PSK is not a password or passphrase.  A pre-shared secret 
is used as the *key!*  . . .  Using a PSK like 'test' or even a line 
of random characters is just not good enough.  It can be easily cracked 
on modern CPUs.  Do not use PSK unless you have to."

Given that Paul & Ken are openswan developers, they probably know a 
little bit of how openswan works.  If they say a PSK is just not good 
enough, I'll listen to them...

If you're interested, my config is in the list archive, in the thread titled:
"xl2tpd not responding - why?"
-- 
Troy Telford
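The "5 minutes to set up a new CA" workflow Troy describes above, written out as an added example (this is not code from the thread, from Nate Carlson's page, or from Openswan itself). It builds a throwaway X.509 PKI with nothing but the openssl command line: a CA, a certificate for the gateway and for two road warriors, a CRL, and then revocation of a single client. The subject names, the file names, the one-year validity and the temporary working directory are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan: a throwaway X.509 PKI
# for an Openswan road-warrior setup, showing the per-client revocation the post
# argues for. Only the openssl CLI is used; subjects, file names and the
# one-year validity are illustrative assumptions.
set -eu

# new_ca: create a fresh working directory, a minimal openssl.cnf for the
# `openssl ca` subcommand, a self-signed CA and an (initially empty) CRL.
new_ca() {
  PKI=$(mktemp -d)
  mkdir -p "$PKI/newcerts"
  : > "$PKI/index.txt"            # `openssl ca` database of issued certs
  echo 1000 > "$PKI/serial"
  echo 1000 > "$PKI/crlnumber"
  cat > "$PKI/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $PKI
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = vpn_policy
[ vpn_policy ]
countryName = optional
organizationName = optional
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_end ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$PKI/openssl.cnf" -extensions v3_ca \
    -subj "/C=US/O=Example VPN/CN=Example VPN CA" \
    -keyout "$PKI/ca.key" -out "$PKI/ca.pem" 2>/dev/null
  gen_crl
}

# gen_crl: (re)issue the CRL from index.txt; Openswan reads CRLs from /etc/ipsec.d/crls/
gen_crl() {
  openssl ca -config "$PKI/openssl.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null
}

# issue_cert NAME: private key + CSR + CA-signed certificate, recorded in index.txt
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$PKI/openssl.cnf" \
    -subj "/C=US/O=Example VPN/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  openssl ca -batch -config "$PKI/openssl.cnf" -extensions v3_end \
    -in "$PKI/$1.csr" -out "$PKI/$1.pem" 2>/dev/null
}

# revoke_cert NAME: mark one client's certificate revoked and publish a new CRL;
# every other client keeps working and no shared secret has to change.
revoke_cert() {
  openssl ca -config "$PKI/openssl.cnf" -revoke "$PKI/$1.pem" 2>/dev/null
  gen_crl
}

# verify_cert NAME: exit 0 only if the certificate chains to the CA and is
# absent from the current CRL, which is the check the IKE daemon makes on a peer.
verify_cert() {
  openssl verify -crl_check -CAfile "$PKI/ca.pem" -CRLfile "$PKI/crl.pem" \
    "$PKI/$1.pem" >/dev/null 2>&1
}

# Walk-through: CA, gateway cert, two road warriors, then cut off one of them.
new_ca
issue_cert gateway
issue_cert alice
issue_cert bob
revoke_cert bob
for n in alice bob; do
  if verify_cert "$n"; then echo "$n: accepted"; else echo "$n: rejected (revoked)"; fi
done
echo "PKI files in $PKI"
```

To use the output with Openswan, the CA certificate goes under /etc/ipsec.d/cacerts/, the gateway certificate under /etc/ipsec.d/certs/, its private key under /etc/ipsec.d/private/ (referenced from ipsec.secrets with a `: RSA gateway.key` line), and crl.pem under /etc/ipsec.d/crls/; the road-warrior `conn` then uses `authby=rsasig` with `leftcert=` pointing at the gateway certificate instead of a PSK entry in ipsec.secrets. Every time a client is revoked, regenerate the CRL and reload it; the remaining clients' certificates and keys stay untouched, which is exactly the property a single shared PSK cannot give you.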