[Openswan Users] Setup openswan with roadwarrior configuration to ipsecuritas using PSK IKE
ttelford.groups at gmail.com
Mon Sep 13 16:09:31 EDT 2010
On 2010-09-10 12:51:47 -0600, Terron Wright said:
> I am trying to configure openswan on Ubuntu 10.04. I have it installed
> correctly and have tried configuring a road warrior connection. I am
> having all types of issues. The clients are using ipsecuritas. I want
> to use a pre-shared key IKE only. Can someone point me in the right
> direction with openswan and ipsecuritas. I have not been successful at
I've been doing something similar with a Debian (sid) system; so things
should be nearly identical between Debian and Ubuntu. (I'm familiar
with both, of course.) There are a couple of threads only a couple of
weeks old in this maiiing list that I've been using to discuss the
issues I've had.
As far as the "right direction": There was little that was helpful in
your initial post: nothing of your Ubuntu ipsec.conf, firewall rules,
or of your OS X configuration. That doesn't give us much to work with.
That being said, I'll do what pointing I can - and know that I started
from the same place as you a couple of weeks ago.
I too initially wanted to do a pure IPsec VPN, and have my road
warriers connect using ipsecuritas as well. I was aware that OS X and
WIndows have native L2TP clients, but I wanted to do it "right" with a
pure IPsec VPN - even if I did need to use an add-on software client.
Here are a few things I've learned:
1.) If you want to have IP addresses, routes, and DNS auto-assigned to
your clients, L2TP unfortunately seems to be the way to go.
dhcp-over-ipsec never really made it.
2.) L2TP seems to be the direction accepted by the industry; if only
because both Windows and OS X have native support for L2TP. (As well
as iOS, probably Android and others...)
3.) I still don't know how to make a pure IPsec VPN and connect using
IP Securitas. I'm not quite sure how IP addresses are supposed to be
assigned with a pure IPsec configuration. I'm thinking it has to be a
manual config for each client - but how to do that manual config eludes
me as well - partly because of item #4.
4.) It's easy for an ISP or anybody else to block an IPsec VPN.
Getting IPsec with l2tp configured (via the xl2tpd daemon) is
documented fairly well:
config has both IPsec+l2tp, as well as the "pure" IPsec connections
configured, and it covers how to set up and use x.509 certificates.
If you use l2tp, use the xl2tpd package/daemon (maintained by
xelerance) instead of l2tpd (which is not maintained).
I feel it's more prudent to use x.509 certificates instead of a PSK, no
matter how few clients you may have. It's honestly not that hard to
configure and use x.509. It takes me all of 5 minutes to set up a new
CA, generate keys for the server and a few clients, and sign the server
& client certificates. Then if you need to revoke access to just one
of the clients, you revoke only that client's certificate. That way
you don't have to change the PSK every time somebody has access rights
removed - or if a client's computer is comprimised.
To quote from Paul & Ken's book "Building and integrating virtual
private networks with Openswan":
"People believe a PSK is like a passphrase on their PGP key, but this
is wrong. A PSK is not a password or passphrase. A pre-shared secred
is used as the *key!*. . . . Using a PSK like 'test' or even a line
of random characters is just not good enough. It can be easily cracked
on modern CPUs. Do not use PSK unless you have to."
Given that Paul & Ken are openswan developers, they probably know a
little bit of how openswan works. If they say a PSK is just not good
enough, I'll listen to them...
If you're interested, my config is in the list archive, in the thread titled:
"xl2tpd not responding - why?"
More information about the Users