[Openswan Users] L2TP IPSec with multiple customers using roadwarrior configuration

Paul Wouters paul at xelerance.com
Mon Oct 3 11:23:29 EDT 2011


On Tue, 4 Oct 2011, Geekman wrote:

> Because I want it in a road warrior configuration, I'm aware that I'd
> need to specify something like:
>
> SERVER_IP %any: "CustomerOnePSK"
>
> However, obviously I'd want different PSKs for each customer ideally,
> but that's not really going to fly unless I have different customers
> connect to a different public IP on the VPN server, right?

Correct. The safer method would be using certificates.

> I was considering, for about a second, just having each customer use
> the PSK, but from what I understand the PSK is an encryption key, not
> a password - and should not be treated as such? So this would be a
> definite no.

The PSK is a shared secret to start the privacy channel. It is not the
encryption key itself. The encryption key is a session key generated
based on both ends' crypto negotiation. When using PFS, the key changes
regularly, but most (at least Win7 and earlier) don't do PFS.

> A separate IP for each customer isn't too much of a stretch, as we'll
> be doing NAT on the same server anyway. So I guess, if I am right on
> the above, the deciding factor between L2TP and PPTP is really remote
> end point support.

Adding an identifying public IP on the gateway would likely be the
easiest solution, yes.

> I know anything down to XP/2000 (with patch) can be supported, but I'm
> wondering what the general experience is when trying to support L2TP
> with IPSec vs. PPTP. I know with PPTP (at least, deployed on Windows)
> has given us very few problems itself. So I guess what I'm getting at
> is, would you consider L2TP to be less supported by common end-user
> platforms than PPTP?

I've never used PPTP with crypto. From what I gather, you should not trust it,
seeing that even the vendor who invented it has gone another way.

> Of course, I'm not trying to say I expect there to be no issues with
> it. There will always be problems.

Yes, if you have multiple roadwarriors on the same internal IP or connecting
from behind the same NAT router, you will need IPsec SAref support on your
gateway.

Paul
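Sketch of the two approaches discussed in this thread, added here as an illustration and not taken from the thread or from Openswan's own documentation: one L2TP/IPsec conn per dedicated gateway IP, each keyed to its own PSK in ipsec.secrets, beside the certificate-based conn Paul recommends. Addresses, file names and secrets are made-up placeholders.

```ini
# /etc/ipsec.secrets  (constructed example, not from the thread)
# Each line keys the PSK on the local address the client dials, so a
# road warrior (%any) reaching 192.0.2.10 gets a different secret from
# one reaching 192.0.2.11. One %any line per gateway IP is the limit:
# two customers behind the same gateway IP would have to share a PSK.
192.0.2.10 %any : PSK "placeholder-psk-customer-one"
192.0.2.11 %any : PSK "placeholder-psk-customer-two"

# /etc/ipsec.conf  (constructed example)
conn l2tp-psk-base
    type=transport
    authby=secret
    pfs=no                    # most Windows clients will not negotiate PFS
    leftprotoport=17/1701
    rightprotoport=17/%any    # client source port varies behind NAT
    right=%any
    rightsubnet=vhost:%priv,%no
    overlapip=yes             # SAref: several clients behind one NAT router
    auto=add

conn l2tp-customer-one
    also=l2tp-psk-base
    left=192.0.2.10           # dedicated public IP selects the PSK above

conn l2tp-customer-two
    also=l2tp-psk-base
    left=192.0.2.11

# Certificate-based alternative: one gateway IP serves every customer and
# each client is told apart by its own certificate, not by a shared PSK.
conn l2tp-cert
    type=transport
    authby=rsasig
    left=192.0.2.10
    leftcert=gateway.pem      # placeholder file name
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightca=%same             # accept only clients signed by the gateway's CA
    leftprotoport=17/1701
    rightprotoport=17/%any
    pfs=no
    auto=add
```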

