[Openswan Users] Can OpenSWAN replace OpenVPN?

Alex Crow acrow at integrafin.co.uk
Mon Jul 23 07:32:13 EDT 2012


Sandra,

Not really - the problem is when you have multiple "client" devices 
behind the same NAT (i.e. you have 3 clients sitting in the same coffee 
shop) or you have more than one device that is on the same private IP 
range behind different public IPs (e.g. the common default for most 
wireless routers being 192.168.0.0/24).

Actually, now I mention it, I'm not sure which of the above (or even both) 
the patch fixes, but I applied it as I know both of the above are likely to 
happen at some point.

Cheers

Alex

On 23/07/12 12:24, Sandra Schlichting wrote:
> Hi Alex,
>
> Thanks for the info.
>
> I will give the OpenSWAN host a public IP, so I suppose that would
> free me from the double IP behind NAT problem?
>
> Hugs,
> Sandra
>
>
> On 20 July 2012 14:04, Alex Crow <acrow at integrafin.co.uk> wrote:
>> Sandra,
>>
>> I believe that IPSEC is operating in transport mode with L2TP and it's L2TP
>> that creates the tunnel to your internal network.
>>
>> BTW, one thing to watch out for is that /if/ you have two clients with the
>> same internal IP behind different NAT devices you'll have to patch the
>> kernel with the SAREF patches. Then you can specify overlapip=yes and
>> sareftrack=yes in your config. protostack=mast is required for these two
>> options to work.
>>
>> Cheers
>>
>> Alex
>>
>>
>> On 20/07/12 12:29, Sandra Schlichting wrote:
>>> Dear Alex,
>>>
>>> I see. So IPSec is just a tunnel. Very interesting =)
>>>
>>> Hugs,
>>> Sandra
>>>
>>>
>>>
>>> On 19 July 2012 13:17, Alex Crow <acrow at integrafin.co.uk> wrote:
>>>> Dear Sandra,
>>>>
>>>> To provide a private IP to the phones, you will probably need to use
>>>> IPSEC+L2TP - which most phones will support. I personally use Openswan
>>>> with
>>>> xl2tpd.
>>>>
>>>> Good starting points here:
>>>>
>>>> http://www.jacco2.dds.nl/networking/openswan-l2tp.html
>>>>
>>>> Cheers
>>>>
>>>> Alex
>>>>
>>>>
>>>> On 19/07/12 11:59, Sandra Schlichting wrote:
>>>>> Dear readers,
>>>>>
>>>>> I have a working OpenVPN setup right now, where users can connect to
>>>>> the private network at home with their computers.
>>>>>
>>>>> However most phones only support IPSec, so I would like to offer the
>>>>> same service for phones with IPSec as I do for computers with OpenVPN.
>>>>>
>>>>> Problem
>>>>>
>>>>> I can't find any tutorials that describe how to configure OpenSWAN to
>>>>> offer a private IP to the client.
>>>>>
>>>>> With my OpenVPN, clients have to provide a key and passphrase to get
>>>>> access. On Android/iPhone I suppose a key is not possible, so it would
>>>>> be fine with only a passphrase.
>>>>>
>>>>> Question
>>>>>
>>>>> Can OpenSWAN be configured to give a private IP to the clients,
>>>>> similar to my OpenVPN setup?
>>>>>
>>>>> OpenVPN config
>>>>>
>>>>> port 1194
>>>>> proto udp
>>>>> dev tun
>>>>> ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
>>>>> cert /etc/openvpn/secrets/server.crt
>>>>> key /etc/openvpn/secrets/server.key
>>>>> dh /etc/openvpn/secrets/dh1024.pem
>>>>> server 192.168.240.0 255.255.255.0
>>>>> ifconfig-pool-persist ipp.txt
>>>>> push "route 10.10.64.0  255.255.252.0"
>>>>> push "dhcp-option DNS xxx.xxx.xxx.xxx"
>>>>> duplicate-cn
>>>>> keepalive 10 120
>>>>> comp-lzo
>>>>> user openvpn
>>>>> group openvpn
>>>>> persist-key
>>>>> persist-tun
>>>>> status /var/log/openvpn-status.log
>>>>> log-append  /var/log/openvpn.log
>>>>> verb 4
>>>>> mute 20
>>>>> plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
>>>>> script-security 2
>>>>> auth-user-pass-verify /etc/openvpn/scripts/check_cn_on_connect.sh via-env
>>>>> learn-address /etc/openvpn/scripts/log_clients_ip.sh
>>>>>
>>>>> Hugs,
>>>>> Sandra
>>>>> _______________________________________________
>>>>> Users at lists.openswan.org
>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>>
>>>> --
>>>> This message is intended only for the addressee and may contain
>>>> confidential information.  Unless you are that person, you may not
>>>> disclose its contents or use it in any way and are requested to delete
>>>> the message along with any attachments and notify us immediately.
>>>>
>>>> "Transact" is operated by Integrated Financial Arrangements plc
>>>> Domain House, 5-7 Singer Street, London  EC2A 4BQ
>>>> Tel: (020) 7608 4900 Fax: (020) 7608 5300
>>>> (Registered office: as above; Registered in England and Wales under
>>>> number:
>>>> 3727592)
>>>> Authorised and regulated by the Financial Services Authority (entered on
>>>> the
>>>> FSA Register; number: 190856)
>>>>
>>
>>
>>


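As an added example (not part of this thread and not the Openswan project's own documentation), here is the shape of the Openswan/xl2tpd configuration the thread describes: IPsec in transport mode protecting only UDP/1701, L2TP/PPP handing the phone its private address, NAT traversal for clients behind wireless routers, and Alex's overlapip/sareftrack/protostack=mast settings for several clients sharing the same private IP behind different NATs. Assumptions: 203.0.113.10 is the server's public address (documentation range), the 10.10.64.0/22 LAN and the 192.168.240.0/24 client pool are borrowed from Sandra's OpenVPN config, and the PSK and file paths are placeholders. The SAREF kernel patch Alex mentions must be in place before overlapip/sareftrack are turned on.

```ini
# /etc/ipsec.conf (added example, values assumed as described above)
config setup
    # MAST stack is required for overlapip and sareftrack
    protostack=mast
    nat_traversal=yes
    # RFC1918 ranges a client may sit behind; exclude our own LAN so
    # a client "behind" 10.10.64.0/22 is never accepted
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.64.0/22

# Clients behind NAT: their inner source address is whatever their
# wireless router handed out, so accept any private address
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # IPsec only protects the L2TP control/data port; L2TP builds the tunnel
    type=transport
    left=203.0.113.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # Two clients with 192.168.0.5 behind two coffee-shop routers:
    # keep their SAs apart by reference instead of by inner IP
    overlapip=yes
    sareftrack=yes
    # Drop state for phones that silently disappear
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

# /etc/ipsec.secrets (placeholder PSK; the per-user password lives in PPP)
# 203.0.113.10 %any: PSK "REPLACE-WITH-A-LONG-RANDOM-PSK"

# /etc/xl2tpd/xl2tpd.conf
[global]
    # Let xl2tpd see the IPsec SA reference so overlapping client IPs stay distinct
    ipsec saref = yes

[lns default]
    # This is what gives the phone its private address (cf. OpenVPN "server ...")
    ip range = 192.168.240.10-192.168.240.100
    local ip = 192.168.240.1
    require chap = yes
    refuse pap = yes
    require authentication = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
```

The split in authentication is the answer to the "passphrase only" question: the PSK in ipsec.secrets is shared by every phone and only gets the IPsec transport SA up, while the per-user username/password is checked by PPP (CHAP against /etc/ppp/chap-secrets or a PAM/LDAP backend) when L2TP brings the tunnel up, which is where the private IP and the route to 10.10.64.0/22 are pushed from.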


