[Openswan Users] Can OpenSWAN replace OpenVPN?

Alex Crow acrow at integrafin.co.uk
Mon Jul 23 07:42:32 EDT 2012 

Here you go:

https://gsoc.xelerance.com/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd

The MAST protostack with SARefs supports the "same private IP behind two 
different routers" issue as well as multiple IPs behind the same NAT.

According to this:

https://www.openswan.org/issues/1099

NETKEY only supports the multiple private IPs behind the same router.

Cheers

Alex



On 23/07/12 12:24, Sandra Schlichting wrote:
> Hi Alex,
>
> Thanks for the info.
>
> I will give the OpenSWAN host an public IP, so I suppose that would
> free me from the double IP behind NAT problem?
>
> Hugs,
> Sandra
>
>
> On 20 July 2012 14:04, Alex Crow <acrow at integrafin.co.uk> wrote:
>> Sandra,
>>
>> I believe that IPSEC is operating in transport mode with L2TP and it's L2TP
>> that creates the tunnel to your internal network.
>>
>> BTW, one thing to watch out for is that /if/ you have two clients with the
>> same internal IP behind different NAT devices you'll have to patch the
>> kernel with the SAREF patches. Then you can specify overlapip=yes and
>> sareftrack=yes in your config. protostack=mast is required for these two
>> options to work.
>>
>> Cheers
>>
>> Alex
>>
>>
>> On 20/07/12 12:29, Sandra Schlichting wrote:
>>> Dear Alex,
>>>
>>> I see. So IPSec is just a tunnel. Very interesting =)
>>>
>>> Hugs,
>>> Sandra
>>>
>>>
>>>
>>> On 19 July 2012 13:17, Alex Crow <acrow at integrafin.co.uk> wrote:
>>>> Dear Sandra,
>>>>
>>>> To provide a private IP to the phones, you will probably need to use
>>>> IPSEC+L2TP - which most phones will support. I personally use Openswan
>>>> with
>>>> xl2tpd.
>>>>
>>>> Good starting points here:
>>>>
>>>> http://www.jacco2.dds.nl/networking/openswan-l2tp.html
>>>>
>>>> Cheers
>>>>
>>>> Alex
>>>>
>>>>
>>>> On 19/07/12 11:59, Sandra Schlichting wrote:
>>>>> Dear readers,
>>>>>
>>>>> I have a working OpenVPN setup right now, where users can connect the
>>>>> the private network at home with their computers.
>>>>>
>>>>> However most phones only support IPSec, so I would like to offer the
>>>>> same service for phones with IPSec as I do for computers with OpenVPN.
>>>>>
>>>>> Problem
>>>>>
>>>>> I can't find any tutorials that describes how to configure OpenSWAN to
>>>>> offer a private IP to the client.
>>>>>
>>>>> With my OpenVPN, clients have to provide a key and passphrase to get
>>>>> access. On Android/iPhone I suppose a key is not possible, so it would
>>>>> be fine with only a passphrase.
>>>>>
>>>>> Question
>>>>>
>>>>> Can OpenSWAN be configured to give a private IP to the clients,
>>>>> similar to my OpenVPN setup?
>>>>>
>>>>> OpenVPN config
>>>>>
>>>>> port 1194
>>>>> proto udp
>>>>> dev tun
>>>>> ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
>>>>> cert /etc/openvpn/secrets/server.crt
>>>>> key /etc/openvpn/secrets/server.key
>>>>> dh /etc/openvpn/secrets/dh1024.pem
>>>>> server 192.168.240.0 255.255.255.0
>>>>> ifconfig-pool-persist ipp.txt
>>>>> push "route 10.10.64.0  255.255.252.0"
>>>>> push "dhcp-option DNS xxx.xxx.xxx.xxx"
>>>>> duplicate-cn
>>>>> keepalive 10 120
>>>>> comp-lzo
>>>>> user openvpn
>>>>> group openvpn
>>>>> persist-key
>>>>> persist-tun
>>>>> status /var/log/openvpn-status.log
>>>>> log-append  /var/log/openvpn.log
>>>>> verb 4
>>>>> mute 20
>>>>> plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
>>>>> "/etc/openvpn/auth/ldap.conf"
>>>>> script-security 2
>>>>> auth-user-pass-verify /etc/openvpn/scripts/check_cn_on_connect.sh
>>>>> via-env
>>>>> learn-address /etc/openvpn/scripts/log_clients_ip.sh
>>>>>
>>>>> Hugs,
>>>>> Sandra
>>>>> _______________________________________________
>>>>> Users at lists.openswan.org
>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>>
>>>> --
>>>> This message is intended only for the addressee and may contain
>>>> confidential information.  Unless you are that person, you may not
>>>> disclose its contents or use it in any way and are requested to delete
>>>> the message along with any attachments and notify us immediately.
>>>>
>>>> "Transact" is operated by Integrated Financial Arrangements plc
>>>> Domain House, 5-7 Singer Street, London  EC2A 4BQ
>>>> Tel: (020) 7608 4900 Fax: (020) 7608 5300
>>>> (Registered office: as above; Registered in England and Wales under
>>>> number:
>>>> 3727592)
>>>> Authorised and regulated by the Financial Services Authority (entered on
>>>> the
>>>> FSA Register; number: 190856)
>>>>
>>>> _______________________________________________
>>>> Users at lists.openswan.org
>>>> https://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
>> --
>> This message is intended only for the addressee and may contain
>> confidential information.  Unless you are that person, you may not
>> disclose its contents or use it in any way and are requested to delete
>> the message along with any attachments and notify us immediately.
>>
>> "Transact" is operated by Integrated Financial Arrangements plc
>> Domain House, 5-7 Singer Street, London  EC2A 4BQ
>> Tel: (020) 7608 4900 Fax: (020) 7608 5300
>> (Registered office: as above; Registered in England and Wales under number:
>> 3727592)
>> Authorised and regulated by the Financial Services Authority (entered on the
>> FSA Register; number: 190856)
>>


-- 
This message is intended only for the addressee and may contain
confidential information.  Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.

"Transact" is operated by Integrated Financial Arrangements plc
Domain House, 5-7 Singer Street, London  EC2A 4BQ
Tel: (020) 7608 4900 Fax: (020) 7608 5300
(Registered office: as above; Registered in England and Wales under number: 3727592)
Authorised and regulated by the Financial Services Authority (entered on the FSA Register; number: 190856)

More information about the Users mailing list