[Openswan Users] Can OpenSWAN replace OpenVPN?

Sandra Schlichting littlesandra88 at gmail.com
Tue Jul 24 10:19:51 EDT 2012


Thanks Alex.

Absolutely amazing. Thanks a lot =)

Hugs,
Sandra



On 23 July 2012 13:42, Alex Crow <acrow at integrafin.co.uk> wrote:
> Here you go:
>
> https://gsoc.xelerance.com/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd
>
> The MAST protostack with SARefs supports the "same private IP behind two
> different routers" issue as well as multiple IPs behind the same NAT.
>
> According to this:
>
> https://www.openswan.org/issues/1099
>
> NETKEY only supports the multiple private IPs behind the same router.
>
>
> Cheers
>
> Alex
>
>
>
> On 23/07/12 12:24, Sandra Schlichting wrote:
>>
>> Hi Alex,
>>
>> Thanks for the info.
>>
>> I will give the OpenSWAN host a public IP, so I suppose that would
>> free me from the double IP behind NAT problem?
>>
>> Hugs,
>> Sandra
>>
>>
>> On 20 July 2012 14:04, Alex Crow <acrow at integrafin.co.uk> wrote:
>>>
>>> Sandra,
>>>
>>> I believe that IPSEC is operating in transport mode with L2TP and it's
>>> L2TP that creates the tunnel to your internal network.
>>>
>>> BTW, one thing to watch out for is that /if/ you have two clients with
>>> the same internal IP behind different NAT devices you'll have to patch
>>> the kernel with the SAREF patches. Then you can specify overlapip=yes and
>>> sareftrack=yes in your config. protostack=mast is required for these two
>>> options to work.
>>>
>>> Cheers
>>>
>>> Alex
>>>
>>>
>>> On 20/07/12 12:29, Sandra Schlichting wrote:
>>>>
>>>> Dear Alex,
>>>>
>>>> I see. So IPSec is just a tunnel. Very interesting =)
>>>>
>>>> Hugs,
>>>> Sandra
>>>>
>>>>
>>>>
>>>> On 19 July 2012 13:17, Alex Crow <acrow at integrafin.co.uk> wrote:
>>>>>
>>>>> Dear Sandra,
>>>>>
>>>>> To provide a private IP to the phones, you will probably need to use
>>>>> IPSEC+L2TP - which most phones will support. I personally use Openswan
>>>>> with xl2tpd.
>>>>>
>>>>> Good starting points here:
>>>>>
>>>>> http://www.jacco2.dds.nl/networking/openswan-l2tp.html
>>>>>
>>>>> Cheers
>>>>>
>>>>> Alex
>>>>>
>>>>>
>>>>> On 19/07/12 11:59, Sandra Schlichting wrote:
>>>>>>
>>>>>> Dear readers,
>>>>>>
>>>>>> I have a working OpenVPN setup right now, where users can connect to
>>>>>> the private network at home with their computers.
>>>>>>
>>>>>> However most phones only support IPSec, so I would like to offer the
>>>>>> same service for phones with IPSec as I do for computers with OpenVPN.
>>>>>>
>>>>>> Problem
>>>>>>
>>>>>> I can't find any tutorials that describe how to configure OpenSWAN to
>>>>>> offer a private IP to the client.
>>>>>>
>>>>>> With my OpenVPN, clients have to provide a key and passphrase to get
>>>>>> access. On Android/iPhone I suppose a key is not possible, so it would
>>>>>> be fine with only a passphrase.
>>>>>>
>>>>>> Question
>>>>>>
>>>>>> Can OpenSWAN be configured to give a private IP to the clients,
>>>>>> similar to my OpenVPN setup?
>>>>>>
>>>>>> OpenVPN config
>>>>>>
>>>>>> port 1194
>>>>>> proto udp
>>>>>> dev tun
>>>>>> ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
>>>>>> cert /etc/openvpn/secrets/server.crt
>>>>>> key /etc/openvpn/secrets/server.key
>>>>>> dh /etc/openvpn/secrets/dh1024.pem
>>>>>> server 192.168.240.0 255.255.255.0
>>>>>> ifconfig-pool-persist ipp.txt
>>>>>> push "route 10.10.64.0  255.255.252.0"
>>>>>> push "dhcp-option DNS xxx.xxx.xxx.xxx"
>>>>>> duplicate-cn
>>>>>> keepalive 10 120
>>>>>> comp-lzo
>>>>>> user openvpn
>>>>>> group openvpn
>>>>>> persist-key
>>>>>> persist-tun
>>>>>> status /var/log/openvpn-status.log
>>>>>> log-append  /var/log/openvpn.log
>>>>>> verb 4
>>>>>> mute 20
>>>>>> plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
>>>>>> script-security 2
>>>>>> auth-user-pass-verify /etc/openvpn/scripts/check_cn_on_connect.sh via-env
>>>>>> learn-address /etc/openvpn/scripts/log_clients_ip.sh
>>>>>>
>>>>>> Hugs,
>>>>>> Sandra
>>>>>> _______________________________________________
>>>>>> Users at lists.openswan.org
>>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>>> Micropayments:
>>>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>>>
>>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>>>
>>>>> --
>>>>> This message is intended only for the addressee and may contain
>>>>> confidential information.  Unless you are that person, you may not
>>>>> disclose its contents or use it in any way and are requested to delete
>>>>> the message along with any attachments and notify us immediately.
>>>>>
>>>>> "Transact" is operated by Integrated Financial Arrangements plc
>>>>> Domain House, 5-7 Singer Street, London  EC2A 4BQ
>>>>> Tel: (020) 7608 4900 Fax: (020) 7608 5300
>>>>> (Registered office: as above; Registered in England and Wales under
>>>>> number: 3727592)
>>>>> Authorised and regulated by the Financial Services Authority (entered
>>>>> on the FSA Register; number: 190856)
>>>>>
>
>
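
The option dependency described in this thread (overlapip=yes and sareftrack=yes only work with protostack=mast, and the IPsec side of an L2TP setup runs in transport mode) can be checked mechanically before a config is deployed. The following is an added example, not code from the thread or from the Openswan project; the sample config, the conn name l2tp-psk and the address 192.0.2.1 are constructed, and the 17/1701 match assumes the usual leftprotoport setting for L2TP.

```python
# Added example (not from the thread): lint ipsec.conf for the MAST/SAref dependency.
SAREF_OPTS = ("overlapip", "sareftrack")

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and 'conn <name>' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line opens a section
            current = " ".join(line.split())
            sections[current] = {}
        elif current and "=" in line:      # indented key=value belongs to it
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint(text):
    """Return findings for conns whose options contradict the advice in the thread."""
    conf = parse_ipsec_conf(text)
    stack = conf.get("config setup", {}).get("protostack", "(unset)")
    defaults = conf.get("conn %default", {})
    findings = []
    for name, opts in conf.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        merged = {**defaults, **opts}      # %default values apply unless overridden
        used = [o for o in SAREF_OPTS if merged.get(o) == "yes"]
        if used and stack != "mast":
            findings.append(f"{name}: {'/'.join(used)}=yes needs protostack=mast, found {stack}")
        if merged.get("leftprotoport") == "17/1701" and merged.get("type") != "transport":
            findings.append(f"{name}: L2TP conn (17/1701) should be type=transport")
    return findings

# Constructed sample; 192.0.2.1 is a documentation address.
SAMPLE = """\
config setup
    protostack=netkey
conn l2tp-psk
    type=transport
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
    overlapip=yes
    sareftrack=yes
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```
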

