Linux Archive

Thread: IPSEC How To? (http://www.linux-archive.org/centos/653037-ipsec-how.html)

Helmut Drodofsky 04-05-2012 02:55 PM

IPSEC How To?
 
Hello,

now I have spent many hours to configure openswan for VPN connections
without any success.

My goal:

VPN Server CentOS 6 with public IPv4
VPN Client (= road warrior) from private site with NAT router or from
mobile cell with Linux, Windows 7, Mac, iPhone or Android

Is there any how to in the net?

When I read
file:///usr/share/doc/openswan-doc-2.6.32/config.html
then I believe there is no solution. It is written that I have to
reconfigure the NAT router of the mobile provider or the hardware NAT
router of the private DSL uplink.

Both are impossible.

Thank you for help in advance.

Helmut

Helmut Drodofsky

Internet XS Service GmbH
Heßbrühlstraße 15
70565 Stuttgart

Geschäftsführung
Dr.-Ing. Roswitha Hahn-Drodofsky
HRB 21091 Stuttgart
USt.ID: DE190582774
Tel. 0711 781941 0
Fax: 0711 781941 79
Mail: info@internet-xs.de
www.internet-xs.de




_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Les Mikesell 04-05-2012 03:05 PM

IPSEC How To?
 
On Thu, Apr 5, 2012 at 9:55 AM, Helmut Drodofsky
<drodofsky@internet-xs.de> wrote:
>
> now I have spent many hours to configure openswan for VPN connections
> without any success.
>
> My goal:
>
> VPN Server CentOS 6 with public IPv4
> VPN Client (= road warrior) from private site with NAT router or from
> mobile cell with Linux, Windows 7, Mac, iPhone or Android
>
> Is there any how to in the net?
>
> When I read
> file:///usr/share/doc/openswan-doc-2.6.32/config.html
> then I believe there is no solution. It is written that I have to
> reconfigure the NAT router of the mobile provider or the hardware NAT
> router of the private DSL uplink.
>
> Both are impossible.
>
> Thank you for help in advance.

Can you use openvpn instead of IPsec? It can run over udp and is
nat-friendly. I think you need root access on android and a
jailbroken iphone to make the clients work there, though.

--
Les Mikesell

Patrick Lists 04-05-2012 04:47 PM

IPSEC How To?
 
On 04/05/2012 04:55 PM, Helmut Drodofsky wrote:
> Hello,
>
> now I have spent many hours to configure openswan for VPN connections
> without any success.
>
> My goal:
>
> VPN Server CentOS 6 with public IPv4
> VPN Client (= road warrior) from private site with NAT router or from
> mobile cell with Linux, Windows 7, Mac, iPhone or Android
>
> Is there any how to in the net?
>
> When I read
> file:///usr/share/doc/openswan-doc-2.6.32/config.html
> then I believe there is no solution. It is written that I have to
> reconfigure the NAT router of the mobile provider or the hardware NAT
> router of the private DSL uplink.
>
> Both are impossible.

Maybe you get better luck on the Openswan mailing list but I would not
get my hopes up. One of the Openswan developers has repeatedly mentioned
that IPsec does not like NAT. Les' suggestion to try OpenVPN is what I
did and it works well assuming you can find the tun.ko kernel module for
your Android phone. I don't know if there is an OpenVPN client for
Windows phone or iPhone.

Regards,
Patrick

Ross Walker 04-06-2012 01:20 PM

IPSEC How To?
 
On Apr 5, 2012, at 10:55 AM, Helmut Drodofsky <drodofsky@internet-xs.de> wrote:

> Hello,
>
> now I have spent many hours to configure openswan for VPN connections
> without any success.
>
> My goal:
>
> VPN Server CentOS 6 with public IPv4
> VPN Client (= road warrior) from private site with NAT router or from
> mobile cell with Linux, Windows 7, Mac, iPhone or Android
>
> Is there any how to in the net?
>
> When I read
> file:///usr/share/doc/openswan-doc-2.6.32/config.html
> then I believe there is no solution. It is written that I have to
> reconfigure the NAT router of the mobile provider or the hardware NAT
> router of the private DSL uplink.
>
> Both are impossible.

Long, long time ago in a datacenter far far away I managed to cobble openswan/racoon to provide L2TP VPN connectivity for WinXP. It was a great big hack at the time, but it can be done.

IPSec can work over NAT if the implementation supports the latest RFCs that allow for NAT traversal and I believe L2TP is the mobile IPSec VPN protocol of choice. It is basically PPTP wrapped in IPSec where the IPSec key is the client X.509 certificate and the PPTP uses mschap authentication.

This is the most secure as it only allows those clients that have a certificate issued from your CA to connect.

Don't have a CA, don't know about PKI, then use PPTP with 128-bit encryption as it's easier to get going and universally supported.

-Ross

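
The road-warrior setup Ross describes above (transport-mode IPsec with NAT traversal carrying L2TP on UDP/1701, a pre-shared key instead of certificates, MS-CHAP on the PPP leg) written out as an added example: a shell script that stages the openswan 2.6 and xl2tpd files into a directory for review before they go to /etc. This is not code from the thread or from the linked how-tos, though it follows the same ipsec.conf layout. The server address 203.0.113.10, the pool 10.99.0.0/24, the LAN 192.168.1.0/24, the user alice and both secrets are placeholders.

```shell
#!/bin/sh
# Added example: stage an openswan + xl2tpd L2TP/IPsec road-warrior config
# (PSK + NAT-T) under a directory. All addresses/secrets are placeholders.
set -e

SRV_IP=203.0.113.10               # public IPv4 of the CentOS 6 server
LAN_NET=192.168.1.0/24            # server's own LAN, excluded from virtual_private
POOL_GW=10.99.0.1                 # address the server takes on the PPP links
POOL_RANGE=10.99.0.10-10.99.0.250 # addresses handed to clients

# One IKE PSK is shared by every road warrior, so losing one laptop or phone
# exposes it for all of them (which is why certificates are preferable).
# Refuse anything short.
psk_is_strong() {
  [ "${#1}" -ge 20 ]
}

write_l2tp_ipsec_config() {
  root=$1; psk=$2
  psk_is_strong "$psk" || { echo "PSK too short" >&2; return 1; }
  mkdir -p "$root/etc/xl2tpd" "$root/etc/ppp"

  # openswan: nat_traversal=yes plus rightsubnet=vhost:%priv is what lets
  # clients behind a NAT router or a mobile carrier's NAT connect.
  cat > "$root/etc/ipsec.conf" <<EOF
version 2.0

config setup
    protostack=netkey
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$LAN_NET

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    left=$SRV_IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
EOF

  printf '%s %%any: PSK "%s"\n' "$SRV_IP" "$psk" > "$root/etc/ipsec.secrets"
  chmod 600 "$root/etc/ipsec.secrets"

  cat > "$root/etc/xl2tpd/xl2tpd.conf" <<EOF
[global]
ipsec saref = no
listen-addr = $SRV_IP

[lns default]
ip range = $POOL_RANGE
local ip = $POOL_GW
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

  # pppd: accept only MS-CHAPv2 for the inner (user) authentication.
  cat > "$root/etc/ppp/options.xl2tpd" <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns $POOL_GW
noccp
auth
mtu 1280
mru 1280
nodefaultroute
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
EOF

  printf '# client  server  secret  IP\nalice  l2tpd  "alice-ppp-secret"  *\n' \
    > "$root/etc/ppp/chap-secrets"
  chmod 600 "$root/etc/ppp/chap-secrets"
}

# Firewall: IKE (500), NAT-T (4500), ESP for clients not behind NAT, and
# UDP/1701 only when it arrived inside IPsec, so nobody can talk plain L2TP
# to xl2tpd and get by on the PPP password alone.
write_firewall_rules() {
  cat > "$1" <<EOF
iptables -A INPUT -p udp --dport 500  -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
EOF
}

# Usage: sh stage-l2tp-ipsec.sh /tmp/stage 'long-random-shared-secret'
if [ $# -ge 2 ]; then
  write_l2tp_ipsec_config "$1" "$2"
  write_firewall_rules "$1/firewall.sh"
  echo "staged under $1; review, copy to /etc, then run 'ipsec verify'"
fi
```

After copying the files into place, `ipsec verify` will flag the usual sysctl prerequisites (IP forwarding on, ICMP redirects off) before the first client is tried; the `-m policy --pol ipsec` rule is the one check not to skip, because without it the PSK adds nothing for an attacker who simply sends L2TP to port 1701 in the clear.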

Ross Walker 04-06-2012 01:34 PM

IPSEC How To?
 
On Apr 6, 2012, at 9:20 AM, Ross Walker <rswwalker@gmail.com> wrote:

> On Apr 5, 2012, at 10:55 AM, Helmut Drodofsky <drodofsky@internet-xs.de> wrote:
>
>> Hello,
>>
>> now I have spent many hours to configure openswan for VPN connections
>> without any success.
>>
>> My goal:
>>
>> VPN Server CentOS 6 with public IPv4
>> VPN Client (= road warrior) from private site with NAT router or from
>> mobile cell with Linux, Windows 7, Mac, iPhone or Android
>>
>> Is there any how to in the net?
>>
>> When I read
>> file:///usr/share/doc/openswan-doc-2.6.32/config.html
>> then I believe there is no solution. It is written that I have to
>> reconfigure the NAT router of the mobile provider or the hardware NAT
>> router of the private DSL uplink.
>>
>> Both are impossible.
>
> Long, long time ago in a datacenter far far away I managed to cobble openswan/racoon to provide L2TP VPN connectivity for WinXP. It was a great big hack at the time, but it can be done.
>
> IPSec can work over NAT if the implementation supports the latest RFCs that allow for NAT traversal and I believe L2TP is the mobile IPSec VPN protocol of choice. It is basically PPTP wrapped in IPSec where the IPSec key is the client X.509 certificate and the PPTP uses mschap authentication.
>
> This is the most secure as it only allows those clients that have a certificate issued from your CA to connect.
>
> Don't have a CA, don't know about PKI, then use PPTP with 128-bit encryption as it's easier to get going and universally supported.

Here is a how-to on openswan l2tp.

Seems PSKs are also supported so no PKI is necessary.

-Ross


Ross Walker 04-06-2012 01:35 PM

IPSEC How To?
 
On Apr 6, 2012, at 9:34 AM, Ross Walker <rswwalker@gmail.com> wrote:

> Here is a how-to on openswan l2tp.
>
> Seems PSKs are also supported so no PKI is necessary.

Oops forgot the link:

http://www.jacco2.dds.nl/networking/openswan-l2tp.html



Patrick Lists 04-06-2012 03:14 PM

IPSEC How To?
 
On 04/06/2012 03:35 PM, Ross Walker wrote:
> On Apr 6, 2012, at 9:34 AM, Ross Walker<rswwalker@gmail.com> wrote:
>
>> Here is a how-to on openswan l2tp.
>>
>> Seems PSKs are also supported so no PKI is necessary.
>
> Oops forgot the link:
>
> http://www.jacco2.dds.nl/networking/openswan-l2tp.html

Here's another one:

https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd

Regards,
Patrick

