[strongSwan] Home network config
Daniel Mentz
danielml+mailinglists.strongswan at sent.com
Fri Feb 19 14:48:54 CET 2010
Hi Razza,
I never used the L2TP/IPsec client so I can't tell how to set it up.
If you want to use plain IPsec you have - in my opinion - the following
options:
IKEv1:
WindowsXP + NCP Secure Entry Client for Win32/64 (142 EUR)
WindowsXP + Shrew Soft VPN client (free of charge)
Windows 7 + NCP Secure Entry Client for Win32/64 (142 EUR)
IKEv2:
Windows 7 + built-in IKEv2 VPN client
If you decide to use IKEv1, you are going to set up the pluto daemon
(plutostart=yes). If you want to use IKEv2 you are going to use the
charon daemon on the strongSwan side.
You have to make sure that your NAT router forwards packets destined for
192.168.1.0/24 to your strongSwan box.
Do you know how to create X.509 certificates?
If you want to use Windows 7 you could use a connection definition which
is similar to

config setup
        # IKEv2 only: start charon, not the IKEv1 daemon pluto
        charonstart=yes
        plutostart=no

conn win7
        keyexchange=ikev2
        # the proposal the Windows 7 client sends by default
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        # the Windows 7 client tunnels all traffic (see note below)
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        # gateway certificate in /etc/ipsec.d/certs; its subjectAltName
        # must contain the FQDN given in leftid
        leftcert=razz_home_network.pem
        leftid=@vpn.razz.net
        right=%any
        # virtual IP pool handed out to road warriors
        rightsourceip=192.168.1.0/24
        # username/password for the client, taken from ipsec.secrets
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add
There's one issue I have with Windows 7: The native IPsec client sends
all IP traffic through the IPsec tunnel; even traffic that is not
destined for your home network. As a consequence, if the road warrior
accesses some site on the internet, the traffic will be sent through
your strongSwan box at home.
-Daniel
Razza wrote:
> Hi Daniel,
> I was thinking of the bundled L2TP/IPsec client, I don't mind paying for
> a VPN client if there are better/more flexible options. If the client is
> over £30 ($40) I would rather just buy Win 7.
> I am happy with a different range, say 192.168.1.0/24 for the VPN users.
>
> Kind regards,
>
>
> On 19 February 2010 12:29, Daniel Mentz
> <danielml+mailinglists.strongswan at sent.com> wrote:
>
> Hi Razza,
>
> you need to set up your DSL/NAT Router to forward UDP datagrams
> destined for ports 500 and 4500 to your strongSwan box.
> You said that you want to allocate IP addresses for road warriors
> inside the 192.168.10.0/24 range. This could be difficult to achieve.
> Can you waive this requirement and come up with a separate IP prefix
> for road warriors? Like 10.x.y.0/24? This would make things much easier.
>
> I'm using this kind of setup for Win7 clients. Which IPsec client
> software do you want to use on Windows XP?
>
> -Daniel
>
>
> Razza wrote:
>
> Hi all, I'm new to the list and am looking for a bit of advice. I've looked
> around but can't find any examples close to what I want to achieve, probably
> because it's flawed from a purist's security viewpoint. Anyway, I want to
> use strongSwan in a home network environment, mainly so I can access home
> network machines whilst I'm away. E.g. ssh to my asterisk server, RDP/VNC to
> my partner's machine etc.
>
> My network is as follows:
>
>   192.168.10.0/24 -- | 192.168.10.1 |                | Dynamic RIPE IP | -- Internet
>   Home Network       | Inside i/f   | DSL/NAT Router | Outside i/f     |
>
> As I only have a single RIPE address on my DSL, I intend to port forward the
> necessary ports to a single interface on my strongSwan box.
>
> My strongSwan box will have an address in the range 192.168.10.0/24. I would
> prefer to have a single physical interface if possible, but could have two.
>
> When I connect from an internet connected machine (soon Win7, currently XP),
> I would like to be allocated a virtual IP in the range of my home network
> (192.168.10.0/24).
>
> Is this possible?
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
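The steps Daniel lists (certificates for leftcert/leftid, an EAP user for rightauth=eap-mschapv2, forwarding the decrypted traffic and getting replies back from the LAN) as one provisioning script. This is an added example, not code from the thread or from the strongSwan project. It assumes hypothetical values: the strongSwan box is 192.168.10.5, the router 192.168.10.1, the server identity vpn.razz.net, the EAP user "razz"; the file and directory names follow the ipsec.conf above. The script prints the commands by default and only executes them when run as root with DRY_RUN set to the empty string. The CA certificate it produces (caCert.pem) has to be imported into the Windows 7 machine's Trusted Root store for the computer account, otherwise the client rejects the gateway certificate.

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project.
# Hypothetical values: gateway 192.168.10.5 on eth0, server id vpn.razz.net,
# EAP user "razz". Commands are printed unless DRY_RUN is set to "".
DRY_RUN=${DRY_RUN-1}
GW_IP=192.168.10.5            # strongSwan box, LAN side
LAN_NET=192.168.10.0/24       # home network
VPN_POOL=192.168.1.0/24       # rightsourceip pool
SERVER_FQDN=vpn.razz.net      # leftid without the leading '@'
CERT=razz_home_network.pem    # leftcert
KEY=${CERT%.pem}.key.pem

run() {
    if [ -n "$DRY_RUN" ]; then printf '+ %s\n' "$*"; else eval "$*"; fi
}

# 1. CA and gateway certificate with strongSwan's pki tool. leftid=@vpn.razz.net
#    is an FQDN identity, so the cert must carry it as subjectAltName; the
#    Windows 7 client additionally insists on the serverAuth EKU.
gen_certs() {
    run "ipsec pki --gen --type rsa --size 2048 --outform pem > caKey.pem"
    run "ipsec pki --self --ca --in caKey.pem --dn \"C=GB, O=razz, CN=razz home CA\" --outform pem > caCert.pem"
    run "ipsec pki --gen --type rsa --size 2048 --outform pem > $KEY"
    run "ipsec pki --pub --in $KEY | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn \"C=GB, O=razz, CN=$SERVER_FQDN\" --san $SERVER_FQDN --flag serverAuth --outform pem > $CERT"
    run "install -m 600 $KEY /etc/ipsec.d/private/"
    run "install -m 644 $CERT /etc/ipsec.d/certs/"
    run "install -m 644 caCert.pem /etc/ipsec.d/cacerts/"
}

# 2. ipsec.secrets: the gateway key plus one EAP-MSCHAPv2 user (hypothetical
#    name and password; the client logs in with these).
write_secrets() {
    run "printf '%s\n' ': RSA $KEY' 'razz : EAP \"change-me\"' > /etc/ipsec.secrets"
    run "chmod 600 /etc/ipsec.secrets"
}

# 3. Forwarding. Only packets that really arrived through IPsec may claim a
#    pool address (xt_policy match). LAN hosts answer 192.168.1.x via their
#    default gateway, the DSL router, so the router needs a route for the pool
#    to $GW_IP (option A); if it cannot take static routes, SNAT the pool to
#    the gateway's LAN address instead (option B). Because the Windows 7 client
#    sends all traffic through the tunnel, internet-bound packets from the pool
#    are masqueraded as well.
forwarding_rules() {
    run "sysctl -w net.ipv4.ip_forward=1"
    run "iptables -A FORWARD -s $VPN_POOL -m policy --dir in --pol ipsec -j ACCEPT"
    run "iptables -A FORWARD -d $VPN_POOL -m policy --dir out --pol ipsec -j ACCEPT"
    # option A, on the DSL router (cannot be scripted from here):
    echo "# router: ip route add $VPN_POOL via $GW_IP"
    # option B, instead of the route:
    # run "iptables -t nat -A POSTROUTING -s $VPN_POOL -d $LAN_NET -j SNAT --to-source $GW_IP"
    run "iptables -t nat -A POSTROUTING -s $VPN_POOL ! -d $LAN_NET -j MASQUERADE"
}

gen_certs
write_secrets
forwarding_rules
if [ -n "$DRY_RUN" ]; then
    echo "# dry run: re-run as root with DRY_RUN= to apply"
fi
```

The UDP 500/4500 forward on the router from Daniel's first reply is still needed in addition to the route; neither can be done from the strongSwan box.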