[strongSwan] Home network config

Razza razza30 at gmail.com
Fri Feb 19 15:14:46 CET 2010


Hi Daniel,
That's fantastic! I'll have a play later with the Shrew Soft client on XP.
I'm quite happy with all traffic flowing through the VPN, that might stop my
3G/HSDPA provider blocking internet radio when I'm away :o)

Thanks again!

On 19 February 2010 13:48, Daniel Mentz <danielml+mailinglists.strongswan at sent.com> wrote:

> Hi Raza,
>
> I never used the L2TP/IPsec client so I can't tell how to set it up.
>
> If you want to use plain IPsec you have - in my opinion - the following
> options:
>
> IKEv1:
> WindowsXP + NCP Secure Entry Client for Win32/64 (142 EUR)
> WindowsXP + Shrew Soft VPN client (free of charge)
> Windows 7 + NCP Secure Entry Client for Win32/64 (142 EUR)
>
> IKEv2:
> Windows 7 + built-in IKEv2 VPN client
>
> If you decide to use IKEv1, you are going to setup the pluto daemon
> (plutostart=yes). If you want to use IKEv2 you are going to use the charon
> daemon on the strongSwan side.
>
> You have to make sure that your NAT router forwards packets destined for
> 192.168.1.0/24 to your strongSwan box.
>
> Do you know how to create X.509 certificates?
>
> If you want to use Windows 7 you could use a connection definition which is
> similar to
>
> config setup
>        charonstart=yes
>        plutostart=no
>
> conn win7
>    keyexchange=ikev2
>    ike=aes256-sha1-modp1024!
>    esp=aes256-sha1!
>    dpdaction=clear
>    dpddelay=300s
>    rekey=no
>    left=%any
>    leftsubnet=0.0.0.0/0
>    leftauth=pubkey
>    leftcert=razz_home_network.pem
>    leftid=@vpn.razz.net
>    right=%any
>    rightsourceip=192.168.1.0/24
>    rightauth=eap-mschapv2
>    rightsendcert=never
>    eap_identity=%any
>    auto=add
>
> There's one issue I have with Windows 7: The native IPsec client sends all
> IP traffic through the IPsec tunnel; even traffic that is not destined for
> your home network. As a consequence, if the road warrior accesses some site
> on the internet, the traffic will be sent through your strongSwan box at
> home.
>
> -Daniel
>
> Razza wrote:
>
>> Hi Daniel,
>> I was thinking of the bundled L2TP/IPsec client, I don't mind paying for a
>> VPN client if there are better/more flexible options. If the client is over
>> £30 ($40) I would rather just buy Win 7.
>> I am happy with a different range, say 192.168.1.0/24 for the VPN users.
>>
>> Kind regards,
>>
>>
>>
>> On 19 February 2010 12:29, Daniel Mentz <danielml+mailinglists.strongswan at sent.com> wrote:
>>
>>    Hi Razza,
>>
>>    you need to setup your DSL/NAT Router to forward UDP datagrams
>>    destined for ports 500 and 4500 to your strongSwan box.
>>    You said that you want to allocate IP addresses for road warriors
>>    inside the 192.168.10.0/24 range. This could be difficult to
>>    achieve. Can you waive this requirement and come up with a separate
>>    IP prefix for road warriors? Like 10.x.y.0/24? This would make
>>    things much easier.
>>
>>    I'm using this kind of setup for Win7 clients. Which IPsec client
>>    software do you want to use on Windows XP?
>>
>>    -Daniel
>>
>>
>>    Razza wrote:
>>
>>        Hi all, I’m new to the list and am looking for a bit of advice.
>>        I’ve looked around but can’t find any examples close to what I
>>        want to achieve, probably because it’s flawed from a purist’s
>>        security viewpoint. Anyway, I want to use strongSwan in a home
>>        network environment, mainly so I can access home network
>>        machines whilst I’m away. E.g. ssh to my asterisk server,
>>        RDP/VNC to my partner’s machine etc.
>>
>>        My network is as follows –
>>
>>        192.168.10.0/24 -- | 192.168.10.1 | | Dynamic RIPE IP | -- Internet
>>         Home Network      |  Inside i/f  | |   Outside i/f   |
>>                           |         DSL/NAT Router           |
>>
>>        As I only have a single RIPE address on my DSL, I intend to port
>>        forward necessary ports to a single interface on my strongSwan
>>        box.
>>
>>        My strongSwan box will have an address in the range
>>        192.168.10.0/24. I would prefer to have a single physical
>>        interface if possible, but could have two.
>>
>>        When I connect from an internet connected machine (soon Win7,
>>        currently XP), I would like to be allocated a virtual IP in the
>>        range of my home network (192.168.10.0/24).
>>
>>
>>
>>        Is this possible?
>>        _______________________________________________
>>        Users mailing list
>>        Users at lists.strongswan.org
>>
>>        https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>>
>>
>
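As an added example (not from this thread, and not strongSwan's own code), here is a small Python checker that parses an ipsec.conf-style conn like the one Daniel posted and flags the two points the thread raises: a virtual IP pool (rightsourceip) that overlaps the home LAN, and leftsubnet=0.0.0.0/0, which is what makes the Windows 7 client send all its traffic through the tunnel. The sample conn and the 192.168.10.0/24 home prefix are constructed from the thread; the modp1024 check is an extra note about the 1024-bit DH group in that proposal.

```python
import ipaddress

# Constructed sample: the Windows 7 conn from the thread, paired with the
# home LAN prefix the original poster described (192.168.10.0/24).
HOME_LAN = "192.168.10.0/24"
IPSEC_CONF = """\
config setup
    charonstart=yes
    plutostart=no

conn win7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightsourceip=192.168.1.0/24
    rightauth=eap-mschapv2
    auto=add
"""

def parse_conns(text):
    """Parse ipsec.conf-style text into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # header line: 'conn NAME' or 'config setup'
            current = line.split(None, 1)[-1].strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def review_conn(conn, home_lan):
    """Return finding tags for a road-warrior conn, as discussed in the thread."""
    findings = []
    try:  # rightsourceip may also name a %pool; skip it if it is not a prefix
        pool = ipaddress.ip_network(conn.get("rightsourceip", ""), strict=False)
        if pool.overlaps(ipaddress.ip_network(home_lan)):
            findings.append("overlap: virtual IP pool lies inside the home LAN")
    except ValueError:
        pass
    if conn.get("leftsubnet") == "0.0.0.0/0":
        findings.append("full-tunnel: client sends all Internet traffic via the VPN")
    if "modp1024" in conn.get("ike", ""):
        findings.append("weak-dh: 1024-bit DH group, below current recommendations")
    return findings
```

Run review_conn(parse_conns(IPSEC_CONF)["win7"], HOME_LAN) to see the findings for the sample; swap rightsourceip to 192.168.10.0/24 to see the overlap case the thread warns against.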


