[strongSwan] Home network config
Razza
razza30 at gmail.com
Fri Feb 19 15:14:46 CET 2010
Hi Daniel,
That's fantastic! I'll have a play later with the Shrew Soft client on XP.
I'm quite happy with all traffic flowing through the VPN, that might stop my
3G/HSDPA provider blocking internet radio when I'm away :o)
Thanks again!
On 19 February 2010 13:48, Daniel Mentz <
danielml+mailinglists.strongswan at sent.com<danielml%2Bmailinglists.strongswan at sent.com>
> wrote:
> Hi Raza,
>
> I never used the L2TP/IPsec client so I can't tell how to set it up.
>
> If you want to use plain IPsec you have - in my opinion - the following
> options:
>
> IKEv1:
> WindowsXP + NCP Secure Entry Client for Win32/64 (142 EUR)
> WindowsXP + Shrew Soft VPN client (free of charge)
> Windows 7 + NCP Secure Entry Client for Win32/64 (142 EUR)
>
> IKEv2:
> Windows 7 + built-in IKEv2 VPN client
>
> If you decide to use IKEv1, you are going to setup the pluto daemon
> (plutostart=yes). If you want to use IKEv2 you are going to use the charon
> daemon on the strongSwan side.
>
> You have to make sure that your NAT router forwards packets destined for
> 192.168.1.0/24 to your strongSwan box.
>
> Do you know how to create X.509 certificates?
>
> If you want to use Windows 7 you could use a connection definition which is
> similar to
>
> config setup
> charonstart=yes
> plutostart=no
>
> conn win7
> keyexchange=ikev2
> ike=aes256-sha1-modp1024!
> esp=aes256-sha1!
> dpdaction=clear
> dpddelay=300s
> rekey=no
> left=%any
> leftsubnet=0.0.0.0/0
> leftauth=pubkey
> leftcert=razz_home_network.pem
> leftid=@vpn.razz.net
> right=%any
> rightsourceip=192.168.1.0/24
> rightauth=eap-mschapv2
> rightsendcert=never
> eap_identity=%any
> auto=add
>
> There's one issue I have with Windows 7: The native IPsec client sends all
> IP traffic through the IPsec tunnel; even traffic that is not destined for
> your home network. As a consequence, if the road warrior accesses some site
> on the internet, the traffic will be sent through your strongSwan box at
> home.
>
> -Daniel
>
> Razza wrote:
>
>> Hi Daniel,
>> I was thinking of the bundled L2TP/IPsec client, I don't mind paying for a
>> VPN client if there are better/more flexible options. If the client is over
>> £30 ($40) I would rather just buy Win 7.
>> I am happy with a different range, say 192.168.1.0/24 <
>> http://192.168.1.0/24> for the VPN users.
>>
>> Kind regards,
>>
>>
>>
>> On 19 February 2010 12:29, Daniel Mentz <
>> danielml+mailinglists.strongswan at sent.com<danielml%2Bmailinglists.strongswan at sent.com><mailto:
>> danielml%2Bmailinglists.strongswan at sent.com<danielml%252Bmailinglists.strongswan at sent.com>>>
>> wrote:
>>
>> Hi Razza,
>>
>> you need to setup your DSL/NAT Router to forward UDP datagrams
>> destined for ports 500 and 4500 to your strongSwan box.
>> You said that you want to allocate IP addresses for road warriors
>> inside the 192.168.10.0/24 <http://192.168.10.0/24> range. This
>>
>> could be difficult to achieve. Can you waive this requirement and
>> come up with a separate IP prefix for road warriors? Like
>> 10.x.y.0/24? This would make things much easier.
>>
>> I'm using this kind of setup for Win7 clients. Which IPsec client
>> software do you want to use on Windows XP?
>>
>> -Daniel
>>
>>
>> Razza wrote:
>>
>> Hi all, I’m new to the list and am looking for a bit of advice.
>> I’ve looked
>> around but can’t find any examples close to what I want to
>> achieve, probably
>> because it’s flawed from a purists security view point. Anyway,
>> I want to
>> use strongSwan in a home network environment, mainly so I can
>> access home
>> network machines whilst I’m away. E.g. ssh to my asterisk
>> server, RDP/VNC to
>> my partners machine etc.
>>
>>
>>
>> My network is as follows –
>>
>>
>>
>> 192.168.10.0/24 <http://192.168.10.0/24> -- | 192.168.10.1 | |
>>
>> Dynamic RIPE IP | -- Internet
>>
>> Home Network | Inside i/f | | Outside i/f |
>>
>> | DSL/NAT Router |
>>
>>
>>
>> As I only have a single RIPE address on my DSL, I intend to port
>> forward
>> necessary ports to a single interface on my strongSwan box.
>>
>> My strongSwan box will have an address in the range
>> 192.168.10.0/24 <http://192.168.10.0/24>. I would
>>
>> prefer to have a singe physical interface if possible, but could
>> have two.
>>
>> When I connect from an internet connected machine (soon Win7,
>> currently XP),
>> I would like to be allocated a virtual IP in the range of my
>> home network (
>> 192.168.10.0/24 <http://192.168.10.0/24>).
>>
>>
>>
>> Is this possible?
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
>>
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>>
>>
>
More information about the Users
mailing list