[strongSwan] Home network config
razza30 at gmail.com
Fri Feb 19 15:14:46 CET 2010
That's fantastic! I'll have a play later with the Shrew Soft client on XP.
I'm quite happy with all traffic flowing through the VPN, that might stop my
3G/HSDPA provider blocking internet radio when I'm away :o)
On 19 February 2010 13:48, Daniel Mentz <
danielml+mailinglists.strongswan at sent.com<danielml%2Bmailinglists.strongswan at sent.com>
> Hi Raza,
> I never used the L2TP/IPsec client so I can't tell how to set it up.
> If you want to use plain IPsec you have - in my opinion - the following
> WindowsXP + NCP Secure Entry Client for Win32/64 (142 EUR)
> WindowsXP + Shrew Soft VPN client (free of charge)
> Windows 7 + NCP Secure Entry Client for Win32/64 (142 EUR)
> Windows 7 + built-in IKEv2 VPN client
> If you decide to use IKEv1, you are going to setup the pluto daemon
> (plutostart=yes). If you want to use IKEv2 you are going to use the charon
> daemon on the strongSwan side.
> You have to make sure that your NAT router forwards packets destined for
> 192.168.1.0/24 to your strongSwan box.
> Do you know how to create X.509 certificates?
> If you want to use Windows 7 you could use a connection definition which is
> similar to
> config setup
> conn win7
> There's one issue I have with Windows 7: The native IPsec client sends all
> IP traffic through the IPsec tunnel; even traffic that is not destined for
> your home network. As a consequence, if the road warrior accesses some site
> on the internet, the traffic will be sent through your strongSwan box at
> Razza wrote:
>> Hi Daniel,
>> I was thinking of the bundled L2TP/IPsec client, I don't mind paying for a
>> VPN client if there are better/more flexible options. If the client is over
>> £30 ($40) I would rather just buy Win 7.
>> I am happy with a different range, say 192.168.1.0/24 <
>> http://192.168.1.0/24> for the VPN users.
>> Kind regards,
>> On 19 February 2010 12:29, Daniel Mentz <
>> danielml+mailinglists.strongswan at sent.com<danielml%2Bmailinglists.strongswan at sent.com><mailto:
>> danielml%2Bmailinglists.strongswan at sent.com<danielml%252Bmailinglists.strongswan at sent.com>>>
>> Hi Razza,
>> you need to setup your DSL/NAT Router to forward UDP datagrams
>> destined for ports 500 and 4500 to your strongSwan box.
>> You said that you want to allocate IP addresses for road warriors
>> inside the 192.168.10.0/24 <http://192.168.10.0/24> range. This
>> could be difficult to achieve. Can you waive this requirement and
>> come up with a separate IP prefix for road warriors? Like
>> 10.x.y.0/24? This would make things much easier.
>> I'm using this kind of setup for Win7 clients. Which IPsec client
>> software do you want to use on Windows XP?
>> Razza wrote:
>> Hi all, I’m new to the list and am looking for a bit of advice.
>> I’ve looked
>> around but can’t find any examples close to what I want to
>> achieve, probably
>> because it’s flawed from a purists security view point. Anyway,
>> I want to
>> use strongSwan in a home network environment, mainly so I can
>> access home
>> network machines whilst I’m away. E.g. ssh to my asterisk
>> server, RDP/VNC to
>> my partners machine etc.
>> My network is as follows –
>> 192.168.10.0/24 <http://192.168.10.0/24> -- | 192.168.10.1 | |
>> Dynamic RIPE IP | -- Internet
>> Home Network | Inside i/f | | Outside i/f |
>> | DSL/NAT Router |
>> As I only have a single RIPE address on my DSL, I intend to port
>> necessary ports to a single interface on my strongSwan box.
>> My strongSwan box will have an address in the range
>> 192.168.10.0/24 <http://192.168.10.0/24>. I would
>> prefer to have a singe physical interface if possible, but could
>> have two.
>> When I connect from an internet connected machine (soon Win7,
>> currently XP),
>> I would like to be allocated a virtual IP in the range of my
>> home network (
>> 192.168.10.0/24 <http://192.168.10.0/24>).
>> Is this possible?
>> Users mailing list
>> Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
More information about the Users