[strongSwan] Site2site VPN Config Examples

Martin Willi martin at strongswan.org
Thu Nov 4 15:39:46 CET 2010


> Would you recommend using 1 or 2 separate physical machines or a
> completely different setup for the network topology I mentioned in my
> last mail?

For me, the proposed solution looks fine. I don't think that a separate
box adds much security to it (if that jail thingy is secure). But it's
finally not my decision :-).

> Is EAP-MSCHAPv2 really the only EAP variant that works with Linux,
> Windows (both XP and 7), and possibly also Mac OS X or are there other
> possibilities? Which would be the most secure and would work with all
> mentioned OSes?

Windows XP supports L2TP over IPsec with IKEv1 only, so it is a completely
different story. It works with our IKEv1 daemon, but I won't recommend
it for a productive setup. And RADIUS is a no-go then from our side. You
probably better look for a commercial client if this should work
hassle-free with XP. But one capable of IKEv2 is hard to get!?

Windows 7 works fine with IKEv2. EAP-MSCHAPv2 comes with Windows and
therefore is the choice for username/password authentication. Security
of the EAP protocol does not really matter, as the connection is
properly encrypted and authenticated before EAP jumps in (at least
between gateway and client). You might consider securing the
gateway-RADIUS connection with IPsec, too ;-).

On Linux, strongSwan works fine with EAP-MSCHAPv2. We have kinda Mac
support, but using virtual IPs as you probably would use it with
Win7/Linux doesn't work yet.

> > Do you authenticate the net2net tunnel via RADIUS, too?

> Not sure on this one yet. Would you recommend it?

EAP is a unidirectional protocol and not often used in net2net
scenarios. Using certificates is probably simpler.

Regards
Martin
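The setup Martin sketches above (certificates for the site-to-site tunnel, IKEv2 with EAP-MSCHAPv2 forwarded to RADIUS for Windows 7 and Linux road warriors, and the gateway-to-RADIUS leg itself protected with IPsec) can be expressed in a strongSwan gateway configuration. The following is an added, constructed example and is not configuration from the original mail or from the strongSwan project; all addresses, identities, file names and the RADIUS secret are placeholders, and the subnets and hosts are assumed rather than taken from the thread.

```ini
# --- /etc/ipsec.conf on the VPN gateway (constructed example) ---
config setup

conn %default
    keyexchange=ikev2
    left=%defaultroute              # gateway's own public address
    leftcert=gatewayCert.pem        # placeholder: gateway certificate in /etc/ipsec.d/certs
    leftid=@vpn.example.org         # placeholder: identity in the gateway certificate
    leftsubnet=10.1.0.0/16          # assumed local site network

# Site-to-site tunnel: mutual certificate (pubkey) authentication on both
# ends, which is simpler than EAP for net2net as noted in the mail.
conn net2net
    right=203.0.113.10              # placeholder remote gateway (TEST-NET-3 address)
    rightid=@gw2.example.org        # placeholder: identity in the remote certificate
    rightsubnet=10.2.0.0/16         # assumed remote site network
    leftauth=pubkey
    rightauth=pubkey
    auto=start

# Road warriors (Windows 7 / Linux): the gateway authenticates with its
# certificate, the client with EAP-MSCHAPv2, which the eap-radius plugin
# relays to the RADIUS server.  Clients receive a virtual IP.
conn rw-eap
    right=%any
    rightauth=eap-radius
    rightsendcert=never             # clients have no certificate of their own
    eap_identity=%identity          # use the EAP identity for the RADIUS request
    rightsourceip=10.3.0.0/24       # assumed virtual IP pool for clients
    leftauth=pubkey
    auto=add

# Transport-mode SA between the gateway and the RADIUS server so that the
# EAP-MSCHAPv2 exchange is not carried over the LAN in the clear.
conn radius-transport
    type=transport
    right=10.1.0.5                  # assumed RADIUS server address
    rightid=@radius.example.org     # placeholder: identity in the RADIUS host certificate
    leftsubnet=%defaultroute
    rightsubnet=10.1.0.5/32
    rightprotoport=udp/1812         # RADIUS authentication port
    leftauth=pubkey
    rightauth=pubkey
    auto=start

# --- /etc/strongswan.conf (constructed example): where the eap-radius
# plugin learns about the RADIUS server ---
charon {
    plugins {
        eap-radius {
            server = 10.1.0.5       # assumed RADIUS server address, same as above
            secret = RADIUS_SHARED_SECRET_PLACEHOLDER
        }
    }
}
```

The `rw-eap` connection keeps the client side at `rightsendcert=never` and `eap_identity=%identity`, the two settings that matter for Windows 7's built-in IKEv2 client doing username/password against RADIUS. The `radius-transport` connection is the optional hardening step Martin hints at; it requires the RADIUS host to run IPsec as well, with a certificate trusted by the gateway, which is why both sides use `pubkey` authentication there.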