Re: [CentOS] IPSEC How To?

2012-04-06 Thread Ross Walker
On Apr 5, 2012, at 10:55 AM, Helmut Drodofsky drodof...@internet-xs.de wrote:

> Hello,
> 
> now I have spent many hours to configure openswan for VPN connections 
> without any success.
> 
> My goal:
> 
> VPN Server CentOS 6 with public IPv4
> VPN Client (= road warrior) from a private site with NAT router or from a 
> mobile cell with Linux, Windows 7, Mac, iPhone or Android
> 
> Is there any how-to on the net?
> 
> When I read
> file:///usr/share/doc/openswan-doc-2.6.32/config.html
> then I believe there is no solution. It is written that I have to 
> reconfigure the NAT router of the mobile provider or the hardware NAT 
> router of the private DSL uplink.
> 
> Both are impossible.

A long, long time ago in a datacenter far far away I managed to cobble 
openswan/racoon together to provide L2TP VPN connectivity for WinXP. It was a 
great big hack at the time, but it can be done.

IPsec can work over NAT if the implementation supports the latest RFCs that 
allow for NAT traversal, and I believe L2TP is the mobile IPsec VPN protocol of 
choice. It is basically PPTP wrapped in IPsec, where the IPsec key is the client 
X.509 certificate and the PPTP uses MS-CHAP authentication.

This is the most secure, as it only allows those clients that have a certificate 
issued from your CA to connect.

Don't have a CA, don't know about PKI? Then use PPTP with 128-bit encryption, as 
it's easier to get going and universally supported.

-Ross

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] IPSEC How To?

2012-04-06 Thread Ross Walker
On Apr 6, 2012, at 9:20 AM, Ross Walker rswwal...@gmail.com wrote:

> On Apr 5, 2012, at 10:55 AM, Helmut Drodofsky drodof...@internet-xs.de 
> wrote:
> 
>> Hello,
>> 
>> now I have spent many hours to configure openswan for VPN connections 
>> without any success.
>> 
>> My goal:
>> 
>> VPN Server CentOS 6 with public IPv4
>> VPN Client (= road warrior) from a private site with NAT router or from a 
>> mobile cell with Linux, Windows 7, Mac, iPhone or Android
>> 
>> Is there any how-to on the net?
>> 
>> When I read
>> file:///usr/share/doc/openswan-doc-2.6.32/config.html
>> then I believe there is no solution. It is written that I have to 
>> reconfigure the NAT router of the mobile provider or the hardware NAT 
>> router of the private DSL uplink.
>> 
>> Both are impossible.
> 
> A long, long time ago in a datacenter far far away I managed to cobble 
> openswan/racoon together to provide L2TP VPN connectivity for WinXP. It was a 
> great big hack at the time, but it can be done.
> 
> IPsec can work over NAT if the implementation supports the latest RFCs that 
> allow for NAT traversal, and I believe L2TP is the mobile IPsec VPN protocol 
> of choice. It is basically PPTP wrapped in IPsec, where the IPsec key is the 
> client X.509 certificate and the PPTP uses MS-CHAP authentication.
> 
> This is the most secure, as it only allows those clients that have a 
> certificate issued from your CA to connect.
> 
> Don't have a CA, don't know about PKI? Then use PPTP with 128-bit encryption, 
> as it's easier to get going and universally supported.

Here is a how-to on openswan L2TP.

Seems PSKs are also supported, so no PKI is necessary.

-Ross



Re: [CentOS] IPSEC How To?

2012-04-06 Thread Ross Walker
On Apr 6, 2012, at 9:34 AM, Ross Walker rswwal...@gmail.com wrote:

> Here is a how-to on openswan L2TP.
> 
> Seems PSKs are also supported, so no PKI is necessary.

Oops forgot the link:

http://www.jacco2.dds.nl/networking/openswan-l2tp.html




Re: [CentOS] IPSEC How To?

2012-04-06 Thread Patrick Lists
On 04/06/2012 03:35 PM, Ross Walker wrote:
> On Apr 6, 2012, at 9:34 AM, Ross Walker rswwal...@gmail.com wrote:
> 
>> Here is a how-to on openswan L2TP.
>> 
>> Seems PSKs are also supported, so no PKI is necessary.
> 
> Oops forgot the link:
> 
> http://www.jacco2.dds.nl/networking/openswan-l2tp.html

Here's another one:

https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd

Regards,
Patrick
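For readers following the two how-tos linked above, here is the shape a minimal road-warrior L2TP/IPsec server configuration takes on openswan plus xl2tpd, added as an illustration and not taken from the thread or from either page; the server address 203.0.113.10, the 10.99.99.0/24 address pool, the PSK and the LNS name LinuxVPNserver are placeholders to replace.

```conf
# --- /etc/ipsec.conf (openswan 2.6.x on CentOS 6) ---
version 2.0

config setup
    protostack=netkey
    # NAT-T (RFC 3947/3948): once a NAT is detected, ESP is carried in UDP/4500
    nat_traversal=yes
    # private ranges a NATed client may sit behind; the VPN pool itself is excluded
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.99.99.0/24

# clients behind NAT present a private address; %priv matches virtual_private
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # PSK instead of X.509, so no CA is needed; transport mode protects only UDP/1701
    authby=secret
    type=transport
    pfs=no
    rekey=no
    ikelifetime=8h
    keylife=1h
    # 203.0.113.10 is a placeholder for the server's public IPv4
    left=203.0.113.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add

# --- /etc/ipsec.secrets (keep it mode 0600) ---
203.0.113.10 %any: PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# --- /etc/xl2tpd/xl2tpd.conf: L2TP/PPP on top of the IPsec transport SA ---
[lns default]
ip range = 10.99.99.10-10.99.99.100
local ip = 10.99.99.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

# --- /etc/ppp/options.xl2tpd: per-user login is MS-CHAPv2 inside the tunnel ---
require-mschap-v2
ms-dns 10.99.99.1
mtu 1410
mru 1410
noccp
nodefaultroute
```

User accounts go in /etc/ppp/chap-secrets against the server name LinuxVPNserver. On the firewall accept UDP/500 and UDP/4500, and accept UDP/1701 only for IPsec-protected packets (iptables `-m policy --dir in --pol ipsec`), so plaintext L2TP is never reachable from the outside.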


Re: [CentOS] IPSEC How To?

2012-04-05 Thread Les Mikesell
On Thu, Apr 5, 2012 at 9:55 AM, Helmut Drodofsky
drodof...@internet-xs.de wrote:

> now I have spent many hours to configure openswan for VPN connections
> without any success.
>
> My goal:
>
> VPN Server CentOS 6 with public IPv4
> VPN Client (= road warrior) from a private site with NAT router or from a
> mobile cell with Linux, Windows 7, Mac, iPhone or Android
>
> Is there any how-to on the net?
>
> When I read
> file:///usr/share/doc/openswan-doc-2.6.32/config.html
> then I believe there is no solution. It is written that I have to
> reconfigure the NAT router of the mobile provider or the hardware NAT
> router of the private DSL uplink.
>
> Both are impossible.
>
> Thank you for help in advance.

Can you use OpenVPN instead of IPsec?  It can run over UDP and is
NAT-friendly.  I think you need root access on Android and a
jailbroken iPhone to make the clients work there, though.

-- 
   Les Mikesell


Re: [CentOS] IPSEC How To?

2012-04-05 Thread Patrick Lists
On 04/05/2012 04:55 PM, Helmut Drodofsky wrote:
> Hello,
>
> now I have spent many hours to configure openswan for VPN connections
> without any success.
>
> My goal:
>
> VPN Server CentOS 6 with public IPv4
> VPN Client (= road warrior) from a private site with NAT router or from a
> mobile cell with Linux, Windows 7, Mac, iPhone or Android
>
> Is there any how-to on the net?
>
> When I read
> file:///usr/share/doc/openswan-doc-2.6.32/config.html
> then I believe there is no solution. It is written that I have to
> reconfigure the NAT router of the mobile provider or the hardware NAT
> router of the private DSL uplink.
>
> Both are impossible.

Maybe you'll have better luck on the Openswan mailing list, but I would not 
get my hopes up. One of the Openswan developers has repeatedly mentioned 
that IPsec does not like NAT. Les' suggestion to try OpenVPN is what I 
did, and it works well assuming you can find the tun.ko kernel module for 
your Android phone. I don't know if there is an OpenVPN client for 
Windows Phone or iPhone.

Regards,
Patrick