Hi Razza,

I never used the L2TP/IPsec client so I can't tell how to set it up.

If you want to use plain IPsec you have - in my opinion - the following options:

IKEv1:
  Windows XP + NCP Secure Entry Client for Win32/64 (142 EUR)
  Windows XP + Shrew Soft VPN client (free of charge)
  Windows 7 + NCP Secure Entry Client for Win32/64 (142 EUR)

IKEv2:
  Windows 7 + built-in IKEv2 VPN client

If you decide to use IKEv1, you are going to set up the pluto daemon (plutostart=yes). If you want to use IKEv2, you are going to use the charon daemon on the strongSwan side.

You have to make sure that your NAT router forwards packets destined for 192.168.1.0/24 to your strongSwan box.

Do you know how to create X.509 certificates?

If you want to use Windows 7, you could use a connection definition which is similar to

    config setup
        charonstart=yes
        plutostart=no

    conn win7
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=razz_home_network.pem
        left...@vpn.razz.net
        right=%any
        rightsourceip=192.168.1.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add

There's one issue I have with Windows 7: the native IPsec client sends all IP traffic through the IPsec tunnel, even traffic that is not destined for your home network. As a consequence, if the road warrior accesses some site on the internet, the traffic will be sent through your strongSwan box at home.

-Daniel

Razza wrote:
> Hi Daniel,
>
> I was thinking of the bundled L2TP/IPsec client. I don't mind paying for
> a VPN client if there are better/more flexible options. If the client is
> over £30 ($40) I would rather just buy Win 7.
>
> I am happy with a different range, say 192.168.1.0/24, for the VPN users.
>
> Kind regards,
>
> On 19 February 2010 12:29, Daniel Mentz <danielml+mailinglists.strongs...@sent.com> wrote:
> > Hi Razza,
> >
> > you need to set up your DSL/NAT router to forward UDP datagrams
> > destined for ports 500 and 4500 to your strongSwan box.
> >
> > You said that you want to allocate IP addresses for road warriors
> > inside the 192.168.10.0/24 range. This could be difficult to achieve.
> > Can you waive this requirement and come up with a separate IP prefix
> > for road warriors? Like 10.x.y.0/24? This would make things much easier.
> >
> > I'm using this kind of setup for Win7 clients. Which IPsec client
> > software do you want to use on Windows XP?
> >
> > -Daniel
> >
> > Razza wrote:
> > > Hi all,
> > >
> > > I’m new to the list and am looking for a bit of advice. I’ve looked
> > > around but can’t find any examples close to what I want to achieve,
> > > probably because it’s flawed from a purist's security viewpoint.
> > > Anyway, I want to use strongSwan in a home network environment, mainly
> > > so I can access home network machines whilst I’m away. E.g. ssh to my
> > > asterisk server, RDP/VNC to my partner's machine etc.
> > >
> > > My network is as follows –
> > >
> > > 192.168.10.0/24 ----| 192.168.10.1 | Dynamic RIPE IP |---- Internet
> > > Home Network        | Inside i/f   |   Outside i/f   |
> > >                     |        DSL/NAT Router          |
> > >
> > > As I only have a single RIPE address on my DSL, I intend to port
> > > forward the necessary ports to a single interface on my strongSwan box.
> > >
> > > My strongSwan box will have an address in the range 192.168.10.0/24.
> > > I would prefer to have a single physical interface if possible, but
> > > could have two.
> > >
> > > When I connect from an internet connected machine (soon Win7,
> > > currently XP), I would like to be allocated a virtual IP in the range
> > > of my home network (192.168.10.0/24).
> > >
> > > Is this possible?
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
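The strongSwan side of what Daniel describes above (certificate creation with the `ipsec pki` tool, the `conn win7` definition, the EAP-MSCHAPv2 user secret, and letting the road-warrior pool reach the home LAN), as an added shell script that is not part of the thread and not strongSwan's own code. The hostname vpn.razz.net as the server identity, the LAN interface name eth0, the user name "razza", the CA distinguished name and the file names are all assumptions made for the example; the only specifics taken from the thread are the two address ranges, the UDP ports and the conn settings. Masquerading the pool behind the strongSwan box is shown as an alternative to the static route for 192.168.1.0/24 on the DSL router that Daniel mentions.

```shell
#!/bin/sh
# Added example: strongSwan (charon, IKEv2) side of a Windows 7 road-warrior
# setup. Assumed values are marked; nothing here is from the original posts.
set -u

LAN_IF="${LAN_IF:-eth0}"                    # assumed: interface on 192.168.10.0/24
VPN_POOL="192.168.1.0/24"                   # virtual IP pool for road warriors
SERVER_FQDN="${SERVER_FQDN:-vpn.razz.net}"  # assumed: name the Windows client dials

# Private CA plus a server certificate. Windows 7's built-in client requires a
# subjectAltName equal to the name it dials and the serverAuth/ikeIntermediate
# EKU flags; the key files are kept root-only.
make_certs() {
    dir="$1"
    mkdir -p "$dir" || return 1
    ( cd "$dir" || exit 1
      ipsec pki --gen --type rsa --size 2048 --outform pem > caKey.pem
      ipsec pki --self --in caKey.pem --ca --lifetime 3650 \
          --dn "C=GB, O=razz home, CN=razz home CA" --outform pem > caCert.pem
      ipsec pki --gen --type rsa --size 2048 --outform pem > razz_home_network_key.pem
      ipsec pki --pub --in razz_home_network_key.pem | ipsec pki --issue \
          --cacert caCert.pem --cakey caKey.pem --lifetime 1825 \
          --dn "C=GB, O=razz home, CN=$SERVER_FQDN" --san "$SERVER_FQDN" \
          --flag serverAuth --flag ikeIntermediate --outform pem > razz_home_network.pem
      chmod 600 caKey.pem razz_home_network_key.pem )
}

# ipsec.conf: Daniel's conn, with leftid (assumed) set to the FQDN so the IKE
# identity matches the certificate's subjectAltName. leftsubnet stays 0.0.0.0/0;
# narrowing it does not by itself stop Windows 7 routing everything into the
# tunnel, that is a client-side setting (see the note below the script).
write_ipsec_conf() {
    cat > "$1" <<EOF
config setup
    charonstart=yes
    plutostart=no

conn win7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=razz_home_network.pem
    leftid=$SERVER_FQDN
    right=%any
    rightsourceip=$VPN_POOL
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
EOF
}

# ipsec.secrets: the server's RSA key plus one EAP-MSCHAPv2 line per road
# warrior. The user name must be exactly what is typed into the Windows
# credential dialog. File is created mode 0600 because it holds passwords.
write_ipsec_secrets() {
    file="$1"; user="$2"; pass="$3"
    old_umask=$(umask); umask 077
    cat > "$file" <<EOF
# RSA private key for razz_home_network.pem (looked up in /etc/ipsec.d/private)
: RSA razz_home_network_key.pem
# EAP-MSCHAPv2 credentials for the road warrior
$user : EAP "$pass"
EOF
    umask "$old_umask"
}

# Decrypted road-warrior traffic must reach the LAN. Masquerading the pool
# behind the box's LAN address replaces the static route for 192.168.1.0/24
# on the DSL router. UDP 500/4500 still have to be forwarded by the router;
# because the box sits behind NAT, ESP travels UDP-encapsulated on 4500.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
    iptables -A FORWARD -s "$VPN_POOL" -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    iptables -A FORWARD -d "$VPN_POOL" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    iptables -t nat -A POSTROUTING -s "$VPN_POOL" -o "$LAN_IF" -j MASQUERADE
}

# Only act when explicitly asked (RUN_SETUP=1, as root); otherwise the
# functions can be sourced or tested without touching the system.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    make_certs /tmp/razz-pki
    cp /tmp/razz-pki/caCert.pem               /etc/ipsec.d/cacerts/
    cp /tmp/razz-pki/razz_home_network.pem    /etc/ipsec.d/certs/
    cp /tmp/razz-pki/razz_home_network_key.pem /etc/ipsec.d/private/
    write_ipsec_conf /etc/ipsec.conf
    write_ipsec_secrets /etc/ipsec.secrets razza "${EAP_PASSWORD:?set EAP_PASSWORD}"
    enable_forwarding
    ipsec restart
fi
```

Run it as `RUN_SETUP=1 EAP_PASSWORD='...' sh vpn-setup.sh` on the strongSwan box, then copy caCert.pem to the Windows 7 machine and import it into the computer account's Trusted Root Certification Authorities store (not the user store), and create the VPN connection with type IKEv2 and the destination name vpn.razz.net, which must match the certificate's subjectAltName. The all-traffic behaviour Daniel mentions is controlled on the client: in the connection's Networking tab, IPv4 Properties, Advanced, untick "Use default gateway on remote network", after which only routes Windows learns for the remote side go through the tunnel.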