Re: [Users] FreeS/WAN with L2TP install on Debian
Damir Dezeljin wrote:
> I read a lot of docs on setting up an IPsec roadwarrior setup for Win2k/XP
> clients. I found especially useful the following documents:
> - http://www.natecarlson.com/linux/ipsec-x509.php
> - http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
> After setting all the things up I found that I don't have ipseccmd.exe on
> my WinXP box. So I searched the internet again and after some time I found
> that I have to install it from the WinXP CD. While this is very annoying for my
> users (I have to set up the VPN connection for other users of my system) I
> want to enable them to use the Win2k/XP native client (the client that can be
> invoked from 'Network Connections' by clicking 'New Connection' and
> following the instructions for 'Connect to Network at My Workplace').
> So I have some questions ... please, if anyone can give me any hint, let them do
> it ;) :
> - I couldn't find out if the freeswan and kernel-patch-freeswan that
> come with Debian Woody are enough for my setup (freeswan 1.96-1.4 and
> kernel-patch-freeswan 1.96-1.4)? I also couldn't find out if the kernel
> patch also contains the L2TP patch. Are those two tools ok or do I have to
> compile them manually? Is there an already compiled .deb package?
If you are using freeswan-1.96 then X.509 patch version 0.9.9 would be
applied to it. Verify that you see the string
    Starting Pluto (FreeS/WAN Version 1.96)
    including X.509 patch (Version 0.9.9)
in the logfile during the startup of Pluto. Or, even easier, try whether the
command
    ipsec auto --listall
works and shows you a list of public keys and certificates. The
CHANGES file
http://www.strongsec.com/freeswan/CHANGES.txt
will show you which features you are missing with 0.9.9.
> - I want to use keys for authentication (X.509) because I want to support
> more clients and I don't want to share the same secret between all
> clients. Is it possible to set up Win2k/XP to use such a certificate with
> the native IPsec client (is there any doc showing how to do this or any
> hint?)?
http://www.natecarlson.com/linux/ipsec-x509.php
> - In the first above mentioned doc (first URL) there is a sample
> configuration for ipsec.conf. There is a section 'conn roadwarrior'.
> What do I have to enter instead of 'right=%any' to uniquely identify the
> client on the other end of the connection (I want to use the same CA
> certificate to sign all the certificates I will issue for various servers
> in my company, however I don't want a user from one server to be able to use
> the VPN connection of the other server - for this reason I have to allow
> only clients with certain certificates to connect to my FreeS/WAN server;
> do I have to put the public key that I provide to the client there?)?
X.509 patch version 0.9.27 for freeswan-1.99 and version 1.3.0 for
freeswan-2.00 introduced the rightca= parameter, which can be used to
restrict access to a specific host or subnet to a certain CA only.
For details see my howto at
http://www.strongsec.com/freeswan/install.htm#section_4.7
If you want to use this advanced feature you must upgrade either to
freeswan-1.99 or freeswan-2.01. X.509-patched versions are available
from
http://www.freeswan.ca/download.php
> Regards,
> Dezo
Regards
Andreas
=======================================================================
Andreas Steffen e-mail: andreas.steffen@strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
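To make the rightca= point concrete, the following ipsec.conf fragment is an added example (not from either poster nor from the linked howtos) for the L2TP/IPsec transport-mode roadwarrior connection the Windows native client builds. It contrasts the "accept any trusted CA" form with the restricted form. The certificate file name, the CA distinguished name and the client DN are invented placeholders; the rightca= line requires an X.509 patch of at least 0.9.27 (freeswan-1.99) or 1.3.0 (freeswan-2.00), as the reply above states.

```ini
# Added example ipsec.conf for a FreeS/WAN + X.509 patch gateway.
# File names and DNs below are placeholders, not values from the thread.

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    # Drop an old SA when the same certificate reconnects.
    uniqueids=yes

conn %default
    keyingtries=1
    compress=no
    authby=rsasig
    # Gateway and roadwarrior both authenticate with X.509 certificates.
    leftrsasigkey=%cert
    rightrsasigkey=%cert

# WEAK form: right=%any with no rightca=/rightid=. Pluto accepts any client
# certificate that chains to ANY CA certificate in /etc/ipsec.d/cacerts,
# so a user holding a certificate issued for a different server by the same
# company CA can also connect here.
conn roadwarrior-l2tp-any
    type=transport
    pfs=no
    left=%defaultroute
    leftcert=vpngateway.pem
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    auto=add

# RESTRICTED form: rightca= requires the issuing CA to lie in the client's
# trust path. Issue one sub-CA per server and only that server's clients
# can match this conn (needs X.509 patch >= 0.9.27 / 1.3.0).
conn roadwarrior-l2tp
    type=transport
    pfs=no
    left=%defaultroute
    leftcert=vpngateway.pem
    leftprotoport=17/1701
    right=%any
    rightca="C=SI, O=Example Company, CN=Example VPN Server CA"
    rightprotoport=17/1701
    auto=add

# Pinning one specific client instead of a whole CA: rightid= takes the
# subject DN of the client certificate (placeholder DN shown).
conn roadwarrior-l2tp-alice
    type=transport
    pfs=no
    left=%defaultroute
    leftcert=vpngateway.pem
    leftprotoport=17/1701
    right=%any
    rightid="C=SI, O=Example Company, CN=alice"
    rightprotoport=17/1701
    auto=add
```

Only one of the roadwarrior conns should be loaded at a time, otherwise the least restrictive one can still match. After `ipsec setup restart`, `ipsec auto --listall` shows which CA certificates Pluto has actually loaded from /etc/ipsec.d/cacerts, which is the set that the unrestricted form trusts.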