Devon & Cornwall Linux Users' Group


Re: [LUG] Problems VPNing with IPCop 1.3+patches?



On Sunday 14 November 2004 13:43, Grant Sewell wrote:
On Sun, 14 Nov 2004 12:40:13 +0000 Robin Cornelius <robin@xxxxxxxxxxxxxxxxxxxxx> wrote:
Left is often thought of as local and right remote, but they are switchable,
but it is nice to use some system to remember.

Thanks.  Can I ask where you discovered this?  I read the VPN howto (the
newer one) but it seemed only concerned with a VPN through SSH... not
exactly what I'm trying to do :D

Try having a read of the freeswan / openswan / strongswan (freeswan.org 
openswan.org strongswan.org) documentation. It looks like IPCop is based on 
the "swans" anyway, however looking at the IPCOP page it is based on 
superfreeswan which might mean if you need nat traversal you are in trouble.  
Openswan appears to be the official fork of the now suspended freeswan 
project.

What this does mean is that you need to watch the /var/log/secure 
or /var/log/auth.log for details of the success/errors of the connection.


Eeek, two next hops? Lose the left next hop, set the right parameter to
right=%any, and the right next hop to the IP address of the gateway.

Thank you.  Done that now.

Using PSK (pre-shared keys) or secrets is not the best way to do
things (but is often good for initial testing). Can you use x509 certs with
both ends on your setup?

Since we haven't got any sensitive data (that I'm aware of) on our network
(it is, after all, a home network), is this really necessary?  The secret is
33 characters long... I know there's no such thing as "secure", but do I
actually need to implement any sort of higher-security system?

Entirely up to you. It can also depend on how many connections you are making. 
If it is more than one then x509 provides a more secure authentication + 
encryption system than PSK alone, as each user/computer has their own 
certificates.

I would get your PSKs working before you even consider x509 certs anyway!


I have done this with the "swans" before and all my setup is documented
at http://www.cornelius.demon.co.uk if that is any help?

Thanks... I'll have a look at those.  They look to be really quite
thorough!  Nice job.

-- 

Robin Cornelius
---------------------------------------------------
robin@xxxxxxxxxxxxxxxxxxxxx
GPG Key ID: 0x729A79A23B7EE764
http://www.biglumber.com/x/web?qs=0x729A79A23B7EE764

Attachment: pgp00025.pgp
Description: PGP signature
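
The log check suggested in the message above (watching /var/log/secure or /var/log/auth.log for the success or errors of the connection), as an added example that is not part of the original post. The function names, the sample log lines, the host name "ipcop" and the connection name "home" are constructed, and the message wording is assumed to follow typical pluto output, which varies between the swan versions.

```shell
#!/bin/sh
# Added example: summarise IKE daemon (pluto) lines from an auth log.
# Message wording differs between freeswan/openswan/strongswan versions,
# so the patterns below are assumptions to adjust for your build.

pluto_summary() {
    # $1 = log file, e.g. /var/log/secure or /var/log/auth.log
    awk '
        !/pluto\[/ { next }                         # ignore non-IKE lines
        /ISAKMP SA established/ { phase1++; next }  # phase 1 (authentication) done
        /IPsec SA established/  { phase2++; next }  # phase 2 done, tunnel is up
        /no connection has been authorized|max number of retransmissions|mismatch of preshared secrets/ {
            problems++
            print "PROBLEM: " $0                    # show the line to investigate
        }
        END { printf "phase1=%d phase2=%d problems=%d\n", phase1, phase2, problems }
    ' "$1"
}

write_sample_log() {
    # Constructed sample lines (not from a real system); $1 = output file
    cat > "$1" <<'EOF'
Nov 14 13:50:01 ipcop pluto[1234]: "home" #1: STATE_MAIN_I4: ISAKMP SA established
Nov 14 13:50:02 ipcop pluto[1234]: "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Nov 14 13:55:10 ipcop pluto[1234]: packet from 192.0.2.10:500: initial Main Mode message received on 198.51.100.1:500 but no connection has been authorized
Nov 14 13:58:40 ipcop pluto[1234]: "home" #3: max number of retransmissions (2) reached STATE_MAIN_I1
Nov 14 13:59:00 ipcop sshd[2222]: Accepted password for user from 192.0.2.20
EOF
}

# Run against a real log when a path is given: sh pluto_summary.sh /var/log/secure
if [ -n "${1:-}" ]; then
    pluto_summary "$1"
fi
```

A phase 1 count with no matching phase 2 count points at the tunnel proposal rather than the shared secret, while "no connection has been authorized" usually means the left/right addresses do not match the peer that is actually connecting.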

