From: Ken Bantoft (ken_at_freeswan.ca)
Date: Tue Nov 12 2002 - 02:21:01 CET
On Mon, 11 Nov 2002, mowglie wrote:
> just asking for basic guidance. i successfully installed freeswan and
> checked per the quickstart. but i need these answers to get a clue on
> what to do next. with these answers i know there's enuf doc/info on the
> sites to get me the rest of the way.
>
> using rh 8 as ipsec vpn gateway/router (static ip w/ NAT) with win ME
> remote clients (dynamic IP from isp so probably dhcp as well).
> questions:
>
> 1. what is a good (and free) vpn client for win me w/ ipsec
> and freeswan? i saw ms makes one for a L2tp/ipsec tunnel. can i use
> that with freeswan?
> http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
The only 100% free client I'm aware of is Markus Muller's ipsec.exe tool.
http://vpn.ebootis.de/
> 2. client only needs files on vpn gateway, not other nodes on LAN. is the NAT an ipsec issue for me?
> gateway has 2 nics, one pvt ip, one public.
Probably not an issue, if it's statically NAT'd.
> 2.5 (afterthought) is it more secure to have vpn gateway on a
> physically separate linux box than the LAN router/fileserver? or no big
> security gain from that?
There's always the tradeoff of more security by separating services, but
more complexity, and more things to be mis-configured (and possibly
opening up more security holes). It all depends on the situation.
> 3. i read the manuals and docs and all (yes still a bit confused) but
> one person explained all the certificate setup. but does that mean i
> need to pay someone for being my certificate authority in order to
> accomplish the goals above (remote client login via vpn)? not totally
> familiar with the certificate process and how that works. do i even
> need to create/use certificates?
You can create a self-signed OpenSSL CA + various certs for free. Nate
Carlson's Howto explains this procedure step by step -
http://www.natecarlson.com/ipsec-x509.html
> 4. though i read it, i dont get still what the exact benefits of
> opportunistic encryption are? any sample scenarios to make it more
> clear to a newbie to ipsec?
OE (as it's commonly referred to) is used to "hide" the complexities of
encryption configuration from the end-user, and the applications. It uses PKI
(Public keys in DNS Records) to do key management, and allows any two OE
enabled hosts to establish an IPSec tunnel without system administrator
intervention. Great for any sort of server to have enabled, so both OE
and non-OE clients can connect, and the OE enabled ones get the benefit of
encryption on all traffic.
Unfortunately, there's no MS Windows client at the moment, so it won't help
you in your situation.
> comment: u guys are one of the more patient support lists i've found.
> oft, beginner questions are just completely disregarded.
>
> thanx a great deal for that.
Hope this lives up to your expectations then =)
--
Ken Bantoft The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca http://www.freeswan.ca
PGP Key: finger ken_at_bantoft.org
"Random numbers should not be generated with a method
chosen at random." -- Donald Knuth,
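The answer to question 3 above, as an added example that is not part of the original message or of the howto it links to: a private, self-signed OpenSSL CA issues one certificate for the gateway and one for a remote client, and each end then trusts only certificates that chain to that CA. The names (`vpn-ca`, `gateway.example.test`, `roadwarrior1`, `other-ca-client`) are constructed placeholders, and the commands assume the OpenSSL 1.1.1 or later command line.

```shell
#!/bin/sh
# Added example: a private CA for VPN certificates. No commercial CA is involved.
# All subject names below are constructed placeholders.

make_ca() {  # $1 = working directory; writes ca.key (keep private) and ca.pem
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example VPN/CN=vpn-ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {  # $1 = working directory, $2 = common name of the new certificate
    # The key pair and signing request belong to the end host; the CA only signs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example VPN/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 825 -in "$1/$2.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" 2>/dev/null
}

verify_cert() {  # succeeds only if certificate $2 chains to the CA stored in $1
    openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1
}

demo() {  # gateway and client certificates from the same CA both verify
    dir=$(mktemp -d) || return 1
    make_ca "$dir" &&
    issue_cert "$dir" gateway.example.test &&
    issue_cert "$dir" roadwarrior1 &&
    verify_cert "$dir" "$dir/gateway.example.test.pem" &&
    verify_cert "$dir" "$dir/roadwarrior1.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}

foreign_cert_rejected() {  # a certificate signed by a different CA must not verify
    a=$(mktemp -d) && b=$(mktemp -d) || return 1
    make_ca "$a" && make_ca "$b" && issue_cert "$b" other-ca-client ||
        { rm -rf "$a" "$b"; return 1; }
    if verify_cert "$a" "$b/other-ca-client.pem"; then rc=1; else rc=0; fi
    rm -rf "$a" "$b"
    return $rc
}
```

Only `ca.pem` and each host's own key and certificate need to be distributed; `ca.key` stays on the machine that signs.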