I think what you're asking for is a technique to allow multiple mobile
clients to have remote access to resources on a protected LAN.
FreeS/WAN has a patch for what it calls virtual IP addresses. This patch
is included in the Super FreeS/WAN version, see:
http://www.freeswan.ca/code/super-freeswan
Virtual IP uses proxy ARP to assign an address off of your local LAN
subnet to the mobile client. Take my laptop as an example. It uses the
same IP address when it's connected to the LAN as when it's connected
through the FreeS/WAN SGW. I can switch from a wireline network card to a
wireless network card and any established telnets will continue to
function.
Another nice feature is the SGW does not have to be the firewall.
Because the Virtual IP address feature uses proxy ARP, routing to the
mobile client is not an issue.
At one time I had one of my clients using the IPSec built into Win2k. I
believe we were using PSK on that system. I remember finding something
out on the net on getting the IPSec/Win2k to use X.509 certs. I can
probably dig it up, but a google would find it quickly enough. We ended up
standardizing the Windows configs using SSH Sentinel.
FWIW, using PSK w/ IPSec is problematic. PSK in main mode cannot
handle a dynamic IP address on the mobile client. PSK can work with a dynamic IP
address in aggressive mode, but aggressive mode has security
vulnerabilities.
When I last looked at FreeS/WAN (a few months ago), it did not have X.509
in the stock version. Super FreeS/WAN is your friend :-).
rna
On Wed, 14 Jan 2004, Craig White wrote:
> I was planning on using Smoothwall to set up as a firewall router for a
> clients' network - I had used it in the past with some success. I have
> come to realize that their opensource release doesn't support multiple
> external ip addresses and that is a requirement.
>
> Part of the functionality I am looking for is to permit some users to
> work from home; Windows clients can use L2TP/IPSec to VPN into the
> LAN, and I spent some time examining the documentation for this on
> Microsoft's web site. I could always use 1 or more of the WinXP
> Professional Workstations to handle the VPN connections but these
> machines would have to be on 24/7, are limited to 3 concurrent
> connections (I may never exceed this, but if it's as popular as I think
> it will be, I might need to exceed this) and then there's the whole
> issue of logging and security that is most difficult to monitor.
>
> Thus, I am revisiting the entire option of firewall/router and FreeS/wan
> and I am wondering:
>
> 1 - Is there an open source package that includes support for
> kernel/freeS/wan updates that I could use and still be able to dmz
> multiple external ip addresses?
>
> 2 - Is anyone currently doing this? Any recommendations? If I use say a
> Red Hat distro, every time there is a kernel security errata (a little
> too frequently these days), I would have to either rebuild the kernel or
> rebuild the freeS/wan module - a PITA (makes a ClarkConnect system for
> $125 look attractive).
>
> 3 - Are there any web pages / info that can tell me how to use openssl to
> create certificates which are acceptable to Windows 2000/XP clients that
> I can give to remote clients to use to authenticate themselves with
> freeS/wan or should I stay with PSK?
>
> Thanks,
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
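Craig's third question (OpenSSL certificates that Windows 2000/XP clients can use against a FreeS/WAN gateway carrying the X.509 patch) can be answered with the script below, added here as an example; it is not from the list post or from the FreeS/WAN project, and the directory, subject names, lifetimes and passphrase in it are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: build a small CA with openssl, issue a
# client certificate, and bundle it as PKCS#12 so a Windows 2000/XP client can
# import it. Directory, subject names, lifetimes and the passphrase are
# constructed assumptions; change them for real use.
set -e

make_vpn_certs() {
    dir="$1"       # output directory (constructed, e.g. /tmp/vpn-pki)
    client="$2"    # client common name (constructed, e.g. laptop.example.test)
    mkdir -p "$dir"

    # 1. Self-signed CA. Both the FreeS/WAN gateway and the Windows client
    #    must trust this certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -subj "/C=US/O=Example VPN/CN=Example VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Client key plus CSR, signed by the CA for one year.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=Example VPN/CN=$client" \
        -keyout "$dir/$client.key" -out "$dir/$client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/$client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$client.crt" 2>/dev/null

    # 3. PKCS#12 bundle (private key + client cert + CA cert) for import into
    #    the Windows certificate store. The passphrase protects the key in
    #    transit to the user; the .key file itself should never leave the CA.
    openssl pkcs12 -export -inkey "$dir/$client.key" -in "$dir/$client.crt" \
        -certfile "$dir/ca.crt" -name "$client" -passout pass:changeme \
        -out "$dir/$client.p12"

    # 4. Check that the issued certificate really chains to our CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$client.crt" >/dev/null
}

# Usage: sh make_vpn_certs.sh <outdir> <client-cn>
if [ $# -eq 2 ]; then
    make_vpn_certs "$1" "$2"
fi
```

On the Windows side the .p12 goes into the Local Computer certificate store, since the Windows 2000/XP IKE service authenticates with machine certificates; the gateway only needs ca.crt and its own certificate. With OpenSSL 3.x, add `-legacy` to the `openssl pkcs12 -export` line if an old Windows release rejects the bundle's default encryption.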