[CentOS] IPSEC How To?

Fri Apr 6 13:34:08 UTC 2012
Ross Walker <rswwalker at gmail.com>

On Apr 6, 2012, at 9:20 AM, Ross Walker <rswwalker at gmail.com> wrote:

> On Apr 5, 2012, at 10:55 AM, Helmut Drodofsky <drodofsky at internet-xs.de> wrote:
> 
>> Hello,
>> 
>> now I have spent many hours to configure openswan for VPN connections 
>> without any success.
>> 
>> My goal:
>> 
>> VPN Server CentOS 6 with public IPv4
>> VPN Client (= road warrier) from private site with NAT router or from 
>> mobile cell with Linux, Windows 7, Mac, iPhone or Android
>> 
>> Is there any how to in the net?
>> 
>> When I read
>> file:///usr/share/doc/openswan-doc-2.6.32/config.html
>> then I belive, there is no solution. It is written, that I have to 
>> reconfigure the NAT router of the mobile provider or the hardware NAT 
>> router of the private dsl uplink.
>> 
>> Both is impossible.
> 
> Long, long time ago in a datacenter far far away I managed to cobble openswan/racoon to provide L2TP VPN connectivity for WinXP. It was a great big hack at the time, but it can be done.
> 
> IPSec can work over NAT if the implementation supports the latest RFCs that allow for NAT traversal and I believe L2TP is the mobile IPSec VPN protocol of choice. It is basically PPTP wrapped in IPSec where the IPSec key is the client X.509 certificate and the PPTP uses mschap authentication.
> 
> This is the most secure as it only allows those clients that have a certificate issued from your CA to connect.
> 
> Don't have a CA, don't know about PKI, then use PPTP with 128-bit encryption as it's easier to get going and universally supported.

Here is a how-to on openswan l2tp.

Seems PSKs are also supported so no PKI is necessary.

-Ross