On Wed, Jan 23, 2002 at 09:02:05AM +0100, Olsen Gerhard-Just wrote:
> Hi, I'm investigating the possibility of using a Linux box as an IPsec router. I
> want to be able to connect Windows clients to a LAN over the internet using
> IPsec. There is a Win2k server set up with IPsec. Has anyone any experience
> with this?

Yes, the FreeS/WAN IPsec implementation for Linux (www.freeswan.org) can interoperate with Win2k/XP, etc. I have not used IPsec on Windows, but am running an IPsec gateway on a Debian potato system, as well as several IPsec hosts on various other Debian systems.

> It needs to completely block ALL other incoming and outgoing traffic. (I
> want to force the clients through a proxy.)

iptables.

> It has to be rock stable.

I've never had a Linux system crash. The FreeS/WAN code is very high quality, and has introduced no stability issues.

> Maybe it needs to have some form of local IP handling (DHCP etc.)

apt-get install dhcpd

> The server has a static IP but the IPsec router does not.

This is probably fine, but will require a bit of configuration magic. The FreeS/WAN docs describe such a configuration as a "roadwarrior", since it is usually used for mobile laptops. I've got such a setup running; however, the machine with the dynamic IP is not a gateway.

> I think there are some plug-and-pray routers who have these functions
> already, but if I can use a free Linux on an old PC...

Make sure the machine has enough CPU power to perform the encryption fast enough to avoid any kind of performance hit. I've got FreeS/WAN running on a couple of fairly slow machines (a dual PPro 200 and a 300 MHz Apple PowerMac G3) and don't seem to have any problems.

> I heard something about the Windows implementation of the Kerberos V5
> Protocol not being compatible with the Kerberos V5 Protocol, hence it does not
> work with anything other than Windows. Is this true?

This isn't related to IPsec (unless you plan on using Kerberos to exchange IPsec auth info, which you can't do in Linux anyway). But yes, MS broke Kerberos. They bolted Windows ACLs on to it, but since non-Windows implementations don't know anything about ACLs, bad things can happen. If your KDC is a Unix system, though, I think you can make things work. Interoperability is not completely broken.

> Is there anything else I need to think about?

Make sure you read the interoperability docs. Some tweaking must be done to get different IPsec implementations to talk to each other. This info is linked from freeswan.org.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html