Client-To-Site VPN Tunnel: NBM 3.8 EP Server, Openswan Client, Xauth
The Xauth feature is an enhancement to the existing Internet Key Exchange (IKE) protocol. IKE authenticates only the device, not the user of the device. Xauth adds user authentication after the device has been authenticated during normal IKE authentication.
Xauth does not replace IKE; the two work in tandem. Xauth authentication occurs after IKE phase 1 (device authentication) has completed, but before the IPSec SA negotiation in IKE phase 2.
Figure 1: Client-To-Site VPN between Openswan Client and NBM3.8 Server
Let's consider a scenario where a user with only a Linux machine needs to connect to an NBM 3.8 SP4 server. The Client-to-Site connection between NBM 3.8 SP4 and the Openswan client supports only the Xauth PSS (pre-shared secret) mode of authentication. In such a scenario, how would we set up a VPN tunnel between the NBM 3.8 SP4 server and an Openswan VPN client in Xauth PSS mode?
Because only Xauth PSS mode is supported for the Client-to-Site connection between NBM 3.8 SP4 and the Openswan client, we must configure the NBM 3.8 SP4 server with the Xauth PSS key before setting up the VPN tunnel with the Openswan VPN client.
The supported NetWare versions for this solution are NetWare 6.5 SP3 or later, and NetWare 5.1 SP8.
Configuring NBM 3.8 SP4 with the Xauth PSS Key
You can configure the NBM 3.8 SP4 server with the Xauth PSS Key as follows:
1. Configure NBM 3.8 SP4 VPN Server using iManager.
2. Set the Xauth PSS Key in the NBM Server using the following command:
Set ike xauth pre-shared key=1
3. Enter the admin username and password when prompted.
4. Enter the Xauth Pre-shared key when prompted.
The NBM 3.8 SP4 Server is now configured with the Xauth PSS Key.
Setting Xauth in the Openswan Client
You can set Xauth in the Openswan client as follows:
1. Download the latest openswan client.
2. Download the latest IPSec tools.
3. Install the IPSec tools.
4. Install the Openswan client.
Note: You must install the IPSec tools before installing the Openswan client.
5. Edit the /etc/ipsec.conf file by adding a connection block with the following details (the connection is named tst, which is the name used in Step 8):
conn tst
        left=<IP address of Openswan client>
        right=<IP address of NBM 3.8 SP4 Server>
6. Edit the /etc/ipsec.secrets file by adding the following line:
<IP address of Openswan client> <IP address of NBM 3.8 SP4 Server>: PSK "<shared secret>"
If any entry already exists in the file, comment it out or delete it.
Note: "PSK" in this line refers to the Xauth pre-shared key entered at the NBM 3.8 SP4 server.
7. Restart the IPSec service using the following command:
8. Load the connection created in Step 5 using the following command:
ipsec auto --up tst
9. Enter the Full Distinguished Name of the admin and the corresponding password when prompted.
The IPSec connections will now be established.
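The following shell script is an added example, not part of the original article, that generates the two Openswan client-side files from Steps 5 and 6 and applies the file permissions a practitioner would want, since the Xauth pre-shared key is stored in cleartext in ipsec.secrets. The IP addresses and PSK are constructed placeholders; the keywords authby=secret and leftxauthclient=yes are standard Openswan ipsec.conf options that select PSK authentication and Xauth client mode (they are this example's assumption about the full conn block, not settings quoted from the article), and the connection name tst matches the one brought up in Step 8.

```shell
#!/bin/sh
# Added example (not from the original article): render the Openswan
# client files for the Xauth/PSK client-to-site tunnel described above.

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# Render the conn block for /etc/ipsec.conf (Step 5).
# authby=secret      -> authenticate IKE phase 1 with the PSK from ipsec.secrets
# leftxauthclient=yes -> this side is the Xauth client; pluto prompts for the
#                        admin DN and password after phase 1 (Step 9)
# auto=add           -> load the conn at startup so "ipsec auto --up tst" works
render_conn() {
    name=$1; left=$2; right=$3
    valid_ipv4 "$left"  || { echo "bad left address: $left" >&2; return 1; }
    valid_ipv4 "$right" || { echo "bad right address: $right" >&2; return 1; }
    printf 'conn %s\n\tleft=%s\n\tright=%s\n\tauthby=secret\n\tleftxauthclient=yes\n\tauto=add\n' \
        "$name" "$left" "$right"
}

# Render the single /etc/ipsec.secrets entry (Step 6). The secret is quoted,
# so a PSK containing a double quote would corrupt the file; reject it.
render_secret() {
    left=$1; right=$2; psk=$3
    case "$psk" in
        *\"*) echo "PSK must not contain double quotes" >&2; return 1 ;;
    esac
    printf '%s %s: PSK "%s"\n' "$left" "$right" "$psk"
}

# Append the conn block to ipsec.conf and replace ipsec.secrets in $dir
# (use /etc on a real client). The secrets file is created with mode 0600
# because it holds the pre-shared key in cleartext.
write_files() {
    dir=$1; name=$2; left=$3; right=$4; psk=$5
    render_conn "$name" "$left" "$right" >> "$dir/ipsec.conf" || return 1
    ( umask 077; render_secret "$left" "$right" "$psk" > "$dir/ipsec.secrets" ) || return 1
    chmod 600 "$dir/ipsec.secrets"
}

# Usage (constructed placeholder values; real values come from your network):
#   write_files /etc tst 192.0.2.10 198.51.100.1 'replace-with-xauth-psk'
```

After writing the files, restart the IPSec service and bring the tunnel up with ipsec auto --up tst as in Steps 7 and 8; the leftxauthclient setting is what causes the prompt for the admin distinguished name and password in Step 9.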
The Client-To-Site VPN tunnel is now established between the NBM 3.8 SP4 server and the Openswan client. Be sure to check the NBM and Openswan logs, and verify connectivity from the Openswan client to the remote network behind the NBM server.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.