
Client-To-Site VPN Tunnel: NBM 3.8 EP Server, Openswan Client, Xauth

Novell Cool Solutions: Feature
By Chendil Kumar


Posted: 29 Dec 2005

Background

The Xauth (extended authentication) feature is an enhancement to the existing Internet Key Exchange (IKE) protocol. IKE authenticates only the device, not the user of the device. Xauth adds user authentication after the device has been authenticated during normal IKE authentication.

Xauth does not replace IKE; the two work in tandem. Xauth authentication occurs after IKE phase 1 (device authentication) but before IKE phase 2 (IPsec SA negotiation).

Problem

Figure 1: Client-To-Site VPN between Openswan Client and NBM3.8 Server

Let's consider a scenario where a user with only a Linux machine needs to connect to an NBM 3.8 SP4 server. The Client-to-Site connection between NBM 3.8 SP4 and Openswan client supports only the Xauth PSS mode of authentication. In such a scenario, how would we set up a VPN tunnel between the NBM 3.8 SP4 server and an Openswan VPN Client in the Xauth PSS Mode?

Solution

We know that only Xauth PSS Mode of Authentication is supported for the Client-to-Site connection between NBM 3.8 SP4 and Openswan Client. Therefore, we must configure the NBM 3.8 SP4 server with the Xauth PSS Key before setting up the VPN Tunnel with the Openswan VPN Client.

The supported NetWare versions for this solution are NetWare 6.5 SP3 or later, and NetWare 5.1 SP8.

Configuring NBM 3.8 SP4 with the Xauth PSS Key

You can configure the NBM 3.8 SP4 server with the Xauth PSS Key as follows:

1. Configure NBM 3.8 SP4 VPN Server using iManager.

2. Set the Xauth PSS Key in the NBM Server using the following command:

Set ike xauth pre-shared key=1

3. Enter the admin username and password when prompted.

4. Enter the Xauth Pre-shared key when prompted.

The NBM 3.8 SP4 Server is now configured with the Xauth PSS Key.

Setting Xauth in the Openswan Client

You can set Xauth in the Openswan client as follows:

1. Download the latest openswan client.

2. Download the latest IPSec tools.

3. Install the IPSec tools.

4. Install the Openswan client.

Note: You must install the IPSec tools before installing the Openswan client.

5. Edit the /etc/ipsec.conf file by adding the following config details:

# Client-to-Site tunnel to the NBM 3.8 SP4 server (Xauth, pre-shared secret).
# Parameter lines must be indented beneath the conn line.
conn tst
	left=<IP address of Openswan client>
	leftxauthclient=yes
	right=<IP address of NBM 3.8 SP4 Server>
	rightxauthserver=yes
	rightsubnet=0.0.0.0/0
	auto=add
	authby=secret

6. Edit the /etc/ipsec.secrets file by adding the following line:

<IP address of Openswan client> <IP address of NBM 3.8 SP4 Server>: PSK "<shared secret>"

If any entry already exists in the file, comment or delete it.

Note: "PSK" in the command line refers to the Xauth pre-shared key entered at the NBM 3.8 SP4 server.

7. Restart the IPSec service using the following command:

/etc/init.d/ipsec restart

8. Load the connection created in Step 5 using the following command:

ipsec auto --up tst

9. Enter the Full Distinguished Name of the admin and the corresponding password when prompted.

The IPSec connections will now be established.

The Client-To-Site VPN Tunnel is now established between the NBM 3.8 SP4 Server and the Openswan Client. Be sure to check the NBM and Openswan logs, and verify connectivity from the Openswan Client to the remote network behind the NBM Server.
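The following script is an added example, not part of the original article or of Openswan. It generates the client-side pieces of steps 5 and 6 above (the conn section and the ipsec.secrets line), validating the two endpoint addresses first and keeping the secrets file root-only, since it holds the same pre-shared key set on the NBM server. The addresses and secret are constructed placeholders; "tst" is the connection name used in the article.

```sh
#!/bin/sh
# Added example (not from the article): generate the Openswan client side of the
# Xauth PSS tunnel. Addresses and the secret are constructed placeholders; "tst"
# is the connection name the article uses.

# True only for a dotted-quad IPv4 address. A mistyped left=/right= address
# silently sends the IKE proposal to the wrong peer, so validate before writing.
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Print the conn section for /etc/ipsec.conf. Parameter lines must be indented
# under "conn"; the Openswan client is left, the NBM 3.8 SP4 server is right.
render_conn() {
    name=$1 client=$2 server=$3
    is_ipv4 "$client" && is_ipv4 "$server" || return 1
    printf 'conn %s\n' "$name"
    printf '\tleft=%s\n' "$client"
    printf '\tleftxauthclient=yes\n'
    printf '\tright=%s\n' "$server"
    printf '\trightxauthserver=yes\n'
    printf '\trightsubnet=0.0.0.0/0\n'
    printf '\tauthby=secret\n'
    printf '\tauto=add\n'
}

# Write the PSK line for ipsec.secrets. The file holds the same pre-shared key
# that was set on the NBM server, so it is created root-only (mode 600).
write_secrets() {
    file=$1 client=$2 server=$3 psk=$4
    is_ipv4 "$client" && is_ipv4 "$server" || return 1
    ( umask 077; printf '%s %s: PSK "%s"\n' "$client" "$server" "$psk" > "$file" ) || return 1
    chmod 600 "$file"
}

# Usage, mirroring steps 5 and 6 of the article (placeholder addresses):
#   render_conn tst 10.0.0.2 192.0.2.1 >> /etc/ipsec.conf
#   write_secrets /etc/ipsec.secrets 10.0.0.2 192.0.2.1 'constructed-secret'
```

After running these, restart the IPsec service and bring the connection up as in steps 7 and 8.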


© 2014 Novell