OpenSWAN tips and tricks

IPSec is a nice technology providing secure access to other subnets or hosts. Recently I had to work on many different configurations for openswan. I can't say documentation out there is full enough to cover every single question. Here are my tips and tricks. In this article left is an alias for local-side (our PC), while generally it is not. I assume that you have read man ipsec.conf Generic tips
  1. Make sure you fulfill virtual_private with allowed subnets correctly. For IPv4 it is: %v4:,%v4:,%v4: and then add v4:! entries separated by comma. For IPv6: %v6:FD00::/8
  2. Force keepalive packets if you use cellular connection or you're NATed. force_keepalive=yes keep_alive=10 Also, modify Dead Peer Detection accordingly. dpddelay=10 dpdtimeout=480 This really helped me to get connections based on 3G modem work flawlessly.
  3. *nexthop for ppp connections is peer itself.
  4. It is better to include rightnexthop in case if right is IP. For FQDN, OpenSWAN will do the job.
  5. AES is faster for most architectures except if it is hardware-accelerated. For NETKEY kernel crypto is working by default, and for KLIPS you would like to insmod cryptodev (or even cryptosoft).
  6. For L2TP/IPSec client, be specific with open ports: leftprotoport=17/1701. For L2TP/IPsec server, be less specific: leftprotoport=17/%any. Same rule applies to to other side: For L2TP/IPSec client, use rightprotoport=17/1701, and rightprotoport=17/%any for server.
  7. Make sure you have a good route (and/or routing rule) to peer. Some environments might work well until actual connection is established, and then they change routes, making route to peer tunnelled. It mustn't be tunnelled. (For KLIPS it is a bit harder to manage).
  8. XFRM (Netkey) stack is hard to manage in some environments (i.e. gateways). Sometimes I prefer KLIPS for that.
  9. For KLIPS, disable rp_filter. There are other good security advices, but without it it won't work at all.
Certificate tips
  1. If you wish to install certificates on Android, you'd want to have critical,CA:FALSE (or TRUE)-like extension in your certificate.
  2. Set correct IDs for both sides (leftid and rightid). It is really critical. It totally depends on the server side. I usually prefer %fromcert designation, which instructs openswan to insert full description of certificate of the side
  3. Don't forget to configure date :)
Not all tricks are mentioned here, but it is majority of things found during development. Other details can be easily found in the internet.

OSBuilder8: процесс разработки

It is russian version of the article. Look below for english version. Это русскоязычная версия статьи. Англоязычная версия расположена здесь: OSBuilder8: The Process Русскоязычная версия статьи не рекомендуется к цитированию, так как является лишь вольным переводом указанной выше статьи. Я обычно не публикую подробности о проектах, находящихся в активной (посмеялся) разработке. Но я решил напомнить читателям, что я всё ещё жив.
Continue reading

OSBuilder8: development

It is english version of article. Russian version is located here: OSBuilder8: процесс разработки Usually I don't post any details of projects being actively (haha) developed. But this time I decided to do that just to let you know that I am still alive. So, it all started with a simple idea: what about transferring OSBuilder's rom building experience to Windows Phone 8? Huh, important consideration here: there are not that many devices that can take an advantage of custom ROM. Huawei W1, 8X/8S (theoretically), Ativ S are on the top of the list.
Continue reading

Site Footer

Sliding Sidebar

© Maxim Menshchikov