openswan vpn

 
Luke Matthews
Guest
Posts: n/a

 
      08-31-2004, 02:51 AM
I need to set up a vpn connection between, let's say company A and
company B. I work for company A, and company B has told us that we
can use whatever software we want as long as it is IPSec compliant. I
was having a look around and came across http://www.openswan.org. So
does openswan do the client end as well, or does it only do the server
part? Or is it just both? I was thinking about using it to set up
the connection from company A to company B, but wanted to know for sure
if this is doable before going through the trouble. On the openswan site
it says it's "an implementation of IPsec for Linux" so I'm guessing it
would do exactly what I need, but I'm a total noob when it comes to any
kind of VPN stuff.

I have no idea if this would connect to another Linux box or Windows
box, wasn't given all the details yet, but would like to find a solid
solution and start figuring out how to get it all set up. I want it so
that when I have all the connection specifics I can set it up in the
shortest amount of time possible. Am I steering myself in the right
direction here? Any thoughts on the matter would be appreciated, thanks!

On a side note, I tried out openvpn and successfully made a connection
between two test machines before reading that it isn't IPSec
compliant...doh! lol

--Luke
 
Alex Harsch
Guest
Posts: n/a

 
      08-31-2004, 04:40 PM
Luke Matthews wrote:

> I need to set up a vpn connection between, let's say company A and
> company B. I work for company A, and company B has told us that we
> can use whatever software we want as long as it is IPSec compliant.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^
They didn't say that, did they?
> I
> was having a look around and came across http://www.openswan.org. So
> does openswan do the client end as well, or does it only do the server
> part? Or is it just both? I was thinking about using it to set up
> the connection from company A to company B, but wanted to know for sure
> if this is doable before going through the trouble. On the openswan site
> it says it's "an implementation of IPsec for Linux" so I'm guessing it
> would do exactly what I need, but I'm a total noob when it comes to any
> kind of VPN stuff.

I think you cannot speak about a server or client. You have to establish a
tunnel and transfer data. So a gateway is actually both.
>
> I have no idea if this would connect to another Linux box or Windows
> box, wasn't given all the details yet, but would like to find a solid
> solution and start figuring out how to get it all set up. I want it so
> that when I have all the connection specifics I can set it up in the
> shortest amount of time possible. Am I steering myself in the right
> direction here? Any thoughts on the matter would be appreciated, thanks!

This could work. But it definitely depends on the ipsec implementation on the
other side. There are so many vendor-specific implementations that could
give you a hard time or make it even impossible. For example, the
Watchguard box in my company's office will accept connections from clients
with dynamic IPs only using the aggressive mode negotiations. Most
implementations find this to be insecure and don't implement it. Bad luck.
>
> On a side note, I tried out openvpn and successfully made a connection
> between two test machines before reading that it isn't IPSec
> compliant...doh! lol
>
> --Luke

You're probably best off biting the bullet and starting out with freeswan. It is
a little bit harder to configure but can do all the stuff you will need.

Good luck, Luke.

Regards, Alex
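
Added example, not part of either poster's message: whether a peer negotiates main mode or aggressive mode, as discussed in the reply above, is visible on the wire, because the IKEv1 header carries the exchange type in cleartext. The Python sketch below classifies one captured UDP payload; `classify_ike_packet` and `build_sample` are names made up here, and the sample packets are constructed (a valid header followed by filler bytes).

```python
import struct

# ISAKMP/IKEv1 fixed header (RFC 2408, section 3.1), 28 bytes:
# initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {2: "main mode", 4: "aggressive mode",
                  5: "informational", 32: "quick mode"}
NON_ESP_MARKER = b"\x00" * 4  # prefixes IKE on UDP 4500 (RFC 3948)


def classify_ike_packet(payload, udp_port=500):
    """Describe the IKEv1 exchange in one UDP payload (hypothetical helper)."""
    if udp_port == 4500:
        if payload[:4] != NON_ESP_MARKER:
            return {"ike": False, "reason": "no non-ESP marker (ESP or keepalive)"}
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR.size:
        return {"ike": False, "reason": "truncated header"}
    (_icookie, rcookie, _next, version, xchg,
     flags, _msg_id, length) = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1:
        return {"ike": False, "reason": "not IKEv1"}
    return {
        "ike": True,
        "exchange": EXCHANGE_TYPES.get(xchg, "unknown (%d)" % xchg),
        "aggressive": xchg == 4,
        # Responder cookie is all zero only in the initiator's first message.
        "first_message": rcookie == b"\x00" * 8,
        "encrypted": bool(flags & 0x01),
        "length_ok": length == len(payload),
    }


def build_sample(xchg, body=b"\x00" * 20):
    """Constructed test packet: a valid header followed by filler bytes."""
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, xchg, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body


if __name__ == "__main__":
    for port, pkt in [(500, build_sample(2)), (500, build_sample(4)),
                      (4500, NON_ESP_MARKER + build_sample(4)),
                      (4500, b"\xde\xad\xbe\xef" + b"\x00" * 40),
                      (500, build_sample(4)[:10])]:
        print(port, classify_ike_packet(pkt, port))
```
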

 
Luke Matthews
Guest
Posts: n/a

 
      08-31-2004, 07:32 PM

> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^
> They didn't say that, did they?
>

I think they said that it just needs to be IPSec compliant. They didn't
say "use whatever you want". My bad! lol

> I think you cannot speak about a server or client. You have to establish a
> tunnel and transfer data. So a gateway is actually both.
>


Ok, wasn't sure on that. Like I said, I'm a vpn noob.

>>I have no idea if this would connect to another Linux box or Windows
>>box, wasn't given all the details yet, but would like to find a solid
>>solution and start figuring out how to get it all set up. I want it so
>>that when I have all the connection specifics I can set it up in the
>>shortest amount of time possible. Am I steering myself in the right
>>direction here? Any thoughts on the matter would be appreciated, thanks!

>
> This could work. But it definitely depends on the ipsec implementation on the
> other side. There are so many vendor-specific implementations that could
> give you a hard time or make it even impossible. For example, the
> Watchguard box in my company's office will accept connections from clients
> with dynamic IPs only using the aggressive mode negotiations. Most
> implementations find this to be insecure and don't implement it. Bad luck.
>
>>On a side note, I tried out openvpn and successfully made a connection
>>between two test machines before reading that it isn't IPSec
>>compliant...doh! lol
>>
>> --Luke

>
> You're probably best off biting the bullet and starting out with freeswan. It is
> a little bit harder to configure but can do all the stuff you will need.
>
> Good luck, Luke.
>
> Regards, Alex
>


The freeswan site says that openswan and strongswan are code forks of
freeswan, so they should be basically the same as freeswan, with
possibly updated/extra features, right?

I think we basically just need to have a tunnel between company A and
company B with no dynamic IP clients connecting (all static, at least on
our end), so hopefully that will make it much simpler to set up. I'll
give it a shot with freeswan, openswan, or strongswan and see where it
gets me. I just mentioned openswan before since I figured it would be
more up to date than freeswan. Although, it does look like strongswan
supports some different stuff too. I'll have to assess what is needed
when the details finally come in I suppose, then make a decision.

I'm not sure when I'll get the connection details, but I'll keep you
posted if I can get it working or not. I kinda thought I'd have the
connection info by now so I could get this up. It's kind of like
watching water boil waiting on it. lol Thanks for the info Alex!

--Luke
 