#5
1st July 2009
jggimi
More noise than signal

Quote:
Originally Posted by plexter
1. OpenVPN is not used?
Correct. You have a Cisco device, which uses IPSec. OpenVPN is a different VPN technology (SSL/TLS over UDP or TCP), and requires OpenVPN clients and servers at all VPN nodes.
Quote:
2. Setting up VPN access is essentially the same between site-to-site and remote access except with remote access you use "any" as the peer?
The peer is the end node of a tunnel. I don't know if "peer any" is appropriate, or if "peer default" should be used. I would set up and test your expected environment carefully. It is easy for an admin to misconfigure SAs such that they think they are encrypting traffic, without actually doing so. The tcpdump tool is invaluable for confirming if packets are flowing properly via ESP protocol between tunnel endpoints.
Quote:
3. Road warrior?
road warrior

Slang. a person who travels extensively on business.

Origin:
suggested by the film Mad Max: The Road Warrior (1981)
Quote:
4. I'm not sure I see how to set encryption algorithms, or more so force one.
If your two endpoints are OpenBSD, you can leave the defaults, they'll just work (TM). But, with Cisco or other OSes as IPSec nodes, you might need to adjust accordingly. One of the platforms used here with IPSec is my wife's Windows XP WiFi connection. For that connection, I've set both end points of the tunnel to use SHA1 for authentication and 3DES for encryption, as that's the best available for WXP with either what's available from Microsoft built-in (Policy Management snap-in) or available for install from them (ipseccmd.exe), or the IPSec client I'm using on WXP (DrayTek's Smart VPN).

Here's an excerpt from my ipsec.conf file, sort of. The IP address used is a static address for her PC. There is a second ike command for traffic in the opposite direction. On that command, the direction is from the same address to any, with the router's IP address as the peer (tunnel end node), and otherwise the same ike command options.
Code:
ike from any to 192.168.x.y peer 192.168.x.y \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des psk "pre-shared-keyword"

Last edited by jggimi; 1st July 2009 at 03:53 AM.
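An added example, not from jggimi's post or from OpenBSD: a small Python lint for ike rules written in the form of the excerpt above (backslash continuations, main/quick phase options). It flags the 3DES and modp1024 choices the post settles on for the WXP peer and checks that each rule has the opposite-direction rule the post describes. The sample addresses and the WEAK table are constructed assumptions.

```python
"""Lint OpenBSD ipsec.conf 'ike' rules: parse main/quick phase options, flag weak
algorithms, and report rules lacking a reverse rule. Unknown tokens are skipped."""
import re, shlex

# Constructed sample modelled on the post's excerpt (x.y filled with RFC 1918 addresses).
SAMPLE_CONF = r'''
ike from any to 192.168.1.20 peer 192.168.1.20 \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des psk "pre-shared-keyword"
ike from 192.168.1.20 to any peer 192.168.1.1 \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des psk "pre-shared-keyword"
'''

# Assumption: algorithms a current review would reject, with the reason reported.
WEAK = {"3des": "64-bit block cipher", "modp1024": "1024-bit DH group"}

def parse_ike_rules(text):
    """Join backslash-continued lines and return one dict per 'ike' rule."""
    rules = []
    for line in re.sub(r"\\\n", " ", text).splitlines():
        toks = shlex.split(line.split("#", 1)[0])  # shlex also strips the psk quotes
        if not toks or toks[0] != "ike":
            continue
        rule, phase, i = {}, None, 1
        while i < len(toks):
            t = toks[i]
            if t in ("main", "quick"):               # start of a phase 1 / phase 2 block
                phase, rule[t] = t, {}; i += 1
            elif t in ("from", "to", "peer", "psk") and i + 1 < len(toks):
                rule[t] = toks[i + 1]; i += 2
            elif phase and t in ("auth", "enc", "group") and i + 1 < len(toks):
                rule[phase][t] = toks[i + 1]; i += 2
            else:
                i += 1
        rules.append(rule)
    return rules

def find_weak(rules):
    """(rule index, phase, algorithm, reason) for every weak option found."""
    return [(n, ph, v, WEAK[v]) for n, r in enumerate(rules)
            for ph in ("main", "quick") for v in r.get(ph, {}).values() if v in WEAK]

def unpaired(rules):
    """Indexes of rules with no reverse rule (from/to swapped, same main/quick options)."""
    def key(r, rev=False):
        f, t = (r.get("to"), r.get("from")) if rev else (r.get("from"), r.get("to"))
        return (f, t, tuple(sorted(r.get("main", {}).items())),
                tuple(sorted(r.get("quick", {}).items())))
    forward = {key(r) for r in rules}
    return [n for n, r in enumerate(rules) if key(r, rev=True) not in forward]
```

Run `find_weak(parse_ike_rules(SAMPLE_CONF))` to list the flagged options and `unpaired(...)` to see rules whose opposite direction is missing.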