
Resolved
0 votes
I purchased the Business version of IPSec, for home use. I'd like to be able to connect to home while I'm on the road. I can fill out 1/2 of the info on the "new connection" screen for the IPSec setup, but I don't know the rest of the "remote" section since the network I'm going to be on will always be changing. Can someone help me figure out how to set up this roadwarrior setup?

Thanks,
B
Sunday, January 31 2016, 04:10 PM
Responses (12)
  • Accepted Answer

    Sunday, January 31 2016, 07:51 PM - #Permalink
    Resolved
    1 votes
    The three different packages available to configure IPsec all cater for LAN-LAN connections and not roadwarrior. Your best bet is OpenVPN. With IPsec (Openswan), for road warriors you need to install and configure xl2tpd as well and it will be a fully manual configuration. If the IPsec package has switched to Libreswan, then have a look on their site for how to do a roadwarrior connection. I think their example uses certificates but you can probably also do it with PSKs.

    The pain-free way is OpenVPN.
  • Accepted Answer

    Sascha
    Wednesday, September 06 2017, 07:20 PM - #Permalink
    Resolved
    0 votes
    Nick,

    thanks for clarifying this one.

    I've a similar setup, though I got an IPsec (static route) already running and stability testing through days of pinging the IP. Good so far and almost a purchase for me...!

    BUT: if I have this static IPsec route running, how can I connect my 4-5 road warriors additionally onto the same server? Just install OpenVPN and keep it running with Static IPsec at the same time?

    Or is it that only one can coexist to each other?


    Thanks in advance!!!
  • Accepted Answer

    Wednesday, September 06 2017, 07:40 PM - #Permalink
    Resolved
    0 votes
    They coexist quite happily. I use both at the same time. There is even a cute way you can configure the roadwarriors on OpenVPN to be able to connect to your remote IPsec subnet via your server. When on the road I can connect to my server by OpenVPN then onto my brother by IPsec.
  • Accepted Answer

    Wednesday, September 06 2017, 07:55 PM - #Permalink
    Resolved
    0 votes
    Just to add, it is possible to configure IPsec for roadwarriors now using IKEv2 but the ClearOS interfaces do not support it. You can configure the files manually, but you'd need to look at the Libreswan website to see how.
  • Accepted Answer

    Sascha
    Wednesday, September 06 2017, 08:27 PM - #Permalink
    Resolved
    0 votes
    Nick,

    Thanks again. You wrote "There is even a cute way you can configure the roadwarriors on OpenVPN to be able to connect to your remote IPsec subnet via your server"

    This is EXACTLY what I want to achieve. Is it possible you could help me set up this scenario?

    Cheers
    Sascha
  • Accepted Answer

    Wednesday, September 06 2017, 08:44 PM - #Permalink
    Resolved
    0 votes
    What are your local and remote LAN subnets with your IPsec tunnel?

    [edit]
    Hmm it seems I undid my set up. I'll try to remember.
    [/edit]
  • Accepted Answer

    Sascha
    Thursday, September 07 2017, 03:48 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    What are your local and remote LAN subnets with your IPsec tunnel?

    [edit]
    Hmm it seems I undid my set up. I'll try to remember.
    [/edit]


    Local: 192.168.130.0/24
    Remote (ClearOS): 192.168.131.0/24
  • Accepted Answer

    Thursday, September 07 2017, 07:03 AM - #Permalink
    Resolved
    0 votes
    Because your local and remote subnets are adjacent and in the same /23 subnet, you can't use my cute way. I'll post more detailed instructions later today as I need to test one thing.
  • Accepted Answer

    Sascha
    Thursday, September 07 2017, 07:41 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Because your local and remote subnets are adjacent and in the same /23 subnet, you can't use my cute way. I'll post more detailed instructions later today as I need to test one thing.


    Nick,

    I can definitely still change the remote subnet to whatever would be needed. I just have to get these road warriors on board ... somehow :(

    I would post this job on guru.com if you like to help me!


    Cheers
    Sascha
  • Accepted Answer

    Thursday, September 07 2017, 08:31 PM - #Permalink
    Resolved
    0 votes
    Just got home and tested.

    The cute/easy way is to put your OpenVPN subnet (in /etc/openvpn/clients.conf) and your LAN subnet on adjacent subnets which can then form part of a larger subnet. As an example you could switch your LAN subnet to 10.8.1.0/24. Then in IPsec your local subnet becomes 10.8.0.0/23 and your remote one stays as 192.168.131.0/24. Then in /etc/clearos/network.conf set EXTRALANS to 192.168.131.0/24. Then restart OpenVPN and everything should work. Alternatively move OpenVPN to 192.168.131.0/24 then in IPsec your local LAN becomes 192.168.130.0/23. You would then choose something else for your remote LAN and put that something else into EXTRALANS in /etc/clearos/network.conf and restart OpenVPN. Make the remote IPsec configuration match your local one. I hope you get the picture. The key thing is to get your local LAN onto an adjacent subnet to the OpenVPN LAN such that they form part of a larger subnet.

    If you don't want to change your LANs you don't have to. Unfortunately the Webconfig IPsec interface does not support multiple LANs in the local/remote subnet lines even though the underlying package, libreswan, does. You can go to a manual configuration (but it uses a slightly different syntax for multiple LANs), but you can also get round it with the webconfig. In the webconfig you have to create an identical connection to your current LAN/LAN connection, only changing the name and the local subnet which you set to your OpenVPN subnet (10.8.0.0/24). Again, mirror this at the remote end. It is essential that the PSKs of both connections are the same. As before, in /etc/clearos/network.conf set EXTRALANS to 192.168.131.0/24 and restart OpenVPN.
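
Added example, not part of the post above and not ClearOS code: a check of whether a LAN and an OpenVPN pool can be expressed as the single IPsec local subnet the post describes, without swallowing the remote LAN. The function name and result keys are hypothetical; the sample addresses are constructed from those quoted in the thread.

```python
import ipaddress

def plan_roadwarrior_ipsec(lan, openvpn, remote):
    """Return the IPsec subnets and EXTRALANS value for the single-supernet
    layout, or raise ValueError when that layout cannot work.
    (Hypothetical helper; names are not from ClearOS.)"""
    lan_net = ipaddress.ip_network(lan)
    vpn_net = ipaddress.ip_network(openvpn)
    remote_net = ipaddress.ip_network(remote)
    if lan_net.overlaps(vpn_net):
        raise ValueError("LAN and OpenVPN pool overlap")
    # collapse_addresses merges two networks only when they are the two
    # halves of one larger, correctly aligned subnet.
    merged = list(ipaddress.collapse_addresses([lan_net, vpn_net]))
    if len(merged) != 1:
        raise ValueError(f"{lan_net} and {vpn_net} do not form one larger subnet; "
                         "use a second IPsec connection for the OpenVPN pool")
    local = merged[0]
    if local.overlaps(remote_net):
        raise ValueError(f"local {local} would swallow remote LAN {remote_net}")
    return {"ipsec_local": str(local), "ipsec_remote": str(remote_net),
            "EXTRALANS": str(remote_net)}

if __name__ == "__main__":
    cases = [  # constructed from the addresses quoted in the thread
        ("10.8.1.0/24", "10.8.0.0/24", "192.168.131.0/24"),
        ("192.168.130.0/24", "192.168.131.0/24", "192.168.131.0/24"),
        ("192.168.130.0/24", "10.8.0.0/24", "192.168.131.0/24"),
        ("10.8.1.0/24", "10.8.2.0/24", "192.168.131.0/24"),
    ]
    for case in cases:
        try:
            print(case, "->", plan_roadwarrior_ipsec(*case))
        except ValueError as err:
            print(case, "-> rejected:", err)
```

The widened local subnet is also what the remote peer will accept traffic from over the tunnel, so both halves of it should be networks you control.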
  • Accepted Answer

    Friday, January 19 2018, 01:47 AM - #Permalink
    Resolved
    0 votes
    We are considering upgrading our ClearOS 6 machine to 7, and I saw this offered as a $25 addon to the subscription.
    I need to get my users onto their office desktops from home or the road. Right now we use port forwarding, which works fine but is not very secure.
    From the description in this thread, I'm guessing this is way too complicated for our needs.
    Is there any way I can give my users access using the Windows Remote Desktop app, but with better security than forwarding ports through our gateway, that doesn't require elaborate setup on their home machines?
  • Accepted Answer

    Friday, January 19 2018, 02:17 PM - #Permalink
    Resolved
    0 votes
    Hi Greg,
    IPsec within ClearOS is only really for LAN-LAN connections. You can set up libreswan on your own for roadwarriors using IKEv2 but you can't use the ClearOS webconfig as it is missing a setting or two.

    The only real VPN alternatives are PPTP and OpenVPN. PPTP is not so secure these days but has the advantage it is built into many OSes and in Windoze can cache the password allowing an autoconnect. OpenVPN is more secure. If you need, it is very easy to unbolt the user/pass bit so it only needs certificates to connect and this is probably not much different to Windoze caching the password. If you do this, the PC can automatically connect on boot up if you set the service to start, otherwise it will automatically connect when you start the connection in the OpenVPN GUI without prompting for a password.