Koozali.org: home of the SME Server

Which Freeswan

Paul M

Which Freeswan
« on: August 28, 2003, 08:48:47 AM »
I have given up on trying to get Freeswan working on 5.6 and decided to install 5.5 on both machines, as the majority of posts say 5.6 has too many issues. Does anyone know if a particular version of Freeswan works best with 5.5? Any help would be appreciated.

Peter Schubert

Re: Which Freeswan
« Reply #1 on: August 28, 2003, 03:47:43 PM »
Paul,

Freeswan works fine for me!
(My server: SME 5.6 with devinfo-freeswan-1.99-8sme56.noarch.rpm;
customers with SME 5.5 and 5.6 and different Freeswan versions.)

But ... you need fixed IPs, and on the devinfo-freeswan-1.99-8sme56.noarch.rpm server, change the ID to the IP address.

Peter

Paul M

Re: Which Freeswan
« Reply #2 on: August 29, 2003, 04:21:47 AM »
Hi Peter

Thanks for the reply. I have that devinfo version, but I'm using a dynamic IP at one end, and I don't understand what you mean by 180;s. Can I have a fixed IP on the server and dynamic on the client? Do you mean changing the ID in the server manager?

Appreciate the time.

Paul

Peter Schubert

Re: Which Freeswan
« Reply #3 on: August 29, 2003, 11:40:30 AM »
Hi Paul,

This is a problem with ALL Freeswan versions for SME.

Only the devinfo version can be used with domain names (dynip) instead of IP addresses, but ... I noticed that Freeswan resolves these domain names at startup to (your dynamic) IP addresses, so you need to restart Freeswan every time the (dynamic) IP changes.

It works with Freeswan, but there we need some changes:

In your /etc/ipsec.conf, the parameter "right=" must be:
right=%any
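
A cron-driven watcher for the restart requirement described in the reply above, as an added example that is not part of the original thread or of any FreeS/WAN contrib. The peer name, state-file path and restart command are assumptions; the lookup result is validated before it is recorded, and the first run (no state file yet) counts as a change.

```shell
#!/bin/sh
# Added example, not from the thread. PEER_NAME, STATE_FILE and RESTART_CMD
# are assumptions; adjust them to the actual installation.
PEER_NAME="${PEER_NAME:-peer.example.net}"         # hypothetical dyn-DNS name
STATE_FILE="${STATE_FILE:-/var/run/ipsec-peer.addr}"
RESTART_CMD="${RESTART_CMD:-ipsec setup restart}"

# First IPv4 address the name resolves to; prints nothing on failure.
resolve_peer() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Accept only a dotted quad with four octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# 0: address differs from the recorded one (state file updated)
# 1: unchanged   2: lookup failed or returned something that is not IPv4
peer_changed() {
    addr=$1 state=$2
    is_ipv4 "$addr" || return 2
    old=$(cat "$state" 2>/dev/null || true)
    [ "$addr" = "$old" ] && return 1
    printf '%s\n' "$addr" > "$state"
    return 0
}

main() {
    addr=$(resolve_peer "$PEER_NAME")
    if peer_changed "$addr" "$STATE_FILE"; then
        logger -t ipsec-watch "peer $PEER_NAME is now $addr; restarting ipsec"
        $RESTART_CMD
    fi
}

# Run from cron as: ipsec-watch.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```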

Kelvin

Re: Which Freeswan
« Reply #4 on: August 30, 2003, 05:22:10 AM »
Hi Peter,

>This is a problem with ALL freeswan version for SME.

It is my understanding that the freeswan contrib for SME hosted by Shad Lords (link from contribs.org) CAN use domain names instead of Fixed IPs (this has been the case for some time now and is not new).

Is it your experience that this is not so?

Kelvin

ryan

Re: Which Freeswan
« Reply #5 on: September 01, 2003, 07:24:32 AM »
Paul, I got frustrated with the IPSEC VPN addon not working with 5.6. I ended up installing IPCop servers, which are firewall/IPSEC routers. IPCop is designed to use IPSEC and it works immediately after install. IPCop also has a very nice web interface for administration.

Basically, I have decided to only use stock functions of SME (except port forwarding). Trying to get new releases of SME to work with addon functions was too much headache. Using SME with IPCop is a very effective solution that works using default installs of each.

IPCop allows for a third NIC install for a DMZ. If you only have a single internet IP address available, you can use the DMZ as your external subnet for SME. Or SME can be set up as a standalone server (one NIC). IPCop has a very nice port forwarding setup. IPCop 1.3 can forward PPTP connections to your SME server without having to deal with iptables (in this case, your SME has to be connected to the DMZ subnet).

You should look into IPCop. Another option is the cable/DSL firewall IPSEC VPN router from Linksys. It can handle up to 70 IPSEC tunnels and is cheap and easy to use. I actually use the Linksys IPSEC VPN routers to connect remote locations to my central IPCop server.

good luck,

ryan