Dropping of IPsec VPN in 6.3.0
#43213
Dropping of IPsec VPN in 6.3.0 10 Months, 3 Weeks ago  
I get that it's old, and a pain in the butt to support. But I was rather disappointed to see it would not be supported moving forward.

There are heaps of people that are still using it as a preferred solution to pptp or openvpn.
herballizard
Platinum Boarder
Posts: 394
 
#43223
Re: Dropping of IPsec VPN in 6.3.0 10 Months, 3 Weeks ago  
Openswan is still available as an rpm from the repo and it can be configured manually. A simple configuration is pretty easy. It is a bit harder if you want to make it compatible with the ClearOS5.2 and previous way of doing it (which was more complicated to retain backwards compatibility).
Nick Howitt
Platinum Boarder
Posts: 4137
 
#43225
Re: Dropping of IPsec VPN in 6.3.0 10 Months, 3 Weeks ago  
IPSec is now a paid app called dynamic vpn, which you can use if you want to have an app to manage ipsec or what Nick suggested would be the other option.
James Joseph
Expert Boarder
Posts: 155
 
#43239
Re: Dropping of IPsec VPN in 6.3.0 10 Months, 3 Weeks ago  
The Dynamic or Managed VPN has always been a paid for app. The basic app (app-ipsec) has been dropped/deprecated.
Nick Howitt
Platinum Boarder
Posts: 4137
 
#43282
Re: Dropping of IPsec VPN in 6.3.0 10 Months, 3 Weeks ago  
Hi All,

I think what we need is a very basic 'app' that simply writes the configuration back to ipsec.conf and secrets.conf as one would configure if doing it manually. Things like validation can be added at a later date - but I think that a basic IPSEC VPN should be made available from the GUI if Clear is to be taken seriously as a gateway appliance.

We should forget trying to configure for backwards compatibility - the way it was done with four separate connections seemed hellishly complicated in 5.2. We should use native Openswan configuration, or as close as possible.

Netgear do a basic VPN for their DG834 series router, this is published under an open source licence, and while I don't envisage copying the code completely, I feel that it could be a good starting point. I've attached the html.

I think myself and several others would be happy to sponsor the development. I'm not a coder, nor do I have the hours to learn from scratch, but if someone could perhaps create a VPN 'app' which has at least one input field that writes to the ipsec.conf file, I would love to have a try at adding lines!!

David
David Clayton
Platinum Boarder
Posts: 330
Last Edit: 2012/07/04 08:46 By dcclayton.
 
#43287
Re: Dropping of IPsec VPN in 6.3.0 10 Months, 3 Weeks ago  
Hi all,

David Clayton wrote:
but I think that a basic IPSEC VPN should be made available from the GUI if Clear is to be taken seriously as a gateway appliance.

It is - it's called Dynamic VPN. Experience showed us that plain old IPsec VPN connections did not work with dynamic IPs and were often (but not always) unreliable in the real world. The demand for a reliable VPN solution in ClarkConnect was strong and Dynamic VPN was born many years ago.

Fast forward to today and the need for IPsec is still strong. However, we're not too keen on putting out a solution that's going to be crap. It may be okay for some to reset a stuck unmanaged VPN connection every few weeks, but that's untenable for most businesses. Nobody on the development team has touched that old IPsec code in years (... looks through ClarkConnect archive ... at least 7 years!). As David noted, it uses the old 4-tunnel style connections (yes, 4 VPN tunnels per connection) instead of the standard 1-tunnel with advanced routing (like Dynamic VPN). Why? That's the way it was done back in the day and nobody has touched the code.

To make a long story short, the app was dropped due to lack of a project champion and a record of poor reliability. Keep in mind, the API is still there and anyone is welcome to run with it.

Personally, I would prefer to see energy put into an OpenVPN solution for ClearOS-to-ClearOS systems:

- NAT in the way? No problem for OpenVPN.
- Dynamic IP? No problem for OpenVPN
- Reliability? OpenVPN is more robust -- the protocol defines a keepalive process.
- Network MTU issues? OpenVPN can handle it. MTU issues continue to plague IPsec connections.
- Better firewall management? You betcha.

Pete

There will also be energy put into IPsec connections to 3rd party IPsec appliances, but that will be part of the Dynamic/Managed VPN app.
Peter Baldwin
Developer
Posts: 1566
 
#43289
Re: Dropping of IPsec VPN in 6.3.0 10 Months, 3 Weeks ago  
Peter Baldwin wrote:
- NAT in the way? No problem for OpenVPN.
- Dynamic IP? No problem for OpenVPN
- Reliability? OpenVPN is more robust -- the protocol defines a keepalive process.
- Network MTU issues? OpenVPN can handle it. MTU issues continue to plague IPsec connections.
- Better firewall management? You betcha.

Compatibility with third party router end points? Not to my knowledge with OpenVPN.
Dynamic IP? Much better now with Openswan.
Nick Howitt
Platinum Boarder
Posts: 4137
Last Edit: 2012/07/04 14:22 By NickH.
 
#43322
Re: Dropping of IPsec VPN in 6.3.0 10 Months, 2 Weeks ago  
Hi Pete / Nick,

I agree that a Clear-to-Clear VPN is one thing, but there are still a large number of medium size businesses who use a hub and spoke IPSEC VPN to connect all their sites.

Without a significant investment in new router / gateway hardware (i.e. a Clear box at every site) I think there has to be some backwards compatibility with IPSEC VPN tunnel support maintained.

I think that the existing application would be a good place to start, and hopefully much of the code could be simplified. I have given some serious thought to sponsoring the development of the application. If anyone would be interested please drop me a message.

The more advanced options can (and should) still be configured from the CLI, but I think a basic page in the GUI would be good.

David
David Clayton
Platinum Boarder
Posts: 330
 
#43326
Re: Dropping of IPsec VPN in 6.3.0 10 Months, 2 Weeks ago  
Nick Howitt wrote:
Dynamic IP? Much better now with Openswan

Just to elaborate on this one, Openswan is not tied to using IP addresses everywhere. It can also use FQDNs locally and remotely and can accept remote endpoints from anywhere even without an FQDN. Since somewhere in the v2.6.2x updates the compile time option of working with dynamic IPs was turned on. This means if you use DPD (I think with the restart or restart-by-peer option) then FQDNs are re-read both in the conn and in ipsec.secrets. Remote IPs and FQDNs can be completely avoided, even in complex setups by using rightip=%any and then using left/rightid in the conn and secrets file. In a simple setup you can use %any in the secrets file as well but it is not ideal.
Nick Howitt
Platinum Boarder
Posts: 4137
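
Added example, not part of the original posts and not ClearOS or Openswan project configuration: a sketch of the setup the last post describes, with a hub on a static address accepting one branch that has a dynamic IP. Host names, subnets, conn names and timer values are assumptions; in ipsec.conf the wildcard peer is written right=%any.

```conf
# --- hub: /etc/ipsec.conf (static address, accepts the branch from any IP) ---
conn branch1
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=@hub.example.com
    leftsubnet=192.168.1.0/24
    # Peer address is not known in advance; the peer is identified by its ID.
    right=%any
    rightid=@branch1.example.com
    rightsubnet=192.168.2.0/24
    # Dead Peer Detection: probe every 30 s, give up on the peer after 120 s.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart_by_peer
    # Responder only: load the conn and wait for the branch to call in.
    auto=add

# --- branch: /etc/ipsec.conf (dynamic IP, always initiates) ---
conn hub
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=@branch1.example.com
    leftsubnet=192.168.2.0/24
    # Hub addressed by FQDN (assumed name) rather than a fixed IP.
    right=hub.example.com
    rightid=@hub.example.com
    rightsubnet=192.168.1.0/24
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

# --- both ends: /etc/ipsec.secrets (mode 600, root only) ---
# Entry indexed by the two IDs, so each branch can carry its own key.
@hub.example.com @branch1.example.com : PSK "REPLACE-WITH-LONG-RANDOM-SECRET"
# The simple but "not ideal" form: %any matches every peer, so all remote
# endpoints would share this one secret.
# @hub.example.com %any : PSK "REPLACE-WITH-LONG-RANDOM-SECRET"
```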