VPN solution(s) for Fedora Core

Farkas Levente lfarkas at bppiac.hu
Sat May 22 12:59:09 UTC 2004


Felipe Alfaro Solana wrote:
> On Fri, 2004-05-21 at 17:52, Jason Tackaberry wrote:
> 
> 
>>There seem to be two general approaches to VPNs, each with their own
>>advantages and disadvantages: kernel space, and user space.  I feel the
>>only kernel solutions worth considering are those which implement IPsec.
>>There exist several packages implementing VPN solutions in userspace,
>>such as vtun, tinc, and OpenVPN.
> 
> 
> I would stick with industry-standard technologies, like IPSec, as much
> as possible. I have used IPSec in tunnel mode to setup VPN tunnels
> between several branch offices.
> 
> --- BEGIN ADVICE ---
> 
> However, I must say there are some problems with automatic keying and
> 2.6 kernels regarding the use of ISAKMP/IKE. The problem is that
> setting an SPD between both tunnel end-points causes the first packet
> between any of them to start negotiating the Security Association. But
> the kernel, instead of queueing the packet that triggered the ISAKMP/IKE
> exchange (in order to set up the SA), discards it and returns -EAGAIN
> error to the userspace caller which, in turn, translates into "Resource
> temporarily unavailable" for user space programs.
> 
> This happened to me when using "racoon" to manage an automatically keyed
> SA, based on X.509 certificates. Doing a ping to force the ISAKMP/IKE
> exchange, and to set up the SA, caused the first ping packet to fail
> with "Resource temporarily unavailable". Once the SA had been set up, no
> more packets were discarded.
> 
> --- END ADVICE ---
> 
> Don't know if this behavior is applicable to 2.4 kernels, Free/SWAN or
> Open/SWAN IPSec stacks.

We have about 80 VPN endpoints. At the beginning we tried to use FreeS/WAN and 
IPsec, then racoon, but after a few months we gave it up. They 
(currently) all have such bugs and missing features that are essential in 
a real environment. Maybe IPsec is the future, but that is still not known. At 
the same time OpenVPN has all the required features and even more! 
Reliable, fast and easy to install and manage! I already asked for it last 
year but:
http://www.redhat.com/archives/fedora-devel-list/2003-October/msg00927.html

-- 
   Levente                               "Si vis pacem para bellum!"
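One defensive way to live with the behaviour described in the quoted advice (the first packet is dropped with EAGAIN while IKE negotiates the SA) is to retry only on EAGAIN and surface every other error immediately. This is an added example, not code from the thread; the kernel's behaviour is simulated by a constructed fake sender, and the function names are assumptions.

```python
import errno
import time
from typing import Callable, Dict

# A sender takes a payload and returns the number of bytes sent, or raises
# OSError exactly like socket.send()/sendto() would.
Sender = Callable[[bytes], int]


def send_with_ike_retry(send: Sender, payload: bytes,
                        retries: int = 5, delay: float = 0.0) -> Dict[str, int]:
    """Send payload, tolerating the 2.6-kernel behaviour from the thread:
    when an SPD entry triggers ISAKMP/IKE and no SA exists yet, the packet
    is discarded with EAGAIN.  Only EAGAIN/EWOULDBLOCK is retried; any
    other errno is re-raised so real failures are not masked."""
    eagain_count = 0
    for attempt in range(1, retries + 1):
        try:
            sent = send(payload)
            return {"attempts": attempt, "eagain": eagain_count, "sent": sent}
        except OSError as exc:
            if exc.errno not in (errno.EAGAIN, errno.EWOULDBLOCK):
                raise
            eagain_count += 1
            time.sleep(delay)  # give racoon time to finish the exchange
    raise TimeoutError(
        f"no SA after {retries} attempts ({eagain_count} EAGAIN)")


def make_fake_tunnel(negotiation_sends: int, err: int = errno.EAGAIN) -> Sender:
    """Constructed simulation (not a real socket): the first
    `negotiation_sends` sends fail with `err` while the SA is being set up;
    once the SA is 'established', sends succeed and return the byte count."""
    state = {"calls": 0}

    def send(payload: bytes) -> int:
        state["calls"] += 1
        if state["calls"] <= negotiation_sends:
            raise OSError(err, "Resource temporarily unavailable")
        return len(payload)

    return send


if __name__ == "__main__":
    # First ping is dropped during negotiation, second one goes through.
    print(send_with_ike_retry(make_fake_tunnel(1), b"ping", retries=3))
```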
