[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: VPN solution(s) for Fedora Core



Felipe Alfaro Solana wrote:
On Fri, 2004-05-21 at 17:52, Jason Tackaberry wrote:


There seem to be two general approaches to VPNs, each with their own
advantages and disadvantages: kernel space, and user space.  I feel the
only kernel solutions worth considering are those which implement IPsec.
There exist several packages implementing VPN solutions in userspace,
such as vtun, tinc, and OpenVPN.


I would stick with industry-standard technologies, like IPSec, as much
as possible. I have used IPSec in tunnel mode to setup VPN tunnels
between several branch offices.

--- BEGIN ADVICE ---

However, I must say there are some problems with automatic keying and
2.6 kernels regarding the use of ISAKMP/IKE. The problem is that
setting an SPD between both tunnel end-points causes the first packet
between any of them to start negotiating the Security Association. But
the kernel, instead of queueing the packet that triggered the ISAKMP/IKE
exchange (in order to set up the SA), discards it and returns an -EAGAIN
error to the userspace caller which, in turn, translates into "Resource
temporarily unavailable" for user space programs.

This happened to me when using "racoon" to manage an automatically keyed
SA, based on X.509 certificates. Doing a ping to force the ISAKMP/IKE
exchange, and to set up the SA, caused the first ping packet to fail
with "Resource temporarily unavailable". Once the SA had been set up, no
more packets were discarded.

--- END ADVICE ---

Don't know if this behavior is applicable to 2.4 kernels, Free/SWAN or
Open/SWAN IPSec stacks.

We have about 80 VPN endpoints. At the beginning we tried to use FreeS/WAN and IPsec, then racoon, but after a few months we gave it up. They (currently) all have such bugs and missing features that are essential in a real environment. Maybe IPsec is the future, but we still don't know. At the same time OpenVPN has all the required features and even more! Reliable, fast and easy to install and manage! I already asked for it last year, but:
http://www.redhat.com/archives/fedora-devel-list/2003-October/msg00927.html


--
  Levente                               "Si vis pacem para bellum!"
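The first-packet failure Felipe describes above (the kernel returning EAGAIN, "Resource temporarily unavailable", for the packet that triggers the IKE exchange, and then passing everything once the SA exists) is something a userspace program can survive by treating EAGAIN from sendto() as transient and retrying. The following is an added example, not code from the thread, racoon or any of the projects mentioned. The NegotiatingSocket class is a constructed stand-in that mimics the kernel behaviour so the code runs offline; the retry count and delay are assumptions, not values from the thread.

```python
"""Added example: retry a datagram send that fails with EAGAIN while an
IKE daemon is still negotiating the Security Association.

Symptom from the thread: with an SPD requiring IPsec, the first packet to
a peer is dropped with -EAGAIN instead of being queued until the SA is up.
A sender that treats EAGAIN as transient and retries a few times gets the
packet through once the SA exists, instead of reporting a hard failure.
"""
import errno
import socket
import time


def send_with_retry(sock, payload, addr, retries=5, delay=0.2, sleep=time.sleep):
    """Send payload to addr, retrying while the kernel reports EAGAIN.

    Returns the number of attempts used (1 means no retry was needed).
    Any errno other than EAGAIN/EWOULDBLOCK is raised immediately; EAGAIN
    is raised only after `retries` attempts have all failed.
    `retries` and `delay` are assumed defaults for illustration.
    """
    if retries < 1:
        raise ValueError("retries must be at least 1")
    for attempt in range(1, retries + 1):
        try:
            sock.sendto(payload, addr)
            return attempt
        except OSError as exc:
            # Only the "SA not yet negotiated" case is worth retrying;
            # ENETUNREACH, EPERM and friends are real errors.
            if exc.errno not in (errno.EAGAIN, errno.EWOULDBLOCK):
                raise
            if attempt == retries:
                raise
            sleep(delay)  # give racoon/IKE time to finish the exchange


def send_outcome(sock, payload, addr, **kwargs):
    """Convenience wrapper: (True, None) on delivery, (False, errno) on failure."""
    try:
        send_with_retry(sock, payload, addr, **kwargs)
        return True, None
    except OSError as exc:
        return False, exc.errno


class NegotiatingSocket:
    """Constructed stand-in for a UDP socket behind a 'require' SPD.

    The first `fail_first` sends raise the given errno (EAGAIN by default),
    mimicking the kernel discarding packets while IKE is in flight; later
    sends are recorded as delivered.
    """

    def __init__(self, fail_first, error_code=errno.EAGAIN):
        self.remaining = fail_first
        self.error_code = error_code
        self.sent = []

    def sendto(self, payload, addr):
        if self.remaining > 0:
            self.remaining -= 1
            raise OSError(self.error_code, "Resource temporarily unavailable")
        self.sent.append((payload, addr))
        return len(payload)


if __name__ == "__main__":
    # Simulated peer: two EAGAINs while the SA comes up, then delivery.
    peer = ("192.0.2.1", 500)  # documentation address, not a real host
    fake = NegotiatingSocket(fail_first=2)
    print("attempts needed:", send_with_retry(fake, b"probe", peer, sleep=lambda _: None))

    # Drop-in use with a real UDP socket (loopback, so it works offline).
    real = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    print("loopback attempts:", send_with_retry(real, b"probe", ("127.0.0.1", 9)))
    real.close()
```

Ping cannot be told to do this, which is why the first ICMP echo in Felipe's test was lost; a program that owns its own socket can. The retry is deliberately limited so that a peer whose IKE exchange never completes still surfaces as an error rather than hanging forever.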


