RE: VPN
- From: Mike Johnson <mike johnson GSC GTE COM>
- To: redhat-list redhat com
- Subject: RE: VPN
- Date: Mon, 01 Mar 1999 10:11:35 -0500
At 12:21 PM 3/1/99 +1300, you wrote:
>That's a good start at explaining it, Tony.
>
>I would add that there is a HOWTO (part of the LDP?) I have read which
>discusses setting up a VPN between two <Li|U>nix boxes by ssh'ing into the
>peer and running PPP on both ends to tunnel over an ssh connection.
Ack, don't do that. Get CIPE:
http://sites.inka.de/sites/bigred/devel/cipe.html
It is much less of a kluge than PPP over SSH (which is what the VPN HOWTO
explains). CIPE was purpose built for encrypted communications over public
networks. You still need SSH or PGP to do manual key exchange, but after
the keys and settings are configured, CIPE acts just like a regular device,
and the traffic is encrypted. It's also quite fast. There's not as much
overhead as in PPP over SSH.
>That sounds like a nice and free tunnel to me!
Well, 'free' is debatable. You've got to watch out for which version of SSH
you use and the license. CIPE is GPL.
>HTH,
>G
>
>PS. BEWARE of MS PPTP. There is a paper on www.counterpane.com from the
>cryptography legend Bruce Schneier and Mudge from L0PHT about insecurities in
>the OOTB PPTP. I'm sure MS have released fixes to the discovered holes.
Yup. Beware closed-source encryption...
> From: Tony Johnson [SMTP:gjohnson showmaster com]
> To talk with an encrypted connection BETWEEN SITES. I know Checkpoint
> firewall has a piece of software called Secure Remote that does just that.
> Raptor firewall also does VPN. ISPs that do it (I don't know of any that
> would be this giving) can have their remote access server set up with GRE
> Encapsulation, but with Ascends, for instance, you have to devote the whole
> PRI to it, so don't count on that. I'm positive certain Cisco routers can
> be set up in the IOS for VPN, but I'm not familiar. NT RAS has PPTP which
> can talk encrypted between RAS boxes.
> Interesting topic...
Actually, to be technical, you can use some VPN software (CIPE included) to
do host to host encrypted communications. Technically, a host to host (aka
end to end) encrypted channel isn't a VPN (at least, not in my opinion).
Anyways, one uses VPNs to transport communications over public or untrusted
networks (does anyone trust the internet anymore?) securely, usually by
encrypting the contents of packets sent between sites. Note that there is
a package for the Linux Router Project (LRP) for CIPE so that one could
build two LRP's with CIPE and set up a VPN PDQ (sorry, couldn't resist).
Mike
--
Mike Johnson - mike johnson gsc gte com
Network Engineer - Prototype Development
GTE Government Systems - All opinions are mine, not GTE's.
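Added example (not part of this thread, and not CIPE's protocol or the VPN HOWTO's PPP-over-SSH setup): a minimal model of what a site-to-site tunnel does to each packet, as Mike describes it, i.e. take an inner IP packet, encrypt it under a pre-shared key that was exchanged out of band (by SSH or PGP, as the message says), wrap it with a sequence number and an authentication tag, and send the result as one UDP payload. The cipher is a keystream built from HMAC-SHA256 in counter mode purely so that the code needs only the Python standard library; a real tunnel uses a vetted AEAD. The header layout, key derivation labels, tag length and the strictly increasing sequence check are all assumptions of this example. The point a practitioner should take from it is that the public network sees only the header and ciphertext, that a forged or modified datagram is dropped before decryption, and that a replayed datagram is dropped even though its tag is valid.

```python
"""Illustrative site-to-site tunnel framing (added example, not CIPE's code).

Each inner IP packet becomes one UDP payload:  epoch || seq || ciphertext || tag
The keystream is HMAC-SHA256 in counter mode, an illustrative construction
chosen only because it needs nothing beyond the standard library.
"""
import hashlib
import hmac
import struct

HDR = struct.Struct("!IQ")   # assumed header: 32-bit key epoch, 64-bit sequence number
TAG_LEN = 16                 # assumed: truncated HMAC-SHA256 authentication tag


def _subkeys(psk: bytes):
    """Derive separate encryption and authentication keys from the pre-shared key."""
    enc = hmac.new(psk, b"enc", hashlib.sha256).digest()
    mac = hmac.new(psk, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Keystream for one packet: HMAC(enc_key, seq || block) for as many blocks as needed."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!QI", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


class TunnelEndpoint:
    """One end of the tunnel; both sites hold the same PSK and epoch."""

    def __init__(self, psk: bytes, epoch: int = 1):
        self.enc_key, self.mac_key = _subkeys(psk)
        self.epoch = epoch
        self.send_seq = 0
        self.highest_seen = -1   # simplification: accept only strictly increasing seq

    def encapsulate(self, inner_packet: bytes) -> bytes:
        """Encrypt-then-MAC one inner packet into a datagram for the public network."""
        seq = self.send_seq
        self.send_seq += 1
        header = HDR.pack(self.epoch, seq)
        ks = _keystream(self.enc_key, seq, len(inner_packet))
        body = bytes(p ^ k for p, k in zip(inner_packet, ks))
        tag = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        return header + body + tag

    def decapsulate(self, datagram: bytes):
        """Return the inner packet, or None if the datagram is forged, stale or replayed."""
        if len(datagram) < HDR.size + TAG_LEN:
            return None
        header = datagram[:HDR.size]
        body = datagram[HDR.size:-TAG_LEN]
        tag = datagram[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # tampered or forged: never touch the ciphertext
        epoch, seq = HDR.unpack(header)
        if epoch != self.epoch or seq <= self.highest_seen:
            return None                      # wrong key generation, or a replay
        self.highest_seen = seq
        ks = _keystream(self.enc_key, seq, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def demo():
    """Round trip a constructed packet between two sites and exercise the checks."""
    psk = b"constructed PSK, exchanged out of band over SSH or PGP"  # constructed
    site_a, site_b = TunnelEndpoint(psk), TunnelEndpoint(psk)
    # Constructed 20-byte IPv4 header followed by a short payload (not real traffic).
    inner = bytes.fromhex("4500002000010000401100000a000001c0a80101") + b"hello site B"
    wire = site_a.encapsulate(inner)
    results = {
        "roundtrip_ok": site_b.decapsulate(wire) == inner,
        "plaintext_hidden": inner[20:] not in wire,
        "replay_dropped": site_b.decapsulate(wire) is None,
    }
    tampered = bytearray(wire)
    tampered[HDR.size] ^= 0x01                 # flip one ciphertext bit
    results["tamper_dropped"] = TunnelEndpoint(psk).decapsulate(bytes(tampered)) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo()` function returns a small dictionary of checks rather than printing, so the behaviour can be asserted on. Rejecting the tag before any decryption is what keeps the peer from being used as a decryption oracle, and the sequence number is what the "acts just like a regular device" layer needs to refuse old datagrams that an observer on the public network could store and resend.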