On Wed, 2008-11-05 at 22:25 -0700, Kevin Kempter wrote:
> Hi All;
>
> I have several clients I work with all of 'em have some sort of VPN - some are
> java web based, some are PPTP, Cisco, etc

PPTP pre Windows XP (NT and 2k) was supported under poptop but terribly insecure. XP "PPTP" is a variant of L2TP which supports a variant of IPSec and is supported under several IPSec implementations. Cisco is also an IPSec variant that may or may not require XAUTH authentication. You may need the Cisco specific vpn client package for Linux that's floating around if you have authentication problems.

On Fedora, what you are looking for to be compatible with the largest subset of them would be OpenSWAN (Debian / Ubuntu chose to go with StrongSWAN). OpenSWAN and StrongSWAN are very similar (both being derived from the now defunct FreeS/WAN project) with similar configurations and both now support both IKE (Internet Key Exchange) and IKE2, although IKE2 is less mature than IKE. IKE will probably suffice for the cases you quote above, other than the java web based (which is probably a proprietary SSL based vpn over tcp tunnels which will suck royally for performance and scalability).

> Anyone have recommendations for a good VPN tool (tools) ?

If you're rolling your own from scratch and are not real worried about performance and can install third party apps on Windows then OpenVPN is a good choice recommended by many. If you are after standards based vpn and interoperability and performance, then OpenSWAN / IPSec would be a better choice. I use both depending on circumstances. OpenVPN makes a nice IPv6 tunnel broker configuration which I can't do with the current *SWAN implementations - but may be able to with IKE2 as that matures. OpenVPN is also nice as a backup P2P VPN and outperforms SSL or SSH based VPNs but doesn't keep up with IPSec based VPNs under heavy load.
At one time, it was argued that OpenVPN was much easier to deploy, configure, and use, and the arguments would have been valid. Back then. Over the years, OpenVPN has become more feature-full (read that as more complex, difficult to configure, and obtuse to get to work in a lot of corner cases) while OpenSWAN/StrongSWAN/FreeSWAN has become much, much easier (OTOH, Racoon / setkey is still a rocket scientist head case) to configure and deploy. Nowadays I don't find IPSec any more difficult to configure than OpenVPN, and it will interface with Ciscos and other black boxes which OpenVPN will NOT. OpenSWAN or StrongSWAN will interface with modern Windows (XP, 2003, Vista, etc) VPNs which OpenVPN will not (you have to install the OpenVPN client package on Windows, which you may or may not be allowed to do depending on environment).

Also, IPSec is implemented in the Linux kernel and the tunnels run in kernel space, which is a performance win (no user space switching on packet routing). IPSec also supports both an ESP mode (classical IPSec) and an ESP-IN-UDP encapsulation for IPSec NAT-T, which carries additional overhead but will traverse NATs. OpenVPN, OTOH, is a user space tunnel implementation which results in lower performance, which won't really matter for smaller networks (but forced the JOIN IPv6 project to disable encryption due to performance issues). It also utilizes ESP-IN-UDP encapsulation (and only utilizes ESP-IN-UDP), which incurs the additional UDP overhead the same as IPSec NAT-T, although it's an incompatible implementation of ESP-IN-UDP (different UDP port) from IPSec NAT-T.

OpenVPN is well supported, but the latest version has been in "RC" status for seemingly forever. The last 2.0 version (2.0.9) was over 2 years ago and 2.1 has only been in "release candidate" from well before then. The version in yum is an RC of the eventual 2.1 release.
You really REALLY want the 2.1 release of OpenVPN for any shot at scaling large networks, since it supports a server mode on a single UDP port (IPv4 only). Earlier versions required a different UDP port for each connection (IPv6 still does) and did not scale well past a few dozen connections. Fully meshed mode does not scale well in either case with OpenVPN but is very straightforward with certificates and the *SWANs.

All of this, OpenSWAN, IPSec-Tools (Racoon), and OpenVPN, is in the stock Fedora yum repos. Pick yer poison.

> Thanks in advance

Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw WittsEnd com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
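The post contrasts IPsec NAT-T's ESP-in-UDP with OpenVPN's own UDP encapsulation (different port), and IKE with IKE2. As an added example that is not part of the original message, here is a small Python classifier a network defender could run over UDP payloads from a capture to tell these flows apart by destination port and leading header bytes; the ports and header layouts are the IETF/IANA defaults (RFC 3948 NAT-T, RFC 4303 ESP, RFC 4306 IKE, OpenVPN's opcode byte), and the sample datagrams are constructed.

```python
"""Classify a UDP datagram as IKE, IPsec NAT-T keepalive, UDP-encapsulated
ESP, or OpenVPN from its destination port and leading header bytes.
Added example, not from the mailing-list post. Ports are the IETF/IANA
defaults; header layouts follow RFC 3948 (NAT-T), RFC 4303 (ESP) and
RFC 4306 (IKE). Sample payloads below are constructed, not captured."""
import struct

IKE_PORT, NAT_T_PORT, OPENVPN_PORT = 500, 4500, 1194
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefixes IKE on UDP 4500
IKE_HEADER_LEN = 28
# OpenVPN wire format: first byte = opcode << 3 | key_id.
OPENVPN_OPCODES = {4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
                   7: "P_CONTROL_HARD_RESET_CLIENT_V2",
                   8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2"}

def parse_ike(hdr: bytes) -> dict:
    """IKE header: SPIs at 0-15, next payload 16, version 17, exchange 18."""
    if len(hdr) < IKE_HEADER_LEN:
        return {"proto": "IKE", "error": "short header"}
    # Major version is the high nibble: 1 = IKEv1, 2 = IKEv2.
    return {"proto": "IKE", "version": hdr[17] >> 4, "exchange_type": hdr[18]}

def classify(dport: int, payload: bytes) -> dict:
    if dport == IKE_PORT:
        return parse_ike(payload)
    if dport == NAT_T_PORT:
        if payload == b"\xff":                  # RFC 3948 NAT keepalive
            return {"proto": "NAT-T keepalive"}
        if payload.startswith(NON_ESP_MARKER):  # IKE with marker stripped
            return dict(parse_ike(payload[4:]), proto="IKE over NAT-T")
        if len(payload) >= 8:                   # ESP: SPI (never 0) + seq
            spi, seq = struct.unpack("!II", payload[:8])
            return {"proto": "ESP-in-UDP", "spi": spi, "seq": seq}
    if dport == OPENVPN_PORT and payload:
        opcode, key_id = payload[0] >> 3, payload[0] & 0x07
        return {"proto": "OpenVPN", "key_id": key_id,
                "opcode": OPENVPN_OPCODES.get(opcode, f"opcode {opcode}")}
    return {"proto": "unknown"}

# Constructed datagrams: IKEv2 IKE_SA_INIT (exchange type 34) behind NAT,
# ESP with SPI 0x1000 / seq 7, an OpenVPN client hard reset, a keepalive.
SAMPLES = [
    (4500, NON_ESP_MARKER + b"\x11" * 8 + b"\x00" * 8
           + bytes([0x21, 0x20, 34, 0x08, 0, 0, 0, 0]) + struct.pack("!I", 28)),
    (4500, struct.pack("!II", 0x1000, 7) + b"\xaa" * 16),
    (1194, bytes([7 << 3]) + b"\xbb" * 8),
    (4500, b"\xff"),
]
```

Feed it the UDP destination port and payload of each datagram from a capture; anything on these ports that does not match is worth a closer look, since the same ports are also the ones a port-based firewall rule would open.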