[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fedora 9 VPN Client

On Wed, 2008-11-05 at 22:25 -0700, Kevin Kempter wrote:
> Hi All;
> I have several clients I work with all of 'em have some sort of VPN - some are 
> java web based, some are PPTP, Cisco, etc

	PPTP pre Windows XP (NT and 2k) was supported under poptop but terribly
insecure.  XP "PPTP" is a variant of L2TP which supports a variant of
IPSec and is supported under several IPSec implementations.  Cisco is
also an IPSec variant that may or may not require XAUTH authentication.
You may need the Cisco-specific VPN client package for Linux that's
floating around if you have authentication problems.  On Fedora, what
you are looking for to be compatible with the largest subset of them would
be OpenSWAN (Debian / Ubuntu chose to go with StrongSWAN).

	OpenSWAN and StrongSWAN are very similar (both being derived from the
now defunct FreeS/WAN project) with similar configurations, and both now
support both IKE (Internet Key Exchange) and IKE2, although IKE2 is less
mature than IKE.  IKE will probably suffice for the cases you quote
above, other than the java web based one (which is probably a proprietary
SSL-based VPN over TCP tunnels, which will suck royally for performance
and scalability).

> Anyone have recommendations for a good VPN tool (tools) ?

	If you're rolling your own from scratch, are not really worried about
performance, and can install third-party apps on Windows, then OpenVPN is
a good choice recommended by many.  If you are after a standards-based VPN
with interoperability and performance, then OpenSWAN / IPSec would be a
better choice.

	I use both depending on circumstances.  OpenVPN makes a nice IPv6
tunnel broker configuration which I can't do with the current *SWAN
implementations - but may be able to with IKE2 as that matures.  OpenVPN is
also nice as a backup P2P VPN and outperforms SSL or SSH based VPNs but
doesn't keep up with IPSec based VPNs under heavy load.

	At one time, it was argued that OpenVPN was much easier to deploy,
configure, and use, and the arguments would have been valid.  Back then.
Over the years, OpenVPN has become more feature-full (read that as more
complex, difficult to configure, and obtuse to get to work in a lot of
corner cases) while OpenSWAN/StrongSWAN/FreeSWAN has become much, much
easier (OTOH, Racoon / setkey is still a rocket scientist head case) to
configure and deploy.  Nowadays I don't find IPSec any more difficult
to configure than OpenVPN, and it will interface with Ciscos and other
black boxes, which OpenVPN will NOT.  OpenSWAN or StrongSWAN will
interface with modern Windows (XP, 2003, Vista, etc) VPNs, which OpenVPN
will not (you have to install the OpenVPN client package on Windows,
which you may or may not be allowed to do depending on environment).

	Also, IPSec is implemented in the Linux kernel and the tunnels run in
kernel space, which is a performance win (no user space switching on
packet routing).  IPSec also supports both an ESP mode (classical IPSec)
and an ESP-IN-UDP encapsulation for IPSec NAT-T, which carries
additional overhead but will traverse NATs.  OpenVPN, OTOH, is a user
space tunnel implementation, which results in lower performance, which
won't really matter for smaller networks (but forced the JOIN IPv6
project to disable encryption due to performance issues).  It also utilizes
ESP-IN-UDP encapsulation (and only utilizes ESP-IN-UDP), which incurs
the additional UDP overhead the same as IPSec NAT-T, although it's an
incompatible implementation of ESP-IN-UDP (different UDP port) from

	OpenVPN is well supported, but the latest version has been in "RC"
status for seemingly forever.  The last 2.0 version (2.0.9) was over 2
years ago and 2.1 has only been in "release candidate" from well before
then.  The version in yum is an RC of the eventual 2.1 release.  You
really REALLY want the 2.1 release of OpenVPN for any shot at scaling
large networks, since it supports a server mode on a single UDP port
(IPv4 only).  Earlier versions required a different UDP port for each
connection (IPv6 still does) and did not scale well past a few dozen
connections.  Fully meshed mode does not scale well in either case with
OpenVPN but is very straightforward with certificates and the *SWANs.

	All of these (OpenSWAN, IPSec-Tools (Racoon), and OpenVPN) are in the
stock Fedora yum repos.

	Pick yer poison.

> Thanks in advance

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw WittsEnd com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
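
The reply above contrasts native ESP (IP protocol 50), IPSec NAT-T (IKE and ESP-in-UDP sharing UDP 4500) and OpenVPN's own UDP encapsulation on a different port. The following is an added example, not part of the original post or of any of the projects named in it: a small Python classifier that tells these apart on the wire from constructed IPv4 packets, using the protocol number, the UDP ports, and the RFC 3948 "non-ESP marker" (four zero bytes) that distinguishes IKE from ESP when both arrive on UDP 4500. It assumes OpenVPN is on its default UDP port 1194 (an assumption; the port is configurable, and port-based classification is a heuristic), and all sample packets are constructed inline, not captured.

```python
"""Classify IPv4 packets as native ESP, IKE, NAT-T (IKE or ESP-in-UDP) or
OpenVPN.  Added example; sample packets below are constructed, not captured.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50       # native ESP: no UDP header, so it will not traverse NAT
IKE_PORT = 500         # IKE / ISAKMP
NATT_PORT = 4500       # IPSec NAT-T: IKE and ESP-in-UDP share this port (RFC 3948)
OPENVPN_PORT = 1194    # assumption: OpenVPN's default UDP port; it is configurable
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE on 4500 is prefixed with this; an ESP SPI is never 0
NATT_KEEPALIVE = b"\xff"               # one-byte NAT keepalive on 4500


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP header (checksum left zero) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi, seq, body):
    """ESP header: SPI, sequence number, then the (here opaque) encrypted body."""
    return struct.pack("!II", spi, seq) + body


def classify(pkt):
    """Return a short label describing what kind of VPN traffic the packet is."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto == IPPROTO_ESP:
        # Classical IPSec: ESP rides directly on IP, no UDP overhead.
        if len(l4) < 8:
            return "esp-truncated"
        spi, seq = struct.unpack("!II", l4[:8])
        return f"esp spi=0x{spi:08x} seq={seq}"
    if proto != IPPROTO_UDP:
        return f"ip-proto-{proto}"
    if len(l4) < 8:
        return "udp-truncated"
    sport, dport = struct.unpack("!HH", l4[:4])
    payload = l4[8:]
    ports = {sport, dport}
    if IKE_PORT in ports:
        return "ike udp/500"
    if NATT_PORT in ports:
        # UDP 4500 carries three things; the first bytes of the payload tell them apart.
        if payload == NATT_KEEPALIVE:
            return "natt-keepalive"
        if len(payload) < 8:
            return "natt-truncated"
        if payload[:4] == NON_ESP_MARKER:
            return "ike-over-natt"
        spi, seq = struct.unpack("!II", payload[:8])
        return f"esp-in-udp spi=0x{spi:08x} seq={seq}"
    if OPENVPN_PORT in ports:
        # Different port and different framing from IPSec NAT-T; port match is a heuristic.
        return "openvpn udp/1194 (assumed default port)"
    return f"udp {sport}->{dport}"


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "raw_esp": build_ipv4(IPPROTO_ESP, build_esp(0x12345678, 1, b"\x00" * 16)),
    "ike": build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    "natt_ike": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + b"\x11" * 28)),
    "natt_esp": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, build_esp(0x0000ABCD, 7, b"\x00" * 16))),
    "natt_keepalive": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, NATT_KEEPALIVE)),
    "openvpn": build_ipv4(IPPROTO_UDP, build_udp(49152, OPENVPN_PORT, b"\x38" + b"\x00" * 13)),
    "dns": build_ipv4(IPPROTO_UDP, build_udp(40000, 53, b"\x00" * 12)),
}


def classify_all(samples=SAMPLES):
    """Classify every sample; returns {name: label}."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name:15s} {label}")
```

The same header tests are what a firewall or IDS rule ends up encoding: native ESP needs protocol 50 allowed (and will not survive a NAT), IPSec NAT-T needs UDP 500 and 4500, and an OpenVPN deployment needs whatever UDP port it was configured for, which is exactly why the two "ESP-in-UDP" flavours the post describes are not interchangeable on the wire.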

