Firewall Wizards mailing list archives

Re: VPN solution needed (linux<->win32) or (nt<->win32)


From: "Stephen P. Berry" <spb () twiddle net>
Date: Thu, 09 Dec 1999 10:36:55 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


In message <4.2.2.19991208101550.00b0ee10 () mail almerco ca>, Mailing Lists writes:

> I'm looking at implementing a VPN for my network.
> Basically, I actually have a linux firewall (ip filtering + masquerading) 
> connected over a cable modem line.
> I want to access an internal server over untrusted networks (a friend's 
> internet connection, the office or my own dialup account with another 
> provider when I'm on the road).
> First scenario (preferred):  what would be a free VPN solution using my 
> existing linux fw?
> Second: what would be a non-free using my linux?
> third: what are the alternatives using NT as a FW?

Depends on what your data is worth and what your bandwidth and availability
requirements are.  Assuming (based on your description of your existing
setup):

        -The data you'll be passing won't be important enough to
         get anybody dead or broke if it's compromised[0]
        -You don't feel any but the largest fluctuations in
         the size of your pipe, and can live with them when you feel
         them
        -Your requirements for availability of the channel don't
         exceed the expected availability of your linux box.  also,
         you're probably willing to initiate and terminate the VPN
         sessions by hand

Take a look at FreeS/WAN (I hope I got all the right letters capped
there), an IPsec implementation (including IKE) that'll run
with 2.0.3x and 2.2.x linux kernels.

I'm not hip to all of the interoperability issues, but I know it'll
talk to OpenBSD's IPsec implementation (using isakmp(8) for IKE),
as well as, I believe, FreeBSD's KAME.  The compatibility list
theoretically includes IPsec implementations, but I have no firsthand
experience with getting FreeS/WAN talking to anything other than
FreeS/WAN boxen and BSDs.


Now that I've addressed your first question, and in light of the
fact that I'm actually going to ignore your second and third questions,
I'll instead answer a fourth, unasked, question:

You might consider scrapping both linux and NT for this particular
project and instead use OpenBSD, which rocks.


That all being said, you might want to re-evaluate whether or not
you actually need a VPN.  In many (and I daresay most) situations
in which I've been asked to set up a VPN, subsequent investigation
has revealed that what in fact was needed was just a single SSL-enabled
application, ssh(1), or something more along those lines.

- -Steve

- -----
0     Including the value of illicit access to the channel itself.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4T/aH5OQO77HrT8IRAgRTAJwMR3i/rRvxEPwAcoMRYQBhREsv7gCdEEze
9SDuN9GrJo6RiQCxNMSEQko=
=WOtf
-----END PGP SIGNATURE-----
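The FreeS/WAN road-warrior setup Steve points at, sketched here as an added example: it is not part of the original message and not a file shipped with FreeS/WAN. The addresses 192.0.2.10 (firewall's cable-modem side), 192.0.2.1 (ISP next hop), the 192.168.1.0/24 internal subnet, the interface name and the secret are all placeholders, and accepting an unknown peer address (right=%any) together with a shared secret in ipsec.secrets is assumed to be supported by the FreeS/WAN release in hand.

```text
# /etc/ipsec.conf on the linux firewall (FreeS/WAN 1.x syntax).
# Constructed example: every address and subnet below is a placeholder.
config setup
        # KLIPS virtual interface riding on the cable-modem side.
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        # Load and start whatever the conn sections' auto= parameters ask for.
        plutoload=%search
        plutostart=%search

conn %default
        # Keep renegotiating rather than giving up on a flaky cable link.
        keyingtries=0
        # Pre-shared secret from /etc/ipsec.secrets (assumption: the release
        # in use accepts a %any peer with a shared secret).
        authby=secret
        pfs=yes

conn roadwarrior
        # "left" is the firewall's public side, "right" the travelling host.
        left=192.0.2.10
        leftnexthop=192.0.2.1
        leftsubnet=192.168.1.0/24
        # The peer's address is unknown in advance, so the firewall can only
        # respond, never initiate: auto=add, not auto=start.
        right=%any
        auto=add

# /etc/ipsec.secrets on the firewall (mode 0600, owner root).
# One secret for every road warrior, since the peer is identified only by
# "any address" at the time the secret is looked up.
192.0.2.10 %any: PSK "replace-this-with-a-long-random-string"
```

On the firewall, `ipsec setup start` brings KLIPS and Pluto up and the Win32 side has to initiate with whatever IPsec client it runs, which is where the interoperability question Steve declines to answer comes back. The caveat a practitioner would want spelled out is the one the comment in ipsec.secrets makes: with a pre-shared secret and an unknown peer address, all road warriors share the same secret, so losing one laptop means re-keying all of them. The existing masquerading rules also need to leave packets that belong in the tunnel alone, or the internal addresses get rewritten before IPsec sees them.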
