Linux VPN

Michael H. Warfield mhw at WITTSEND.COM
Fri Jan 21 20:06:02 EST 2000


	Uhhh...  Just to correct some technical details and not to
debate the issues...

On Fri, Jan 21, 2000 at 01:10:42PM -0500, Patrick Ethier wrote:
> Hi,

>  I've tried FreeS/WAN on Linux and it is fairly difficult to implement. Have
> you considered a solution like OpenBSD ( http://www.openbsd.org ).

> Advantages over Linux(These aren't scientific mind you but a result of my
> personal opinion).

> IPFilter is easier to implement than IPChains and has a few extra
> features(Like keeping state of connections)
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

	Don't know about the "easier" part but the state issue is true.

> ISAKMPD on OpenBSD is included with the initial installation, all you need
> to do is edit some configuration files

	One can argue the same for FreeS/WAN (at least recent versions).
With the proviso that once it's in the kernel, it's just a matter of
some configuration files.

> IKE supports X509 certs and Pre-Shared secrets

	There are patches for X509 certs for FreeS/WAN although they are
not up to the latest snapshot.  Pluto (FreeS/WAN IKE) supports RSA keys
as well as preshared secrets with or without automatic rekeying.

> It's Canadian, so encryption is not an issue(Unless you are in the States,
> then you need to obtain it from a US ftp server).

	FreeS/WAN is also Canadian in origin.  Hopefully, now that the
crypto regs have been relaxed a bit, we should have FreeS/WAN in the kernel
sources (at least the KLIPS part of it).  That will vastly ease the install
difficulty (no more patching the kernel).  Hoping for 2.4.

> It also has very clear instructions off their website on how to recompile a
> kernel and do basic system administration.
> Also, most of the users on their mailing lists are experienced systems
> administrators with a very strong background in security.
> You get in contact with the actual developers if there is a problem. Things
> are very personal.

	Could also be argued for FreeS/WAN.

> NetBSD and FreeBSD are also alternatives. Linux makes a great workstation
> because of how many people support it. As for setting up a Firewall/VPN
> Gateway, Linux has too many audit issues to make me comfortable with it.

	So go with one of the audited distros and add Bastille to it.

	Oh...  And just because OpenBSD is audited, the lack of auditing
in NetBSD and FreeBSD makes me uncomfortable.  I get real uneasy when people
lump the *BSD variants into one pile when a lot of those guys won't even
talk to one another...

	We just had a dust-up over this "streams.c" which seems to hit
FreeBSD pretty hard but I found it doesn't even cause OpenBSD to blink.
It causes some problems for Linux (slows it down - spotty) but it's not
a major problem.  Seems to be able to panic FreeBSD under the right
conditions.  The network stacks are not the same.

> Regards,

> Patrick Ethier

> -----Original Message-----
> From: Todd Wilburn [mailto:toddw at LIGHTMAIL.COM]
> Sent: Friday, January 21, 2000 1:21 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Linux VPN

> We are thinking of using Linux for our server/firewalls and we need to do
> VPN. What programs are available for a Linux VPN box? I can use secret
> pass codes or certs.
>
> Thanks,
>
> Todd Wilburn

--
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
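As an added illustration of the two authentication options Michael mentions for Pluto (preshared secrets or RSA keys, with automatic rekeying on or off), and of "just a matter of some configuration files", here is what a gateway-to-gateway conn looks like in FreeS/WAN's ipsec.conf together with the matching ipsec.secrets entries. This is not from the original message or from the FreeS/WAN project's own documentation: the addresses, subnets, interface name, conn names and key material are invented placeholders, and the syntax is FreeS/WAN 1.x as I remember it (later carried into Openswan/Libreswan), so check each keyword against the ipsec.conf(5) and ipsec.secrets(5) man pages of the version you actually run.

```conf
# /etc/ipsec.conf  (FreeS/WAN 1.x syntax; addresses and keys are placeholders)
config setup
        # KLIPS virtual interface bound to the outside interface of this gateway
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        # load / start every conn marked auto=add or auto=start below
        plutoload=%search
        plutostart=%search

conn %default
        # retry forever instead of giving up on a peer that is down
        keyingtries=0
        # Pluto renegotiates before expiry by default; rekey=no turns that off
        rekey=yes
        keylife=8h
        ikelifetime=1h

# Variant 1: preshared secret. The secret itself lives in ipsec.secrets,
# keyed by the two gateway addresses. Loaded but not started (auto=add) so it
# does not compete with the RSA conn below for the same subnets; pick one.
conn branch-psk
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        leftnexthop=192.0.2.254
        right=198.51.100.1
        rightsubnet=10.2.0.0/16
        rightnexthop=198.51.100.254
        authby=secret
        auto=add

# Variant 2: RSA signature authentication. Each side's PUBLIC key is pasted
# into ipsec.conf; private keys never leave ipsec.secrets on their own host.
# Generate with `ipsec rsasigkey 2048` (private key block for ipsec.secrets)
# and print the public half with `ipsec showhostkey --left` / `--right`.
conn branch-rsa
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        leftnexthop=192.0.2.254
        leftrsasigkey=0s<left-gateway-public-key>
        right=198.51.100.1
        rightsubnet=10.2.0.0/16
        rightnexthop=198.51.100.254
        rightrsasigkey=0s<right-gateway-public-key>
        authby=rsasig
        auto=start

# /etc/ipsec.secrets  (mode 0600, owned by root)
# PSK entry: both gateway addresses, then the secret. Make it long and random;
# for conn branch-psk it is the only thing authenticating Phase 1.
192.0.2.1 198.51.100.1 : PSK "replace-with-a-long-random-string"

# RSA private key for this host, as written out by `ipsec rsasigkey`.
# The real output carries the full hex values; shortened here.
: RSA {
        Modulus: 0x<...>
        PublicExponent: 0x<...>
        PrivateExponent: 0x<...>
        Prime1: 0x<...>
        Prime2: 0x<...>
        Exponent1: 0x<...>
        Exponent2: 0x<...>
        Coefficient: 0x<...>
}
```

Two practical checks after `ipsec setup restart`: `ipsec auto --status` should list the conn with an established ISAKMP SA and IPsec SA, and traffic between the two subnets should show up as ESP on the outside interface rather than cleartext. Note that both methods here authenticate gateways by address and key only; the X.509 certificate support Michael refers to is a separate patch set against FreeS/WAN and is not reflected in this file.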

VPN is sponsored by SecurityFocus.COM



