[vpn] best SOHO devices
Sandy Harris
sandy at storm.ca
Sun Apr 7 20:16:20 EDT 2002
Travis Watson wrote:
>
> Hi,
>
> I'm looking for feedback on the best SOHO device in your opinions.
>
> So, if it were you and/or your company, what device would you recommend as
> the best SOHO VPN device around the $500US range?
Using an off-the-shelf or surplus PC and free software may not
turn out to be what you need, but is worth considering. I'll
speak of FreeS/WAN for Linux (www.freeswan.org) since that's
what I know (I wrote most of its documentation), but FreeBSD,
NetBSD and OpenBSD all have IPsec too.
For an account of a large company (AT&T Research) implementing
a home office solution along these lines, see:
http://www.quintillion.com/moat/lisa/
Alternately, several companies offer turnkey VPN devices using the
FreeS/WAN software. There is a list at:
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/intro.html#fw_dist
> Please keep in mind that I would like it to:
>
> 1) Be able to do IPSec b2b's with T-DES/SHA-1 and IKE group2
> (1024-bit) primes.
The FreeS/WAN defaults.
> 2) Be able to play nice with others
Documented interoperation with over 20 other implementations:
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/interop.html
> 3) Be able to NAT internally (i.e. have the distant end provide it with IPs
> and be able to NAT to those IPs without disturbing the networking schema of
> the internal net. Commonly, we find business partners that have non-routable
> space assigned to their workstations. If we provide them with IPs, we don't
> want to have to mandate that they re-IP their network).
This is not directly supported by FreeS/WAN itself, though it is
certainly possible with Linux tools and some scripting.
Some of the products or packages that include FreeS/WAN may
provide this. I don't know.
> 4) Be able to support 5 to 25 users (understanding that the
> licensing cost may well increase for users beyond 5 or 10).
Licensing cost is zero in all cases, no constraint on number of users.
A surplus machine can saturate a T1, cable link or ADSL. Current
PC is fine up to at least 20 Mbit/second.
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/performance.html
> 5) Have 24x7 support available.
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/faq.html#commercial
> 6) Can be managed remotely in a secure manner (centrally would be
> even more preferable).
This is not provided as part of the FreeS/WAN package, but is
routinely done using standard Linux tools such as SSH.
Some of the commercial packages or open source firewalls that
include FreeS/WAN also include administration tools.
> 7) Have client software available (not critical and, again,
> understanding that client software may involve further costs).
For Win 2K or XP, or any of the BSDs, just use the built-in
IPsec. For Linux, use FreeS/WAN.
Beyond that, see:
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/interop.html#winclient
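As an added example (not code from the original post, and not part of the FreeS/WAN project) of the "Linux tools and some scripting" answer to items 1 and 3 above: a small POSIX shell script that emits a FreeS/WAN 1.x ipsec.conf conn section for a business-to-business tunnel, plus the iptables rules that present the internal LAN to the partner under the address block the partner assigned, without renumbering the LAN. All addresses, host names and RSA key strings are constructed placeholders; the script assumes the iptables NETMAP target is available in the kernel and that, with KLIPS, plaintext for the tunnel passes through POSTROUTING on ipsec0 before encryption and decrypted packets enter PREROUTING on ipsec0. No ike= or esp= lines appear because FreeS/WAN 1.95 negotiates 3DES, SHA-1/MD5 and Oakley group 2 (modp1024) on its own, which is the "defaults" point made above.

```shell
#!/bin/sh
# Added example, not from the original post or from the FreeS/WAN project.
# Generates (1) a FreeS/WAN 1.x "conn" for a business-to-business tunnel and
# (2) iptables NETMAP rules that map the real LAN onto the partner-assigned
# block 1:1, so the LAN keeps its numbering. Dry run by default; nothing is
# applied unless APPLY=yes is set and the script is invoked with "apply".

# --- constructed sample values (placeholders, not real sites) -----------
OUR_GW=192.0.2.10            # our gateway's public address
OUR_NEXTHOP=192.0.2.1        # our ISP router
OUR_LAN=192.168.1.0/24       # real internal numbering, left untouched
ASSIGNED=10.200.5.0/24       # block the partner assigned to us
PARTNER_GW=198.51.100.20
PARTNER_NEXTHOP=198.51.100.1
PARTNER_LAN=10.2.1.0/24

# NETMAP is a 1:1 mapping, so both blocks must have the same prefix length.
# Returns success when they do.
check_same_size() {
    [ "${1#*/}" = "${2#*/}" ]
}

# Emit the ipsec.conf conn section. leftsubnet is ASSIGNED, not OUR_LAN:
# the partner only ever sees addresses from the block they handed out.
# Arguments: conn name, our id, our RSA key, partner id, partner RSA key
# (keys come from "ipsec showhostkey --left/--right" on each gateway).
gen_ipsec_conn() {
    printf 'conn %s\n' "$1"
    printf '\tauthby=rsasig\n'
    printf '\tleft=%s\n\tleftsubnet=%s\n\tleftnexthop=%s\n' \
        "$OUR_GW" "$ASSIGNED" "$OUR_NEXTHOP"
    printf '\tleftid=@%s\n\tleftrsasigkey=%s\n' "$2" "$3"
    printf '\tright=%s\n\trightsubnet=%s\n\trightnexthop=%s\n' \
        "$PARTNER_GW" "$PARTNER_LAN" "$PARTNER_NEXTHOP"
    printf '\trightid=@%s\n\trightrsasigkey=%s\n' "$4" "$5"
    printf '\tauto=start\n'
}

# Emit the 1:1 NAT rules. Outbound plaintext leaves on ipsec0, so source
# addresses are rewritten there before KLIPS encrypts; inbound decrypted
# packets arrive on ipsec0, so destinations are mapped back in PREROUTING.
# Both rules are restricted to partner traffic so nothing else is touched.
gen_netmap_rules() {
    printf 'iptables -t nat -A POSTROUTING -o ipsec0 -s %s -d %s -j NETMAP --to %s\n' \
        "$OUR_LAN" "$PARTNER_LAN" "$ASSIGNED"
    printf 'iptables -t nat -A PREROUTING -i ipsec0 -s %s -d %s -j NETMAP --to %s\n' \
        "$PARTNER_LAN" "$ASSIGNED" "$OUR_LAN"
}

# Apply the NAT rules only when explicitly asked; otherwise just print them.
apply_rules() {
    if [ "${APPLY:-no}" = yes ]; then
        gen_netmap_rules | sh -e
    else
        gen_netmap_rules
    fi
}

case "${1:-}" in
    show)
        check_same_size "$OUR_LAN" "$ASSIGNED" || {
            echo "LAN and assigned block differ in size" >&2; exit 1; }
        # Placeholder key strings; replace with real 0s... values.
        gen_ipsec_conn partner gw.example.com 0sOURKEY partner.example.com 0sTHEIRKEY
        echo
        apply_rules
        ;;
    apply)
        check_same_size "$OUR_LAN" "$ASSIGNED" || exit 1
        APPLY=yes apply_rules
        ;;
esac
```

Run `sh script.sh show` to print the conn section and rules for review, then paste the conn into /etc/ipsec.conf alongside the config setup and conn %default sections the FreeS/WAN documentation describes. The partner's gateway, which is not shown, simply configures its rightsubnet as the assigned block; it never needs to know the real LAN numbering.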
VPN is sponsored by SecurityFocus.com