Slashdot Mirror


Open VPNs On Unix That Support Windows Clients?

Adam Schumacher writes: "At work, I've been investigating the possibility of migrating our proxy/ftp/VPN server from NT4 to Linux. Proxying and FTP are obviously no problem, but I am at a bit of a loss as to what to recommend as our VPN server. We need transparent and secure tunneling of our network traffic across the Internet to Windows 95/98/NT/2000 workstations. I know that there are commercial vendors offering VPN solutions that interoperate beautifully between Windows and Linux, but these carry a hefty price tag, upwards of several thousand dollars. I would much rather go with an Open Source solution. What experience have you had with setting up a VPN between a Linux server and Windows clients? Can you recommend any particular products I should investigate further? In the event that we do have to go with a commercial solution, would you recommend one product over another? Why? Bear in mind that this machine will control access to our entire internal network, so I need a product that has been proven to be robust and secure. Immature code need not apply."

189 comments

  1. Re:Translation by Anonymous Coward · · Score: 1

    I rather like that he's showing demand for an Open Source or Free Software alternative. He's betting his company's future on something mature and well-tested, and it is clear he'd obviously settle for a commercial offering if necessary. However, he's testing the waters.

  2. Re:IPsec and PGP.net by Anonymous Coward · · Score: 1

    OpenBSD with IPSec is a no brainer. It is simple to set up, works great, and never goes down. Plus, IPSec is a standard, works with lots of other implementations. The OpenBSD folks have done an amazing job with IPSec. It is awesome.

  3. PPTP for Linux by Anonymous Coward · · Score: 1

    I have set up PoPToP (www.moretonbay.com) for Linux as a VPN solution. It has worked pretty well - no real complaints. The only thing I don't like is how addresses are assigned - this is something that can and will get unmanageable if you have a large VPN to roll out. Personally, I prefer the Cisco IRE client, though it's not Linux based.

  4. Re:[OT] A quick note... by Anonymous Coward · · Score: 1

    Actually the Nortel Contivity Extranet Switch has heavy interoperability with the Free S/WAN product. And Nortel does support it and it is listed under supported interoperability. They also have white papers that give you step by step installation instructions. The Nortel solution does support every brand of VPN tunnel (PPTP, L2TP, IPSec, L2F, and in 3.0 IPsec Protected L2TP) and since it is ICSA certified it can interoperate with every IPSec based VPN solution that is also certified. Since Nortel owns part of Entrust they have full support with them for Digital Certificates. Full support with Verisign. You can go on. All the major managed VPN solutions use it (GTE, Sprint, Genuity, MCI). The number 2 player in that space is Checkpoint which can get expensive in a hurry. By far the best solution on the market for the money. Look on E-Bay; there is usually one of the older models lying around if you are worried about price.

  5. SonicWall by Anonymous Coward · · Score: 2

    I recommend SonicWall (http://www.sonicwall.com). They work great. Tech support never answers, but neither does Checkpoint's, and a hefty SonicWall only costs 1/10 as much ($2500). VPN clients cost $50 each. It also does nice firewall stuff.

  6. Use ssh by Anonymous Coward · · Score: 3

    Hey, ssh has port redirection over a tunnel to another box with ssh on it. We had it set up here, with an NT 4 server on one end and a few 95 clients on the other. The Windows people didn't even know they were going over anything but a LAN, because we managed to get samba to flow seamlessly over ssh. Drop me a note if you want more info. mattj@invisik.com

    1. Re:Use ssh by NetJunkie · · Score: 2

      If you want a free one check out TeraTerm Pro and the SSH addon. We use it here and it works great.

    2. Re:Use ssh by RatKeeper · · Score: 1

      Do Windows SSH clients also support port redirection?

      They sure do! My favorite is SecureCRT from Vandyke (http://www.vandyke.com)
      Port redirection, scripting, and support for SSH1 and 2

  7. Hrm by Anonymous Coward · · Score: 5

    I use a VPN system called Carnivore, by FBI Privacy Solutions, Inc. The FBI techs (called agents) are extremely helpful, and do all the installation and monitoring for you, no added charge.

    1. Re:Hrm by radja · · Score: 1

      Can I use it in europe, or is it incompatible with Echelon (by NSA)?

      //rdj

      --

      No one can understand the truth until he drinks of coffee's frothy goodness.
      --Sheikh Abd-Al-Kadir, 1587
  8. Freeswan not close to prime time by anewsome · · Score: 2

    I have used Freeswan extensively, as recently as 4 months ago, and it was not even close to being ready for prime time. It was plagued by many, many problems, as their very busy mailing list will attest to. I made the mistake of putting it into a production environment without even testing its reliability.

    Once the VPN systems were in production with Freeswan, they were plagued by kernel panics, flaky startup and shutdown and many other problems.

    Also, back then, there was a major problem with Windows clients connecting using DHCP addresses (all?!!), in that the way Freeswan is configured, it expects a static IP address at the other end of the tunnel.

    These guys who are posting that Freeswan is any sort of panacea, or even a workable solution, either haven't used it for real or are using a dramatically different product than the one I used 4 months ago.

    You can read my many cries for help on the mailing list archives, I'm sure. Whatever your case, I wouldn't recommend Freeswan unless they have fixed the kernel panics, flaky startup and shutdown, and the dependency on fixed IP addresses.

    My two cents. --Aaron Newsome

    1. Re:Freeswan not close to prime time by kzanol · · Score: 1

      Actually the static IP requirement isn't really that. You can support road warriors with dynamic IP addresses. Unfortunately they all have to share the same authentication key. This would likely prove an unacceptable compromise to someone really interested in security. :-)

      This applies only if you use shared secrets for authentication; if RSA keys are used, you can have different keys for multiple road warriors with dynamic IP addresses.

      You can a) have linux Road warriors using FreeSwan or
      b) use PGPNet Clients with Kai Martius FreeSwan/PGP patches on the server. See list archives on

      I've used b) myself and while it's a bit tricky to get it set up it works quite nicely; the setup burden is mostly with the server (freeswan) end; the clients are just plain run-of-the-mill PGPNet installations. Given the price of about $20 for PGP including PGPNet (mcafee webstore) and its full international availability, this is a combination that's currently VERY hard to beat wrt price/performance.

      --
      you have moved your mouse, please reboot to make this change take effect
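The shared-secret versus RSA distinction kzanol draws above, written out as an added ipsec.conf illustration (this is not configuration from the thread or from the FreeS/WAN project; it assumes FreeS/WAN 1.x ipsec.conf syntax, and the addresses, hostnames and key values are constructed placeholders):

```conf
# /etc/ipsec.conf -- constructed illustration of the two road-warrior styles.
# Indented lines belong to the preceding "config" or "conn" section.

config setup
        interfaces=%defaultroute

# Weak style: preshared secret with right=%any.
# The matching ipsec.secrets entry can only be of the form
#     192.0.2.1 %any : PSK "..."
# so every dynamic-address client presents the SAME secret. One lost
# laptop means re-keying every road warrior at once.
conn rw-psk
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        right=%any
        authby=secret
        auto=add

# Stronger style: RSA signatures, one conn per client.
# rightid names the client and rightrsasigkey pins that client's own
# public key, so a compromised client is revoked by removing its conn
# alone; the gateway key stays the same for everyone.
conn rw-alice
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        leftid=@gw.example.com
        leftrsasigkey=0sPLACEHOLDER_GATEWAY_PUBLIC_KEY
        right=%any
        rightid=@alice.example.com
        rightrsasigkey=0sPLACEHOLDER_ALICE_PUBLIC_KEY
        authby=rsasig
        auto=add

conn rw-bob
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        leftid=@gw.example.com
        leftrsasigkey=0sPLACEHOLDER_GATEWAY_PUBLIC_KEY
        right=%any
        rightid=@bob.example.com
        rightrsasigkey=0sPLACEHOLDER_BOB_PUBLIC_KEY
        authby=rsasig
        auto=add
```

The two RSA conns differ only in `rightid` and `rightrsasigkey`, which is exactly the per-client identity the shared-secret form cannot express when the peer address is `%any`.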
    2. Re:Freeswan not close to prime time by dbrutus · · Score: 1

      You should be able to fix things for your road warriors by allowing them to request fixed IPs in your dial in pool

      DB

    3. Re:Freeswan not close to prime time by klusso · · Score: 1

      4 months ago?? There have been three different releases in that time, and all of the issues that you mention have either been fixed, or never existed. FreeS/WAN has NEVER been dependent on fixed IP addresses. As for flaky problems, don't put something into production until you've tested it and worked out the bugs.

  9. Freeswan needs much help by anewsome · · Score: 3

    I have used Freeswan extensively, as recently as 4 months ago, and it was not even close to being ready for prime time. It was plagued by many, many problems, as their very busy mailing list will attest to. I made the mistake of putting it into a production environment without even testing its reliability.

    Once the VPN systems were in production with Freeswan, they were plagued by kernel panics, flaky startup and shutdown and many other problems.

    Also, back then, there was a major problem with Windows clients connecting using DHCP addresses (all?!!), in that the way Freeswan is configured, it expects a static IP address at the other end of the tunnel.

    These guys who are posting that Freeswan is any sort of panacea, or even a workable solution, either haven't used it for real or are using a dramatically different product than the one I used 4 months ago.

    You can read my many cries for help on the mailing list archives, I'm sure. Whatever your case, I wouldn't recommend Freeswan unless they have fixed the kernel panics, flaky startup and shutdown, and the dependency on fixed IP addresses.

    I submitted this earlier as a reply, I hope the dupe engine doesn't flag me as bad.

    My two cents. --Aaron Newsome

    1. Re:Freeswan needs much help by kevin+lyda · · Score: 2

      odd, a rather large multinational based in ireland (with offices in germany, miami, new york, pennsylvania and california to name a few) is using freeswan quite happily.

      it gets oodles of traffic and It Just Works.

      --
      US Citizen living abroad? Register to vote!
  10. FreeS/WAN by Ranger+Rick · · Score: 3

    Try FreeS/WAN. It is an IPSec package that handles VPNs and other firewalling-type stuff, and it's compatible with most other IPSec packages (meaning you can hook up with Checkpoint VPN-1 and such).

    :wq!

    --

    WWJD? JWRTFM!!!

    1. Re:FreeS/WAN by Bishop · · Score: 1

      FYI: the primary people working on FreeS/WAN are in Canada.

    2. Re:FreeS/WAN by billstewart · · Score: 1

      OK, so it's mostly developed "Across the Great Lakes" rather than strictly overseas :-) (Early parts were from Greece, and various parts are written in Germany and a few other places, but the bulk of the effort is Canadian.)

      The web site www.freeswan.org has a pointer to several web archives of the mailing list, where there are reports and discussions of compatibility issues.

      --

      Bill Stewart
      New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    3. Re:FreeS/WAN by Some12 · · Score: 1

      We use FreeS/WAN at work and I find it quite suitable for our needs. Available Windows clients include SafeNet's SoftPK and the PGPNet VPN software client. There are several other clients/solutions out there also.

      |Reality is merely an illusion|

  11. Re:Some suggestions by Russ+Steffen · · Score: 1

    Thirdly, there's SSH, SCP, et al. This is OK, but its main drawback as a -transparent- VPN is that it's not very transparent. It's at the application level, rather than the stack level, which means that it's going to be more visible to the average user.

    There are tools out there that will let you tunnel PPP over SSH or SSL. Five minutes of config work and you have a completely transparent VPN (though granted one better suited for LAN-to-LAN VPN than remote client-type VPN like this question is asking about). Do a freshmeat search for vpnstarter (for SSH) or stunnel (for SSL) for more info.

  12. Re:LAN to LAN VPN (Entirely Offtopic) by Phroggy · · Score: 2

    (makes waving hand gesture with an oddly calm facial expression)

    "This is not the VPN solution you're looking for."

    --

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  13. PoPToP for cheap Windows support; IPsec otherwise by cduffy · · Score: 3

    The quick answer:

    First of all, if you want a VPN with Windows clients and don't want to spend any money, use PoPToP. However, be aware: PoPToP doesn't work correctly with many broken versions of Windows, and the PPTP protocol has some serious shortcomings.

    IPsec, while still not being particularly secure, is a somewhat better protocol. However, you'll need to purchase a commercial Windows client to use it (even with Windows 2000, which supports IPsec, you'll need a commercial client such as that from Network Associates to work without L2TP; I haven't heard of anyone making successful use of l2tpd in this context). Via FreeS/WAN, a free, high quality client/server solution for Linux is available, as well.

    In any event, you'll want to use ipsec for your linux clients. Use it for your Windows clients also, if you can afford the commercial software.

  14. OpenBSD, IPSec and Layer 2 by gavinhall · · Score: 2

    Posted by BSD-Pat:

    recently, at USENIX, I had the pleasure of talking to Jason Wright, who works at NETSEC.

    Jason is also an OpenBSD developer, and presented a paper on something very interesting, which I am in the process of planning to deploy.

    OpenBSD currently can bridge layer 2 over IPSec interfaces, which makes for a nice, transparent VPN.

    Those who are interested, I can point anyone to the paper that was written; it's also available from the USENIX Association... http://www.usenix.org.

    Echoing other people's comments, OpenBSD, because of its IPSec implementation, is perfect for this scenario; in fact IMHO it's really the only thing that will do this particular job this well.

    And this is coming from someone adamantly pro-FreeBSD =)

    -Pat

  15. Re:There's a difference by Matthew+Weigel · · Score: 1

    But there are now differences between open source and free software (at least according to OSI and FSF, arguably the two big deciders even if neither term is really limited in usage).

    The APSL is not free software, but it is open source, for example. There would be more, except the OSI stopped certifying new licenses (AFAICT) a long time ago.

    What it comes down to for me is this: Open Source is unconcerned with the users; a good number of annoying licenses (from the user-programmer's PoV) have come into existence because of OSI's policies. Companies have essentially been able to progressively trim down the rights extended to licensees because of their willingness to extend the Open Source blanket to new licenses -- the new licenses are no longer written by hackers to make sure their software isn't misused, but by lawyers intent on making sure as little IP escapes as possible.

    Their attempt and failure to trademark "Open Source" made it abundantly clear, as well, that companies didn't have to toe community lines to fit in -- Plan 9, an operating system that I really like, now refers to itself as Open Source even though their license has some of the nastiest clauses I've seen for end-user licenses ("if you bring an intellectual property claim against any Contributor you will lose your license to Plan 9," essentially and paraphrased although IANAL) which would make any business that relies on Plan 9 unable to protect their intellectual property (which, as it happens, includes enforcing the terms of the GPL on other software) since another entity could probably become a contributor to Plan 9 trivially (i.e., find a single bug, fix it, rape other company). A company wouldn't dare call their software Free Software (although possibly freeware or free) unless the license seemed free to the community; but the community doesn't matter to Open Source.

    Free Software, OTOH, is all about users. The user's right to modify the code, the user's right to borrow the code, the user's right to learn from the code, and the user's right to be part of a community that shares the code. If nobody makes money from it, well, that's OK because people benefitted. If people do make money from it, well that's great because more people benefitted.

    The point to this long rant is that, really, there is a difference between Open Source and Free software, whether the people who started it want to be different or not. That difference is how, at the end of the day, a person like me feels after contributing to both -- with free software, I've added something; with open source, something has been taken from me.

    --
    --Matthew
  16. Danu Industries by Tomahawk · · Score: 1

    There is a company here in Ireland called Danu. They are located in the Dundalk Institute of Technology. Their web address is http://www.danu.ie and they do VPN stuff for NT and Linux (and Solaris, maybe). They might be of some help.

    T.

  17. Re:Beware PPTP by tzanger · · Score: 1

    I've heard very bad things about pptp, which PoPToP implements.

    I believe the FAQ is talking about the MSCHAPV1 protocol, which is indeed very poor. You can convince the server to drop encryption altogether. I have -mschap_v1 in my options.pptpd file.

    I also believe that the FAQ speaks about the Microsoft PPTP server, although looking through it again doesn't specifically say. I am confident that the PoPToP pptpd does not allow the clients to "talk it down" as the MS server allowed. To quote the article:

    Passwords are protected by hash functions so badly that most can be easily recovered. And the control channel is so sloppily designed that anyone can cause a Microsoft PPTP server to go belly up.

    These problems are alleviated by MSCHAPV2 and PoPToP, this much I do know for sure. :-)

    I too scoured all kinds of messages on PPTP security and came to the conclusion that it was all in lieu of MSCHAPV1 and not MSCHAPV2. The latter does allow provisions to fall back to MSCHAPV1 but I do not allow this in my configuration, as I have stated above.

  18. Re:WTF?? by tzanger · · Score: 1

    BTW, Google had 60,000 hits for "linux vpn".

    Yeah, but "linux vpn pptp" had only 5000 :-)

  19. Re:Translation by tzanger · · Score: 1

    Hi, I'd like to move a server from NT4 to Linux. I'd like to stress that it is a server that is extremely vital to my company's business.

    Actually the Linux fileserver I'd installed performs much better and is far more reliable than the NT4 box we have here doing nothing but PDC. It used to run Exchange Server 5 (P2-233 I think) and crashed regularly. Meanwhile the poor Linux box gets pounded for every file and db access the office generates. Damn, I wish I had stayed with NT.

    Just because it costs money doesn't mean it is better. The reverse of your little translation is just as true.

  20. Re:PoPToP / MSCHAPv2 by tzanger · · Score: 1

    So, what does that mean for the average user? Does this make the MSCHAPv2 authentication mechanism less secure than other password based protocols - let's say ssh?

    Probably the same as password-based protocols. As I said in a few earlier posts, the PPTP configuration I've chosen is to force MSCHAPV2 and 128-bit encryption.

  21. Re:WTF?? by tzanger · · Score: 3

    1) Kernel patches (yay). There seem to be problems getting these patches to work with some distros (read: Red Hat) that have slightly-customized kernels

    Only if you're dealing with some bonehead distribution that customizes the kernel instead of using kernel modules and a userland (or at least non-invasive) process to do whatever the hell it is they think is so important they should modify the kernel in the first place.

    2) Windows only supports some real lame encryption out-of-the-box. To get 128 bit, you have to go through some real hoops to get the software from Microsoft, only to find it doesn't work.

    Got some proof? I downloaded an easily-found file from MS' site, installed it and while I have not verified that it is indeed spitting out 128-bit encryption (anyone know a good way to actually test the wire?) pptpd/pppd won't talk to the client if I force 128-bit encryption on the server side and use weak encryption on the client.

    3) Firewall/IPMasq causes even more fun, depending on which side of the firemasq the PPTP server is on.

    Come on. This is getting silly. In my case I put the pptpd server on the firewall. I figure a VPN is an integral part of a firewall. Then I set aside a block of IPs and set up your masquerade rules to match. The hardest part of my whole firewall was making sure that my input chain didn't kill packets I didn't want gone. The forward chain is only three lines long.

    4) Browsing windows shares over a VPN link is akin to black magic and seldom works.

    I haven't had too much trouble. You mention that you're on the PoPToP list. Check out the Samba lists as well and read up on Samba and WINS. The key is a WINS server which is accessible to everyone (internal and VPN).

    The rabbit I'm gonna have to pull out of my hat involves setting up a VPN'd subnet (using FreeS/WAN, pptpd is useless here) and making a couple servers on the inside of each end appear in the subnet as well, without munging things up too badly and without having each server step too much into the VPN. I may just set up coda and Samba on the firewalls and "fake" that they're the servers in question. It'll make security tighter in the end, I think.

  22. PoPToP by tzanger · · Score: 5

    Moretonbay, the company who gave us so much work on uCLinux has PoPToP, a Linux PPTP server.

    I have set it up personally and included the MPPE and stateless patches which give excellent performance and 128-bit encryption.

    You mentioned that immature code need not apply. I can't say how mature this code is but I have not had any problem with the encryption nor the actual VPN going down or otherwise futzing up.

    PoPToP uses pppd + openssl with a custom daemon to set up Windows VPN connections. You can force MSCHAPV2 (V1 has problems with security, what else is new? :-), enforce 128-bit encryption, use PAP or CHAP, whatever you please. Since it is pppd which is authenticating, you can use PAM or whatever authentication methods you can use with pppd. Another important feature is that you can configure pptpd to assign IPs or have pppd do it for you. Configuring for MPPE and stateless compression was a bit of a pain but in reality it involved scanning the already big mailing list and applying the correct version of the patches.

    Overall I am very pleased with PoPToP, even if my typing slows to 10WPM when I have to type the name. :-)
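The posture described in the last few PoPToP posts (refuse MS-CHAPv1, force MS-CHAPv2, require 128-bit MPPE) is something a deployer wants to verify rather than assume, so here is an added example, not PoPToP's or pppd's own code, that audits a pppd options file such as the options.pptpd mentioned above. It assumes the option names of pppd 2.4 with MPPE support (`require-mschap-v2`, `require-mppe-128`, `refuse-*`, `nomppe*`); the `-mschap_v1` spelling in the posts belongs to an older patch set and is not checked for. The sample option files are constructed.

```python
"""Audit a pppd options file for an MS-CHAPv2 + 128-bit MPPE only policy.

Added example, not PoPToP or pppd code.  Option names assumed from pppd 2.4
with MPPE support (see lead-in); adjust REQUIRED/FORBIDDEN for other builds.
"""

# Options whose absence is a finding, with the reason a reviewer would give.
REQUIRED = {
    "require-mschap-v2": "peer must authenticate with MS-CHAPv2",
    "require-mppe-128": "128-bit MPPE must be negotiated or the link is refused",
    "refuse-pap": "cleartext PAP must not be offered",
    "refuse-chap": "MD5 CHAP (no MPPE key derivation) must not be offered",
    "refuse-mschap": "MS-CHAPv1 must not be offered",
}

# Options that disable or downgrade MPPE; their presence is a finding.
FORBIDDEN = {"nomppe", "nomppe-128"}


def parse_options(text):
    """Tokenise a pppd options file: whitespace-separated options, '#' comments.

    Arguments of options such as 'ms-dns 10.1.0.2' become extra tokens; that is
    harmless for the membership tests below.
    """
    tokens = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens.extend(line.split())
    return tokens


def audit(text):
    """Return a list of findings; an empty list means the file meets the policy."""
    present = set(parse_options(text))
    findings = []
    for opt, reason in REQUIRED.items():
        if opt not in present:
            findings.append(f"missing {opt}: {reason}")
    for opt in sorted(present & FORBIDDEN):
        findings.append(f"forbidden {opt}: disables or downgrades MPPE")
    return findings


# Constructed sample files (not from the thread).
PERMISSIVE = """\
# options.pptpd -- accepts whatever authentication the client offers
name pptpd
ms-dns 10.1.0.2
proxyarp
lock
"""

HARDENED = """\
# options.pptpd -- MS-CHAPv2 and 128-bit MPPE only
name pptpd
auth
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 10.1.0.2
proxyarp
lock
"""

if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        problems = audit(conf)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run it against the live file with `audit(open("/etc/ppp/options.pptpd").read())`; an empty result is the configuration the posts describe, and each finding names the option to add or remove. The explicit `refuse-*` lines are required by this policy on purpose, so the intent survives even on a pppd build where `require-mschap-v2` alone does not imply them.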

  23. Some suggestions by jd · · Score: 3

    1) IPSEC is transparent, and there are versions for Windows and Linux. It's also about as secure as you can get.

    2) Then, there's always SKIP. An invention of SUN, but still worth investigating. SKIP has higher throughput than IPSEC, and faster recovery in the event of a system failure anywhere down the chain. Again, it's available for Windows and Linux.

    3) Thirdly, there's SSH, SCP, et al. This is OK, but its main drawback as a -transparent- VPN is that it's not very transparent. It's at the application level, rather than the stack level, which means that it's going to be more visible to the average user.

    4) Last, but by no means least, your favourite hound of hell and mine, Kerberos! It's possible to set Kerberos as both an authentication AND an encryption mechanism. The main drawback with this option is that applications would need to be aware of Kerberos before they could benefit.

    All in all, I'd say IPSEC or SUN SKIP are your two best options, as they don't require any user intervention or special code in the application.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Some suggestions by sgifford · · Score: 1

      Is there any way to make this work under Windows?

  24. Securing PPTP by Effugas · · Score: 3

    I've got a system I've been sitting on for a while that gives you the network isolation of Windows PPTP with the trustable crypto of SSH. I haven't done much development work on it in quite some time; anyone out there who'd like to hack on this and get it up to 1.0, toss me a note.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

    "Little Caesars? You do pizza?"

  25. Re:M$ PPTP is insecure by Astastrafal · · Score: 1

    1. Microsoft's "secure" PPTP protocol is inherently insecure, and hence no implementation of it can be secure.

    Daaaaah. Trying to match MS at FUD or what?

    The protocol itself is okay, according to people who have a much better understanding of security matters than me (like Bruce Schneier). It's just that Microsoft's implementation of PPTP is brain-damaged. To quote from Counterpane's FAQ about the matter(emphasis mine):

    1. What did Bruce Schneier and Mudge actually do? They found security flaws in Microsoft PPTP that allow attacks to sniff passwords across the network, break the encryption scheme and read confidential data, and mount denial of service attacks against PPTP servers. They did not find flaws in PPTP, only in Microsoft's implementation of it.

    Read the whole thing here
  26. Check Point Firewall-1 the best by Chevelle · · Score: 1

    www.checkpoint.com no BS....

  27. M$ PPTP is insecure by RelliK · · Score: 1

    Microsoft's "secure" PPTP protocol is inherently insecure, and hence no implementation of it can be secure.

    I was wondering about this thing myself, so I did some research. Basically, the situation is that there are Unix VPN servers/clients that implement the IPSec protocol. IPSec is the industry standard for VPN. (read: it's secure). Microsoft did not want to go with the standard protocol (surprised?) and instead "innovated" PPTP. Well, PPTP is a complete joke. It didn't take me long to find articles analyzing PPTP security. (I'm sure other /. readers will post links to them).

    So anyway, there are PPTP servers for Linux, like PoPTop, and PPTP comes built into win9x/NT. You could certainly go with this solution, as it would be the easiest one. (PPTP is better than nothing, I guess). If you want real security though, the best thing to do is to put Linux VPN servers on both sides of the tunnel. This is not always possible though. If you have two or more offices that you want to connect, that's easy -- just put the VPN servers/firewalls in each of them. But if you have windows users with laptops, or people working from home, you'll have to resort to PPTP. Unless there is a free/cheap IPSec client for windows (which I am not aware of).

    ___

    --
    ___
    If you think big enough, you'll never have to do it.
  28. IPSec client for windows? by RelliK · · Score: 1

    You know where I can get one?
    ___

    --
    ___
    If you think big enough, you'll never have to do it.
  29. huh? by RelliK · · Score: 2

    What the hell are you talking about? I just downloaded VPND source code and looked at it myself. Looks fine to me. Go troll somewhere else. I got it from the link below, btw.

    http://sunsite.auc.dk/vpnd/
    ___

    --
    ___
    If you think big enough, you'll never have to do it.
  30. free s/wan by kevin+lyda · · Score: 2

    uh, free s/wan works with anything that does tcp/ip.

    --
    US Citizen living abroad? Register to vote!
  31. IPSec Implementations by Martin+Foster · · Score: 2

    IPSec is one of the more interesting technologies out there at the moment. Essentially, it has the advantage of being implemented on multiple different server platforms and client workstations.

    For example, OpenBSD supports it natively and Linux can be made to support it with the FreeS/WAN project's kernel patches, which give you the IPSec functionality.

    Unfortunately, the problems lie with IPSec compatible clients for the Win32 platform:

    Essentially, if your company uses Win9X and NT then you have no problems. The link will show you a bunch of clients that will actually work under OpenBSD's implementation of IPSec. Some of which are actually quite good.

    On the other hand Windows 2000 is VERY unsupported. In fact it is very hard to find a Windows 2000 implementation (other than the poor implementation in Windows 2000 itself). Quite a few promise an implementation in a few months, some even a few weeks, but that does little if you need it done now.

    If you need to get VPN clients for Windows 2000, I have found two that support it, but have yet to be able to test its implementation ability with OpenBSD (the company's current Firewall/NAT platform). The two I have found are listed below:

    Ashley-Laurent's VPCom Client. They also sell server software which may be of use (as you can open up one port to that box to gain IPSec functionality). The clients are a bit pricey (US 89.00$) in my opinion and I found the configuration to be somewhat convoluted. You can find their page here.

    While I have not tried this one yet, it looks very nice, at least on the sales side. They offer a hardware server as well as software clients and the licensing is a bit lower in price (US 49.00$). They too have had a Windows 2000 client for a few months now, and seem to be keeping tabs on technology. You can look at their products here.

    Note: You can get a trial server and client if you are a company for about a month.

    Now if anyone else knows of Windows 2000 compatible clients that work with IPSec then I would be very interested in knowing about them.

  32. FreeSWAN and NAI PGPNet work great. by Coverfire · · Score: 1

    I use a combination of PGPNet windows clients and Linux FreeSWAN gateways with great success. The FreeSWAN code has been maturing quite nicely.

    http://www.freeswan.org

    1. Re:FreeSWAN and NAI PGPNet work great. by fbosia · · Score: 1

      Sorry, but I tried PGPNet Evaluation on NT4 and I got Blue Screens every 10 minutes... I really have to say Windows 2000 is better for clients...

  33. Here's your answer: by Luke · · Score: 2

    Server: OpenBSD
    Client: NAI Labs PGP Client

    Information On PGP Client:
    http://www.pgp.com/asp_set/products/tns/pgpvpnclient_intro.asp

    To quote their page:

    PGP MIT Freeware Downloads
    PGP is the world's de facto standard for email encryption and authentication, with over 6 million users. PGP 6.5.1 MIT freeware supports RSA, PGP email and secure client-to-client connections using PGP certificates. It is available for non-commercial use only.

    The commercial PGP VPN Client is available from Network Associates and is fully IPSec compliant with support for X.509 certificates from industry leaders such as VeriSign, Entrust and Net Tools, and VPN gateway support to create encrypted network connections to your company for secure remote access. The commercial client also includes PGPdisk for lightning fast disk, file and directory encryption and authentication in addition to technical support!

    -------------------------------------------

    Use the OpenBSD mailing list archives, man pages, and faqs for info on how to set up this scenario (VPNs with X.509 certificates).

  34. Re:[OT] A quick note... by rpk · · Score: 1

    Just one caveat: this is probably not the same product, but the VPN client that Nortel acquired from Bay Networks doesn't work with Windows 2000, and according to my IS guy, there is no ETA on a version that does. Grr !

  35. Re:There's a difference by orabidoo · · Score: 2

    The words "Open Source" were also used in other fields than software (e.g. in the military intelligence field, where it meant something like "information that is accessible to the public"). However, I think it's silly now to claim that Open Source is anything else than what the Open Source Initiative has defined as it. They've been overwhelmingly successful in getting the public to know this term, with *their* definition (a repackaged concept of Free Software). So, I'm sorry, but OSAS is no longer Open Source in my book, nor in most people's.

    The difference between Open Source and Free Software is just a matter of focus (focus on freedom or on open development), of ideology, and of degree of purism (some borderline licences might get more easily accepted by Open Source advocates than by Free Software ones), but the main idea is the same: software where you get the source code, and the right to use, modify, alter, compile and distribute (incl. for profit) under the same conditions.

  36. Re:I have been screwing with this for a while by sgifford · · Score: 1

    If you only need SSH1, there is a free Windows plugin for TeraTerm that will do SSH. We use this in our office, with port-forwarding, to provide a secure TCP connection to our SQL database, and it works exceedingly well.

    The plugin is called ttssh, and it's a tiny bit tricky to set up, but if you follow the instructions it will work.

    Haven't looked at the license, but it is free for all uses, and comes with source code, as is TeraTerm.

    For the server side, OpenSSH should work, although we use the F-Secure server.

  37. Re:I built an extremely secure vpn using linux! by sgifford · · Score: 1

    If you used a copy of VMWare running Linux on the Windows laptop, that could act as the gateway. Set up host-only networking, give Linux control of the modem...Kinda crude, but it could (possibly) work.

  38. Re:PPP over SSH by sgifford · · Score: 1

    To make this work under Windows, rather than to a proxy server, and configure everything on the Windows machine to go through the proxy via the forwarded port. Bring up Dial-Up Networking, start up ssh, and everything should Just Work.

    That would force *everything* through the VPN, though, which might not be what you want.

  39. Re:Open Source != free by sgifford · · Score: 1

    By definition, you can't restrict redistribution of Open Source software, so with every Open Source program I'm aware of, zero-cost legal copies are available.

    Zero cost certainly isn't the most important part of an Open Source program, but it isn't the least important part, either. There's nothing wrong with using Open Source software just because it's free and good.

  40. Re:WTF?? by Syberghost · · Score: 2

    Only if you're dealing with some bonehead distribution that customizes the kernel instead of using kernel modules and a userland (or at least non-invasive) process to do whatever the hell it is they think is so important they should modify the kernel in the first place.

    Userland processes to fix kernel security bugs?

    --

  41. Re:Support by Ageless · · Score: 1

    The LDP just doesn't hang when some random bug drops your entire system to a dead halt in the middle of the night. Sure, you can spend the weekend hacking to figure out what the bug is, but it takes you a lot longer than it would the author because you have to learn so much first. Commercial support has its uses.

  42. Re:Money issues by Ageless · · Score: 1

    I assume you mean support as in "Help me with this problem" support? In that case, how does Linux stand up to Windows when the problem is "I need a driver for XXX". Also, Linux and gaming should not be mentioned in the same comment. They are mutually exclusive.

  43. Re:Support by Ageless · · Score: 1

    That's fine when you have a few days to wait for an e-mail response, but what about when a production system is down and you need help NOW? AFAIK most Open Source programmers don't include their cell phone numbers in the README :)

  44. Re:There's a difference by 10am-bedtime · · Score: 1

    i always thought it was a "squares are rectangles but not all rectangles are squares" type relationship, substituting "free software" for "squares" and "open source software" for "rectangles". conflating these terms as synonyms is sick and wrong, not to mention sloppy.

  45. Cipe works for me by Shemp · · Score: 1

    This is linux-to-linux currently, but as someone else suggested, you can resurrect an old 486 to make it a gateway system. I have 9 people working from home over DSL or cable modem behind linux routers running CIPE. It works very well and runs on low end hardware.
    I'm on the mailing list, and there is currently a concerted effort to get it working on NT. I believe that a beta is almost ready. So there will soon be support for your windows road warriors.

  46. Open Source or Free Beer? by flanker · · Score: 3
    ...but these carry a hefty pricetag, upwards of several thousand dollars. I would much rather go with an Open Source solution.

    I think what you mean to say here is "I want someone to make me this thing for free." This is a great example of why RMS doesn't like the term Open Source. For 90% of the schmucks out there it translates to Free Beer, rather than the Free Speech he is speaking of. You want VPN software? Go write it and GPL it.

    --
    Left shift 1 for e-mail...
    1. Re:Open Source or Free Beer? by Plasmic · · Score: 1
      You want VPN software? Go write it and GPL it.
      How can you advocate RMS's beliefs in the same breath that you toss out flamebait like this?
    2. Re:Open Source or Free Beer? by mr · · Score: 3

      >You want VPN software? Go write it and GPL it.

      Why should I?

      Sun has already done this. It is called SKIP.

      And it is under a BSD-esque license.

      Permission is hereby granted, free of charge, to any person
      obtaining a copy of this software and associated documentation
      files (the "Software"), to deal in the Software without
      restriction, including without limitation the rights to use,
      copy, modify, merge, publish, distribute, sublicense, and/or sell
      copies of the Software or derivatives of the Software, and to
      permit persons to whom the Software or its derivatives is furnished
      to do so, subject to the following conditions:

      http://skip.incog.com/src-form.html is the link in my old code version.
      http://www.mirror.ac.uk/sites/ftp.zedz.com/pub/crypto/programs/skip/ is the link to the code in case you don't have this lying about.

      The code works between Unix boxen and between unix and windows. And, it has been rumored to work with IPsec, but given I do not have a windows box doing ipsec, I can neither confirm nor deny it.

      So:
      1) Sun DOES release code.
      2) The world does not revolve about the GPL.

      --
      If it was said on slashdot, it MUST be true!
    3. Re:Open Source or Free Beer? by bader · · Score: 1

      Why are you all bitter about life bra?

  47. Re:WTF?? by deuteron · · Score: 1

    go to google, type "linux vpn" and click the "i'm feeling lucky" button. is it really that hard?

  48. Re:Translation by swb · · Score: 1

    I'll get scored for redundancy, but you hit the nail on the head.

    Open source is great, but geeze, with some people it's a religion and anything and every other goal (including sound business decisions) must be made for it.

  49. Re:Translation by sammy+baby · · Score: 5

    I'm actually pretty shocked that you managed to score a rating of 4: Insightful off this one, but what the hell, I'll bite.

    Hi, I'd like to move a server from NT4 to Linux. I'd like to stress that it is a server that is extremely vital to my company's business. It is so vital in fact that I'm prepared to spend no money on it at all. I want someone to give me high-powered, reliable software upon which I can bet my job, for free.

    Is that not reasonable? I use OpenSSH, Snort, and nmap all the time at my place of business for security. For other purposes, I use Red Hat, Debian, Apache, Perl, PHP, MySQL, and PostgreSQL. All "high-powered, reliable software," as you put it. All free.

    Why must Open-Source necessarily equal free?

    This may come as a shock to you, but I'm not in the habit of spending money on Open Source software unless I absolutely have to. Oh, I've certainly purchased the occasional RH distro CD because I wanted to install it at home, but at work, where I'm fortunate to have a decent net connection, I do net installs like crazy.

    It's true that you can spend money on OSS. However, most people associate OSS with no charge, and not without reason.

    Why does Open-Source necessarily equal best?

    The original poster stated that he would rather go with an Open Source solution rather than ones that "carry a hefty pricetag, upwards of several thousand dollars." I think that this is an important consideration for him. Since you didn't suggest any commercial solutions (or, in fact, OSS ones), I'll pose the converse question to you: what is your familiarity with VPN software, and what commercial solution would you say was the best?

    If it were my job on the line here, I'd find the best solution, not necessarily the one that meets my agenda.

    I thought that the original post articulated his reasons for pursuing an Open Source package pretty nicely. On the flip side, your post seems to reflect a prejudice that only businesses with money to burn should have access to decent software. If you're of the opinion that Open Source software has no role in mission critical applications, fine, but just out of curiosity, why the hell would you read /.?

  50. Re:Support by Lennie · · Score: 1

    But with Open Source projects, most of the time you can reach the author directly, the people who made the code, not just some helpdesk.

    --
    New things are always on the horizon
  51. What we use here... by MicAttAck · · Score: 1

    We use Free S/Wan set up with these wonderful docs.
    We now communicate with the Linux firewall with PGPnet. OK, that one is not open source, but it's quite cheap at about 700 ATS (50 US$) per copy.
    We also use some Linux laptops (old 486 and Pentium) as routers. They also have FreeS/WAN on them. Hope this helps

    --

    -- MicAttAck
    Religion is an insult to human dignity.
  52. Security by PenguinX · · Score: 2

    If this box will have proxy, ftp, and VPN on it all at once and have access inside and outside, I would consider not putting the ftp server on this box. FTP servers are usually best put in some cold place all by themselves. What with all the various problems that have occurred with ProFTPD, wu-ftpd, etc., I would hesitate giving a process like that root level access on my VPN =)

    1. Re:Security by PenguinX · · Score: 2

      from /etc/inetd.conf

      ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a

      wuftpd and proftpd run as root through inetd and chroot to the user that logs in (E.g. ftp, your login, etc.)

      There have been numerous postings on SANS and securityportal.com relating to wu-ftpd weaknesses; proftpd shares quite a lot of design with wu-ftpd, and so about one in every three of these flaws shows up in proftpd.
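An added example, not code from inetd, wu-ftpd or proftpd: a small audit of an inetd.conf in the format the post above quotes, listing which enabled services inetd will start as root and which real daemon sits behind a tcpd wrapper. Only the ftp line is taken from the post; the rest of the sample file is constructed for this example.

```python
# Added example (not from the thread's software): audit inetd.conf for
# services that inetd starts with uid 0. The sample configuration below is
# constructed; only the ftp line comes from the post above.
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_INETD_CONF = """\
# constructed sample /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#pop3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
ident   stream  tcp     nowait.60  nobody:nogroup  /usr/sbin/identd  identd
"""


@dataclass
class InetdService:
    name: str
    socket_type: str
    proto: str
    wait: str
    user: str
    group: Optional[str]
    program: str
    args: List[str] = field(default_factory=list)

    @property
    def daemon(self) -> str:
        """The program that actually serves the connection: behind a tcpd
        wrapper it is the first argument, otherwise the program field."""
        if self.program.endswith("/tcpd") and self.args:
            return self.args[0]
        return self.program


def parse_inetd_conf(text: str) -> List[InetdService]:
    """Parse the classic inetd.conf layout:
    service socket_type proto wait[.max] user[:group] program [args...]
    Lines that are blank or start with '#' are inactive and skipped."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        name, socket_type, proto, wait, user, program = fields[:6]
        group = None
        for sep in (":", "."):  # both user:group and user.group occur
            if sep in user:
                user, group = user.split(sep, 1)
                break
        services.append(InetdService(name, socket_type, proto, wait, user,
                                     group, program, fields[6:]))
    return services


def root_services(text: str) -> List[str]:
    """Names of enabled services that inetd would start as root."""
    return [s.name for s in parse_inetd_conf(text) if s.user == "root"]


if __name__ == "__main__":
    for svc in parse_inetd_conf(SAMPLE_INETD_CONF):
        flag = "ROOT" if svc.user == "root" else "    "
        print(f"{flag} {svc.name:8} {svc.user:8} {svc.daemon}")
```

Two things the output makes visible: the tcp_wrappers entry (/usr/sbin/tcpd) does not lower privileges, so the user field is what decides the uid the real daemon gets; and a daemon such as ftpd that is started as root only needs that to switch to the logging-in user's uid after authentication, which is exactly the window the post is worried about. A commented-out line is inactive and is not reported.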

    2. Re:Security by mrfiddlehead · · Score: 1
      Since when does one run an ftp daemon as root?

      Not sure about wuftpd but I know that proftpd can easily be run by any other user.

      I agree that separating ftp can be a good idea though.

      --
      :wq
    3. Re:Security by mcrbids · · Score: 1

      Yeah, pinhole through your secured gateway to a lowly 486 or something in the back that does FTP ONLY.

      Make sure it's on its own NIC too...

      You're never paranoid about security until you've been hacked!

      -Ben

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  53. Re:configuration? by mindstrm · · Score: 2

    I think he was clear. He wants something that supports windows VPN clients.

  54. Re:Translation by toofast · · Score: 1

    Congrats on the Translation. I too was ticked off to see the question being "If you guys want me to use Linux, give me your best damn software for free, otherwise I'll use Windows and pay thousands and thousands of dollars".

    Not to flame, but I think this guy never programmed a line of code in his life.

  55. Re:Translation by toofast · · Score: 2

    Granted, not everyone's a programmer, but when people turn to Linux because they _expect_ free (as in beer) software, that kinda yanks my krank.

    You don't need to be a programmer to be a good sys admin, but it's getting too easy for people to take Free software for granted.

  56. Forget PPTP, go IPSEC by cowbutt · · Score: 1
    PPTP, like most Microsoft protocols, was designed to allow them to market a product before everyone else had agreed on a fully open standard. That standard is IPsec and FreeS/WAN is (AFAIK) the only implementation of that for Linux.

    Alternatively, for other readers who are prepared to spring for a commercial solution, V-One's SmartGate product springs to mind. It also implements IPsec and is supported on RH6.0.

    Counterpane, Bruce Schneier's company, has a few papers on PPTP and IPsec on their website.

  57. got Cisco? by austad · · Score: 2

    If you have a Cisco PIX or a 7100 or 7200 router you can set up a PPTP server which does MPPE on that which will authenticate against a RADIUS server. Set up the RADIUS server on your windows domain controllers so the users can just use their domain login. If you have Win2k domain controllers, you can control who has access to the vpn with the allow dialin flag.

    Since you're running a proxy, I doubt you have a PIX, but if you do happen to have a 7100 or a 7200 this would work great, you can also use L2TP on the router, not sure about the firewall though. You can run PPTP on other cisco products, but you won't get the MPPE encryption with most of them. I use a couple of them set up on routers right now and they work excellent. I have tried using the PPTP server built into the PIX and it sucks, I think they basically put it in as a marketing gimmick.

    As far as proxy servers go, I set up a Linux box with Squid and Dante. It has an uptime of over 200 days right now and I haven't had any trouble with it... except for this custom app that does http posts and the proxy likes to munge up the content-length header which screws up the app.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  58. You do not even need an extra machine by arne · · Score: 1

    Hi

    One of my friends set up a VPN between two windows
    networks, without even using an extra machine. He ran Linux under VMware (which is not free) on two Windows machines. Then he ran CIPE on Linux. Works fine.

    yours

    arne

    ---

    (This is not anonymous Coward but Arne using galeon)

    --
    Copyright 1998 arne. Verbatim copying and distribution is permitted as long as this message is preserved
  59. (I have an answer to the question at the end of my rant)

    Is there an open Slashdot terminal in some public place? Because these "Ask Slashdots" are starting to seem more like "Ask A Random Question Without Searching First". This is getting REALLY lame.

    Now, then. Go to Yahoo (yes, even Yahoo can find this, albeit through Google). Type "linux vpn". Find a link. Follow it.

    For those that aren't interested enough to click, this is PoPToP, a Linux implementation of the server-side of MS PPTP. A secure implementation. Why PPTP? Because you want Windows clients and the only thing they do out of the box is PPTP. BTW, PoPToP is GPL'd....
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:WTF?? by x0 · · Score: 3

      To further your argument that 'Ask /.' is a good jumping off point for starting a discussion, I find that it is sometimes a good place for me to learn about things I am not currently involved with, but that are interesting nevertheless.

      Sure, a search engine is generally where I start to find out about different solutions I might be looking to implement, but it is nice to hear discussion about various things as a 'Gee, that's cool!' discussion also.

      --
      In the immortal words of Socrates, who said; 'I drank what?'
    2. Re:WTF?? by Tower · · Score: 1

      Yeah, parts of some of the custom kernels (Red Hat, Mandrake) can cause little problems... I usually just replace the kernel (or just the specific area) with the newest 'stable' version anyway. You end up losing some of the fun features (supermount, etc), but you can always add these back in...

      One of the VPN Masq sites has a patch specifically to counteract the Redhat customization, so that you can apply the normal patch for that level kernel. Nice, but you certainly can't count on that all of the time.

      --
      "It's tough to be bilingual when you get hit in the head."
    3. Re:WTF?? by AugstWest · · Score: 2

      As far as I know, Slashdot does not exist in order to save a few people time by wasting a great many people's time.

      It's your decision to read it. Wander off quietly if you've got a problem.

      Jesus, people are bitchy today.

    4. Re:WTF?? by AugstWest · · Score: 2

      heh... ok, works for me.

      at a maximum of, say, 12 posts per day, each one being a paragraph, or 4 lines at most, the "wasting our time" argument is a bit weak.

    5. Re:WTF?? by JWW · · Score: 1

      Yes, but I find this discussion informative even though I'm not setting up a Linux VPN at the moment. It's nice to see issues like this show up on /. and watch the discussion. I generally get some pretty good insight on what people are using and even more importantly that some people are getting it to work for them.

    6. Re:WTF?? by SideshowBob · · Score: 2

      To respond to the rant portion: I think the Ask Slashdot features are less about giving this one particular guy an answer, and more about taking his question as a starting point for further discussion. You'll note that the majority of the responses are not one line "you should check out X". Most contain extra info like, I've used this and it works, or here are some caveats, or is it even reasonable to expect free VPN software? etc. This extra information is worth far more than a simple link.

    7. Re:WTF?? by Mark+F.+Komarinski · · Score: 4

      IMO PoPToP has some serious issues. Unfortunately, most are outside the scope of what the PoPToP developers can work with:

      1) Kernel patches (yay). There seem to be problems getting these patches to work with some distros (read: Red Hat) that have slightly-customized kernels
      2) Windows only supports some real lame encryption out-of-the-box. To get 128 bit, you have to go through some real hoops to get the software from Microsoft, only to find it doesn't work.
      3) Firewall/IPMasq causes even more fun, depending on which side of the firemasq the PPTP server is on.
      4) Browsing windows shares over a VPN link is akin to black magic and seldom works.

      These are the most common issues I've seen (and I'm a lurker on the PoPToP list). To their credit, the gang that make this software have integrated it into a hardware box (look for the NetTel) that does both PPTP and Firewall functionality. It's pretty inexpensive at $399US, and I'm pondering just buying that instead of hacking around on my own.

      --
      -- Ever notice that fast-burning fuse looks exactly the same as slow-burning fuse? I didn't... (Edgar Montrose)
    8. Re:WTF?? by TangentMan123 · · Score: 1

      What, and get 1 solution? I hope your IT department doesn't research solutions that way. BTW, Google had 60,000 hits for "linux vpn".

      --
      "Mmmmmm, beer." Homer Simpson
    9. Re:WTF?? by TangentMan123 · · Score: 1

      Point taken.

      --
      "Mmmmmm, beer." Homer Simpson
    10. Re:WTF?? by TangentMan123 · · Score: 3

      This is a search engine. The bonus is you get answers specific to your question without having to plow through 1,240 hits (AltaVista "linux vpn") of which some are probably porn. Let's see Ask Jeeves do that. Personally, I have an interest in this question as well as many other questions posted on /. The point is, it (should) never hurt to ask...

      --
      "Mmmmmm, beer." Homer Simpson
    11. Re:WTF?? by Skald · · Score: 2
      This is a search engine. The bonus is you get answers specific to your question without having to plow through 1,240 hits (AltaVista "linux vpn") of which some are probably porn.

      As far as I know, Slashdot does not exist in order to save a few people time by wasting a great many people's time. If the answer to a question is either easy to find elsewhere, or of little interest to most people here, I would hope it didn't make the front page.

      So FascDot's complaint seems perfectly valid in principle. Whether it is valid in fact is another issue. Apparently, while the question at hand was interesting to some (you, for instance), it was not to others (some of whom modded FascDot up). By all means, voice your opinion on the question; it's a very legitimate point of debate.

      --

      "The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton

    12. Re:WTF?? by Skald · · Score: 2
      It's your decision to read it. Wander off quietly if you've got a problem.

      Jesus, people are bitchy today.

      I'm certainly not complaining; I simply disagree with TangentMan123's view. And it's not very reasonable to take a "like it or leave it" attitude about a site which is principally user-driven. I might say that someone who tried to squelch discussion would be the better one to wander off quietly... but it takes all types. :-)

      --

      "The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton

    13. Re:WTF?? by Skald · · Score: 2
      at a maximum of, say, 12 posts per day, each one being a paragraph, or 4 lines at most, the "wasting our time" argument is a bit weak.

      And interestingly as well, do the wasting-our-time arguments waste more of our time than the things they're complaining about? :-)

      Anyway, my argument was mostly about regarding Slashdot as a search engine. I think that's a crummy attitude, because it looks at the other users simply as a means to a personal end. Although I can see where you might have thought I was just bitching about irritating questions, I actually don't have much of a problem with the status quo.

      Well... guess we beat that horse to death...

      --

      "The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton

    14. Re:WTF?? by CyberKnet · · Score: 1

      This question involved a popular OS, which is known to be running on a lot of /. readers' computers. It involves a popular topic which a lot of people know about, and are interested in. It was an area in which a lot of /. readers were likely to have valuable insight. If a /. reader has no insight, is not interested in and does not wish to comment upon the topic ... then they may have the honor of not posting. Nothing will please everybody, but maybe everybody could please consider that not everybody knows everything.

      --
      Video meliora proboque deteriora sequor - Ovidius
  60. LAN to LAN VPN (Slightly Offtopic) by tjw · · Score: 2

    Although this is not the VPN solution you're looking for, it is very cool.

    You can use taptunnel to connect multiple LANs together through an encrypted pipe.

    It's also the best solution for playing multiplayer IPX games like starcraft between LANs.

    --

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UB E-TEST-EMAIL*C.34X
  61. Been There by debrain · · Score: 3
    We had a similar situation where we had to decide on a particular system to implement VPN as well as all the firewall and DMZ (demilitarized zone) rulesets.

    We finally decided on OpenBSD although we considered Linux, Tru64, Solaris, NetBSD, FreeBSD, Irix, NT and Windows 2000. By considered, I mean we thought about it. But we finally decided on OpenBSD because throughout all the security bulletins that we've seen, this was the one that touted the best security, and was notably lacking in security bulletins.

    We have been extremely satisfied with OpenBSD, and use it as a real bastion firewall, and as a transparent bridge to our production servers. It has an incredible amount of power, and is very versatile. Combined with Snort, Nessus, Nmap, IPF, and Perl (or any scripting language), it makes a wonderful IDS (Intrusion Detection System). I have yet to see a commercial system rival the power of this open source system in terms of complexity and diversity.

  62. AltaVista Tunnel, some links by dublin · · Score: 2

    I've heard good things about the AltaVista tunneling software from some people who were looking at a very similar situation. It appears to be abandoned, although it may just be hiding.

    I found links to it on Tom Dunigan's VPN page, which has a number of good links for the problem at hand.

    A link to AltaVista tunnel info that does work is found on this Digital link in Russia, which is oddly, in English.

    Again, I haven't tried this myself, so caveat emptor.

    --
    "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
  63. Re:VPND by bgarcia · · Score: 1
    On the subject of 576-bit blowfish encryption, Sami said:
    I can say it, I cannot do it.
    From the Cryptography-Digest:

    Originally Blowfish was designed without the initial and final XOR-ing, so in 16-round Blowfish there were 14 entries in the P-box, totaling 56 bytes. Naturally, this was the limit for key length, and it was this number that went into the paper.

    Later on, the size of the P-box was increased by 4 entries, so that now the total size of the P-box is 72 bytes, but the paper was not revised.

    So the 56-byte limit may be regarded as an uncorrected typo, the extra 16 bytes are mixed with the same thoroughness as the rest of the crowd, and are in no sense easier to attack.

    So the total maximum length of Blowfish key is 72 bytes (576 bits). Period, end of story.

    So stick that in your fish and blow it!

    ;^)

    --
    I'm a leaf on the wind. Watch how I soar.
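The key-length argument in this comment (and in the replies to comment 67 below) comes down to how Blowfish absorbs its key, so here is the relevant step as an added example; this is not code from vpnd or from any other product in the thread. Blowfish XORs the key, cycled byte by byte, into its 18-entry P-array. 18 entries of 4 bytes is 72 bytes, 576 bits, so key bytes past the 72nd are never read, and a shorter key (56 bytes, 448 bits) wraps around and is reused for the last four entries. The S-box mixing phase that follows depends only on the P-array and fixed constants, so two keys that agree after this step yield identical subkeys. The 18 initial P-array constants are the ones published with the cipher; the test keys are constructed.

```python
# Added example (not code from vpnd or the thread): phase 1 of the Blowfish
# key schedule, the step that bounds the usable key length.
import struct

# Initial P-array: the first 18 words of the fractional hex digits of pi,
# as published with the cipher.
P_INIT = [
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
    0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
    0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B,
]
P_BYTES = len(P_INIT) * 4  # 72 bytes


def max_key_bits() -> int:
    """Mechanical upper bound on the key material Blowfish can absorb."""
    return P_BYTES * 8  # 576


def key_bytes_used(key: bytes) -> int:
    """How many distinct key bytes the schedule actually consumes."""
    return min(len(key), P_BYTES)


def xor_key_into_p(key: bytes) -> list:
    """P[i] ^= next 4 key bytes, cycling through the key as needed.

    Returns the 18 P-array words after the XOR step. The real schedule then
    encrypts an all-zero block repeatedly to replace P and the S-boxes; that
    step is omitted here because it adds nothing to the key-length question.
    """
    if not key:
        raise ValueError("Blowfish needs at least one key byte")
    p = list(P_INIT)
    j = 0  # index into the key; wraps modulo len(key)
    for i in range(len(p)):
        word = 0
        for _ in range(4):
            word = (word << 8) | key[j]
            j = (j + 1) % len(key)
        p[i] ^= word
    return p


if __name__ == "__main__":
    k72 = bytes(range(72))          # constructed 576-bit key
    k73 = k72 + b"\xff"             # one byte too many
    print("73rd byte ignored:", xor_key_into_p(k72) == xor_key_into_p(k73))
    k56 = bytes(range(56))          # constructed 448-bit key
    p = xor_key_into_p(k56)
    first_word = struct.unpack(">I", k56[:4])[0]
    print("P[14] reuses key bytes 0..3:", p[14] == P_INIT[14] ^ first_word)
    print("max key bits:", max_key_bits())
```

Two practical notes. First, 576 bits is the mechanical ceiling; anything beyond it is silently discarded, and a key that wraps (448 bits or shorter) is not weakened by the wrap, it simply repeats bytes the schedule has already seen. Second, Blowfish's per-block cost does not depend on key length at all: the key schedule runs the same 521 block encryptions whatever the key size, and the 16 rounds after that are identical. Dropping from 576 to 128 bits will not make a 486 any faster at the cipher; the bulk throughput limit discussed in the replies to comment 67 is the cipher itself, not the key size.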
  64. Re:VPND by bgarcia · · Score: 1
    You have 486's doing 576 bit blowfish bidirectional WHILE handling forwarding/routing/firewalling (probably chains)?
    Yes, but only on the one end. The other has a snappy Pentium III.
    Hard to believe that you could get anything more than ~128Kb/s out of that puppy if even that.
    Quick informal test of ftp'ing a 5MB file over that connection, in the middle of the day (ie, high internet traffic), gives:

    5319157 bytes received in 656 secs (7.9 Kbytes/sec)

    Which works out to be 63 kb/s.

    I have a cable modem at home and a dsl connection at work. It's a bit slow for remote X sessions, but it's ok for telnet traffic. I don't do much in the way of file transfers.

    Maybe a DX4133 or something...
    Just a lowly 486DX2-66. It probably would be a good bit faster with a Pentium, though. I should probably just knock the key size down to 128 or 256, but it just sounds so much cooler to say "I use 576-bit blowfish encryption".
    --
    I'm a leaf on the wind. Watch how I soar.
  65. Re:VPND by bgarcia · · Score: 1
    Again, the bottleneck here is the 486-66 I'm using as my vpnd server. It takes some serious horsepower to do 576-bit blowfish encryption in a reasonable timeframe. I've simply decided that I'd rather have strong encryption on my link rather than high speed.

    Simply accessing the internet without using the encrypted channel from either site is blindingly fast, I assure you. The 486 is plenty quick enough for simply firewall/masquerading duty.

    --
    I'm a leaf on the wind. Watch how I soar.
  66. VPND -- You are mistaken. by bgarcia · · Score: 2
    The entire body of main is the entire source file.
    I think you are mistaking vpnd for some other program. If you take a look at the source code, I think you'll agree that it is a fairly well-organized program, and that there is a lot more to it than just a single main() function.
    --
    I'm a leaf on the wind. Watch how I soar.
  67. VPND by bgarcia · · Score: 5
    I've been using vpnd for over a year now, and it has been extremely reliable and should be very secure (can you say "576-bit blowfish encryption"?).

    It is meant more to connect two subnets, rather than a single device to a network. Also, it does not run on windows. However, you can do what I do, and resurrect an old 486 to act as a gateway/firewall/vpnd server at home, and hook your windows box to it.

    It is set up to re-establish broken connections. Even though I often lose connectivity between work and home, as long as the downtime is less than a tcp timeout, all of my tcp connections over the encrypted channel will actually remain up! Very nice.

    --
    I'm a leaf on the wind. Watch how I soar.
    1. Re:VPND by billstewart · · Score: 2

      If speed is a problem, use a system based on RC4-128 encryption instead of Blowfish. It's strong enough if used correctly (i.e. unlike MS PPTP's use), and blazingly fast. There are also some other AES candidate algorithms that are respectably fast.

      --

      Bill Stewart
      New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
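The qualifier "if used correctly" in the reply above is the whole story with a stream cipher, so here is the classic failure as an added example; it is not code from any VPN product in the thread. RC4 expands a key into a keystream and XORs it with the data. If two messages are ever encrypted under the same keystream (for instance both directions of a link keyed identically), XORing the two ciphertexts cancels the keystream and leaves plaintext1 XOR plaintext2, so any known or guessable stretch of one message, such as a protocol header, reveals the other. The remedy shown, a distinct key per direction derived with SHA-256 from the shared secret and a direction label, is this example's own construction and not any protocol's key derivation; the traffic and secret are constructed.

```python
# Added example (not from any product in the thread): RC4 keystream reuse,
# and per-direction keys as the fix.
import hashlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then n bytes of keystream."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Given two ciphertexts under one keystream and a known prefix of the
    first plaintext, return the matching bytes of the second plaintext:
    c1 ^ c2 ^ p1 == p2 wherever the keystream was shared."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(c1[i] ^ c2[i] ^ known_p1[i] for i in range(n))


def direction_key(shared_secret: bytes, direction: str) -> bytes:
    """Per-direction key so the two halves of a link never share a keystream.
    Hypothetical derivation for this example, not any protocol's KDF."""
    return hashlib.sha256(shared_secret + b"|" + direction.encode()).digest()[:16]


if __name__ == "__main__":
    secret = b"sixteen byte key"                    # constructed shared secret
    to_server = b"GET /index.html HTTP/1.0\r\n"     # constructed traffic
    to_client = b"PUT /secret.txt HTTP/1.0\r\n"

    # Misuse: one key for both directions means one keystream for both.
    c1 = rc4(secret, to_server)
    c2 = rc4(secret, to_client)
    print("recovered from key reuse:", recover_with_crib(c1, c2, to_server))

    # Correct use: an independent keystream per direction.
    c1 = rc4(direction_key(secret, "client->server"), to_server)
    c2 = rc4(direction_key(secret, "server->client"), to_client)
    print("with per-direction keys:", recover_with_crib(c1, c2, to_server))
```

The implementation can be checked against the well-known vector: key "Key" and plaintext "Plaintext" give ciphertext bbf316e8d940af0ad3. Note that keystream reuse is only the misuse that is easiest to show; the same rule applies across sessions (a fresh key or nonce per session), and RC4's keystream itself was later found to carry statistical biases, which is why RFC 7465 prohibits it in TLS. For a new design the speed argument in the reply above should be read as a statement about stream ciphers in general, not as a recommendation of RC4 today.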
    2. Re:VPND by Sami · · Score: 1

      can you say "576-bit blowfish encryption"?

      I can say it, I cannot do it. On page 336 of Applied Cryptography (2nd ed.), Bruce Schneier says: "Blowfish's key length is variable and can be as long as 448 bits". Not that 448 bits wouldn't be enough though.

    3. Re:VPND by b.watkins · · Score: 2

      I have been using vpnd for about six months now, and I have to say that it has been very stable and completely seamless to my Windows networks. I used two old Pentium MMX boxes that were collecting dust, and they are more than powerful enough for the load. It is worth a look if you need security, reliability, and transparency. Best of all, it is free at http://sunsite.auc.dk/vpnd/.

  68. [OT] A quick note... by Tower · · Score: 1

    Again we have a good example of the (Read More) not being used... everything after the first paragraph could have been hidden in the story, so one post doesn't eat close to a page in Netscraper.

    [/OT]
    Nortel has a decent VPN solution, but hasn't provided us with a whole lot of Linux support (read: none)... I haven't seen a lot of good multiplatform VPN clients. Sorry...

    --
    "It's tough to be bilingual when you get hit in the head."
    1. Re:[OT] A quick note... by Tower · · Score: 1

      Follow-up on my own useless post...

      They (Cliff?) have gotten rid of several carriage returns and a bunch of other whitespace... much nicer to the other stories on the front page now.

      --
      "It's tough to be bilingual when you get hit in the head."
  69. Translation by Fideaux! · · Score: 3

    Hi, I'd like to move a server from NT4 to Linux. I'd like to stress that it is a server that is extremely vital to my company's business.

    It is so vital in fact that I'm prepared to spend no money on it at all. I want someone to give me high-powered, reliable software upon which I can bet my job, for free.

    Why must Open-Source necessarily equal free?
    Why does Open-Source necessarily equal best?
    If it were my job on the line here, I'd find the best solution, not necessarily the one that meets my agenda.

    1. Re:Translation by Hard_Code · · Score: 3

      "Why must Open-Source necessarily equal free? Why does Open-Source necessarily equal best?"

      Because that's what Open-Source advocates advocate. That's as opposed to Free Software which claims only to be Free, and only ethically best. I think the claim is valid that Open-Source is subtly distorting the spirit of Free-Software. It results in people asking questions like these. It's my impression anyway that Open-Source tries to sell itself as a panacea.

      --

      It's 10 PM. Do you know if you're un-American?
    2. Re:Translation by Scrybe · · Score: 1

      Remember that VPN comes with NT. What is the point of migrating from a platform that includes a feature you need to one where you have to spend "Thousands of Dollars" to add the feature you want???

      --

      <This .sig left intentionally blank>

    3. Re:Translation by onyxruby · · Score: 1
      The translation may or may not be on track. That doesn't matter though. You can't say that only "certain people" should get the benefits of open source software. People complain about people using MS products, well when these people are willing to look at other options, they should not be criticized. If anything, people should be more willing to help these people. Saying that "they don't know *nix, why should i help them" is nothing more than elitism. Same thing on coding, do you think that only programmers should be able to ask questions and do research? Last I checked, most programmers write software that isn't used by programmers.

      As for "giving your best damn software" for free, I believe that often /is/ the point. Especially where it concerns getting people off of M$ products. Give the guy a break, he's trying to break his Microsoft habit.

    4. Re:Translation by SquadBoy · · Score: 1

      Because the M$ implementation of a VPN cracks open like an overripe watermelon.....

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    5. Re:Translation by James+Earl+Jones · · Score: 1

      Uumm, I know lots of network admins who can't code their way out of a wet paper bag - myself included. Is this just a blatant bash at non-programmers, or do you not understand the job the guy has? The job is to keep the network running, at whatever cost/hours, keep the network running - not necessarily to code the software to keep the network running. Is there some shame I'm not aware of in not being an oh-so-holy programmer?

  70. Re:There's a difference by Hard_Code · · Score: 2

    I agree wholeheartedly. And I'd mod you up if I ever got moderation points when I fscking wanted them.

    (rant)
    Taco: Can't we move to a moderation system where people accumulate moderation points and can use them WHENEVER they want. Just put a cap on it so people who go on vacation don't come back to 1000 moderation points or something. I NEVER get moderation points when I want them, and only get them when there is nothing really of interest to me, or just flames or hot grits.
    (/rant)

    --

    It's 10 PM. Do you know if you're un-American?
  71. Re:MODERATION ERROR by Enoch+Root · · Score: 2

    Not to give moderators too much credit, but it *might* have been somebody trying to be funny. I have to admit it made me laugh.

  72. VPN over SSH, as recently featured on Linux.com by bconway · · Score: 2

    Check this out. I've had it working flawlessly for a while now. There isn't much out there that isn't more proven or secure than ssh. Give it a try, it's the best of what's out there.

    --
    Interested in open source engine management for your Subaru?
  73. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  74. Re:www.freeswan.org ??? by Old+Stoner · · Score: 1

    This is what Check Point recommends for setting up a VPN between a Firewall1 ver. 4.1 firewall. I am planning to upgrade to 4.1 & experiment this week...

  75. Re:VPND -- I'd be careful by Inoshiro · · Score: 2

    I checked into VPND somewhat recently to see if it'd be a nice way to link a few LANs which have fairly powerful (min 200 MHz) firewalls which could be used to tunnel traffic.

    I looked at the source code, as I had to port the program to OpenBSD. My first thought was that the person who wrote the code must've been some ASM programmer who took a 5-hour course in C. The entire body of main is the entire source file. Functional programming? What's that? The code is one big blob function. You can see blocks which are similar and could probably be handled by a separate function, but aren't.

    My friend's first comment on waving him over to see the code was, "and you wanted to run that on your server?"

    The code looks a lot like procmail's code, and is (IMO) a complete tear down and rewrite. I'm sure a lot can be salvaged from vpnd, but I find it hard to believe that the person who wrote code looking like that also did the strictest possible checking on all input/output code for security problems.

    You might want to read the VPN section of the Linux Admin Security Guide for a listing of alternatives.

    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  76. PPTP Security flaws by altair1 · · Score: 1

    Some people seem to be recommending PPTP and PoPTop... I've used it before, it's a great piece of software. PPTP isn't secure though. Counterpane did an analysis of it. Offline password cracking is possible with PPTP... Counterpane's recommendation (see the link): "At this point we still do not recommend Microsoft PPTP for applications where security is a factor".

  77. Re:www.freeswan.org ??? by Daleth · · Score: 2

    Using this at our site to do VPN with several other Linux boxen. It's IPSec compliant, so PGPNet, W2K, and others have all been noted to work with it. It's a pretty good solution.

  78. One-upmanship by MostlyHarmless · · Score: 1

    Nine-hundred-seventeenth! Hahahaha, I'm farther off than both of you combined. ph3@r m3 sux0rs!!! ;)

    --
    Friends don't let friends misuse the subjunctive.
  79. Re:While we're at it: by MostlyHarmless · · Score: 1

    This is kind of OT[*], but can aleph_aleph exist?

    [*] So maybe the original thing was offtopic too. Sue me.

    --
    Friends don't let friends misuse the subjunctive.
  80. Re:IPsec by 2sheds · · Score: 2

    Yeah, PPTPv1 is very broken, but PoPToP also implements PPTPv2 which I understand is a massive improvement. You can force v2-only connections too.

    Looks to be a v.good product; something that I'm looking at implementing myself.

    j.

    --

    Absit Invidia
  81. Re:Security of PPTP by billstewart · · Score: 2

    Mudge and Schneier analyzed PPTP and found half a dozen major things wrong with it. The symmetric encryption algorithm it uses, RC4, is quite strong, but has one rule about using it safely - Never use the same key twice. PPTP violates this two or three different ways, and has some leftover Microsoft Wimpy Password Algorithm cracks that provide a couple of other ways in, and there may be some other holes as well. (Then there's the usual security principle of "Never plug anything sensitive into a Windows machine" :-)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
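
As an added example (not from the poster and not PPTP's or any product's actual code), a small Python demonstration of the key-reuse rule Bill describes: RC4 is a stream cipher, so two messages encrypted under the same key leak the XOR of their plaintexts, while a distinct key per session and per direction does not. The HMAC-based key derivation is this example's assumption for illustration, not PPTP's real key schedule; the master key, nonce and messages are constructed.

```python
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA). Shown only to illustrate the flaw; RC4 is obsolete."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR for a stream cipher."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def plaintext_xor_leaks(key: bytes, p1: bytes, p2: bytes) -> bool:
    """The flaw: under one key, c1 XOR c2 == p1 XOR p2. The keystream cancels out,
    so whatever is known about one message reveals the other at the same offsets."""
    c1, c2 = rc4_crypt(key, p1), rc4_crypt(key, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def derive_direction_key(master_key: bytes, direction: bytes, session_nonce: bytes) -> bytes:
    """The fix: never reuse a keystream. Derive a distinct key per session and per
    direction. (HMAC-SHA256 derivation is this example's assumption, not PPTP's.)"""
    return hmac.new(master_key, direction + b"|" + session_nonce, hashlib.sha256).digest()


def encrypt_with_derived_key(master_key: bytes, direction: bytes,
                             session_nonce: bytes, data: bytes) -> bytes:
    return rc4_crypt(derive_direction_key(master_key, direction, session_nonce), data)


def derived_keys_do_not_leak(master_key: bytes, session_nonce: bytes,
                             p1: bytes, p2: bytes) -> bool:
    """With separate keys for each direction the XOR relation no longer holds."""
    c1 = encrypt_with_derived_key(master_key, b"client->server", session_nonce, p1)
    c2 = encrypt_with_derived_key(master_key, b"server->client", session_nonce, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) != xor_bytes(p1[:n], p2[:n])
```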
  82. Re:FreeS/WAN compatible with various packages by billstewart · · Score: 3
    The FreeS/WAN project www.freeswan.org is the Free Linux implementation, developed outside the US to avoid export restriction problems. They've done a lot of work on compatibility with a large number of other packages, including Nortel Contivity and PGPnet. Typical compatibility situations are that IPSEC/IKE have zillions of different options for keying, and any two products will have some subset that work, usually manual keying. The other typical issue is that for policy reasons, FreeS/WAN only does 3DES, and some commercial products only do single-DES. (John Gilmore, who funds FreeS/WAN, spent a lot of money and time developing the DES cracker to convince people that single DES is dead...)

    Nortel has a policy of Freeswan compatibility, so you should be able to use their server or client to talk to a FreeSWAN linux box. Nortel's client software runs on Win95, Win98, and NT, and is free if you buy the Nortel hardware (formerly Bay, formerly New Oak.) I don't know if it's free if you don't buy a box from them. So far I've used the Nortel client only with Nortel servers, but it works quite well and has multiple options for keying, including SecureID.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  83. IPsec by Ledge+Kindred · · Score: 4
    Your best bet is probably to get IPsec running on a Linux server farm and find IPsec clients for WinXX. At least that way, you'll be using a standard protocol, unlike most (read: all) proprietary VPN softwares out there. You'd then be able to support any OS that had an IPsec stack (which includes a lot of them nowadays).

    Barring that, we've had good luck with VSgate by infoexpress in huge (and I mean huge) enterprise environments. Bonus: they directly support Linux not only as a server platform but client as well.

    You could also look for PoPToP, which is a reverse-engineered hack of Microsoft's "Point-to-Point Tunnelling Protocol" to make a Linux box able to be a server for it, but take a look at some past issues of Schneier's Cryptogram (don't know the specific one, sorry) for some scathing commentary on the brokenness of PPTP.


    --
    My mom's going to kick you in the face!

    1. Re:IPsec by axlrosen · · Score: 1
      > ...but take a look at some past issues of Schneier's Cryptogram (don't know the specific one, sorry) for some scathing commentary on the brokenness of PPTP.

      The report is here.

      The report said that Microsoft's PPTP implementation was broken, not the PPTP protocol itself. Also, Microsoft has since released an updated implementation, which is much less broken.

    2. Re:IPsec by gmonkey · · Score: 2

      Just supporting IPSec doesn't necessarily mean your job as an administrator will be easy. IPSec is only a definition of the encrypted tunnel protocols, and does not define the process of exchanging public keys, validating the computer on the other end with a certificate authority, negotiating what type of encryption algorithm to use, or many other menial configuration tasks. It is possible to set up an IPSec tunnel by hand, but I hope you enjoy typing in lengthy configuration files and copying around encryption keys by hand. If you want the keys to rollover, you'll have to redo portions of this process every time you want that to happen too.

      To automate all this, you need a key exchange protocol like IKE which can handle all of these tasks for you. I personally work for a VPN company that implemented and released IPsec software/hardware before IKE had become a standard, and so we have our own protocols for establishing the Security Association for the IPSec tunnel. Our setup protocol is pretty darn good (IMHO), but it's not an open standard, so it only works between our own products. IKE is a feature likely to be added to a future release of our products.

      In general regards to the big question, I think an IPSec client that supports IKE is the way to go, since both are now open standards (mostly in the range RFC2401 through RFC2409). There are already open source projects on the BSDs and Linux to support IPSec/IKE, and most VPN vendors are also moving towards it. (Check FreeS/WAN for Linux and isakmpd for BSD)

      From my highly biased standpoint, I think my company's product is pretty good and we have a nice client for WinXX if you're willing to work with your key server being on an NT machine. The server can work from behind a firewall with only a few UDP ports forwarded, which is also nice.

      The opinions expressed in this email don't imply or assert anything about those of my employer in any way shape or form, either for or against anything I said. Everything in this post is entirely my own opinion and beliefs.

  84. FreeS/WAN by hempguy · · Score: 1
    First, I'd like to say that I share the thought that Ask Slashdot is getting lamer & lamer. If I had posted this question 6 months ago, it would have been rejected immediately and I would have had to go to freshmeat. Which I did. Although I am not using a VPN in a professional environment (yet?), I'll explain my situation.

    We have two networks (each of them has around 5 M$ clients, and 1 Linux box as firewall). I installed FreeS/WAN on both machines -- the documentation is pretty good -- and in NO time all network neighborhoods showed the Win-clients of the other network. I understand that the recent releases even have improved road warrior support! I don't know anything about the other programs mentioned here, but I know for sure that Linux (and FreeS/WAN) makes an excellent VPN gateway.


    my € 0.2

    -8<--

  85. Re:SafeNet by ewieling · · Score: 1

    Sounds like a nice product. Too bad I can't use their web site (http://www.ire.com/) with Netscape Communicator 4.7 on Linux. Sounds like a great product.

    --
    I really shouldn't have used someone else's email address for this account.
  86. I know it's not Linux, but... by audiokat · · Score: 1

    We use OpenBSD here at work, and it works beautifully. We have 2 networks, one on each coast of the US. Each routes through a different ISP to the internet. Computers on both networks are primarily Windows, with a smattering of mac and linux, and it works very very well. There's even a very nice HOWTO for it included with the OpenBSD distro. We use it to not only route via a VPN, but also to do some masquerading for us and it works great....
    That's my $0.02(US)

    --
    Why is it that it's a penny for your thoughts, but you have to put your two cents in? Somebody's makin a penny. --Steven
  87. Re:There's a difference by TheCarp · · Score: 1

    No...because when OpenSource was coined it was INTENDED to have the exact same meaning as "Free Software" but without the 'political focus' for the stated reason of "convincing suits"

    So this is a case more of "Is it a square or an equilateral rectangle?"

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  88. Re:There's a difference by TheCarp · · Score: 1

    > Free Software: Binaries you don't have to pay
    > money for. If it breaks, you must bug the author
    > (if you can find him)

    This is usually called "FreeWare". When people talk specifically of "Free Software" it usually means Something where source code is available under a GPL/BSD/Artistic/etc licence.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  89. Re:There's a difference by TheCarp · · Score: 4

    > Please remember that Open Source != Free
    > Software.

    That depends who you are talking to.

    When people originally started talking about OpenSource, the idea (as I understand it was) "Lets take the 'Free Software' concept and repackage it under a new name, because the word 'free' scares suits".

    The basic idea being Open Source *IS* free software in the same way that Zantac is Ranitidine (same chemical, different name).

    So when we talk about "OpenSource" we talk about how you have source code and all sorts of other things. When we talk about "Free Software" we call all those things 'side effects' and talk about freedom as the main concern.

    That doesn't mean there is a difference, just a different focus. In original intent though, the "focus" is the only difference, and when not trying to sell suits on the idea, the two terms can be used interchangeably.

    It has come to pass that you can seem to tell a person's beliefs on the subject by which term they use. FSF types will ALWAYS talk about "Free Software" and disparage the term "OpenSource". Those who just care that the code exists and think that having source code is better for the technical reasons, will call it "OpenSource".

    The entire criticism of the term is the focus change. People like RMS argue that the focus shift is bad. The whole point of free software is freedom and focusing on the other benefits instead is diminishing the value of the work by removing the political association of it.

    At the end of the day though...the two are the same in every way but terminology and connotation.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  90. IPsec and PGP.net by dragonfly_blue · · Score: 2

    If I were you, I'd try out IPsec and PGP.net. IPsec is included with the default OpenBSD install (if you can install Debian you can install OpenBSD) and PGP.net is a component of the free Windows PGP client. They interoperate just fine with each other, and the client will work on a standalone computer or as a gateway for a VPN linking two LANs into a WAN.

    --
    Free music from Jack Merlot.
  91. VPN Options by 1600 · · Score: 1
    There are numerous options you can use for Linux to Windows VPN tunnels. Freeswan, as mentioned in previous posts, is good for server to server tunneling. This way, if you have two linux machines acting as servers, they can both establish a secure tunnel between each other and all of the windows clients behind them will be able to communicate as well. This establishes server-server, server-subnet, subnet-subnet and subnet-server tunnels.

    The other option is to install a client-server VPN package such as Infoexpress. With this, each windows client runs a simple program that automatically connects to the server to establish the appropriate tunnel. Although Infoexpress is commercial, it is very versatile and robust. It's definitely worthy of consideration.

  92. Beware PPTP by kangasloth · · Score: 1

    I've heard very bad things about pptp, which PoPTop implements. For a sample see this FAQ. Please consider an IPSec solution like FreeSwan for linux or Kame the BSD equivalent.

  93. Addendum - the client sw by kangasloth · · Score: 1

    Oh yeah, almost forgot, if you go the IPSec route, you might want to look at PGPnet, included in PGP from version 6.5. I think you might need the commercial version to get support for secure gateways in addition to secure hosts.

    I believe W2K includes support for IPSec, not sure if it can act as a VPN server or if it's compatible w/ freeswan/kame, though of course, it should be.

  94. www.freeswan.org ??? by denjin · · Score: 4

    Check out this place...it would be installed on a linux server. It probably is going to work best with the Windows 2000 VPN clients and even then I could be wrong :) Chris

  95. UNI-BOX by storem · · Score: 2
    We at work have recently migrated from Windows NT4 RRAS (PPTP based) servers to a Linux based IPSEC implementation. This was done using the UNI-BOX of the people at ABLE.be (http://www.able.be). The only thing I can say is that the FreeS/WAN setup on the UNI-BOXes is quite superior to the RRAS that we used to have. The response speed seems to be faster and the downtime is reduced to an absolute minimum.

    We only use Linux boxes to connect the different offices together. Inside it's still a full blown Windows NT 4 deal.

    My $0.02

  96. Socks is pretty much it. by jehreg · · Score: 1
    I have been looking for this Holy Grail for a little while, but nothing seems to fit the bill.

    Most of my clients use LDAP for authentication too, and I have yet to find a Contivity-like server on Linux that will support an LDAP-aware Windows client for tunnelling all protocols.

    The most that I have been able to find is Socks and the server can run on Linux, and it also supports Kerberos. The Socks Windose client can be setup to tunnel all TCP and UDP ports to the Socks server.

    Now, if someone could make Vtun LDAP-aware and make a windows client....
    Jehreg

  97. Re:Money issues by fsck · · Score: 1

    A recent high profile site compared linux to windows, as far as gaming, user friendliness, and support. Linux is free software, and it kicked Microsoft Windows' ass in support, and Windows is payware.

    Eat the troll.

    --

    Lars - ...I could always phone Linus when I had a problem.
  98. Re:Money issues by fsck · · Score: 1

    Driver issues are touchy. Vendors giving out specs for fear of ip theft is big (nvidia) and also Big Money threats (microsoft) prevent it. Not to mention brain damaged devices (winmodems)

    I have a gravis Xterminator gamepad that I bought and paid for, installed their latest drivers in windows 98, and had problems. I emailed their "support" several times detailing the problem with only an auto-generated reply each time. That support sucks. The Xterminator is supported in the linux kernel, so I am happy.

    I also assume when you say gaming, that you mean DirectX gaming. Gaming is great when you avoid DirectX like the plague. Quake1/2/3 provide me with enough gaming right now, and they all run on linux.

    --

    Lars - ...I could always phone Linus when I had a problem.
  99. Putting Windoze boxes on a VPN?!?!?! by lamontg · · Score: 1
    Great. So the Windoze user at home gets hacked and back orificed, and now the hackers have a direct connection into your trusted network.

    If you're going to do this you need a client on the windows side which will let you enforce security policy on the clients which connect to the VPN gateway. There are no Open Source products which will do this for you. You will probably need Checkpoint's FW-1.

    The alternative is to simply not allow machines at people's homes to connect to your VPN gateway. Only do VPN when it's gateway-to-gateway between satellite offices. No road warriors, no home users, and no need to support PPTP.

    If you are looking to implement PoPToP I urge you to take a very very long look at the security of the clients which are going to be connecting to the PoPToP server. You are probably going to make your network less secure, not more secure, by supporting PPTP on your VPN gateway.

  100. IPSec and NAT by rcharbon · · Score: 1

    When choosing a VPN for remote access, remember that IPSec solutions (such as FreeS/WAN) do not like it if the client is behind a Network Address Translation device. Since many home networks share a single IP address among many computers by using NAT, IPSec VPNs may not be your best choice.
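
As an added example (not from the poster and not FreeS/WAN's code), a small Python model of why the AH flavour of IPsec in particular breaks behind NAT: the AH integrity check covers the source and destination addresses, so an ordinary router hop (which only touches mutable fields such as TTL) still verifies, while a NAT box rewriting the source address does not. The packet layout follows RFC 2402 with HMAC-SHA1-96 (RFC 2404); the key, addresses and payload are constructed.

```python
import hashlib
import hmac
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum, src, dst
AH_PROTO = 51
ICV_LEN = 12               # HMAC-SHA1-96 truncated ICV (RFC 2404)
AH_FIXED = 12              # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the header checksum is left zero (it is mutable anyway)."""
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1: TOS, flags, fragment offset, TTL and checksum are zeroed for the ICV;
    version, IHL, total length, ID, protocol and BOTH addresses are covered as-is."""
    ver_ihl, _tos, tlen, ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, ip_hdr)
    return struct.pack(IP_FMT, ver_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV = HMAC over (immutable IP header || AH with ICV field zeroed || payload)."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes,
                    spi: int = 0x1001, seq: int = 1, next_hdr: int = 17) -> bytes:
    # AH "payload length" is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_hdr, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_FIXED + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    """What the receiving IPsec gateway does before accepting the packet."""
    ip_hdr, ah_fixed = pkt[:20], pkt[20:20 + AH_FIXED]
    icv = pkt[20 + AH_FIXED:20 + AH_FIXED + ICV_LEN]
    payload = pkt[20 + AH_FIXED + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def router_hop(pkt: bytes) -> bytes:
    """An ordinary router: decrement TTL (a mutable field) and forward."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    return bytes(hdr) + pkt[20:]


def nat_rewrite_source(pkt: bytes, public_src: str) -> bytes:
    """A NAT gateway: swap the private source address for its public one."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = socket.inet_aton(public_src)
    return bytes(hdr) + pkt[20:]
```

ESP does not cover the outer IP header, but a NAT device still has no port numbers to map in an ESP packet (only an SPI), which is why later UDP-encapsulation extensions were needed for IPsec to pass through NAT at all.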

  101. Re:FreeS/WAN compatible with various packages by cchuter · · Score: 1
    I was unable to get FreeS/Wan to work with the newest Cisco routers (running 3DES). It would get past the authentication stage, but the Cisco beast would send some extra packets that totally confused FreeS/Wan.

    Has anyone been able to get FreeS/Wan talking to Cisco?

  102. Re:There's a difference by jeroenb · · Score: 1
    The term Open Source has a much broader meaning these days - and that is what I was referring to.

    (Although I must admit that you are correct when you are referring to the official Open Source definition and I agree that it would have been better to give a different example.)

  103. There's a difference by jeroenb · · Score: 3
    > I know that there are commercial vendors offering VPN solutions that interoperate beautifully between Windows and Linux, but these carry a hefty pricetag, upwards of several thousand dollars. I would much rather go with an Open Source solution.

    Please remember that Open Source != Free Software. Open Source does not specifically require the software to be free, an example of this is Solaris. Free Software (in the FSF sense of the term) however, requires the software to be free, open source and a bunch of other things (concerning distribution, etc.)

    Sorry for bitching, but I think that at least the people at /. (and those submitting to /.) should have the terms straight.

    1. Re:There's a difference by Refrag · · Score: 1

      Free Software doesn't require that the software be free (gratis) either. In fact, the FSF encourages developers to charge for their work. Free Software just requires that the software be free (libre).

      Please forgive my foreign language... I only speak English. Just remember gratis is like beer.

      Refrag

      --
      I have a website. It's about Macs.
    2. Re:There's a difference by slycer · · Score: 1

      Damn..
      I agree totally.
      If I had mod points I'd mod you up.
      :-)

    3. Re:There's a difference by 11223 · · Score: 3
      Solaris, while the source is available, isn't Open Source. Open Source requires that
      1. That the source to the program be redistributable.
      2. That any compiled binaries from the source be redistributable.
      Therefore, it's free, too.
    4. Re:There's a difference by The_Real_Deuce · · Score: 1
      Alright, I've been using software I haven't had to pay for for years, and it does basically fall into two groups that I think of as Open Source and Free Software. These definitions pre-dated the FSF et al.

      Free Software: Binaries you don't have to pay money for. If it breaks, you must bug the author (if you can find him).
      Open Source: Free Source Code. If you have a use for it and it breaks, fix it and send a patch to the author.

      Free Software doesn't mean you have access to the source code, it means the program is free.

      There used to be all sorts of 'source code available' deals - usually for ten times the price of the binaries (MajorBBS/WorldGroup comes to mind) And you could only modify it for your own amusement and kiss any warranty goodbye. Any other arguments are just based on what other people have changed them from. IMNSHO, If the source code is not open to changes from joe, harry and bob, it's not open no matter how many people have copies of it.

      --
      Does reading in the bathroom count as multi-tasking?
  104. Re:VPN over SSH, other TCP over TCP solutions: bad by nealmcb · · Score: 1
    An explanation of why TCP over TCP, PPP over SSH and similar solutions are not a good idea.
    Unfortunately, it doesn't work well. Long delays and frequent connection aborts are to be expected. Here is why.... Use ipsec or CIPE instead.... http://sites.inka.de/~bigred/devel/tcp-tcp.html

    Normal TCP: when a segment times out, the following timeout is increased (exponentially, in fact, because that has been shown to avoid the meltdown effect)....

    Stacked TCP: the upper layer can queue up more retransmissions faster than the lower layer can process them. TCP's reliability provisions backfire here. The upper layer retransmissions are completely unnecessary, since the carrier guarantees delivery - but the upper layer TCP can't know this, because TCP always assumes an unreliable carrier.


    --

    --Neal
    Go IETF!

  105. Why not buy something that works "beautifully"? by SClitheroe · · Score: 2

    If there is a product that works really well, why not purchase it? The cost probably gets you not only the software that you need, but also a manual, tech support, etc.

    Do you really need the source code to your VPN software? If so, that sounds like the "immature" code you want to avoid in the first place.

    1. Re:Why not buy something that works "beautifully"? by theseum · · Score: 1

      "Sell Out?" What's the point of running open source software if it sucks? The IT guy who submitted this ask /. is obviously not interested in writing his own code, so what does it matter if he uses open or closed source software? Whatever works best, I say. Though with something like a VPN, open-source has the advantage of (usually) being more secure...

    2. Re:Why not buy something that works "beautifully"? by Fist+Prost · · Score: 1

      Gratis instead of Libre, you mean. Free is such a confusing term. Is that free as in software or free as in "Free P.C.!!!"?

      --

      Fist Prost

      "We're talking about a planet of helpdesks."
      -Jaron Lanier
    3. Re:Why not buy something that works "beautifully"? by BoXeR2600 · · Score: 1

      I am pretty sure that when the author stated "open-source", he meant "free."

  106. Router's\Firewall with VPN built in by Kondoor · · Score: 3

    Have you considered getting 2 routers with VPN built in? Being a small company here we use a cheap easy to setup product that is a firewall\router all in one. The current model we are using is the WebRamp 700s. We're small and it works well for us. http://www.webramp.com

  107. Re:PoPToP for Linux by Ron+Harwood · · Score: 2

    It's good enough for windows clients out in the wild...

    IPSEC is better, but I don't know if there is a free client available for Windows.

  108. PoPToP for Linux by Ron+Harwood · · Score: 3

    PoPToP is an open source implementation of PPTP under Linux. I've used it. It's solid. It rocks.

  109. why not... by session · · Score: 1

    why not put a linux box between the windows/linux sides? you could have a VPN between the two linux boxes, and use samba or something from there. would make life easier, anyway.

    1. Re:why not... by session · · Score: 1
      true. if desktop workstations are the windows clients though, that would work i believe.

      in any case, the only VPN software i've used is cipe. it's on freshmeat i think. encrypted VPN using encapsulated packets -- even has port forwarding. you may be able to get that to work on windows, although i doubt it.

    2. Re:why not... by Howl · · Score: 1

      Because I suspect he wants roving windows dialup (laptops) and taking a linux box on biz trip to act as a vpn gateway would be a little bit OTT.

      --
      Never underestimate the bandwidth of a truck load of tapes
  110. Open Source != free by Refrag · · Score: 1
    > I know that there are commercial vendors offering VPN solutions that interoperate beautifully between Windows and Linux, but these carry a hefty pricetag, upwards of several thousand dollars. I would much rather go with an Open Source solution.


    Am I the only person that noticed that Adam equated Open Source with free? He doesn't want to pay for the VPN support, so he wants an Open Source solution? That's not right! I'm surprised this Ask Slashdot got submitted.

    Refrag
    --
    I have a website. It's about Macs.
  111. Re:Foofighters? by Refrag · · Score: 1

    I'm not going to reply to your last sentence, because I know you were just razzing the populace here.

    At any rate, the Foo Fighters MP3s that I auditioned before buying the CD were from Napster. I think my .sig (are they stored as .sig files on the Slashserver?) makes the point that even what would normally be considered pirated music by the RIAA helps promote artists. The Foo Fighters aren't the only ones that have benefited from my Internet research of new music. However, Metallica is the only band that has made me decide against purchasing their music (I was going to get their Cunning Stunts DVD, until the crap they pulled).

    Refrag

    --
    I have a website. It's about Macs.
  112. Re:PoPToP / MSCHAPv2 by MForster · · Score: 1
    I investigated a little bit how secure MSCHAPv2 really is. I found a detailed analysis on this topic from the same people that did the MSCHAPv1 analysis and discovered those security holes. It seems that MSCHAPv2 really is better than v1:
    > Microsoft has improved PPTP to correct the major security weaknesses described in [SM98]. However, the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user.
    So, what does that mean for the average user? Does this make the MSCHAPv2 authentication mechanism less secure than other password based protocols - let's say ssh?
  113. Similar Problem by Metrol · · Score: 2

    I've got a very similar problem concerning a VPN solution. My company has a Checkpoint firewall with VPN support that we've been quite happy with running on NT. The main problem that I've been running into is the software for client side only supports Windows platforms and the client must have a routable IP address.

    For the most part, this isn't a problem since Windows is the dominant desktop platform around our office. With home networking kicking in with a lot of my folks, they're finding a need to have a single routable IP solution at home for multiple boxes AND having VPN support for them. I also have one remote office that presently has to have unique routable IP's for each client. To further complicate matters, that remote office has a couple of Macs tossed into the mix.

    I've been looking about for a reasonable server side solution that I can deploy to a number of locations to handle the chit chat between it and this Checkpoint firewall. If I can get either Linux or a flavor of BSD to act as a proxy and VPN solution, freeware will get migrated into my office setup for the first time.

    Aside from getting this to work at all, I do have support concerns. Between Linux and BSD, I've at least spent some time using Linux but there's apparently stability concerns with S/Wan. OpenBSD looks interesting, but I have zero BSD experience at this point in time. All the support and configuration falls squarely into my lap to implement.

    I had rather hoped to find something that was a Windows based solution, mostly since that's what all my remote users are using. Not too many folks want to go out and purchase a separate PC just to handle network proxying. Granted, this isn't nearly as much of an issue as the remote office is, as I can easily get another PC to deal with this there.

    Bottom line: I need a solution that proxies non-routable IP addresses to the internet while providing for VPN support to a Checkpoint firewall.

    --
    The line must be drawn here. This far. No further.
  114. Ask a simple question - get mostly rude answers. by r0r0 · · Score: 1

    !rant! I fail to understand why people get so rude and sarcastic here when someone asks a valid question. !rant!

    Anyway, I've been going through the same thing here at work. We're software developers with not a lot of extra money to be throwing around at every whizbang VPN hardware solution that exists. And yes, there's plenty of them.

    Regardless, we need some type of VPN solution as we have folks that a) don't work in the office, or b) work primarily at home.

    So, what do we do? It's simple. We use the built-in VPN solution that ships with NT. Mock me if you will, but it works. It's not secure, no - you're right, but some security is better than no security.

    When I say, "it works" - I mean.. it works. The off-site employees plug the appropriate information into dialup networking and when they connect to the office - they connect. They see our machines, and we see their machines. It's slow, it's crude, but it works.

    Now, that doesn't mean we like it, or enjoy using it, but it works. We're currently in the process of eliminating NT from our network in favor of linux solutions. We're doing this on a fairly grand scale. Not only are we removing those machines, but we're removing other things as well - such as Visual Sourcesafe (feh!).

    But - now, we've run into the same problem that the poster is inquiring about. What about VPN?
    Well, no problem.. (or so I thought). As one of the few people around actually helping push the NT boxes out of the office and applauding the arrival of the linux boxes, I happily jumped onto the web and started investigating what solutions were available for me. What did I discover? Oh - there's plenty of things available - all of them, although very noble in their attempts, do not do what we need.. not exactly, anyway.

    What do we need? We need simplicity - that's what we need. We need our employees to be able to click the little dialup networking icon, connect to the office, and have it seem like they were here in the office. To be able to see our machines, and for us to see their machines.

    Forget about all the other ways it can be done. The fact is - the people that need VPN don't want to waste their time futzing with setting up extra hardware in their house. They want simple.

    The only thing that comes close is PoPToP and unfortunately, at this time it doesn't come close enough. I could go into detail why it doesn't come close, but if you subscribe to the mailing list, or try to implement it yourself, you'll see why it's not ready for primetime.

    Many people are bitching about the guy wanting something for free and blah, blah. Well, folks - the solution ships free with NT, and it works. When you finally convince the headcheeses to junk the NT solutions and move over to linux (it takes a lot of convincing) you can't come back a day later and say, "oh, btw, we need an extra (insert dollar amount) for this VPN hardware solution." Because you know - they'll just come back and say, "That worked just fine with NT."

    So, this has just been a lot of babble really. This issue just hits home with me because I've been dealing with it so much. We tried multiple times with PoPToP, but it just wasn't consistent, or reliable in operation.

    We found a solution, though. We kept the linux boxes, and just left the NT box around to be the VPN gateway. We'll probably upgrade that machine to Windows 2000 in the near future, though. Windows 2000 has even better VPN built-in.

    To the poster, if you don't find anything that works for you, and you can budget a hardware solution, I recommend you look into the same hardware solution we looked at, but cannot afford. It's called, "Intraport." The company was recently acquired by Cisco. Here's a link.

    I'm done now.

  115. Security of PPTP by eric434 · · Score: 1

    I suggest you check out such sites as http://www.l0pht.com , as I believe they have a PPTP sniffer available in the L0phtcrack section, including, and limited to, the source code.

    --
    This .sig temporary until a better .sig can be constructed.
  116. Swan and Munitions by raywest · · Score: 2

    A fairly mature package I've seen is S/WAN (Swan), available from www.freeswan.org. It's in version 1.5 and is being actively developed. A good source for this type of software is munitions.org. They have a software section containing many VPN / cryptography related packages. Good luck!

    --
    Amateurs built the arc, professionals built the Titanic
  117. Support by theseum · · Score: 1

    I constantly hear about how one disadvantage of free (beer) software is that it doesn't have support, hence companies like RedHat and Linuxcare will offer that. Personally, I prefer the ldp to any commercial support I've ever received. Of course my experience is only with crappy consumer-level support, never with enterprise-level support, which I assume is much better. And if you are a programmer with a lot of time on your hands, like me, then source code is the best documentation there is.

  118. Aventail has an elegant closed source solution by JimmytheGeek · · Score: 1

    This is somewhat off-topic, but other closed-source VPN solutions were proposed, and I thought people entertaining them should consider Aventail. (Disclosure: I no longer work there- but I used to. I have no financial interest at all) Their product is based on open standards (SOCKS5), is modular as hell, and runs on many flavors of *nix, including Linux, of course. There is a server piece for NT. The client side runs on Winbloze as well as the *nices. What I appreciated most was how little the client mangled the client machine. Very small footprint, very well-behaved. I used to have to support all these winsock apps that were mutually exclusive and it drove me up a tree. This doesn't do that. The client is rules-based, and you can set it up to ignore (not set up VPN) for some things, and to set up a VPN for others. Many clients force you to be either in or out of the secure tunnel. Aventail's products don't. Also- the VPN is set up at the session level, allowing access based on individuals, not nets. Very good for untrusted extranets.

  119. IPSEC is the way to go by BurgerOZ · · Score: 1

    My previous job involved this stuff - you should look into IPSEC - We had some kit from TimeStep/NewBridge/Alcatel called "Permit/Gate". They have a hardware box (2 port Ethernet VPN Encryption Gateway) and a WIN95/98/NT client too. Some of my customers used to use OpenBSD, but as IPSEC is "opensource" you could [should?] interoperate *most* IPSEC implementations, and apparently KAME/FreeSwan have been involved in the Bakeoffs for testing IPSEC too (all vendors are supposed to do this for interoperability testing). A pure TimeStep solution works a treat, but I knew someone who used their WIN client with their OpenBSD for example to get WIN clients into the network. Sounds like this might be the GO for you!

  120. SafeNet by buffalo_chip · · Score: 3

    There are unfortunately no Open Source Windows VPN clients. A good alternative however is SafeNet's client. Though not open source, you can get a pack of 10 licenses for about $80, last I checked. Cisco rebrands and sells this very product but charges about 10 times as much for it. SafeNet's VPN client works with FreeS/WAN which can be loaded on Windows 95/98/NT and possibly 2k. DO NOT use Windows 2000's built in IPSec; it has a major bug in that when told to operate in 3DES mode it suddenly drops to single DES without so much as telling you. When inter-operating with FreeS/WAN the connection barfs; I consider this a great feature of FreeS/WAN :-). FreeS/WAN no longer supports single DES as it is too easily brute force cracked. If there is enough interest in this sort of thing, I could see the company I work for producing an Open Source windows VPN client. www.protectix.com

  121. Running PPP over SSH as a solution by waleed · · Score: 1
    This article over at linux.com explains how you can set up a pppd link over ssh. Once you have done this, you can then use it together with packet filtering to create a VPN. Basically it goes something like:
    • Set up an ssh link between two routers A (your local router running Linux or your free operating system of choice with support for SSH and packet filtering) and B (the remote router where the rest of the VPN lives).
    • Run pppd on top of ssh.
    • Tell all the other machines in the local area to use A as the router for all addresses within the VPN.
    • Set up router A with ipchains to forward all connections from the local VPN over the PPP-on-SSH system to router B.
    • Set up router B (another linux box) to forward all packets from A to their correct addresses on the remote systems.
    This should work with all operating systems that support TCP/IP (last time I checked that was most ;-), and theoretically should be transparent to the rest of the network at both ends. It's free. You can choose the level of encryption. It's a tad kludgy, but it works. Waleed.
  122. Buy A Netwinder !!!! by newgen95 · · Score: 1

    Buy a Netwinder from Rebel.com ..... it will do everything for you!

  123. FreeS/WAN by sulli · · Score: 1
    has been tested as interoperable with major VPN clients / servers. One leading VPN client (Nortel Contivity) is a little weird but I think can be made to interoperate with it as well. And it's free, and developed overseas, so none of that (increasingly less-relevant) export-control crap.

    sulli

    --

    sulli
    RTFJ.
  124. This is a pain by sulli · · Score: 1
    if you're using standard ISP accounts. Dial-up fixed IP accounts are hard to come by and expensive these days, because IPs are such a scarce resource. And, of course, if you have a dial-in pool, you probably don't need a VPN to begin with - they're generally used with ordinary dial-up internet, because it's easy to get and inexpensive.

    sulli

    --

    sulli
    RTFJ.
  125. Money issues by KeyShark · · Score: 1

    Just remember you get what you pay for. Free software doesn't always give you the support that you would get from one that costs money.

  126. I built an extremely secure vpn using linux! by TheNarrator · · Score: 1

    I put one of these together last week. I read the VPN-2 FAQ.
    http://howto.tucows.com/LDP/HOWTO/VPN-HOWTO-2.html

    The only bad thing about this is you need linux boxes on both ends to establish the vpn. That means that this is more of a solution for people with linux boxes or those setting up permanent vpns between sites.

    The system consists of two boxes:
    server vpn machine - located behind the firewall of the corporate network, able to connect out via ssh to the client vpn machine

    client vpn machine - located at the remote site, connected directly to the internet. Serves as gateway for the remote network

    Here's how I did it.
    1. VPN server behind the firewall connects to the vpn client network router outside the firewall via SSH. Authentication is via client certificates only (more on this in the howto).

    2. PPP is tunneled through the SSH connection to make the client machine think it is a subnet attached to the server machine's behind-the-firewall-network.

    3. The default route for the vpn client network goes through the ppp connection to the vpn server. The only route on the Internet attached interface is to the vpn server's firewall. That way nothing can connect to the vpn client gateway or even strobe it if not coming from the corporate network firewall.

    4. All boxes on the vpn client network are now behind the firewall and have a default route that must pass through it. I was surprised at how little a performance degradation this caused!

    This has the advantage that on either side of the VPN tunnel you can have unlimited clients sending any kind of protocol they want. You can also use fairly cheap linux boxes for this purpose without loss of too much speed. The downside is you need one machine for the server and another one for each remote network that you are establishing. PPTP scares me because it needs the windows box to be secure, which I feel is difficult to do. This solution is a network based security model that is much more efficient and secure.
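    A model of the client-gateway routing policy described in comments 121 and 126 (the PPP-over-SSH link as the default route, a lone host route to the corporate firewall on the Internet side), showing why a gateway set up that way cannot be probed from arbitrary Internet hosts and what happens if a wider route lands on the outside interface. This is an added example, not code from either post; the interface names and addresses are constructed placeholders.

```python
import ipaddress

# Constructed routing table for the "client vpn machine" described above
# (addresses are documentation-range placeholders, not from the post).
# Everything defaults into the PPP-over-SSH tunnel; the only route on the
# Internet-facing interface is a host route to the corporate firewall.
INTERNET_IF = "eth0"
CLIENT_ROUTES = [
    (ipaddress.ip_network("203.0.113.10/32"), "eth0"),  # host route: corporate firewall
    (ipaddress.ip_network("192.168.50.0/24"), "eth1"),  # remote-office LAN behind this gateway
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),        # default route: the tunnel
]

def lookup(routes, dst):
    """Longest-prefix match over (network, interface) pairs, as the kernel does.
    On equal prefix length the first entry listed wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def reachable_from_internet(routes, src):
    """True if a host at `src` could complete a handshake with the gateway.

    Its packets arrive on the Internet interface, but the gateway's replies
    follow the routing table: unless `src` routes back out that interface,
    the reply goes into the tunnel and the sender never sees it. That is the
    'nothing can connect or even strobe it' property claimed in the post."""
    return lookup(routes, src) == INTERNET_IF

def add_route(routes, cidr, iface):
    """Return a copy of `routes` with a new entry in front (so it wins ties)."""
    return [(ipaddress.ip_network(cidr), iface)] + list(routes)

def audit(routes):
    """Flag entries that silently widen exposure: any non-host route on the
    Internet interface (a default route added by a DHCP client, for example)."""
    problems = []
    for net, iface in routes:
        if iface == INTERNET_IF and net.prefixlen < net.max_prefixlen:
            problems.append(f"{net} via {iface} exposes the gateway to that whole range")
    return problems

if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7"):
        state = "reachable" if reachable_from_internet(CLIENT_ROUTES, src) else "hidden"
        print(f"{src}: {state}")
    # A stray default route on eth0 undoes the isolation; audit() catches it.
    broken = add_route(CLIENT_ROUTES, "0.0.0.0/0", "eth0")
    print(audit(broken))
```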

  127. Try CIPE by b0bby · · Score: 1

    We'd looked at SSH but there are latency issues. We've been running a VPN between 2 linux Masq'ing gateways for a few months now using CIPE & DSL (http://sites.inka.de/sites/bigred/devel/cipe.html) and it's worked well. It's basic; you just set the endpoints & get the routes straight (the hardest part), but if you have static IPs on each end it's great. Windows clients can browse Net Hood no sweat.

  128. Re:First! by 11223 · · Score: 1

    Fifteenth!

  129. Re:MODERATION ERROR by 11223 · · Score: 1

    Umm... I was trolling, but also making fun of Enoch Root's #5 first post and self-degradation. If anything, it should have been hit with an Offtopic, not a Troll.

  130. www.freeswan.org by fbosia · · Score: 1

    I recommend FreeSwan from www.freeswan.org. It is an IPSec gateway, so you have to use Windows 2000 clients, but it works well and if you configure ipchains correctly the machine is almost invisible on the Internet.

  131. CDSA ought to be changed slightly by anarkhos · · Score: 1

    CDSA ought to be changed a bit so that one can make a CSM which is more suitable for packet encryption. Basically the encrypting function ought to be a very lightweight function which is then encapsulated to make the CSM. This way you can use various ciphers with ipsec, SSH, etc. which are also available to CDSA and may have platform optimizations.


    --
    >80 column hard wrapped e-mail is not a sign of intelligent
    >life
  132. AltiVec optimizations by anarkhos · · Score: 1

    I'm surprised Apple hasn't released any G4 optimized ciphers for use in VPNs. Any block cipher can be AltiVec optimized, and those stand-alone VPN routers are expensive. I'm sure Apple could sell quite a few G4s as VPN routers and/or secure servers.


    --
    >80 column hard wrapped e-mail is not a sign of intelligent
    >life
  133. FreeS/WAN and PGPVPN client by jsidhu · · Score: 1

    FreeS/WAN + PGPNet from pgp.com seems to work (30 day free trial works). I haven't found any open source clients for windows... I don't think you will either. FreeS/Wan is great for tunneling traffic between two networks, and it seems to work with windows clients. I have read many reviews that have claimed that win2000 works without any third party software. As for Win95/98/nt, PGPNet should solve the problem. Check out the compatibility list at www.freeswan.org, it should get you started in the right direction. As for PPTP, I did some research and it is advised that PPTP (even version 2) not be used where security is important. I don't know if this applies to PopTop as well, maybe somebody could enlighten me? -J.Sidhu@TAOS

  134. Netopia R7100? by HadronPie · · Score: 1

    Anyone had any success using a Netopia R7100 w/ PPTP, MS-CHAPv2, and MPPE to link a non-routable LAN with another non-routable LAN via poptop or whatever (the server has, of course, a real ip address)?

  135. Cost isn't the only thing by Catalyst5000 · · Score: 1

    I know we all have a little bit of nerd in us, and that nerd says "Why not build this solution from OpenSource? You are a wuss if you buy one." Well, if this guy is looking for a solution for a corporation that will fulfill the needs of a large number of users, then buying a Nortel solution instead of building one probably wouldn't be such a bad idea. If you have a rinky-dink network, and you want to set up vpn tunnels to a few users who really don't care when it goes down, then it's not a big problem. But if you have hundreds of users who are using this VPN for functionality and connectivity in a situation where loss of either hinders their ability to do work and ultimately costs the company money, then it would be better to outsource this solution to a vendor so when there is an outage that vendor deals with it by contract, and if he/she didn't you'd have them by the short curlies. Besides, a network of that scale would require a ton of support, which would require hiring on new people, where in the long run that might be more expensive than outsourcing the whole project. But that is just something to think about.

  136. VPNet Technologies by paulotaylor · · Score: 1

    Check out this site http://www.vpnet.com/
    I never used it but I've heard good things about it!