Embedded Linux VPN Router Near Release

An anonymous reader writes "A new open source project aims to build a VPN router that supports all major routing protocols on a standardized hardware platform running embedded Linux. The "Linux Router Project - LR101" started in mid-2003 and plans a first release in January 2004. It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables, an other open source software, all compiled from source."

Smoke my cock and call me a playa

[(TK11)Dessimat0r]

_ MM MM MMNMMMM MMMMMMMMM MMMMMMMMMMMMMMMM MMMMMM MMMNM MM M Fuck your mother
_ M_M_r'_.',._.',.',._.__________________.',._.',.', ___r_@MM Fuck your mother
_MM_W_M'_.',._.',.'---|Trollkore_Forever!|---,_'_. _`__7M_X_M Fuck your mother
_M,___M'_.',._.',.', _'------------------'_,_'_.',____M__B_0 Fuck your mother
_M_W__M'_.',._.',.',._.',.',._.', ',._.',._,_'_.',___WM__0_MX Fuck your mother
_M2_S_M_;_,_Xi'_.',. .',.',._.',.',._.', ',._.',.',___M7__ii@ Fuck your mother
_MS_@MM_X0'_.',._.',.',____S_____;i'_.',._.',.',__ ____MM__M_M Fuck your mother
_MWMMM'_._`__a0BMMMZ.',._`__XB_rS___.MMMMMMMMMB'_. ',___M__M_M Fuck your mother
_MM_MM____MMMMMMMMMMMMMMMMr'_._`_:MMMMMMMMMMMMMMMM MW___MM_MiS Fuck your mother
_ MMM2__MMMM.____.MMMMMMMMMM __ XMMMMMMMMMMMMMMMMMMMM._BM:MX Fuck your mother
_ MMM__MMMMM|._. |MMMMMMMMMMM _ MMMMMMMMMMMMMMMMMMMMMM__MMMM Fuck your mother
_MMZ__BMMMMM||o| |MMMMMMMMMMM _ MMMMMMMMMMMMMMMMMMMMMB____MM Fuck your mother
_M____MMMMMM'----'MMMMMMMMMMM _ MMMMMMMMMMMMMMMMMMMMMW_WM__M Fuck your mother
WM__i_MMMMMMMMMMMMMMMMMMMMMMM _M MMMMMMMMMMM.____.MMM,_____M0 Fuck your mother
MX__r_MMMMMMMMMMMMMMMMMMMMMM'_._` MMMMMMMMMM|._. |MMM'_._`_MM Fuck your mother
MZ____7MMMMMMMMMMMMMMMMMMMM __._Z_ MMMMMMMMM||o| |MMM__X___ZM Fuck your mother
MM__Z__MMMMMMMMMMMMMMMMMM; __MM_MM_ WMMMMMMM'----'MM__a____M0 Fuck your mother
_M__,r___XMMMMMMMMMMMMM ___:MMM_MMM:_ MMMMMMMMM MM____7____M Fuck your mother
_MM'_.',____,M0'_.',_____,,MMMB_MMMM_,____ZMMM:___ raW_____MM Fuck your mother
_ M_____ii_X___7__S_,2____SMMMM_MMMM'_.',______2:r'_ .',___M Fuck your mother
_ MM'_.',._.',._,_'_._`_8:MMMMM_MMMMM_;__;ii.',._,_' _._`_MM Fuck your mother
__ MM'_.',._.',.',______;WMMMMM_MMMMM_M'_.',._.',.',_ __.MM Fuck your mother
____ MMM'_.',._.',.',_____MMMMM_MMMMM'_.',._.',.',___XM MM Fuck your mother
____ 0MMMMr'_._,_'_.',____BMMM@_ZMMM;'_._,_'_._`__aMMMM M Fuck your mother
'_._` MMMMMM_M_,__;'_._,_'_._`_i'_._,_'_._`_i____MMMMaMa Fuck your mother
'_._` M__BMMMM_2_ZM__@r___Z'_.',___,,__._'___M__;M@___M Fuck your mother
'_._` MM___M2MMM8M___Z___XM___X,____M._r_____MMMM@____M Fuck your mother
'_._` MM___M___ZMMMMMMMMMMMiMMM_____WMSMMMMMMM_ZM____MM Fuck your mother
'_._`_ MW__MM__W__X___M___iMaXMMMMMMBM_S__7__:_MM____MX Fuck your mother
'_._`_ MM__XMM2MM_M___M___,r__M' ._`_r__B_aMBM_M2___iM Fuck your mother
'_.',__ M2__M__@__MMMMMMMMMr _M__M._MM_ZMZMM_;MM____MM Fuck your mother
'_.',___ M___MMM0_Z___M_ _MMB7MM2MM_M__S_____MW_____M Fuck your mother
'_.',___ M_____SMMMMWSM_ __i__M___a_M___M:MMB_S____MM Fuck your mother
'_.',___ MM'_.',___2XMMMWMMMM0MMMMMMMMMMMM__r_____2M Fuck your mother
'_.',____ MM_:'_.',______;_____8'_.',._.',.',____MM Fuck your mother
'_.',_____ XMMM'_._`_.aM'_._`__, ____;;:'_._`__MMM Fuck your mother
'_._,_'_.',__ WMM'_._,_' ._`_B__M__ _a.',._`_MMMr Fuck your mother
'_.',._.',.',__ MMM_:__,____M.__XS2,_____ZMMMX Fuck your mother
'_.',._.',.',___ rMMMZMM___;____B_____rMMMM Fuck your mother
'_.',._.',._,_'_._` irXS2MMMMMMB8ZMMMMX: Fuck your mother

TROLLKORE HEAD, I'M IN YOUR BED
I'M FIZZY FIZZY WIZZY, I'M OFF MY HEAD

Re:Smoke my cock and call me a playa

I'M OFF MY HEAD

That much is obvious ...

All of that can be accomplished with OpenBSD too.

I frankly don't see the point in using bloated Linux.

Well, good luck with this project, guys

Good luck selling that, when anyone in China/India/Taiwan can download the source, load it onto one of their boxes and sell it for 50% of the original price.

Open source software is ridden with bugs by definition, as the companies need to sell the support licenses to stay in business. If Red Hat et al. produced a perfect end-user operating system close to Windows XP, no one would bother to buy the support licenses and this would put the company out of business. Red Hat not only confirms the bugs and end-user difficulties, it relies on them for their business model.

The same with this company. How many want to bet that you can't set up this VPN router straight out of the box, but are required to go through through mangled .config files to set it up correctly, and end up buying support license anyway?

The only market for this is some screwed up and corrupted country like Argentina or Nigeria, where they would get the software for free, use it in the government, while the son of the government official would be the president of the firm, providing "support licenses" and receiving generous check for "free" software.

Re:Well, good luck with this project, guys

But Redhat already HAS done that.

Re:Well, good luck with this project, guys

[billyforgot]

...thats really funny... true...but funny

Re:Well, good luck with this project, guys

[Rosco+P.+Coltrane]

The only market for this is some screwed up and corrupted country like Argentina or Nigeria, where they would get the software for free, use it in the government

In Nigeria, the government official in charge of IT is waiting for you to help him unlock those $20M from that deceased german businessman, in order to have funds to buy routers ...

Re:Well, good luck with this project, guys

> perfect end-user operating system close to
> Windows XP

Bwahahahahahahahahahahaahahahahahaha

Excuse me... I just shat myself.

Re:Well, good luck with this project, guys

I almost did as well.
Nothing that open source community produced so far is not even remotely close to WinXP, leave alone the possibility of their shit being 'perfect'.

Re:Well, good luck with this project, guys

[Mongo222]

By this logic Windows must be the most buggy software of all since Microsoft makes more money supporting it than all it;s competitors combined! Bigger profits through crappier software!

Re:Well, good luck with this project, guys

[Mongo222]

You'd honestly use WinXP as a router? I pray to god that you aren't responsible for network infrastructure at any company with sensitive data. This product has lead it's producer to start limiting it's patches to once a month mass bug updates because otherwise patching was causing it's uses too much downtime and man power. Your position is laughable.

Re:Well, good luck with this project, guys

Nothing that open source community produced so far is not even remotely close to WinXP, leave alone the possibility of their shit being 'perfect'.

So something that the Open Source community has produced is remotely close to WinXP? What, exactly? Are you insinuating something?

Go be a witless fuck somewhere else.

Embedded?

man, i'd sure like to embed something into that osdn personals chick in the red outfit!

Re:Embedded?

Santa works for osdn now?

Re:Embedded?

Yeah, gotta love chicks that have DSL.

PS: Not ADSL.

Devo lyrics come to mind:

Whip it, whip it good!

HA

[pheared]

It would be nice if they have High Availability on their feature list. Some nice solid appliances like this would be interesting.

Re:HA

[iaredam]

Does anyone know the pricing of the hardware? If this is an inexpensive combo I would gladly get rid of the Linksys/cisco vpn hardware for something which is more flexible in configuration. Granted the Linksys line of routers uses embeded linux, you can't actually change the software easily.

Re:HA

[happymattu]

I was outsourced to a company who is working on a similar ALL IN WONDER gateway, VPN, ADSL / CABLE, VOIP networking device that packs a mean punch. I worked on the NAT configuration, IPTABLES, and consulted on the firewall. All my work was done on Embedded UcLinux (BRECIS) and compiled from source in C (MIPS GCC) to ROM. Huge scale project and the first rev is allready out, and the following 1.2 rev will be out Q1 or Q2 2004.

Re:HA

[bbdd]

i have several locations with the symantec 200 routers (pdf link) with dual wan ports.

i would love to replace them with an ipcop type of open source / flashdisk / bootable cd / etc firewall that supports dual wan ports.

would be nice with a dmz as well, so that would be 4 nics total. 2 wan with failover, dmz, and lan.

Re:HA

would be nice with a dmz as well, so that would be 4 nics total. 2 wan with failover, dmz, and lan.

I recommend a Cisco 7603 for small remote office setups like that. Granted, I'm a Cisco whore and make my money by selling overpriced hardware, but I need to eat man.

Re:HA

[happymattu]

It is open source, buy the parts and throw together your own !

Re:HA

[monkeydo]

Right, and since when are BGP and OSPF, "All major routing protocols?"

Re:HA

Ugh! The 200R. I will never buy another piece of Symantec or Nexland hardware. Ever. What a steaming pile of shit. Our IT consultant waited so damn long to install it that we couldn't return it even tho it would lock up for no reason at all. It was so bad I installed an X10 module on the power supply so I could kick-start it from my desk. It works now but it took them over a year to give us a firmware update that works.

Re:HA

Yo momma got high availability. You feel me?

Re:HA

[Wavicle]

I just recently did a bunch of research on pricing stuff for doing embedded-systems-like projects on an Epia. Here's what I came up with:

Epia CL 10000 (1GHz C3 Nehemiah core with two LAN ports, I don't like that this requires a cooling fan, but it is the only dual lan configuration with a hardware RNG) $215

128MB PC2100 DDR (far more memory than is needed, and far more power consumptive than a "typical" embedded system, but the board requires DDR ram and finding something smaller than 128MB PC2100 is hard and more expensive) $21

IDE-to-CF adapter (you don't really want to use a mechanical hard drive, do you?) $29

128MB CF Card $29

150 Watt Power Supply (smallest I could find in a single AC input package, unfortunately it requires forced air cooling) $20

So that's $215+$29+$29+$25+$20 = $318 + S&H + Tax (if any)

It doesn't include the cost of the case, or your time to design a system that fits on the 128MB compact flash card, and draws a lot of power relative to your typical embedded system device. I didn't find a case I particularly liked for this set up, what I really wanted was a case that would allow me to replace the fans on the cpu and psu with a single super-quiet 120mm fan case.

Honestly I don't think that, as typical embedded systems like this go, the EPIA is a good choice. If you have an embedded kiosk system, I think it is great, but for something like a hardware router it is overkill.

A better solution may be a soekris board, which is designed for the embedded network appliance market, if it meets your processing requirements. The Soekris 4801-50 board has a 266MHz 586-class processor with 3 onboard lan ports, 128MB SDRAM and a CF adapter (and several other goodies) with a peak power load of 15W all for $235 in a package smaller than the EPIA.

The soekris board isn't good for much else though.

Re:HA

[Jon+Chatow]

You sure that the CL6000 doesn't have an RNG, but the CL10000 does? 'Cos the 6000 is fanless, after all - it would only cost a dozen or so dollars less, but ...

Re:HA

[Wavicle]

I'm fairly certain that only the Nehemiah core has Padlock, and the CL6000 doesn't have a Nehemiah core. Too bad though. If they had a fanless Nehemiah core mini-itx with the CLE266 mpeg accelerator, I'd think that'd be the most popular board around.

Re:HA

[Octorian]

But this device has one big feature you neglected to mention, that all of the "common low-end gateway boxes" seem to lack almost completely...

Dynamic routing
(BGP, OSPF, etc.)

Seriously, how can you call something a "router" when it doesn't even support any useful "routing protocols"?

But...

[wo1verin3]

Does it run Linux? :)

Clarification needed.

[Mourgos]

Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project? Wouldn't a linuxfromscratch installation - with only the bare minimums - be a better idea? Just a thought.

Re:Clarification needed.

[wo1verin3]

It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables...

Yes.

Re:Clarification needed.

Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project?

Too me, stripped down implies it isn't whole anymore.

Re:Clarification needed.

[Mourgos]

I full blown distribution! I could have never imagined the idea of a router with a rootkit installed. I bet it's not gonna be long till this happens.

Re:Clarification needed.

Too me, stripped down implies it isn't whole anymore

You're not whole anymore either?

Ummm...

all compiled from source.

As opposed to compiling it from a binary?

Warning !

[Krapangor]

Contributing to this OSS project might be illegal for US citizens due to cryptography export laws.

Re:Warning !

Your sig is fucking bollocks.

Re:Warning !

[Tony+Hoyle]

If that's true, then it's illegal for a US citizen to contribute to the 2.6.0 kernel too, since that has crypto in it.

Re:Warning !

[BdosError]

Crypto export laws were relexed a long time ago (during the Clinton administration).

Just goes to support what I've observed about people who claim Mensa membership.

Re:Warning !

His sig *is* bollocks: do you really think a mensa member would hang around on Slashdot? They're much too snobbish for that ...

Re:Warning !

Posting stupid comments to Slashdot might be illegal too, but it didn't stop you.

Re:Warning !

[Homology]

If that's true, then it's illegal for a US citizen to contribute to the 2.6.0 kernel too, since that has crypto in it.

Indeed, export of cryptographic technology from USA is hampered with strong restrictions. So many Open Source projects are quite careful to avoid breaking laws by having (much) development done outside USA, and also letting release builds be done outside US as well.

For instance, OpenBSD has offered strong encryption for several years. The OpenBSD project is located in Canada, and a lot of development/release builds are done outside US. As Integrated Crypto shows :

Hence the OpenBSD project has embedded cryptography into numerous places in the operating system. We require that the cryptographic software we use be freely available and with good licenses. We do not directly use cryptography with nasty patents. We also require that such software is from countries with useful export licenses because we do not wish to break the laws of any country. The cryptographic software components which we use currently were written in Argentina, Australia, Canada, Germany, Greece, Norway, and Sweden.

When we create OpenBSD releases or snapshots we build our release binaries in free countries to assure that the sources and binaries we provide to users are free of tainting. In the past our release binary builds have been done in Canada, Sweden, and Germany.

Angle of tinfoil hat for best reception?

I upgraded my tinfoil alien detection hat from CPM to Linux recently but I cannot find the optimal angle for reception. Any ideas?

Re:Angle of tinfoil hat for best reception?

[frodo+from+middle+ea]

Any Ideas

Yes, get your head out of your a55 first.

Re:All of that can be accomplished with OpenBSD to

I just read in another guys troll that BSD is dying. As long as trollers are a good source of accurate information, I'm sticking with Linux, thank you.

Just use OpenBSD

OpenBSD is better suited for this purpose, especially on older hardware no longer desireable for desktop use.

Anyone with half a brain can set up an OpenBSD Firewall/Router!

Re:Just use OpenBSD

I couldn't agree more. It's the logical choice.

Isn't it missing something?

[Rosco+P.+Coltrane]

Where's PPTP? for a VPN router, it's kind of desirable ...

Re:Isn't it missing something?

[bzzzt]

According to the "tech details" page it's shipping with the Poptop pptp server...

Re:Isn't it missing something?

[Frennzy]

From TFA:

Version 0.3.9 des RootFS verfugbar What has been done? First, there are many changes in the LR101 Scripts; second, IP-Tables has been updated to 1.2.9 and a configuration interface, start it with command lrconfig , is available, now. DHCP has been tested, unfortunately PPPoE and PPtP not yet. If somebody could test this, please do so! ... please set the DEBUG Level in /etc/LR101/ppp/options.pppox0 to 9 and send the log ( /var/log/messages ) to support_at_linux-it-solutions.de. Thank you!

Re:Isn't it missing something?

[Rosco+P.+Coltrane]

Oh ok, nevermind then, I didn't see it in their main list.

Thanks.

RH 8 ?????

[MajorDick]

Im serious RH8 was the biggest pice of scrap from RH since 5.0. (and Im a Redhat fan)I understand development cycles have to start somewhere, and RH 8 was probably release when it started, But hasnt enough time passed to replace it with a more solid distro.

Why not a WRV54G?

[greygent]

Or, just buy a Linux-based Linksys WRV54G for well under $200 with most, if not all the features of this project. No, I don't mean the WRT54g, I mean the WRV54G. Excellent piece of gear, VPN, firewalling, dmz, wireless (wep/wpa), snmp, yadda yadda.

Re:Why not a WRV54G?

[MonTempIar]

Well you could probably save some money if you got a similar Linksys router without the wireless capabilities of the one you linked to.

Re:Why not a WRV54G?

[CaptnMArk]

too bad these don't have a serial (for console) and USB2 ports (for external disk)

Re:Why not a WRV54G?

[no+soup+for+you]

WRV54G has max of 50 users. That might be a big deal for them, might not.

>= to

[bobbinFrapples]

Snapgear?

Compiled from source...

[Binestar]

all compiled from source.

As opposed to say, a Linksys Router, which we all know is compiled from Cheerios. =)

Re:Compiled from source...

That's what they use the cereal port for!

RH8?

[Jeffrey+Baker]

Using a full blown RH 8 installations eems like an odd thing to do. Lots of people are using Soekris computers as routers, firewalls, access points, and VPNs, but they are generally run off stripped BSD or Linux installations with hardly any extraneous crap. Mine is running a very bare Debian installed into a 256MB compact flash.

Soekris

Re:RH8?

Using a full blown RH 8 installations eems like an odd thing to do.

I don't see where anyone said they used a full blown version. The images I see are all too small to hold that much.

Re:RH8?

[kervel]

i was considering to buy a soekris, but when i added up all costs (shipping, ...) it turned out to be not worth the money. Soekris is silent okay, and powersaving okay, but the slow CPU limits the use to routing/firewalling/VPN/... and you can buy cheaper equipment for that.

Re:RH8?

[NevDull]

If you had read the article, you'd have seen that they are using 32MB CF. Do you really think they're running "a full blown RH 8 [sic] installations"?

Please check one:
[ ] I can't read
[ ] I choose not to read
[ ] I read the article, but I think that a full install of RedHat fits in 32MB
[ ] Please forgive my Debian zealotry

Re:RH8?

[Stinking+Pig]

I tried to check number one and now I've got a black mark on my monitor! This is all your fault you insensitive clod!

Re:RH8?

[funky+womble]

Routing/etc is a pretty common use for this kit, but plenty of other projects are well-suited, often much better than more common PC hardware due to some unusual features - the Elan chip on the net45xx has a high-res timer supported by FreeBSD, particularly nice for accurate timing (NTP or for other reasons)... The programmable 'error' LED could be used for indicating web hits on a personal homepage, show new email (some drivers support Morse code, so you could even indicate the sender's name), or various more useful things. There are 8 general-purpose I/O lines on the 45xx (12 on the 48xx) which gives a lot of options for control systems (home/greenhouse, lighting/heating/fans, model/robot controls, who knows...). The hardware watchdog timer on-board is quite a rare feature on kit this cheap too, and this and the unique serial-BIOS can be a lifesaver on remotely-installed kit.

Obviously they're not general-purpose computers (I doubt you'd want one for a file/DB server...) but there's still a lot that can be done with them, and the feature-set isn't available on some of the other small systems around the same price point (e.g. Nagasaki, VIA EPIA, Bonatech lex) - though of course, these have some features not built-in to Soekris boxes (e.g. onboard sound). Mind you, for e.g. a simple firewall or wireless AP, I don't think there's another small+silent PC that can compete with the price of a 4501 since the recent drop in price.

If you're in Europe, ordering from kd85.com reduces shipping costs (though in the UK, it may well still be cheaper to buy from the US, since the exchange rate is good at the moment, and shipping isn't all that expensive, though you do have to budget for VAT and around ~10 handling fee to Airborne/UPS, so a group-buy might make sense).

Re:RH8?

JFC, that's the lamest attempt at humor I've seen here in quite some time.

And that's saying a lot.

Please go back to your anime pr0n irc channel discussion, or whatever.

Re:RH8?

[malarkey]

now I've got a black mark on my monitor!>

just white it out.

All compiled from source?

I want a router where all the binaries were hand assembled, myself.

A different LRP

Is this the same Linux Router Project that was run by that crazy, paranoid survivalist guy? Or is that still dead?

Re:A different LRP

[GoneGaryT]

Don't know about the mental health of the author, but I did try LRP a couple of years ago on an old PC with 5 NICs plugged into it. It almost worked, AFAIR. Last time I looked, LRP had been abandoned.

I presume that this is a shiny, all-new LRP?

Re:A different LRP

The successor to the LRP project is LEAF
leaf.sourceforge.net

Re:A different LRP

[versus]

The successor to the LRP project is LEAF

We use it at our 50+ PC routers.

Open source software, all compiled from source?

Open source software, all compiled from Source! What will they think of next?

Not to be confused with...

[ScottSpeaks!]

...the Linux Router Project, a floppy-based 386-compatible micro-distro which served as the basis for (among other things) Coyote Linux.

Re:Not to be confused with...

[fataugie]

That's all well and good, but LRP was shutdown after Diesel Dave decided to call it quits. It was news on slashdot a few months ago (too lazy to link to it).

LEAF is the successor (LEAF).

Re:Not to be confused with...

PLEASE mod up the LEAF comment!

LEAF is everything that Dave ever dreamed of, and more. (Minus the BS paranoia and political crap that Dave spewed from time to time.)

There are mini distros, Wireless distros, and everything 'just works'

Stay dead, LRP. Long live LEAF!

bah!

[maxbang]

I was doing this BEFORE it was cool.

Re:bah!

[elFarto+the+2nd]

....and its cool now?

Regards
elFarto

Use a $80 wrt54g to do the same

[Jim+Buzbee]

Custom firmware for the wrt54g does/will do pretty much the same thing. Progress is very quick. See the forum here:

sveasoft

Still No Shiva Support on Linux

[PingXao]

This isn't the project's fault, I know, but there is a "major", albeit proprietary, VPN protocol that's still not supported on Linux. It's Shiva's SST (Shiva Secure Tunnel). It was originally developed by Shiva, then sold to Intel where it became part of the NetStructure family. I should point out that these VPN gateways also support IPSEC, but some companies - like mine - only permit access using the SST flavor tunnel.

Shiva never had any Linux client software. Intel never developed any either. Then it got sold to HP/Compaq which never developed any Linux client software either. Recently it was sold yet again to a new company called - interestingly enough - Shiva. (No relation to the original company.) Like I said, the SST protocol is proprietary so the lack of support on Linux isn't the fault of the Linux VPN Router project or the FreeSWAN project either. Maybe all that's needed is for someone to contact Shiva/Intel/HP/Shiva to see if they'd be willing to open up the SST spec. I don't know. Unless the Shiva Secure Tunnel protocol offers major advantages over IPSEC I can't imagine any reason why they'd keep it secret. Maybe they're only still using it for backwards compatibility or something, because to me it sure looks like all new developement is geared towards IPSEC. If that's the case I guess I'm screwed. My company flat out refuses to open any IPSEC tunnels on their NetStructure VPN appliances.

Re:Still No Shiva Support on Linux

[mdouglas]

I administered a Shiva vpn server in 2000/2001. I would have preferred to use the open standard IPSEC vs the proprietary SST; however their IPSEC option would not support RADIUS authentication. That was the deciding factor for going with SST. Aside from that it wasn't a bad product.

Re:Still No Shiva Support on Linux

[TheCrazyFinn]

It actually predates Shiva.

It was developed by Infocrypt, which Shiva bought, and Shiva was in turn eaten by Intel.

SST is legacy, as LANRovers have had IPSEC support since at least version 6.7.

If your company doesn't use IPSec, it's probably going to get left behind when Intel finally dumps the old and crufty SST protocol.

Re:Still No Shiva Support on Linux

Damn, that sounds like a perfect example of why proprietary "standards" should be avoided at all costs. Shiva sells to Intell sells to HP sells to Shiva. Who wants their support to bounce around like that?

-1, Troll

Thou shalt not mention OpenBSD, particularly if thou art pointing out its superiority to Linux in this case, lest the moderators smite thee.

PPTP is UNdesirable

[billstewart]

The initial PPTP was a total botch, with seven major security flaws. Some of them have since been fixed, but it gives you some idea of the professionalism and quality that didn't go into the basic design. If you want to use a VPN for security, use IPSEC - and this project has FreeS/WAN IPSEC in it. If you really really want to use a VPN to transport lame non-IP legacy Microsoft LAN protocols, go pay Microsoft some money for one of their server projects, and charge the silly customer who's hiring you as a consultant because they don't want to upgrade to the 1990s for it. If you want to use a VPN to carry private IP addresses, but don't actually care about security, use IPSEC anyway, or use GRE tunnels.

Re:PPTP is UNdesirable

IPSEC is way to complex for using it for VPNs though. Personally I've always felt it's like using a howitzer to swat flies. It'd be better to come up with some new lightweight protocol for VPNs that just tunnels everything over a single TCP port. SSH is pretty damn close, but doesn't really qualify as a VPN. Look at Infoexpress's VTCP/Secure for an example of a cool VPN implementation. No annoying IKE traffic, no need to worry about intermediate firewalls opening up IP protocol 50, etc. It can tunnel over practically any port including through web proxies to get out of the foreign network back to your home base.

Re:PPTP is UNdesirable

[jbr439]

How about if I want to use my home linux box to access my employer's Microsoft based network?

Do I downgrade my home box to Windows? Ans: when hell freezes over.

Do I get my employer to use IPSEC? Ans: not if my employer is an "all microsoft, all the time" kind of place. [although with MS supporting IPSEC in some form, that is changing]

In other words, contrary to what some of the less thoughtful may think, PPTP client functionality is a must for some of us; and telling us why we should not be using PPTP is, shall we say, less than helpful.

Re:PPTP is UNdesirable

[YU+Nicks+NE+Way]

You do know that GRE tunnels are the generic name for PPTP, don't you?

Re:PPTP is UNdesirable

[asdfghjklqwertyuiop]

I agree, IPsec is an over engineered pain in the ass if all you want is a simple encrypted tunnel. For that I reccommend openvpn. It is mature, easy to work with and works exactly like you'd expect. And they even have a windows port going on...

Re:PPTP is UNdesirable

[asdfghjklqwertyuiop]

PPTP uses GRE tunnels, it isn't synonymous with them.

Re:PPTP is UNdesirable

[Octorian]

The best solution for this I've found so far, is a program called OpenVPN. The thing is easy to configure, runs on most 'nix platforms, tunnels over UDP (I'm sorry, but IP over TCP is stupid), and works wonderfuly.

Re:PPTP is UNdesirable

[teqo]

Thanks for the rant, Bill. PPTP, esp. when MS-compatible, is way less secure than IPSec. Today, the biggest problem with PPTP is the connection between password strength and encryption strenght (see Schneier's analysis on PPTPv2 for details), and as soon as this problem is worked-around (see for example the Designfragen discussion for some CS department WLAN, if you can read German), PPTP is 'middle secure'.

What makes PPTP a tempting VPN protocol is it's availibility among different plattforms. Although some plattforms offer built-in IPSec support, these implementations often differ in certain details which harms interoperability a lot. We have extensions like XAUTH, L2TP, DHCP-over-IPSec, not to mention the many different options to be configured, and even the new Mac OS X Panther release does strange things with it's IPSec-L2TP implementation. Yes, you get beer-free VPN IPSec clients in case you buy expensive iron, Cisco for example, but for many this is too much money...

PPTP is for poor man's VPN only, but if this is enough security for your setting (and you can increase this through tight password policies), you will have instant VPN access from all kinds of common plattforms, free and not free ones...

IPSec is great, but seldomly available and/or not trivially deployable. PPTP is less secure, but it's out there... Life isn't always that simple.

why bother??

just check out astaro.org

linux distro and free for personl use...this has allready been done and astaro rocks!!

Vaporware

[wideBlueSkies]

Very offtopic, but I can't resist:


An anonymous reader writes "A tired old game project aims to build a 3D FPS with undefined technology". "Duke Nukem Forever - DNF" started in mid-1997 and plans a first release "When it's done", according to product manager George Broussard. DNF is based on a yet to be defined 3D engine, though the team stated that "Development is progressing smoothly, we should have some screenshots up soon". The game when completed will support 4 player deathmatch, as per it's 1997 spec. However the team is looking to the future, and expects the game to run well under Windows Longhorn. Linux support may be planned for the future.


wbs.

Huh?

[] Cowboy Neal VP's my N.

"RealTek/NE2000 compatible NICs for the DMZ"

[pmsr]

Having programmed some of these "beauties" in connection with a microcontroller, i must say they are shooting themselves in the foot. The first word that comes to my mouth is YUCK! I know all these 3Com and Intel network cards are more expensive, but they save time and money in the long run.

/Pedro

Re:"RealTek/NE2000 compatible NICs for the DMZ"

[smnolde]

RealTek is RealCrap. You get what you pay for.

From /usr/src/sys/pci/if_rl.c on my FreeBSD system:
* The RealTek 8139 PCI NIC redefines the meaning of 'low end.' This is
* probably the worst PCI ethernet controller ever made, with the possible
* exception of the FEAST chip made by SMC. The 8139 supports bus-master
* DMA, but it has a terrible interface that nullifies any performance
* gains that bus-master DMA usually offers.
*
* It's impossible given this rotten design to really achieve decent
* performance at 100Mbps, unless you happen to have a 400Mhz PII or
* some equally overmuscled CPU to drive it.

This is my favorite comment:
* Here's a totally undocumented fact for you. When the
* RealTek chip is in the process of copying a packet into
* RAM for you, the length will be 0xfff0. If you spot a
* packet header with this value, you need to stop. The
* datasheet makes absolutely no mention of this and
* RealTek should be shot for this.

More funny stuff:
* The RealTek is brain damaged and wants longword-aligned
* TX buffers, plus we can only have one fragment buffer
* per packet. We have to copy pretty much all the time.

Re:"RealTek/NE2000 compatible NICs for the DMZ"

[evil_one]

The Realtek NE2000 compatable nic is NOT the same as the Realtek 8139. Typically the realtek ne2000 is an 8029. Very different chip.

Re:"RealTek/NE2000 compatible NICs for the DMZ"

[pmsr]

Yes, true! The smell is the same, though.

/Pedro

HA

Stop pushing your gun-fetish!

When I fly I feel safer if I know that there are no guns on board - legal or illegal.

before using ipsec...

[thanasakis]

..make sure that you have read this
Discusses some serious considerations before deciding to use ipsec and ike. And since ipsec/ike is the only serious solution in many cases, these concerns should not be taken lightly. For example did you know that the ike implementation in 2000/XP simply checks the signer of the servers certificate and not the actual identity that is signed? This means that any other user with a certificate which is signed by the same authority as you can impersonate the server.

The article is very lengthy, I know, but definitely worth your time.

Alternatives

[ScrewMaster]

There's a number of such projects out there ... Smoothwall is one. IPCop for another (although it is forked from Smoothwall.) I don't see this project as offering that much over similar ones.

Re:Alternatives

clarkconnect (the 1st such distro i believe to use iptapes/linux-2.4.x instead of 2.2.x ipchains)
astaro security linux
freesco

many others

nothing beats OpenBSD running in a soekris net4501 though :)

Stick that in your pipe and combust it.

[TheScienceKid]

I beg to differ, Sir/Madam. So stick that in your pipe and combust it! (Proud member of British Mensa, a Linux user for over two years now and my first AS exam is on the 8th Jan so I think I've made my point.)

Low IQ Mensa member, and proud of it.

[Futurepower(R)]

I was a Mensa member. (I haven't paid my dues in a long time.) I just barely passed the test to get into the club. So, I may be the Mensa member with the lowest IQ.

Where is the usable VPN client?

[Burz]

I would like to see something that would let me access existing VPN routers from home.

Should be but...

[agoliveira]

Well, I had the same idea but, unfortunatly, I had nothing but trouble using OpenBSD and I tried the last 3 releases.
Basicaly, I had complete system freezes when under heavy load and unstable network drivers (can't remember wich ones right now but the interface dropped at random times).
I don't know if was me but I used the same hardware with IpCop (VIA-M boards actualy) without a hitch so I decided to stick with it.
I will probably try OpenBSD again as I like the idea but at least for me, right now, it's a dead fish - pun intended ;)

Redhat ruined my interest

[superpulpsicle]

You had my attention up to the point where you mentioned "redhat". The company that doesn't care about their nonprofit distro. Whoopie, now you got a vpn on it.

No security in obscurity

[anti-NAT]

Your company is very naive then. They are probably using the "nobody else is using it, so it will be more secure" argument.

Give somebody who can make that decision the results of the following google search - security in obscurity

The first article in this Crypto-Gram also explains the problem - Secrecy, Security, and Obscurity

sub $50 cost needed

micro linux systems still need to be under $50 to really work and get widespread use.

An alternative: m0n0wall

[Jackson-The-Cat]

http://www.m0n0.ch/wall
If your interested in Linux or embedded VPN solutions, check out m0n0wall. Its excellent!

Its been done

[toaster13]

Umm...you guys do realize that www.snapgear.com has had embedded, ipsec/iptables equipped routers based on linux for years right? They're enterprise quality and I've had several deployed for over a year. This isn't new, nor is it exciting. Also, embedded implies that its not x86...or using a hard drive. This is a mini-itx based "router" running a distro that has no business being used as such.

Please stop calling this embedded

Calling Linux running on a PC "embedded" is insulting to some of us who really do embedded programming.

LEAF

you can reinvet the wheel or you could just use one of the router distros under the LEAF project

Usual BSD troll

"Use BSD.. uhh.. becuase I said so! Forget facts, reason, or logic, JUST USE IT!"

I'll tell you what *I* would like to see it use...

[NerveGas]

I'd like to see one based on this bad boy.

4 gigE ports, each on it's own PCI-X controller. Between the two Xeons and whatever amount of memory you through at it, one of these could *easily* handle a great deal of BGP sessions, load-balancing, failover, as well as VPN and encryption.

With a board like that, a couple of Xeons, and a gig of memory, these could out-perform some very, very expensive commercial routers.

steve

Re:An alternative: m0n0wall...et al

I'll have to agree about Mono, (which I'm using now) and point out that there are quite a few other options. Mono's Web-based admin interface should make anyone who's worked with Firewall-1 feel right at home.

It would appear that while the LRP labored on defining and then implementing The Ultimate Solution, the rest of the world may have caught up, if not passed them.

True.

[leonbrooks]

One of my clients spent AUD$1500 buying one of these and having me fit it out with a Flash disk as a router supporting BGP (and much other stuff, if he ever needs it there). The alternative was paying AUD$6000 and on up (several outfits seriously quoted him well clear of AUD$20,000 for new Cisco gear), and other than when the owner one day using shutdown -h instead of shutdown -r to try to cure a problem that in the event was being caused by something else, it's had a flawless, zero-maintenance run.

Andrew Warenczak, the guy who designed the box, is looking at making a half-height version, making 4 completely independent servers in one RU of 19" rack.

Can I shit in your mouth?

[MooKore+2004]

Yes. Give it to me, I want your yummy cowshit all over me!

Re:I'll tell you what *I* would like to see it use

Why waste money on Xeon and a electric bill?

Consider a more elegant and efficient approach. (I hate Xeons and Pentium 4s...Too much wasted heat.)

VPN/encryption hardware PCI card + Pentium-M 1.7Ghz + Radysis mATX mobo + 4-port Intel NIC.

The VPN/encryption hardware PCI card (see SafeNet or HifNET), relieves the CPU and allows the CPU to focus on other uses.

Heck, Soekris Engineering sell HifNET based ones in PCI and Mini-PCI form. So that low end CPU they sell can prove to be quite capable.