[vox-tech] VPN question

Jeff Newmiller jdnewmil at dcn.davis.ca.us
Mon Sep 27 18:28:47 PDT 2004


On Mon, 27 Sep 2004, Peter Jay Salzman wrote:

> I was given a laptop by the college I work at (well, loaned, actually).  It
> had Windows XP on it.  I just did a Debian net install on it, but it was
> really exhausting hearing people say:
> 
>    * You realize we won't support it, right?
> 
>    * It's against school policy to install your own software.
> 
>    * How are you going to check mail?  Read Word documents?  See ppt
>       presentations?
> 
> over and over and over.  I felt like Linux was a dirty word, and I had to
> smile, be polite and nod my head in agreement for over an hour to placate the
> people at IT.  The coolest person was the dean of IT, Mark, who was totally
> supportive.  Even though he doesn't use Linux himself, he was the only person
> who seemed totally cool to the idea.  I guess that's why he's in charge.  :)
> He's a good guy.
> 
> Anyhow, on to the question.  I'm going to be given access to a VPN.  I know
> nothing about VPNs.

You know that it means Virtual Private Network, right? Then you know more
than nothing.

> I'm hoping that there's a VPN protocol, and that it's not some proprietary
> thing that I don't have a ghost in hell of connecting to with my home
> computers.  If it's a well known protocol, I'm sure there's a Linux client
> that I can use.

There exists Linux VPN software.  I don't like to think of them as
"clients", because they are more like software routers than browsers.

> Is VPN the kind of thing where every implementation is different and it has
> to be reverse engineered on an implementation by implementation basis (like
> parallel port scanners or certain P2P protocols) or is there one VPN protocol
> that uses the same authentication across implementations?

You want IPSec if possible, but that is like saying you want AVI... it is
a container for more specific implementation details, so you generally
need to know more than just the term "IPSec" to be sure it will work.

There is also PPTP, which M$ used to be big on, and which they screwed up
the first implementation of so you'll know how serious they are about
security if they are using PPTP v1.

Cisco provides their own "client" for various OSes, including Linux.  I am
pretty sure it is a variation of IPSec, because I have been able to
connect to a Cisco firewall from a Windows Cisco client inside my LAN, and
I know that forwarding VPNs through NAT usually requires special
kernel support, and the only support I have in my router is for IPSec.
However, due to the variety of encapsulated protocols available, you may
not be able to talk to a Cisco firewall without the Cisco client.

> And if VPN is standardized, what are some clients that people like?

I've been using a couple of IPCOPs recently ... kind of turns VPN into a
no-brainer.  I am about to embark on setting up a D-Link DFL-80 and
connecting to it.  IPCOP uses Free/SWAN for VPN, which has been pretty
popular for a while, but is apparently superseded by openswan [1] (which
has a Wiki with some interoperability information [2]) and strongswan [3].

Disclaimer: I have not yet successfully connected to a commercial VPN
firewall remotely with other than their supplied VPN endpoint software...
mostly because extracting the information necessary to research the
connection has been impossible, as most firewall managers seem to operate
on the "security through obscurity" principle.

-----

[1] http://www.openswan.org/
[2] http://wiki.openswan.org/index.php/interperating
[3] http://www.strongswan.org/

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil at dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------