[vox-tech] VPN question

Rick Moen rick at linuxmafia.com
Mon Sep 27 21:15:10 PDT 2004


Pete, this useful post seems relevant to your question.


 From: Gordon Heydon <gordon at heydon.com.au>
 To: Brian May <bam at snoopy.apana.org.au>
 Cc: luv-main at luv.asn.au
 X-Mailer: Ximian Evolution 1.4.6
 Date: Tue, 28 Sep 2004 14:01:14 +1000
 Subject: Re: [luv] VPN, Linux and Windows

Hello,

On Tue, 2004-09-28 at 13:44, Brian May wrote:

> I am attempting to set up a VPN between a Windows computer and a Linux
> computer. A method that included encryption would be preferred.  Ideally,
> I don't want to patch the Debian kernel either.  (It has KAME IPSEC but
> not OpenSWAN/FreeSwan patches).
>
> So far I have tried:
>
> IPSEC/L2TP:
> Pros
> * Windows XP has built in support.
> Cons
> * Has problems working behind masquerading, unless masquerading supports it.
> * Complicated. There appear to be two layers: IPSEC transport mode, and
>   L2TP. L2TP is easy, but I had issues with IPSEC.
> * For some weird reason IPSEC won't work on this computer.  (Windows
>   ignores the ISAKMP packets.)  Same setup as on another computer that
>   worked.
>
> OpenVPN
> Pros:
> * Windows packages available.
> Cons:
> * Last stable version didn't work, upgraded to 2.0-beta11 on both
> ends.
> * Evidence of extreme corruption on packets.
>   - Messages on Windows:  Bad LZO decompression header byte: 40
>   - tcpdump -i tun0 gets totally confused.
>
> So what is easiest way of doing this? Has anyone here done anything like
> this?

It all depends on what you are trying to achieve. I have done a lot of
work with VPNs, and for me it has come down to 2 rules.

1. If you are connecting 2 networks together, use IPSEC, and try not to
have Windows in the mix. If you need to, I have found that SSH Sentinel
is an extremely good package, and is free to use for non-commercial use.

2. If you are connecting a single point to your network, then use PPTP,
which isn't as secure, but works very well under Windows, and most
versions of Windows.

I have found that most businesses will accept PPTP, but this is because
this is pushed by Microsoft, and for some reason they think this equals
security.

Because VPNs and tunnelling for Linux are still in their infancy, you will
find that, to get a good solution, you will need to patch the kernel, no
matter which way you go.  It is a good idea to use some of the security 
patches with the kernel, anyway, so I would recompile the kernel if I
wanted added security.

Gordon.


