>From: "Des Dougan" <[EMAIL PROTECTED]>
> I had a conversation today with a Linux admin who is not familiar (yet)
> with SME Server. The conversation turned to VPNs and he mentioned he's had
> success with a GPL tool called CIPE (Crypto IP Encapsulation), available
> from http://sites.inka.de/sites/bigred/devel/cipe.html
>
> Is anyone familiar with this? If so, how does it compare to FreeS/WAN in
> levels of security, resource requirements and ease of use?
>
> It _sounds_ like it is a very useful tool, but as I have little experience
> with FreeS/WAN, I can't really compare them.

I've used it for a couple of years to connect about a dozen sites with no problems at all. It has a big advantage in some situations in that the tunnel runs over ordinary UDP packets and isn't bothered by NAT. It uses the 'blowfish' encryption method, which has very low CPU requirements, but it is hard to say how the security level compares to 3des since it has not had the same level of analysis. I haven't been able to find anything bad about it... I consider it one of those rare things that 'just works'.

RedHat includes the module in their stock distribution, so it should just be a matter of finding the RPM to match your kernel. So far I haven't put it in an iptables-based SME version. With the ipchains versions it takes a custom template for /etc/rc.d/init.d/masq to allow traffic through the cipe interface without NAT. I can dig that up if anyone wants it - and I'd appreciate the iptables version if anyone else does it first.

RedHat puts some of the cipe options under /etc/sysconfig and manages them with their network setup GUI, and their init script picks the values up and adds them to the command line at startup. I modified the script to just use the values from the cipe options file and hardcoded things there, but it might be better to do it the RedHat way.

---
  Les Mikesell
  [EMAIL PROTECTED]