Benjamin Scott wrote:
> I am interested in hearing people's opinions on secure remote access (i.e.,
> VPN) solutions that work with Linux and Windoze, together.
Let's start with some definitions. VPN has become a fairly generic term
used to reflect any sort of remote access to a company. At a minimum,
VPN refers to two very different things: 1) Remote offices and other B2B
type connections, and 2) Roadwarriors and other B2D connections.
> The typical situation is that our customers have a main office with
> Linux-based server(s) and/or firewall(s), and want people outside the office
> (e.g., at home, on the road) to be able to access the main office network
> using the public Internet.
>
> Here is the catch: Most of these outside systems are Windoze 98 computers
> with DSL or cable links to the Internet. So we cannot just use FreeS/WAN or
> PPP-over-SSH or some other nice Unixy solution on that end.
This isn't really true. You *CAN* use FreeS/WAN on the server side. The
problem becomes the client side for the roadwarriors. However, if the
company is willing to shell out the $$ for the client software, then it
can be done. The commercial version of PGPNet can go for anywhere from
$15 to $75, depending on the vendor. It is not as straightforward as
FreeS/WAN to FreeS/WAN, and there is some key management that needs to
be done. It can be messy, but in skilled administrators' hands, it's no
worse than SSH keys.
> I am aware of PoPToP and PPTP, and have in fact recommended that in some
> cases. The problem with this solution is that the Windoze end of the link has
> no firewall or other protection against outside attack. For some clients,
> this is an acceptable risk; for many others, it is not.
For a roadwarrior, it is my personal opinion that the best and easiest
solution is a dial-up 1-800# and a hunt group. You throw a Shiva LAN
rover in, get a few dial-in only lines, a hunt group, and you're done.
Anyone can dial in no matter what OS they use, it's secure, and it's
accessible no matter where they are.
> So, ideally, I would like an all-in-one, hardware-based, VPN/firewall/NAT
> box on the Windoze end. It would protect the Windoze machine(s) with a
> firewall, provide NAT if needed, and link that end to the main office. At the
> main office end, again ideally, we would have Free Software (e.g., FreeS/WAN)
> running on the Linux box to handle that end of the VPN link. However, I would
> be willing to accept commercial Linux software and/or another embedded
> solution, if that is what it takes to make things work well.
This can be done. It's pretty easy, too. What you do is you give them a
small system running FreeS/WAN that has IPChains running on it as a
gateway. The gateway box will route all of the traffic coming from the
SOHO destined for the corporate network through the IPSec tunnel,
encrypted, and all other traffic will be NAT'd to the external IP
address of the box and sent on its merry way to the internet.
> Why not just use a Linux PC in an embedded role at the SOHO end? In some
> cases, that might actually be a good solution. However, there are cases where
> an embedded box, with no disks to fail or general-purpose OS to manage, is
> more appealing. Basically, we would be trading money and flexibility for
> ease-of-setup and ease-of-administration. Sometimes you want to do that.
There is a box called the NETTel from Lineo (formerly Moretonbay) that
is a "VPN router". It is basically an embedded device running Linux and
PoPToP. You might want to look into it @
http://www.lineo.com/products/nettel/ .
> One product we are looking at, for the simple reason that the customer is
> looking at it, is a product from VPNet Technologies, Inc. Model VSU-100. The
> feature list sounds pretty nifty, but I have no idea how well it would work in
> practice. Anyone have any experience with this company and/or product?
>
> http://www.vpn.com/products/vsu3.0.htm
Never heard of it or them..... But I do plan on looking into it now ;-)
Kenny
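An added example, not code from this thread: the ipchains rules for the FreeS/WAN SOHO gateway Kenny describes, where the points to get right are letting IKE (UDP/500) and ESP (protocol 50) in from the corporate gateway, accepting decrypted traffic on ipsec0, and masquerading only what leaves on eth0 so corporate-bound packets keep their LAN source address inside the tunnel. Addresses and interface names are made up for illustration: eth1 faces the SOHO LAN 192.168.1.0/24, eth0 faces the Internet, the corporate LAN 10.1.0.0/16 sits behind a FreeS/WAN gateway at 203.0.113.10, and the KLIPS ipsec0 connection is assumed already configured in ipsec.conf.

```shell
#!/bin/sh
# ipchains ruleset for a FreeS/WAN SOHO gateway (added example; all addresses
# and interface names below are made up for illustration).
IPCHAINS=${IPCHAINS:-ipchains}   # set IPCHAINS=echo to print the rules instead

SOHO_LAN=192.168.1.0/24          # behind eth1
CORP_LAN=10.1.0.0/16             # reached through the IPsec tunnel
CORP_GW=203.0.113.10             # corporate FreeS/WAN gateway (documentation address)
EXT_IF=eth0
LAN_IF=eth1
MASQ_PORTS=61000:65096           # kernel 2.2 masquerade port range for replies

apply_rules() {
    # Deny by default on what the box accepts and what it forwards.
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT

    # Loopback and the SOHO LAN are trusted.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i $LAN_IF -s $SOHO_LAN -j ACCEPT

    # From the Internet, only IKE and ESP from the corporate gateway may reach
    # the box itself; KLIPS hands the decrypted packets back on ipsec0.
    $IPCHAINS -A input -i $EXT_IF -p udp -s $CORP_GW 500 -d 0/0 500 -j ACCEPT
    $IPCHAINS -A input -i $EXT_IF -p 50 -s $CORP_GW -j ACCEPT
    $IPCHAINS -A input -i ipsec0 -s $CORP_LAN -d $SOHO_LAN -j ACCEPT

    # Replies to masqueraded sessions: non-SYN TCP, UDP to the masq port
    # range, and ICMP. Everything else from outside is dropped and logged.
    $IPCHAINS -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input -i $EXT_IF -p udp -d 0/0 $MASQ_PORTS -j ACCEPT
    $IPCHAINS -A input -i $EXT_IF -p icmp -j ACCEPT
    $IPCHAINS -A input -i $EXT_IF -j DENY -l

    # Forward chain: -i here is the *outgoing* interface. LAN <-> corporate
    # passes through ipsec0 unchanged (KLIPS encrypts it); corporate-bound
    # traffic that would leave on eth0 in the clear (tunnel down, route
    # missing) is denied and logged; anything else from the LAN is masqueraded.
    $IPCHAINS -A forward -i ipsec0 -s $SOHO_LAN -d $CORP_LAN -j ACCEPT
    $IPCHAINS -A forward -i $LAN_IF -s $CORP_LAN -d $SOHO_LAN -j ACCEPT
    $IPCHAINS -A forward -i $EXT_IF -s $SOHO_LAN -d $CORP_LAN -j DENY -l
    $IPCHAINS -A forward -i $EXT_IF -s $SOHO_LAN -j MASQ
    # Forwarding itself is enabled separately: echo 1 > /proc/sys/net/ipv4/ip_forward
}
```

On the gateway, source the file and call apply_rules once `ipsec auto --up` has brought the tunnel up; the DENY rule ahead of MASQ is what keeps corporate-bound traffic from leaking in the clear when the tunnel is down.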