On Dec 1, 2007, at 12:37 AM, visc wrote:

On 30-Nov-07, at 2:13 AM, Khalid Schofield wrote:

Hi,
I'd like to make a VPN Concentrator using openbsd. I want users to be
able to authenticate using usernames and passwords and to either nat
the users or give them an ip from our main dhcp server via a bridge.

If I have say a mac user at home wanting to connect into my network
using the built in mac os client how should I set up the vpn server?
Will it auth using usernames and passwords or is certificates only
simple way to authenticate to the vpn server?

How would I know which is better to use for this application out of
PPTP or IPsec?

Any and all input welcome.

Khalid

I'm embarking down the same path for what it's worth, but I'm actually doing it to eventually get rid of my Cisco 3005. My main structure though is ipsec between static fixed devices/locations and I don't need to worry about supporting PPTP or L2TP over IPSEC, or supplying addresses, yet.

I think Brian A. Seklecki's response:
"That's a tall order. In Cisco-land a VPNC3000k will run you $5k plus SMARTNet. You'll need isakmpd(8) policies. You'll need dhclient-server relay support. You'll need XAuth authentication (Possibly via PAM). You'll need IPSEC NAT-T. Maybe tie it all together with LDAP and PKI."

Kind of hit the nail on the head of my worries as well. I'm busy enough now making a secure network between offices using an OpenBSD box as the hub, but when I need to start adapting for "Road Warriors" things may get tricky. For example, your Mac user at home, assuming Tiger's built-in client (I'm not clear on Leopard's new VPN protocols), can only use PPTP or L2TP over IPSEC. I don't know if it's even possible to support all protocols easily on an OpenBSD concentrator, so I plan to push my Road Warriors into using clients such as VPN Tracker or The Greenbow client, though open source alternatives would be preferable. In my perfect world it would be isakmp/ipsec only for me and to hell with clients. Too bad that can't always happen...


I haven't been following this thread, but I saw your post and thought I'd add some bits for you to consider. First, you mention that Mac OS X only supports PPTP or L2TP over IPSec. This is not true. I've used OpenVPN (via tunnelblick) and the Cisco VPN client. OpenBSD has solutions that will support both of those clients. Would it be nice to have XAUTH support? Sure, but don't hold your breath.

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
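For readers following the isakmpd(8) path the thread keeps coming back to, here is what the "policies" part of Brian's list looks like in practice. This is a constructed ipsec.conf(5) fragment added to this archive page, not something any poster supplied, and every address and the key are placeholders. It accepts IKE from remote users at unknown addresses with a pre-shared key only; the per-user username/password step (XAuth) and handing out client addresses are exactly the pieces the thread says isakmpd alone does not give you.

```conf
# Constructed example /etc/ipsec.conf for an OpenBSD gateway accepting
# IPsec from remote users. Load it into isakmpd(8) with
# "ipsecctl -f /etc/ipsec.conf" (and set ipsec=YES in rc.conf for boot).

# Placeholder values: the gateway's public address and the LAN behind it.
gateway = "203.0.113.1"
lan     = "10.0.0.0/24"

# "passive" makes isakmpd wait for the remote side to start IKE, which is
# what clients on changing home addresses need. "peer any" means a
# connection is accepted from any source address, so the pre-shared key
# below is the only thing gating the tunnel, and it is shared by every
# user. Per-user credentials would need XAuth, which this fragment (and
# isakmpd on its own) does not provide.
ike passive esp from $lan to any local $gateway peer any \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha2-256 enc aes \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

Decrypted traffic from these tunnels shows up on enc(4), so pf.conf still needs rules for it (and a nat rule there if, as the original question asks, the remote users are to be NATed rather than bridged onto the LAN). Watching for IKE negotiations that authenticate but never bring up a flow, and for the shared key turning up outside the gateway, are the two things worth logging with a setup like this, since a single PSK gives you no way to tell users apart or revoke one of them.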
