On 1 Dec 2007, at 05:37, visc wrote:

On 30-Nov-07, at 2:13 AM, Khalid Schofield wrote:

Hi,
I'd like to make a VPN concentrator using OpenBSD. I want users to be
able to authenticate using usernames and passwords and to either NAT
the users or give them an IP from our main DHCP server via a bridge.

If I have, say, a Mac user at home wanting to connect into my network
using the built-in Mac OS client, how should I set up the VPN server?
Will it auth using usernames and passwords, or are certificates the only
simple way to authenticate to the VPN server?

How would I know which is better to use for this application out of
PPTP or IPsec?

Any and all input welcome.

Khalid


I'm embarking down the same path for what it's worth, but I'm actually doing it to eventually get rid of my Cisco 3005. My main structure though is ipsec between static fixed devices/locations and I don't need to worry about supporting PPTP or L2TP over IPSEC, or supplying addresses- yet.

I think Brian A. Seklecki's response:
`That's a tall order. In Cisco-land a VPNC3000k will run you $5k plus SMARTNet. You'll need isakmpd(8) policies. You'll need dhclient-server relay support. You'll need XAuth authentication (Possibly via PAM). You'll need IPSEC NAT-T. Maybe tie it all together with LDAP and PKI.'

Kind of hit the nail on the head of my worries as well.

I knew it wouldn't be a 5 minute job but it's going to be worth it.

I'm busy enough now making a secure network between offices using an OpenBSD box as the hub, but when I need to start adapting for "Road Warriors" things may get tricky.

Well I'm sure we can chat on here and get a good idea of how to embark on the project. The OpenBSD kernel has support for the hardware crypto cards :P


For example, your Mac user at home, assuming Tiger's built-in client

I use the standard mac client with my m0n0wall firewall's vpn service at home.

(I'm not clear on Leopard's new VPN protocols), can only use PPTP or L2TP over IPSEC. I don't know if it's even possible to support all protocols easily on an OpenBSD concentrator, so I plan to push my Road Warriors into using clients such as VPN Tracker or The Greenbow client, though open source alternatives would be preferable. In my perfect world it would be isakmp/ipsec only for me and to hell with clients. Too bad that can't always happen...


Standardizing on one client is a good idea, and the technical users will find a way to get it working with whatever they want.

So, anyway, lots of ramble for little benefit, but at least I know somebody else is doing it...

Indeed! I'm glad to hear from someone else who thinks this idea isn't mad!
