Hi,

SSL VPN is a bit hyped, but OpenVPN is a working solution if you need it
(why do I say that? Well, SSH VPN is a nice alternative that lacks a
Windows client and GUI). But I don't see a reason that SSL VPN is any
better than modern IPsec:

- IPsec is probably more secure than SSL VPN (at least better reviewed)
- IPsec is standards-based (SSL VPN is a term for vendor-specific VPNs)
- Modern IPsec is easy to configure and deploy (RFC 3456, ipsec.conf, ...)
- IPsec with NAT-T and UDP encapsulation works fine behind network barriers
- ...ok, we don't support non-standard TCP encapsulation of ESP traffic
- IPsec is more optimized and faster in the OpenBSD kernel

I recently implemented support for DHCP-over-IPsec (RFC 3456) in
dhclient(8) and dhcpd(8). This makes it very easy to run an OpenBSD IPsec
gateway with IPsec clients that automatically obtain a VPN IP address,
internal DNS IP etc. via DHCP. In other words, this makes it very easy to
deploy many (Windows) clients with very minimal configuration on the
client side.

---snip---
RCS file: /cvs/src/usr.sbin/dhcrelay/dhcrelay.c,v
revision 1.32
date: 2009/09/03 11:56:49;  author: reyk;  state: Exp;  lines: +142 -3
Add support for "DHCP-over-IPsec" by implementing RFC 3046 (DHCP Relay
Agent Information Option) and RFC 3456 (DHCP Configuration of IPsec
Tunnel Mode). This allows configuring various IPsec clients dynamically
via DHCP; dhcrelay needs to listen on enc0 and forward requests to a
DHCP server that supports RFC 3046, like I recently did for dhcpd(8).

ok krw@
---snap---

I successfully tested it with the following Windows clients on Vista32:

- Shrew Soft (www.shrew.net) - free
- NCP (www.ncp-e.com) - non-free, OEM for many other vendors
- FortiClient - non-free, legacy
- Any other clients with RFC 3456 support? Maybe for MacOS X?

It did not work, or I did not test it, with the following clients:

- Windows' native IPsec implementation(s) is (are) too complicated for
  me. Too many clicks, buttons, or wizards for my taste. The free Shrew
  Soft client is a great alternative (even if the maintainer is not
  responding to my mails).
- The Cisco IPsec VPN client is not supported; it uses some proprietary
  IKE modecfg extensions ("Cisco Unity") and kind of depends on XAUTH
  (username+password authentication that is currently not supported).
- The SafeNet SoftRemote client needed too many clicks to configure the
  client and it does not support RFC 3456; I deinstalled it quickly, but
  I think it doesn't even support IKE modecfg.
- The SonicWall VPN client doesn't work, I don't know, it requires a
  SonicWall box to configure the client policies: the web interface will
  generate an XML file that you need to import in the Windows client.
  What is the point of their client if you have to use their VPN gateway?

Another option to automatically configure an IPsec client is IKE
modecfg. We have partial server-side support in isakmpd(8), but I'm
working on extending and fixing it; diffs are floating around in
developers' INBOXes.

reyk

On Mon, Sep 14, 2009 at 04:11:24PM -0300, Marcello Cruz wrote:
> If you want use IPSec, you can use Windows 2003 or 2008. The
> implementation on W2K8 needs some patches to work out. You can do it even
> if the Windows machine is going to be the central hub for the VPN.
>
> If you are interested, I have the following setups:
> 1) XP -> Internet -> OpenBSD -> LAN
> 2) LAN <-> OpenBSD <-> Internet <-> OpenBSD <-> LAN
> 3) XP -> Internet -> W2K3 / W2K8
> 4) Other variants are also possible
>
> All of them use IPSec.
>
> A few months ago I sent a message regarding this subject. You can read
> the conversation at
> http://www.mail-archive.com/misc@openbsd.org/msg74592.html.
>
>
> Rgds,
> Marcello
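The commit message above says dhcrelay listens on enc0 and forwards client requests to a DHCP server that understands RFC 3046. The wire-level piece that makes RFC 3456 work is the Relay Agent Information option (option 82): the relay tags each request so the server can tell tunnel clients apart from LAN clients and assign them addresses from the VPN pool. The following is an added example, not code from the OpenBSD dhcrelay(8) or dhcpd(8) sources, showing both halves of that exchange: a relay that inserts option 82 into a DISCOVER and a server-side decoder that reads it back. The sub-option contents are assumptions for illustration (Circuit ID set to the ingress interface name, Remote ID set to the IPsec peer's address); the page does not say what dhcrelay actually puts there. The MAC address, the gateway address 10.8.0.1 and the peer address 203.0.113.7 are constructed sample values.

```python
"""DHCP relay-agent information (RFC 3046, option 82) as a DHCP-over-IPsec
relay needs it. Added example; not OpenBSD's dhcrelay(8)/dhcpd(8) code.
Assumption: Circuit ID carries the ingress interface, Remote ID the peer."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, DHCPDISCOVER = 1, 1
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
HOPS = 3                  # offset of the hops byte in the BOOTP header
GIADDR = slice(24, 28)    # relay agent address field in the BOOTP header


def build_discover(xid: int, chaddr: bytes) -> bytes:
    """Minimal DHCPDISCOVER as a client behind the tunnel would send it."""
    if len(chaddr) != 6:
        raise ValueError("expected a 6-byte Ethernet hardware address")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,  # flags: broadcast
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr..giaddr
                         chaddr, b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def _iter_options(packet: bytes):
    """Yield (code, value, offset) per option; the last item is the End option.
    Truncated or cookie-less packets are rejected rather than guessed at."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            yield code, b"", i
            return
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        yield code, value, i
        i += 2 + length
    raise ValueError("option list lacks an End option")


def parse_options(packet: bytes) -> dict:
    """Map option code -> raw value (End option excluded)."""
    return {c: v for c, v, _ in _iter_options(packet) if c != OPT_END}


def relay_request(packet: bytes, giaddr: str, remote_id: bytes,
                  circuit_id: bytes = b"enc0") -> bytes:
    """Relay-side step: bump hops, fill giaddr if this is the first relay, and
    append option 82 (Circuit ID + Remote ID) just before the End option.
    Refuses to double-tag a packet that already carries option 82."""
    if OPT_RELAY_AGENT_INFO in parse_options(packet):
        raise ValueError("packet already carries relay agent information")
    if not 0 < len(circuit_id) < 256 or not 0 < len(remote_id) < 256:
        raise ValueError("sub-option data must be 1..255 bytes")
    sub = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(sub) > 255:
        raise ValueError("option 82 payload does not fit one option")
    header = bytearray(packet[:236])
    if header[HOPS] >= 16:  # RFC 1542 relay agents drop over-relayed packets
        raise ValueError("hop count too large, dropping")
    header[HOPS] += 1
    if header[GIADDR] == b"\0" * 4:  # only the first relay sets giaddr
        header[GIADDR] = ipaddress.IPv4Address(giaddr).packed
    end = next(off for code, _, off in _iter_options(packet) if code == OPT_END)
    opt82 = bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    return bytes(header) + packet[236:end] + opt82 + packet[end:]


def relay_agent_info(packet: bytes):
    """Server-side step: decode option 82 into its sub-options, or None."""
    raw = parse_options(packet).get(OPT_RELAY_AGENT_INFO)
    if raw is None:
        return None
    names = {SUBOPT_CIRCUIT_ID: "circuit_id", SUBOPT_REMOTE_ID: "remote_id"}
    info, i = {}, 0
    while i < len(raw):
        if i + 1 >= len(raw):
            raise ValueError("truncated sub-option header")
        code, length = raw[i], raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option %d" % code)
        info[names.get(code, code)] = data
        i += 2 + length
    return info


def giaddr_of(packet: bytes) -> str:
    """Dotted-quad giaddr as the server sees it."""
    return str(ipaddress.IPv4Address(bytes(packet[GIADDR])))


if __name__ == "__main__":
    # Constructed sample: DISCOVER from a tunnel client, relayed from enc0 by a
    # gateway whose inside address is 10.8.0.1; the peer is 203.0.113.7.
    discover = build_discover(0x3903F326, bytes.fromhex("001122334455"))
    relayed = relay_request(discover, "10.8.0.1", b"203.0.113.7")
    print(giaddr_of(relayed), relay_agent_info(relayed))
```

The server's job is then to key its pool selection on giaddr and the Remote ID rather than on the client's hardware address alone, which is why a server without RFC 3046 support cannot serve the enc0 relay properly.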