Re: VPN questions
Hello Chris

PPTP also works behind NAT and the key is 128 bits long. In most cases 128 bits are enough. PPTP is also a VPN solution.

On Wed, Oct 27, 2004 at 12:28:10PM -0400 Chris Shenton wrote:
> Aaron P. Martinez [EMAIL PROTECTED] writes:
>
>> I suggest looking at openvpn, it is an SSL-based VPN that is fairly easy to set up. I might shy away from freeswan as it is for the most part out of development, only one more rollup and that's it.
>
> Any suggestions for something compatible with Cisco's 3080 VPN product? Something that will work from behind my home NAT box, ideally?

--
Regards

Martin Schweizer
[EMAIL PROTECTED]
PC-Service M. Schweizer GmbH; Gewerbehaus Schwarz; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc;
fingerprint: EC21 CA4D 5C78 BC2D 73B7 10F9 C1AE 1691 D30F D239
Re: VPN questions
On Wed, 2004-10-27 at 03:38, Erik Norgaard wrote:
> Hi,
>
> I am looking at how to implement VPN but I'm getting confused as to how IPSec, IKE, OpenSSL, FreeSWAN, racoon etc. all fit into the picture. I am looking at two scenarios, and I have two questions.
>
> 1) Standard IPSec tunnel:
>
>           +----+    IPSec/VPN    +----+
>     LAN---| FW |-----------------| FW |---LAN
>           +----+                 +----+
>
> In this scenario: Can CARP/pf handle VPN/IPSec connections in case the master unit fails? (I am assuming that both ends have fixed public routable IPs.)
>
> 2) VPN for mobile users
>
>           +----+       VPN       +-----+
>     LAN---| FW |-----------------| FW? |---[mobile unit]
>           +----+                 +-----+
>
> For mobile users I can't be sure where they are, their IP, or if they are behind NAT/firewall, nor can I trust the network until the mobile unit. IPSec breaks behind NAT; are there other alternatives than ssh-tunnels I should take a look at? (which? :-)

I suggest looking at openvpn, it is an SSL-based VPN that is fairly easy to set up. I might shy away from freeswan as it is for the most part out of development, only one more rollup and that's it.

> Thanks, Erik
> --
> Ph: +34.666334818
> web: www.locolomo.org
> S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
> Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to [EMAIL PROTECTED]

Aaron
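As an added illustration of the OpenVPN suggestion above for the mobile-user scenario (this is example configuration written for this page, not anything posted in the thread): a minimal certificate-authenticated server and client pair. The client initiates an outbound UDP session, so it works from behind a NAT box without any inbound port mapping; `keepalive` keeps the NAT state alive. The hostname `vpn.example.org`, the subnets and the key file paths are assumptions.

```conf
# --- server.conf (assumed path: /usr/local/etc/openvpn/server.conf) ---
port 1194
# UDP works through NAT because the client initiates; no inbound mapping needed
proto udp
dev tun
# CA, server certificate/key and DH parameters (paths are assumptions)
ca   /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key  /usr/local/etc/openvpn/keys/server.key
dh   /usr/local/etc/openvpn/keys/dh2048.pem
# HMAC the control channel: packets without a valid HMAC are dropped before the TLS handshake
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
# VPN address pool (assumed); each mobile client gets an address from it
server 10.8.0.0 255.255.255.0
# route to the LAN behind the server (assumed 192.168.1.0/24) pushed to clients
push "route 192.168.1.0 255.255.255.0"
# ping every 10 s to keep the NAT mapping alive; restart the tunnel after 120 s of silence
keepalive 10 120
# keep key and tun device across restarts so privileges can be dropped below
persist-key
persist-tun
user nobody
group nobody
verb 3

# --- client.conf (on the mobile unit) ---
client
dev tun
proto udp
# assumed server name; the client only needs outbound UDP/1194
remote vpn.example.org 1194
nobind
ca   ca.crt
cert client1.crt
key  client1.key
tls-auth ta.key 1
# refuse a peer that presents a client certificate as if it were the server (OpenVPN 2.1 and later)
remote-cert-tls server
persist-key
persist-tun
verb 3
```

Each client gets its own certificate, so revoking one laptop does not mean re-keying every other user, which is the weakness of a single shared pre-shared key described later in this thread for the Cisco dynamic-client group.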
Re: VPN questions
Aaron P. Martinez [EMAIL PROTECTED] writes:

> I suggest looking at openvpn, it is an SSL-based VPN that is fairly easy to set up. I might shy away from freeswan as it is for the most part out of development, only one more rollup and that's it.

Any suggestions for something compatible with Cisco's 3080 VPN product? Something that will work from behind my home NAT box, ideally?

Thanks.
RE: VPN questions
> Any suggestions for something compatible with Cisco's 3080 VPN product? Something that will work from behind my home NAT box, ideally?

There is nothing that I know of, I have a 3000 at work and wanted to do the same thing. There is a CLI client for the 3000 in ports that I did manage to get working at one time; it's not site to site though.

> Thanks.
Re: VPN questions
On Wed, 27 Oct 2004 11:47:43 -0500, Michael Clark [EMAIL PROTECTED] wrote:
>> Any suggestions for something compatible with Cisco's 3080 VPN product? Something that will work from behind my home NAT box, ideally?
>
> There is nothing that I know of, I have a 3000 at work and wanted to do the same thing. There is a CLI client for the 3000 in ports that I did manage to get working at one time; it's not site to site though.

The Cisco 3000 is a difficult beast in this case. I have a site to site VPN between the Cisco and an OpenBSD host which works fine, I assume it would also work for FreeBSD. The challenge however, is that for site to site (known as Lan to Lan in the Cisco) a static IP must be used; this mode does not support a dynamic client that I know of.

You can connect a dynamic client to the Cisco using the Base Group, but their PSK structure for dynamic clients basically requires that you use the same PSK for all clients, not exactly ideal. I believe you can use certificates to get around this, but I've not tried.

The Cisco client itself uses XAUTH to allow user/pass type authentication and can then be pointed to a backend authentication service (RADIUS, AD, etc) - if there is some software for FreeBSD that can do XAUTH you would be much closer to getting this to work - I don't think such a thing exists however.

If you have a static IP from your ISP and want to use Lan to Lan, I'm pretty sure that would work (though I'm currently battling this specific scenario on the FreeBSD side trying to get NAT working on the VPN itself to masquerade the LAN behind the VPN). As a hint, you'll want to use aggressive mode and some identifier for the client other than the IP (I use an email address).

I've resigned myself to having a few different VPN concentrators for clients to connect to as each seems to have its own specific strengths and weaknesses and our company has a wide variety of clients connecting.

Aaron
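To make the "aggressive mode plus a non-IP identifier" hint in the message above concrete, here is an added example of what the FreeBSD side could look like if it runs racoon (the IKE daemon Erik mentions at the start of the thread). This is example configuration written for this page, not the poster's own config; the peer address `203.0.113.10` is a constructed documentation-range address, and the identifier, key path and algorithm choices are assumptions.

```conf
# /usr/local/etc/racoon/racoon.conf (assumed path)
# Phase 1 (IKE) settings for the Cisco Lan-to-Lan peer.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# constructed peer address (RFC 5737 documentation range)
remote 203.0.113.10 {
    # the Cisco expects aggressive mode for this setup (per the message above)
    exchange_mode aggressive;
    # identify ourselves by an e-mail style identifier instead of our IP (assumed value)
    my_identifier user_fqdn "vpn-gw@example.org";
    # the concentrator identifies itself by its static address
    peers_identifier address 203.0.113.10;
    proposal_check obey;
    lifetime time 8 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters; PFS group must match the Cisco side
sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

The matching `psk.txt` holds one line per peer, `203.0.113.10` followed by whitespace and the shared secret, and must be readable only by root or racoon refuses to start. Two practical points for whoever sets this up: in aggressive mode the identifier travels unencrypted in the first exchange and the PSK is the only thing authenticating the peer, so a long random secret matters more here than in main mode; and racoon only negotiates the SAs, so the security policy (the `spdadd` entries loaded with `setkey`) for the two LANs still has to be in place before anything flows.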
Re: VPN questions
On Oct 27, 2004, at 3:38 AM, Erik Norgaard wrote:
> Hi,
>
> I am looking at how to implement VPN but I'm getting confused as to how IPSec, IKE, OpenSSL, FreeSWAN, racoon etc. all fit into the picture. I am looking at two scenarios, and I have two questions.
>
> 1) Standard IPSec tunnel:
>
>           +----+    IPSec/VPN    +----+
>     LAN---| FW |-----------------| FW |---LAN
>           +----+                 +----+
>
> In this scenario: Can CARP/pf handle VPN/IPSec connections in case the master unit fails? (I am assuming that both ends have fixed public routable IPs.)
>
> 2) VPN for mobile users
>
>           +----+       VPN       +-----+
>     LAN---| FW |-----------------| FW? |---[mobile unit]
>           +----+                 +-----+
>
> For mobile users I can't be sure where they are, their IP, or if they are behind NAT/firewall, nor can I trust the network until the mobile unit. IPSec breaks behind NAT; are there other alternatives than ssh-tunnels I should take a look at? (which? :-)
>
> Thanks, Erik
> --
> Ph: +34.666334818
> web: www.locolomo.org
> S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
> Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2

Take a look at mpd in the ports tree for the mobile connections. I use it on a regular basis, and it is really easy to set up. Also, unlike poptop, mpd supports encryption. My particular setup is for 128-bit encryption and I allow 3 different connections at once.

HTH
-
Eric F Crist
Secure Computing Networks