
[no subject]



> > > If I had a solution for that, I think I could stop using windows. On
> > > Windows, I'm currently using a Cisco IPsec client to access a customer VPN
> > > and a Lucent IPsec client to access Lucent's network.  
> > FreeS/WAN is the Open Source standard and it works as well as any IPSec
> > implementation does.  (IPSec is garbage and hard to use but it
> > is STANDARD garbage and everyone supports it.)

> 	Define "garbage"?
IMO, you did define "garbage" in your reply to my previous post:

  1. Royal pain over NAT devices (except when using the new NAT-T).

  2. New protocols for no good reason (now fixed with ESPinUDP, in other
     words now using UDP as it should have all along).

Frankly, I much prefer CIPE as a much better design, IMO.

> 	IPSec is the transport encryption and it's pretty damn solid and the
> basis for many modern VPNs even if they don't say so.  XP uses IPSec
> now, instead of PPTP/GRE (which was pure junk).  OpenVPN claims to be
> using ESPinUDP encapsulation, which appears to be IPSec, as the
> transport, as well, even if they do use SSL/TLS for their
> authentication.  Now, I found the OpenVPN v1 to be a royal pain.  Ever
> try setting that up for a mesh of more than a few boxes?  Each tunnel
> has to have its own unique UDP port and a separate process and the
> transport runs in user space (so much for performance).  OpenVPN v2 is
> better but still has a ways to go.  They still don't have
> multi-connection server-to-server mesh working and IPv6 only works in
> client-to-client (v1) mode or tap (bridge) mode (gag).

> 	What most people mistakenly refer to as IPSec is really IPSec (the
> transport encryption) plus IKE (the Keying daemon/protocol).  Most of
> the problems with IPSec have to do with IKE.  IKE definitely has some
> problems.  Some in the protocol, some in the implementations.  OpenSWAN
> or StrongSWAN used with RSA keys or X.509 certs is not too bad.  IKE v2
> is on the horizon, but I'm not sure how much of an improvement it's
> going to be vis-a-vis setup.  The protocol is going to be an improvement
> but the problem of interfaces will remain.

> 	IPSec (the transport) used to be a royal pain over NAT devices but
> that's pretty much cleared up with NAT-T (IPSec over UDP aka ESPinUDP).
> OpenSWAN, StrongSWAN, and IPSec-Tools all support setting up IPSec NAT-T
> and even forcing it where necessary.

> > I've had a number of clients have me set it up.

> 	I've set up lots of VPNs for lots of reasons.  I haven't found
> OpenSWAN to be much more difficult than OpenVPN or CIPE, and I've found
> it to be significantly easier on the processor than userland VPNs and
> more robust.  And I really don't trust SSL based VPNs (at least not the
> ones using SSL as the transport, such as stunnel).  They could all use
> better management interfaces.  OpenSWAN/StrongSWAN is definitely better
> than IPSec-Tools (aka setkey/racoon).  While it might be argued that
> Racoon gives you a finer grained control over the VPN tunnels, very few
> people need that level of control and most that might try to exploit the
> features in Racoon that can't be accomplished with Pluto (from OpenSWAN)
> would probably just hurt themselves.

> > > I know that FC3 has an IPsec client.  Has anyone ever gotten it to work?
> > > -- 
> > > Wishing you Happiness, Joy, and Laughter,
> > > Drew Brown
> > > http://www.ChangingLINKS.com
> > 
> > > (posted for a friend)
> > 
> > Best regards,
> > 
> > Bob Toxen, CTO
> > Horizon Network Security
> > "Your expert in Firewalls, Virus and Spam Filters, VPNs,
> > Network Monitoring, and Network Security consulting"
> > 
> > http://www.verysecurelinux.com       [Network & Linux/Unix Security Consulting]
> > http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
> > http://www.verysecurelinux.com/sunset.html                    [Sunset Computer]
> > bob at verysecurelinux.com (e-mail)

> 	Mike
> -- 
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
Bob
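The NAT-T / ESPinUDP framing that both Bob's list item 1-2 and Mike's paragraph on NAT-T refer to is easy to see on the wire. Plain ESP (IP protocol 50) carries no ports, so a NAT has nothing to rewrite and nothing to map state on; RFC 3948 fixes that by carrying ESP inside UDP on port 4500 and sharing that port with IKE, using a four-zero-byte "Non-ESP Marker" (SPI 0 is reserved in ESP, so the two cannot be confused) and a one-byte 0xFF keepalive that stops the NAT mapping from timing out. The decoder below is an added example, not code from this thread or from Openswan, strongSwan or ipsec-tools; the datagrams it parses are constructed by hand, and the `audit_stream` replay check is a simple observer-side heuristic, not the ESP anti-replay window a real receiver keeps.

```python
"""Decoder for NAT-T (IPsec over UDP/4500, RFC 3948) datagrams.

Added example; not code from the thread or from any project named in it.
Sample datagrams below are constructed by hand, not captured traffic.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes: "this is IKE, not ESP"
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that keeps the NAT mapping alive
IKE_HEADER_LEN = 28                    # ISPI(8) RSPI(8) NextPayload(1) Ver(1) Exch(1) Flags(1) MsgID(4) Len(4)
ESP_HEADER_LEN = 8                     # SPI(4) + sequence number(4); the rest is ciphertext/ICV


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one datagram seen on port 4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        # SPI 0 is reserved in ESP, so a zero first word can only be the Non-ESP Marker.
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        ispi, rspi, _next, ver, exch, flags, msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "ispi": ispi, "rspi": rspi,
            "version": (ver >> 4, ver & 0x0F),
            "exchange": exch, "flags": flags, "msg_id": msg_id,
            "length_ok": length == len(ike),   # declared length must match what arrived
        }
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"kind": "esp", "spi": spi, "seq": seq, "payload_len": len(payload) - ESP_HEADER_LEN}


def audit_stream(datagrams) -> dict:
    """Count datagram kinds and flag ESP sequence numbers that do not advance per SPI.

    A genuine sender's sequence number only increases; a repeat or a step backwards
    on the wire is worth a look (replayed traffic, or a duplicated capture).
    """
    counts = {}
    last_seq = {}
    anomalies = []
    for i, payload in enumerate(datagrams):
        info = classify_natt_payload(payload)
        counts[info["kind"]] = counts.get(info["kind"], 0) + 1
        if info["kind"] == "esp":
            prev = last_seq.get(info["spi"])
            if prev is not None and info["seq"] <= prev:
                anomalies.append((i, info["spi"], info["seq"]))
            last_seq[info["spi"]] = max(prev or 0, info["seq"])
        elif info["kind"] == "ike" and not info["length_ok"]:
            anomalies.append((i, "ike-length-mismatch", info["msg_id"]))
    return {"counts": counts, "anomalies": anomalies}


def build_ike(ispi, rspi, exch, flags, msg_id, body=b"") -> bytes:
    """Build a UDP/4500 IKEv2 datagram: Non-ESP Marker + IKE header + body (constructed sample)."""
    hdr = struct.pack("!QQBBBBII", ispi, rspi, 0, 0x20, exch, flags, msg_id,
                      IKE_HEADER_LEN + len(body))   # 0x20 = version 2.0
    return NON_ESP_MARKER + hdr + body


def build_esp(spi, seq, ciphertext=b"\xaa" * 16) -> bytes:
    """Build a UDP-encapsulated ESP datagram (ciphertext bytes are placeholder filler)."""
    return struct.pack("!II", spi, seq) + ciphertext


# Constructed sample "capture": an IKE_SA_INIT (exchange type 34, Initiator flag),
# an ESP flow, a keepalive, the same ESP sequence number again, and a marker
# with no IKE header behind it.
SAMPLE_DATAGRAMS = [
    build_ike(0x1122334455667788, 0, 34, 0x08, 0, b"\x00" * 8),
    build_esp(0xC0FFEE01, 1),
    build_esp(0xC0FFEE01, 2),
    NAT_KEEPALIVE,
    build_esp(0xC0FFEE01, 2),               # repeated sequence number
    b"\x00\x00\x00\x00\x01\x02\x03\x04",    # marker but no IKE header
]

if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        print(classify_natt_payload(d))
    print(audit_stream(SAMPLE_DATAGRAMS))
```

Run it and the sample stream comes out as one IKE message, three ESP datagrams, one keepalive and one malformed datagram, with the repeated sequence number on SPI 0xC0FFEE01 reported as the single anomaly. The same classifier is what a monitoring script would apply to a UDP/4500 capture to tell a working NAT-T tunnel (steady ESP sequence numbers, periodic keepalives) from a peer stuck renegotiating IKE.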


</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00680" href="msg00680.html">[ale] IPSec client for Linux?</a></strong>
<ul><li><em>From:</em> mhw at wittsend.com (Michael H. Warfield)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00565" href="msg00565.html">[ale] IPSec client for Linux?</a></strong>
<ul><li><em>From:</em> groups at ChangingLINKS.com (ChangingLINKS.com)</li></ul></li>
<li><strong><a name="00616" href="msg00616.html">[ale] IPSec client for Linux?</a></strong>
<ul><li><em>From:</em> bob at verysecurelinux.com (Bob Toxen)</li></ul></li>
<li><strong><a name="00653" href="msg00653.html">[ale] IPSec client for Linux?</a></strong>
<ul><li><em>From:</em> mhw at wittsend.com (Michael H. Warfield)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
</body>
</html>