Open VPNs On Unix That Support Windows Clients?
Adam Schumacher writes: "At work, I've been investigating the possibility of migrating our proxy/ftp/VPN server from NT4 to Linux. Proxying and FTP are obviously no problem, but I am at a bit of a loss as to what to recommend as our VPN server. We need transparent and secure tunneling of our network traffic across the Internet to Windows 95/98/NT/2000 workstations. I know that there are commercial vendors offering VPN solutions that interoperate beautifully between Windows and Linux, but these carry a hefty pricetag, upwards of several thousand dollars. I would much rather go with an Open Source solution. What experience have you had with setting up a VPN between a Linux server and Windows clients? Can you recommend any particular products I should investigate further? In the event that we do have to go with a commercial solution, would you recommend one product over another? Why? Bear in mind that this machine will control access to our entire internal network, so I need a product that has been proven to be robust and secure. Immature code need not apply."
Re:Translation (Score:1)
Re:IPsec and PGP.net (Score:1)
OpenBSD with IPSec is a no brainer. It is simple to set up, works great, and never goes down. Plus, IPSec is a standard, works with lots of other implementations. The OpenBSD folks have done an amazing job with IPSec. It is awesome.
PPTP for Linux (Score:1)
Re:[OT] A quick note... (Score:1)
SonicWall (Score:2)
Use ssh (Score:3)
Hrm (Score:5)
Freeswan not close to prime time (Score:2)
Once the VPN systems were in production with Freeswan, they were plagued by kernel panics, flaky startup and shutdown and many other problems.
Also, back then, there was a major problem with Windows clients connecting using DHCP addresses (all?!!), in that the way Freeswan is configured, it expects a static IP address at the other end of the tunnel.
These guys who are posting that Freeswan is any sort of panacea, or even a workable solution, either haven't used it for real or are using a dramatically different product than the one I used 4 months ago.
You can read my many cries for help on the mailing list archives I'm sure. Whatever your case, I wouldn't recommend Freeswan unless they have fixed the kernel panics, flaky startup and shutdown, and the dependency on fixed IP addresses.
My two cents. --Aaron Newsome
Freeswan needs much help (Score:3)
I submitted this earlier as a reply, I hope the dupe engine doesn't flag me as bad.
My two cents. --Aaron Newsome
FreeS/WAN (Score:3)
Re:Some suggestions (Score:1)
There are tools out there that will let you tunnel PPP over SSH or SSL. Five minutes of config work and you have a completely transparent VPN (though granted one better suited for LAN-to-LAN VPN than remote client-type VPN like this question is asking about). Do a freshmeat search for vpnstarter (for SSH) or stunnel (for SSL) for more info.
Re:LAN to LAN VPN (Entirely Offtopic) (Score:2)
"This is not the VPN solution you're looking for."
--
PoPToP for cheap Windows support; IPsec otherwise (Score:3)
First of all, if you want a VPN with Windows clients and don't want to spend any money, use PoPToP. However, be aware: PoPToP doesn't work correctly with many broken versions of Windows, and the PPTP protocol has some serious shortcomings.
IPsec, while still not being particularly secure, is a somewhat better protocol. However, you'll need to purchase a commercial Windows client to use it (even with Windows 2000, which supports IPsec, you'll need a commercial client such as that from Network Associates to work without L2TP; I haven't heard of anyone making successful use of l2tpd in this context). Via FreeS/WAN, a free, high quality client/server solution for linux is available, as well.
In any event, you'll want to use ipsec for your linux clients. Use it for your Windows clients also, if you can afford the commercial software.
OpenBSD, IPSec and Layer 2 (Score:2)
recently, at USENIX, I had the pleasure of talking to Jason Wright, who works at NETSEC.
Jason is also an OpenBSD developer, and presented a paper on something very interesting, which I am in the process of planning to deploy.
OpenBSD currently can bridge layer 2 over IPSec interfaces, which makes for a nice, transparent VPN.
For those who are interested, I can point anyone to the paper that was written; it's also available from the USENIX Association... http://www.usenix.org.
Echoing other people's comments, OpenBSD, because of its IPSec implementation, is perfect for this scenario; in fact IMHO it's really the only thing that will do this particular job this well.
And this is coming from someone adamantly pro-FreeBSD =)
-Pat
Re:There's a difference (Score:1)
But there are now differences between open source and free software (at least according to OSI and FSF, arguably the two big deciders even if neither term is really limited in usage).
The APSL is not free software, but it is open source, for example. There would be more, except the OSI stopped certifying new licenses (AFAICT) a long time ago.
What it comes down to for me is this: Open Source is unconcerned with the users; a good number of annoying licenses (from the user-programmer's PoV) have come into existence because of OSI's policies. Companies have essentially been able to progressively trim down the rights extended to licensees because of their willingness to extend the Open Source blanket to new licenses -- the new licenses are no longer written by hackers to make sure their software isn't misused, but by lawyers intent on making sure as little IP escapes as possible.
Their attempt and failure to trademark "Open Source" made it abundantly clear, as well, that companies didn't have to toe community lines to fit in -- Plan 9, an operating system that I really like, now refers to itself as Open Source even though their license has some of the nastiest clauses I've seen for end-user licenses ("if you bring an intellectual property claim against any Contributor you will lose your license to Plan 9," essentially and paraphrased although IANAL) which would make any business that relies on Plan 9 unable to protect their intellectual property (which, as it happens, includes enforcing the terms of the GPL on other software) since another entity could probably become a contributor to Plan 9 trivially (i.e., find a single bug, fix it, rape other company). A company wouldn't dare call their software Free Software (although possibly freeware or free) unless the license seemed free to the community; but the community doesn't matter to Open Source.
Free Software, OTOH, is all about users. The user's right to modify the code, the user's right to borrow the code, the user's right to learn from the code, and the user's right to be part of a community that shares the code. If nobody makes money from it, well, that's OK because people benefitted. If people do make money from it, well that's great because more people benefitted.
The point to this long rant is that, really, there is a difference between Open Source and Free software, whether the people who started it want to be different or not. That difference is how, at the end of the day, a person like me feels after contributing to both -- with free software, I've added something; with open source, something has been taken from me.
Danu Industries (Score:1)
T.
Re:Beware PPTP (Score:1)
I've heard very bad things about pptp, which PoPToP implements.
I believe the FAQ is talking about the MSCHAPV1 protocol, which is indeed very poor. You can convince the server to drop encryption altogether. I have -mschap_v1 in my options.pptpd file.
I also believe that the FAQ speaks about the Microsoft PPTP server, although looking through it again doesn't specifically say. I am confident that the PoPToP pptpd does not allow the clients to "talk it down" as the MS server allowed. To quote the article:
Passwords are protected by hash functions so badly that most can be easily recovered. And the control channel is so sloppily designed that anyone can cause a Microsoft PPTP server to go belly up.
These problems are alleviated by MSCHAPV2 and PoPToP, this much I do know for sure. :-)
I too scoured all kinds of messages on PPTP security and came to the conclusion that it was all in lieu of MSCHAPV1 and not MSCHAPV2. The latter does allow provisions to fall back to MSCHAPV1 but I do not allow this in my configuration, as I have stated above.
Re:WTF?? (Score:1)
BTW, Google had 60,000 hits for "linux vpn".
Yeah, but "linux vpn pptp" had only 5000 :-)
Re:Translation (Score:1)
Hi, I'd like to move a server from NT4 to Linux. I'd like to stress that it is a server that is extremely vital to my company's business.
Actually the linux fileserver I'd installed performs much better and is far more reliable than the NT4 box we have here doing nothing but PDC. It used to run Exchange Server 5 (P2-233 I think) and crashed regularly. Meanwhile the poor linux box gets pounded for every file and db access the office generates. Damn, I wish I had stayed with NT.
Just because it costs money doesn't mean it is better. The reverse of your little translation is just as true.
Re:PoPToP / MSCHAPv2 (Score:1)
So, what does that mean for the average user? Does this make the MSCHAPv2 authentication mechanism less secure than other password based protocols - let's say ssh?
Probably about the same as other password-based protocols. As I said in a few earlier posts, the PPTP configuration I've chosen is to force MSCHAPV2 and 128-bit encryption.
Re:WTF?? (Score:3)
1) Kernel patches (yay). There seem to be problems getting these patches to work with some distros (read: Red Hat) that have slightly-customized kernels
Only if you're dealing with some bonehead distribution that customizes the kernel instead of using kernel modules and a userland (or at least non-invasive) process to do whatever the hell it is they think is so important they should modify the kernel in the first place.
2) Windows only supports some real lame encryption out-of-the-box. To get 128 bit, you have to go through some real hoops to get the software from Microsoft, only to find it doesn't work.
Got some proof? I downloaded an easily-found file from MS' site, installed it and while I have not verified that it is indeed spitting out 128-bit encryption (anyone know a good way to actually test the wire?) pptpd/pppd won't talk to the client if I force 128-bit encryption on the server side and use weak encryption on the client.
3) Firewall/IPMasq causes even more fun, depending on which side of the firemasq the PPTP server is on.
Come on. This is getting silly. In my case I put the pptpd server on the firewall. I figure a VPN is an integral part of a firewall. Then I set aside a block of IPs and set up masquerade rules to match. The hardest part of my whole firewall was making sure that my input chain didn't kill packets I didn't want gone. The forward chain is only three lines long.
4) Browsing windows shares over a VPN link is akin to black magic and seldom works.
I haven't had too much trouble. You mention that you're on the PoPToP list. Check out the Samba lists as well and read up on Samba and WINS. The key is a WINS server which is accessible to everyone (internal and VPN).
The rabbit I'm gonna have to pull out of my hat involves setting up a VPN'd subnet (using FreeS/WAN, pptpd is useless here) and making a couple servers on the inside of each end appear in the subnet as well, without munging things up too badly and without having each server step too much into the VPN. I may just set up coda and Samba on the firewalls and "fake" that they're the servers in question. It'll make security tighter in the end, I think.
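Two checks for points 2 and 3 of this reply, as an added example that is not part of the post or of PoPToP itself: firewall rules for running pptpd on the firewall (written in iptables syntax, which is an assumption; the posters here were on ipchains), and a test of pppd's log that answers the "test the wire" question, since pppd reports which MPPE strength CCP settled on. Interface names, the address pool and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post or from PoPToP). Assumes iptables and a
# pppd with MPPE support; interface names and the address pool are made up.

# Firewall rules for pptpd running on the firewall itself.
# IPT can be overridden (IPT=echo) to print the rules instead of loading them.
pptp_firewall_rules() {
    ext="$1"    # Internet-facing interface, e.g. eth0
    lan="$2"    # internal interface, e.g. eth1
    pool="$3"   # address pool handed to VPN clients, e.g. 10.99.0.0/24
    IPT="${IPT:-iptables}"

    # The PPTP control channel (TCP 1723) and the GRE data channel (IP
    # protocol 47) both terminate on the firewall, so they are INPUT rules.
    "$IPT" -A INPUT -i "$ext" -p tcp --dport 1723 -j ACCEPT
    "$IPT" -A INPUT -i "$ext" -p 47 -j ACCEPT

    # Decrypted client traffic appears on ppp interfaces; let it reach the
    # LAN and let replies flow back, but only for the pool addresses.
    "$IPT" -A FORWARD -i ppp+ -o "$lan" -s "$pool" -j ACCEPT
    "$IPT" -A FORWARD -i "$lan" -o ppp+ -d "$pool" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # If the pool is not routed inside the LAN, hide it behind the LAN address.
    "$IPT" -t nat -A POSTROUTING -s "$pool" -o "$lan" -j MASQUERADE
}

# Did the session get 128-bit MPPE, with no 40-bit fallback anywhere in the log?
# pppd logs "MPPE 128-bit stateless compression enabled" (or "stateful", or
# "40-bit") once CCP negotiation completes.
mppe128_negotiated() {
    log="$1"
    grep -q 'MPPE 128-bit [a-z]* compression enabled' "$log" || return 1
    grep -q 'MPPE 40-bit' "$log" && return 1
    return 0
}

# Stand-alone use: print the rule set for a hypothetical eth0/eth1 firewall.
if [ "${1:-}" = "show" ]; then
    IPT=echo pptp_firewall_rules eth0 eth1 10.99.0.0/24
fi
```

On the wire itself, a tcpdump of GRE (protocol 47) on the external interface will show the PPP payload carried as protocol 0x00FD (CCP compressed data, which is how MPPE frames are tagged) once encryption is up; the log check above is the quicker confirmation of which key length was agreed.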
PoPToP (Score:5)
Moretonbay [moretonbay.com], the company who gave us so much work on uCLinux, has PoPToP, a Linux PPTP server.
I have set it up personally and included the MPPE and stateless patches which give excellent performance and 128-bit encryption.
You mentioned that immature code need not apply. I can't say how mature this code is but I have not had any problem with the encryption nor the actual VPN going down or otherwise futzing up.
PoPToP uses pppd + openssl with a custom daemon to set up Windows VPN connections. You can force MSCHAPV2 (V1 has problems with security, what else is new? :-), enforce 128-bit encryption, use PAP or CHAP, whatever you please. Since it is pppd which is authenticating, you can use PAM or whatever authentication methods you can use with pppd. Another important feature is that you can configure pptpd to assign IPs or have pppd do it for you. Configuring for MPPE and stateless compression was a bit of a pain but in reality it involved scanning the already big mailing list and applying the correct version of the patches.
Overall I am very pleased with PoPToP, even if my typing slows to 10WPM when I have to type the name. :-)
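A configuration of the kind this post and the "Re:Beware PPTP" reply describe, as an added example that is not part of either post or of the PoPToP distribution: a pptpd.conf plus the pppd options file it points at, requiring MS-CHAPv2 and 128-bit stateless MPPE, and a small audit that rejects an options file missing any of those lines or re-enabling something weaker. Option names are those of pppd 2.4.x with built-in MPPE; the patched pppd of the era used different spellings. Addresses, the pool and paths are assumptions.

```shell
#!/bin/sh
# Added example (not the post's or PoPToP's own files). Option names follow
# pppd 2.4.x with MPPE support; addresses, paths and the pool are assumptions.

# Write a pptpd.conf and the pppd options file it hands to every connection.
write_pptpd_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/pptpd.conf" <<EOF
# pptpd starts pppd with this options file for each client
option $dir/options.pptpd
# server end of each tunnel, and the pool handed out to clients
localip 10.99.0.1
remoteip 10.99.0.10-50
EOF
    cat > "$dir/options.pptpd" <<'EOF'
name pptpd
# require-mschap-v2: the client must prove itself with MS-CHAPv2 (require-*
# options also imply "auth"). PAP sends the password, CHAP and MS-CHAPv1
# use hashes weak enough to recover passwords offline, and MS-CHAPv1 derives
# the MPPE keys from that hash. The refuse-* lines stop pppd from ever
# authenticating itself to a client with one of those methods.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# only 128-bit stateless MPPE: a 40-bit or stateful negotiation fails the link
require-mppe-128
nomppe-stateful
# no other compressors in CCP, so MPPE is the only thing negotiated there
nobsdcomp
nodeflate
# answer ARP for pool addresses on the LAN so clients look local
proxyarp
lock
EOF
}

# Reject an options file that lacks any hard requirement or that re-enables
# a weaker authentication or encryption setting alongside them.
audit_pppd_options() {
    f="$1"
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 \
               require-mppe-128 nomppe-stateful; do
        grep -q "^$opt\$" "$f" || { echo "missing $opt" >&2; return 1; }
    done
    if grep -qE '^(require-pap|require-chap|require-mschap|require-mppe-40|nomppe|nomppe-128)$' "$f"; then
        echo "weak authentication or encryption enabled" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: write the files under a hypothetical directory and audit them.
if [ "${1:-}" = "install" ]; then
    write_pptpd_config /etc/pptpd-example
    audit_pppd_options /etc/pptpd-example/options.pptpd && echo "options file passes audit"
fi
```

The audit is anchored on whole lines on purpose: `require-mschap` (v1) must not be mistaken for `require-mschap-v2`, and `nomppe` must not match `nomppe-stateful`, since in each pair one is the weak setting and the other the required one.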
Some suggestions (Score:3)
2) Then, there's always SKIP. An invention of SUN, but still worth investigating. SKIP has higher throughput than IPSEC, and faster recovery in the event of a system failure anywhere down the chain. Again, it's available for Windows and Linux.
3) Thirdly, there's SSH, SCP, et al. This is OK, but its main drawback as a -transparent- VPN is that it's not very transparent. It's at the application level, rather than the stack level, which means that it's going to be more visible to the average user.
4) Last, but by no means least, your favourite hound of hell and mine, Kerberos! It's possible to set Kerberos as both an authentication AND an encryption mechanism. The main drawback with this option is that applications would need to be aware of Kerberos before they could benefit.
All in all, I'd say IPSEC or SUN SKIP are your two best options, as they don't require any user intervention or special code in the application.
Securing PPTP (Score:3)
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Little Caesars? You do pizza?"
Re:M$ PPTP is insecure (Score:1)
The protocol itself is okay, according to people who have a much better understanding of security matters than me (like Bruce Schneier). It's just that Microsoft's implementation of PPTP is brain-damaged. To quote from Counterpane's FAQ about the matter(emphasis mine):
Check Point Firewall-1 the best (Score:1)
M$ PPTP is insecure (Score:1)
I was wondering about this thing myself, so I did some research. Basically, the situation is that there are Unix VPN servers/clients that implement the IPSec protocol. IPSec is the industry standard for VPN. (read: it's secure). Microsoft did not want to go with the standard protocol (surprised?) and instead "innovated" PPTP. Well, PPTP is a complete joke. It didn't take me long to find articles analyzing PPTP security. (I'm sure other
So anyway, there are PPTP servers for Linux, like PoPTop, and PPTP comes built into win9x/NT. You could certainly go with this solution, as it would be the easiest one. (PPTP is better than nothing, I guess). If you want real security though, the best thing to do is to put Linux VPN servers on both sides of the tunnel. This is not always possible though. If you have two or more offices that you want to connect, that's easy -- just put the VPN servers/firewalls in each of them. But if you have windows users with laptops, or people working from home, you'll have to resort to PPTP. Unless there is a free/cheap IPSec client for windows (which I am not aware of).
___
IPSec client for windows? (Score:1)
___
huh? (Score:2)
http://sunsite.auc.dk/vpnd/
___
Re:FreeS/WAN (Score:1)
FYI: the primary people working on FreeS/WAN are in Canada.
free s/wan (Score:2)
Re:Freeswan needs much help (Score:2)
it gets oodles of traffic and It Just Works.
IPSec Implementations (Score:2)
IPSec is one of the more interesting technologies out there at the moment. Essentially, it has the advantage of being implemented on multiple different server platforms and client workstations.
For example OpenBSD [openbsd.org] supports it natively and Linux can be made to support it with the FreeS/WAN [xs4all.nl] project's kernel patches, which give you the IPSec functionality.
Unfortunately, the problems lie with IPSec compatible clients for the Win32 platform:
Essentially, if your company uses Win9X and NT then you have no problems. The Link [openbsd.org] will show you a bunch of clients that will actually work under OpenBSD's implementation of IPSec. Some of which are actually quite good.
On the other hand Windows 2000 is VERY unsupported. In fact it is very hard to find a Windows 2000 implementation (other than the poor implementation in Windows 2000 itself). Quite a few promise an implementation in a few months, some even a few weeks, but that does little if you need it done now.
If you need to get VPN clients for Windows 2000, I have found two that support it, but have yet to be able to test their implementation's interoperability with OpenBSD (the company's current Firewall/NAT platform). The two I have found are listed below:
Now if anyone else knows of Windows 2000 compatible clients that work with IPSec then I would be very interested in knowing about them.
FreeSWAN and NAI PGPNet work great. (Score:1)
http://www.freeswan.org
Here's your answer: (Score:2)
Client: NAI Labs PGP Client
Information On PGP Client:
http://www.pgp.com/asp_set/products/tns/pgpvpnc
To quote their page:
PGP MIT Freeware Downloads
PGP is the world's defacto standard for email encryption and authentication, with over 6 million users. PGP 6.5.1 MIT freeware supports RSA, PGP email and secure client-to-client connections using PGP certificates. It is available for non-commercial use only.
The commercial PGP VPN Client is available from Network Associates and is fully IPSec compliant with support for X.509 certificates from industry leaders such as VeriSign, Entrust and Net Tools, and VPN gateway support to create encrypted network connections to your company for secure remote access. The commercial client also includes PGPdisk for lightning fast disk, file and directory encryption and authentication in addition to technical support!
-------------------------------------------
Use the OpenBSD mailing list archives, man pages, and faqs for info on how to set up this scenario (VPNs with X.509 certificates).
Re:[OT] A quick note... (Score:1)
Re:There's a difference (Score:2)
The difference between Open Source and Free Software is just a matter of focus (focus on freedom or on open development), of ideology, and of degree of purism (some borderline licences might get more easily accepted by Open Source advocates than by Free Software ones), but the main idea is the same: software where you get the source code, and the right to use, modify, alter, compile and distribute (incl. for profit) under the same conditions.
Re:I have been screwing with this for a while (Score:1)
The plugin is called ttssh, and it's a tiny bit tricky to set up, but if you follow the instructions it will work.
Haven't looked at the license, but it is free for all uses, and comes with source code, as is TeraTerm.
For the server side, OpenSSH should work, although we use the F-Secure server.
Re:I built an extremely secure vpn using linux! (Score:1)
Re:PPP over SSH (Score:1)
That would force *everything* through the VPN, though, which might not be what you want.
Re:Open Source != free (Score:1)
Zero cost certainly isn't the most important part of an Open Source program, but it isn't the least important part, either. There's nothing wrong with using Open Source software just because it's free and good.
Re:Some suggestions (Score:1)
Re:WTF?? (Score:2)
Userland processes to fix kernel security bugs?
--
Re:Support (Score:1)
Re:Money issues (Score:1)
Re:Support (Score:1)
Solutions (Score:2)
Re:There's a difference (Score:1)
Open Source or Free Beer? (Score:3)
I think what you mean to say here is "I want someone to make me this thing for free." This is a great example of why RMS doesn't like the term Open Source. For 90% of the schmucks out there it translates to Free Beer, rather than the Free Speech he is speaking of. You want VPN software? Go write it and GPL it.
Re:Translation (Score:5)
I'm actually pretty shocked that you managed to score a rating of 4: Insightful off this one, but what the hell, I'll bite.
Is that not reasonable? I use OpenSSH, Snort, and nmap all the time at my place of business for security. For other purposes, I use Red Hat, Debian, Apache, Perl, PHP, MySQL, and PostgreSQL. All "high-powered, reliable software," as you put it. All free.
This may come as a shock to you, but I'm not in the habit of spending money on Open Source software unless I absolutely have to. Oh, I've certainly purchased the occasional RH distro CD because I wanted to install it at home, but at work, where I'm fortunate to have a decent net connection, I do net installs like crazy.
It's true that you can spend money on OSS. However, most people associate OSS with no charge, and not without reason.
The original poster stated that he would rather go with an Open Source solution rather than ones that "carry a hefty pricetag, upwards of several thousand dollars." I think that this is an important consideration for him. Since you didn't suggest any commercial solutions (or, in fact, OSS ones), I'll pose the converse question to you: what is your familiarity with VPN software, and what commercial solution would you say was the best?
I thought that the original post articulated his reasons for pursuing an Open Source package pretty nicely. On the flip side, your post seems to reflect a prejudice that only businesses with money to burn should have access to decent software. If you're of the opinion that Open Source software has no role in mission critical applications, fine, but just out of curiosity, why the hell would you read /.?
Security (Score:2)
Re:Security (Score:2)
ftp stream tcp nowait root
wuftpd and proftpd run as root through inetd and chroot to the user that logs in (E.g. ftp, your login, etc.)
There have been numerous postings on SANS and securityportal.com relating to wuftpd weaknesses; proftpd shares quite a lot of design with wuftpd, and so about one in every three of these flaws shows up in proftpd.
Re:configuration? (Score:2)
Re:Translation (Score:2)
You don't need to be a programmer to be a good sys admin, but it's getting too easy for people to take Free software for granted.
Re: (Score:2)
WTF?? (Score:5)
Is there an open Slashdot terminal in some public place? Because these "Ask Slashdots" are starting to seem more like "Ask A Random Question Without Searching First". This is getting REALLY lame.
Now, then. Go to Yahoo (yes, even Yahoo can find this, albeit through Google). Type "linux vpn". Find a link [moretonbay.com]. Follow it.
For those that aren't interested in enough to click, this is PoPToP, a Linux implementation of the server-side of MS PPTP. A secure implementation. Why PPTP? Because you want Windows clients and the only thing they do out of the box is PPTP. BTW, PoPToP is GPL'd....
--
LAN to LAN VPN (Slightly Offtopic) (Score:2)
You can use taptunnel [linux.exit.de] to connect multiple LANs together through an encrypted pipe.
It's also the best solution for playing multiplayer IPX games like starcraft between LANs.
Been There (Score:3)
We finally decided on OpenBSD [openbsd.org] although we considered Linux, Tru64, Solaris, NetBSD, FreeBSD, Irix, NT and Windows 2000. By considered, I mean we thought about it. But we finally decided on OpenBSD because throughout all the security bulletins that we've seen, this was the one that touted the best security, and was notably lacking in security bulletins.
We have been extremely satisfied with OpenBSD, and use it as a real bastion firewall, and as a transparent bridge to our production servers. It has an incredible amount of power, and is very versatile. Combined with Snort, Nessus, Nmap, IPF, and Perl (or any scripting language), it makes a wonderful IDS (Intrusion Detection System). I have yet to see a commercial system rival the power of this open source system in terms of complexity and diversity.
AltaVista Tunnel, some links (Score:2)
I found links to it on Tom Dunigan's VPN page [ornl.gov], which has a number of good links for the problem at hand.
A link to AltaVista tunnel info that does work is found on this Digital link in Russia [decsy.ru], which is oddly, in English.
Again, I haven't tried this myself, so caveat emptor.
Re:WTF?? (Score:3)
Sure, a search engine is generally where I start to find out about different solutions I might be looking to implement, but it is nice to hear discussion about various things as a 'Gee, that's cool!' discussion also.
VPND -- You are mistaken. (Score:2)
VPND (Score:5)
It is meant more to connect two subnets, rather than a single device to a network. Also, it does not run on windows. However, you can do what I do, and resurrect an old 486 to act as a gateway/firewall/vpnd server at home, and hook your windows box to it.
It is setup to re-establish broken connections. Even though I often lose connectivity between work and home, as long as the downtime is less than a tcp timeout, all of my tcp connections over the encrypted channel will actually remain up! Very nice.
Translation (Score:3)
Hi, I'd like to move a server from NT4 to Linux. I'd like to stress that it is a server that is extremely vital to my company's business.
It is so vital in fact that I'm prepared to spend no money on it at all. I want someone to give me high-powered, reliable software upon which I can bet my job, for free.
Why must Open-Source necessarily equal free?
Why does Open-Source necessarily equal best?
If it were my job on the line here, I'd find the best solution, not necessarily the one that meets my agenda.
Re:There's a difference (Score:2)
(rant)
Taco: Can't we move to a moderation system where people accumulate moderation points and can use them WHENEVER they want. Just put a cap on it so people who go on vacation don't come back to 1000 moderation points or something. I NEVER get moderation points when I want them, and only get them when there is nothing really of interest to me, or just flames or hot grits.
(/rant)
Re:Translation (Score:3)
Because that's what Open-Source advocates advocate. That's as opposed to Free Software which claims only to be Free, and only ethically best. I think the claim is valid that Open-Source is subtly distorting the spirit of Free-Software. It results in people asking questions like these. It's my impression anyway that Open-Source tries to sell itself as a panacea.
Re:Use ssh (Score:2)
Re:MODERATION ERROR (Score:2)
VPN over SSH, as recently featured on Linux.com (Score:2)
Re: (Score:2)
Re:VPND -- I'd be careful (Score:2)
I looked at the source code, as I had to port the program to OpenBSD [openbsd.org]. My first thought was that the person who wrote the code must've been some ASM programmer who took a 5-hour course in C. The entire body of main is the entire source file. Functional programming? What's that? The code is one big blob function. You can see blocks which are similar and could probably be handled by a separate function, but aren't.
My friend's first comment on waving him over to see the code was, "and you wanted to run that on your server?"
The code looks a lot like procmail's code [gimp.org], and is (IMO) due for a complete tear-down and rewrite. I'm sure a lot can be salvaged from vpnd, but I find it hard to believe that the person who wrote code looking like that also did the strictest possible checking on all input/output code for security problems.
You might want to read the VPN section [linuxdoc.org] of the Linux Admin Security Guide [linuxdoc.org] for a listing of alternatives.
---
Re:www.freeswan.org ??? (Score:2)
Re:IPsec (Score:2)
Looks to be a v.good product; something that I'm looking at implementing myself.
j.
Re:Security of PPTP (Score:2)
Re:VPND (Score:2)
Re:FreeS/WAN compatible with various packages (Score:3)
Nortel has a policy of Freeswan compatibility, so you should be able to use their server or client to talk to a FreeSWAN linux box. Nortel's client software runs on Win95, Win98, and NT, and is free if you buy the Nortel hardware (formerly Bay, formerly New Oak.) I don't know if it's free if you don't buy a box from them. So far I've used the Nortel client only with Nortel servers, but it works quite well and has multiple options for keying, including SecurID.
Re:WTF?? (Score:2)
It's your decision to read it. Wander off quietly if you've got a problem.
Jesus, people are bitchy today.
Re:WTF?? (Score:2)
at a maximum of, say, 12 posts per day, each one being a paragraph, or 4 lines at most, the "wasting our time" argument is a bit weak.
Re:WTF?? (Score:2)
IPsec (Score:4)
Barring that, we've had good luck with VSgate by infoexpress [infoexpress.com] in huge (and I mean huge) enterprise environments. Bonus: they directly support Linux not only as a server platform but client as well.
You could also look for PoPToP, which is a reverse-engineered hack of Microsoft's "Point-to-Point Tunnelling Protocol" to make a Linux box able to be a server for it, but take a look at some past issues of Schneier's Cryptogram (don't know the specific one, sorry) for some scathing commentary on the brokenness of PPTP.
-=-=-=-=-
Re:Open Source or Free Beer? (Score:3)
Why should I?
Sun has already done this. It is called SKIP.
And it is under a BSD-esque license.
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation
files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software or derivatives of the Software, and to
permit persons to whom the Software or its derivatives is furnished
to do so, subject to the following conditions:
http://skip.incog.com/src-form.html [incog.com] is the link in my old code version.
http://www.mirror.ac.uk/sites/ftp.zedz.com/pub/crypto/programs/s
The code works between Unix boxen and between unix and windows. And, it has been rumored to work with IPsec, but given I do not have a windows box doing ipsec, I can neither confirm nor deny it.
So:
1) Sun DOES release code.
2) The world does not revolve about the GPL.
Re:There's a difference (Score:4)
> Software.
That depends who you are talking to.
When people originally started talking about OpenSource, the idea (as I understand it was) "Lets take the 'Free Software' concept and repackage it under a new name, because the word 'free' scares suits".
The basic idea being Open Source *IS* free software in the same way that Zantac is Ranitidine (same chemical, different name).
So when we talk about "OpenSource" we talk about how you have source code and all sorts of other things. When we talk about "Free Software" we call all those things 'side effects' and talk about freedom as the main concern.
That doesn't mean there is a difference, just a different focus. In original intent though, the "focus" is the only difference, and when not trying to sell suits on the idea, the two terms can be used interchangeably.
It has come to pass that you can seem to tell a person's beliefs on the subject by which term they use. FSF types will ALWAYS talk about "Free Software" and disparage the term "OpenSource". Those who just care that the code exists and think that having source code is better for the technical reasons, will call it "OpenSource".
The entire criticism of the term is the focus change. People like RMS argue that the focus shift is bad. The whole point of free software is freedom and focusing on the other benefits instead is diminishing the value of the work by removing the political association of it.
At the end of the day though...the two are the same in every way but terminology and connotation.
-Steve
Re:WTF?? (Score:4)
1) Kernel patches (yay). There seem to be problems getting these patches to work with some distros (read: Red Hat) that have slightly-customized kernels
2) Windows only supports some real lame encryption out-of-the-box. To get 128 bit, you have to go through some real hoops to get the software from Microsoft, only to find it doesn't work.
3) Firewall/IPMasq causes even more fun, depending on which side of the firemasq the PPTP server is on.
4) Browsing windows shares over a VPN link is akin to black magic and seldom works.
These are the most common issues I've seen (and I'm a lurker on the PoPToP list). To their credit, the gang that makes this software has integrated it into a hardware box [moretonbay.com] (look for the NetTel) that does both PPTP and firewall functionality. It's pretty inexpensive at $399US, and I'm pondering just buying that instead of hacking around on my own.
IPsec and PGP.net (Score:2)
www.freeswan.org ??? (Score:4)
UNI-BOX (Score:2)
We only use Linux boxes to connect the different offices together. Inside it's still a full blown Windows NT 4 deal.
My $0.02
There's a difference (Score:3)
Please remember that Open Source != Free Software. Open Source does not specifically require the software to be free; an example of this is Solaris. Free Software (in the FSF sense of the term), however, requires the software to be free, open source and a bunch of other things (concerning distribution, etc.).
Sorry for bitching, but I think that at least the people at /. (and those submitting to /.) should have the terms straight.
Why not buy something that works "beautifully"? (Score:2)
Do you really need the source code to your VPN software? If so, that sounds like the "immature" code you want to avoid in the first place.
Re:WTF?? (Score:3)
Routers/Firewalls with VPN built in (Score:3)
Re:PoPToP for Linux (Score:2)
IPsec is better, but I don't know if there is a free client available for Windows.
PoPToP for Linux (Score:3)
Re:WTF?? (Score:2)
As far as I know, Slashdot does not exist in order to save a few people time by wasting a great many people's time. If the answer to a question is either easy to find elsewhere, or of little interest to most people here, I would hope it didn't make the front page.
So FascDot's complaint seems perfectly valid in principle. Whether it is valid in fact is another issue. Apparently, while the question at hand was interesting to some (you, for instance), it was not to others (some of whom modded FascDot up). By all means, voice your opinion on the question; it's a very legitimate point of debate.
Re:WTF?? (Score:2)
Jesus, people are bitchy today.
I'm certainly not complaining; I simply disagree with TangentMan123's view. And it's not very reasonable to take a "like it or leave it" attitude about a site which is principally user-driven. I might say that someone who tried to squelch discussion would be the better one to wander off quietly... but it takes all types. :-)
Re:WTF?? (Score:2)
And interestingly as well, do the wasting-our-time arguments waste more of our time than the things they're complaining about? :-)
Anyway, my argument was mostly about regarding Slashdot as a search engine. I think that's a crummy attitude, because it looks at the other users simply as a means to a personal end. Although I can see where you might have thought I was just bitching about irritating questions, I actually don't have much of a problem with the status quo.
Well... guess we beat that horse to death...
Similar Problem (Score:2)
For the most part, this isn't a problem since Windows is the dominant desktop platform around our office. With home networking kicking in with a lot of my folks, they're finding a need to have a single routable IP solution at home for multiple boxes AND having VPN support for them. I also have one remote office that presently has to have unique routable IP's for each client. To further complicate matters, that remote office has a couple of Macs tossed into the mix.
I've been looking about for a reasonable server side solution that I can deploy to a number of locations to handle the chit chat between it and this Checkpoint firewall. If I can get either Linux or a flavor of BSD to act as a proxy and VPN solution, freeware will get migrated into my office setup for the first time.
Aside from getting this to work at all, I do have support concerns. Between Linux and BSD, I've at least spent some time using Linux but there's apparently stability concerns with S/Wan. OpenBSD looks interesting, but I have zero BSD experience at this point in time. All the support and configuration falls squarely into my lap to implement.
I had rather hoped to find something that was a Windows-based solution, mostly since that's what all my remote users are using. Not too many folks want to go out and purchase a separate PC just to handle network proxying. Granted, this isn't nearly as much of an issue as the remote office is, as I can easily get another PC to deal with this there.
Bottom line: I need a solution that proxies non-routable IP addresses to the internet while providing for VPN support to a Checkpoint firewall.
Re:IPsec (Score:2)
To automate all this, you need a key exchange protocol like IKE which can handle all of these tasks for you. I personally work for a VPN company that implemented and released IPsec software/hardware before IKE had become a standard, and so we have our own protocols for establishing the Security Association for the IPSec tunnel. Our setup protocol is pretty darn good (IMHO), but it's not an open standard, so it only works between our own products. IKE is a feature likely to be added to a future release of our products.
In general regards to the big question, I think an IPSec client that supports IKE is the way to go, since both are now open standards (mostly in the range RFC2401 through RFC2409). There are already open source projects on the BSDs and Linux to support IPSec/IKE, and most VPN vendors are also moving towards it. (Check FreeS/WAN for Linux and isakmpd for BSD)
From my highly biased standpoint, I think my company's product is pretty good and we have a nice client for WinXX if you're willing to work with your key server being on an NT machine. The server can work from behind a firewall with only a few UDP ports forwarded, which is also nice.
The opinions expressed in this email don't imply or assert anything about those of my employer in any way shape or form, either for or against anything I said. Everything in this post is entirely my own opinion and beliefs.
Swan and Munitions (Score:2)
SafeNet (Score:3)
Re:VPND (Score:2)
Re:There's a difference (Score:3)