Author: Rafael 'Dido' Sevilla Date: To: Philippine Linux Users' Group (PLUG) Technical Discussion List Subject: Re: [plug] VPN design from a newbie's point of view
Michael Tinsay wrote:
> Based on my experience, Openswan is (a) pretty easy to
> configure, and
Not as easy as OpenVPN in my experience.
> (b) I haven't had the need to patch a
> kernel for it, though I'm using a 2.4 kernel with
> KLIPS, as I prefer to have an ipsec0 interface.
Lucky you that you already have a patched kernel. I suppose many modern
distributions already incorporate the kernel patches necessary for IPsec.
> Haven't tested it where one endpoint is behind a NAT.
I have. Out of the box it doesn't work at all. There are supposed to
be patches for OpenS/WAN to provide NAT traversal capability, but I've
experienced other problems with them, e.g. trouble with path MTU
discovery. Since in my experience I have almost never gotten a routable
IP address while traveling as a road warrior, any VPN protocol that has
trouble dealing with network address translation is completely worthless
as far as that is concerned.
> There is no openvpn client for windoze and wince. If
> you're planning to have Windows and WinCE/PocketPC VPN
> roadwarriors, openswan is the choice between the two,
> though there are other alternatives like PPTP.
False. There is an OpenVPN client for Windows, apparently they've had
one ever since. We have used it, and while it does have some
limitations compared to the GNU/Linux client, it works well enough for
our Windows-based road warriors.
And whatever you do, stay away from MPPE/MS-PPTP. The security record
on that protocol is horrible, to say the least.