[TriLUG] redhat and freeswan - was Debian vs Mandrake vs Redhat vs

Jon Carnes jonc at nc.rr.com
Tue Mar 11 10:37:15 EST 2003


On Tue, 2003-03-11 at 09:20, Turnpike Man wrote:
> I would like FreeSwan to
> work such that multiple sites can be connected via a 24/7 IPsec vpn.  My
> scenario is this: global headquarters in RTP, remote offices in California, UK,
> Sweden, and India.  

I've set up a couple of corporations this way.  Normally I use OpenBSD
because of the ease of setting up the VPN.  It takes about two hours to
install the system and another hour to get the VPN up and running.

Three hours isn't bad for a really secure and robust site-to-site VPN
setup.  Of course, these days, the Net-appliances have put me out of the
VPN business.  The VPN-enabled Linksys boxes are just over $100 each and
they do a super job (and work fine with OpenBSD as well).

>The RR from NC to TX is just me and a friend trying to get
> it to work.  I use iptables to protect my network from RR.  Is Freeswan the
> right tool or is PPTP via SSH just as viable?  Security is obviously of
> importance (and I have to make sure our guy in Sweden doesn't convince the
> owners to go with M$ ISA!)

Sorry, I meant PPP via SSH (Jeremy caught that!).  

In my testing, IPSec was a big winner on efficiency of throughput. I
measured the amount of bandwidth used versus the effective bandwidth of
the created tunnel (or VPN). If I remember correctly:
IPSec had an efficiency of ~88%
PPP via SSH had an efficiency of ~68%
PPTP had an efficiency of 65%

I measured these using 300MHz P-II's attached to a 45Mb pipe on one end
and a 768Kb pipe on the other end - at various places around the world:
Netherlands, Australia, California.  

The pipe to Australia was a nightmare of dropped packets and latency
issues.  The IPSec tunnel handled that best of all, but I have to say
that the PPP via SSH also did very well (despite the theoretical papers
claiming that it should have cascaded into failure!).
> 
> Now for PPTP, I have yet to try to configure PoPToP, although I have looked at
> it.  

PoPToP is a little more complex to set up (than ppp via ssh) but it works
fine.  PPTP is not really designed for site-to-site VPN so it has some
routing issues, but they can be overcome.

Take care - Jon Carnes
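The efficiency figures quoted above depend on the traffic's packet-size mix as well as on the protocol, because every tunnel adds a fixed per-packet cost. As an added example (not from the original post or from FreeS/WAN), this Python model computes IPsec ESP tunnel-mode overhead from the RFC 2406 packet layout; the cipher and MAC choice (3DES-CBC with an 8-byte IV, HMAC-SHA1-96) and the sample traffic mix are assumptions.

```python
# Added example: model IPsec ESP tunnel-mode per-packet overhead to show
# why a measured "efficiency" figure depends on the packet-size mix.
# Assumptions (not from the post): 3DES-CBC (8-byte IV, 8-byte block),
# HMAC-SHA1-96 (12-byte ICV), IPv4 outer header without options.

OUTER_IP = 20      # new outer IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV_LEN = 8         # 3DES-CBC initialisation vector
BLOCK = 8          # cipher block size; payload + trailer is padded to it
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV = 12           # HMAC-SHA1-96 authenticator


def esp_wire_bytes(inner_len: int) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // BLOCK) * BLOCK   # round up to a whole cipher block
    return OUTER_IP + ESP_HDR + IV_LEN + padded + ICV


def efficiency(inner_len: int) -> float:
    """Useful bytes carried per wire byte for a single packet size."""
    return inner_len / esp_wire_bytes(inner_len)


def mix_efficiency(mix) -> float:
    """Aggregate efficiency over a traffic mix of (inner_len, count) pairs."""
    useful = sum(n * count for n, count in mix)
    wire = sum(esp_wire_bytes(n) * count for n, count in mix)
    return useful / wire


if __name__ == "__main__":
    # Constructed sample: 1400-byte bulk packets versus 64-byte ACKs.
    for size in (64, 576, 1400):
        print(f"{size:5d}-byte inner packet -> {esp_wire_bytes(size)} on wire,"
              f" efficiency {efficiency(size):.1%}")
    # The same protocol gives very different numbers for different mixes.
    for mix in ([(1400, 2), (64, 1)], [(1400, 1), (64, 3)]):
        print(f"mix {mix}: efficiency {mix_efficiency(mix):.1%}")
```

Large packets come out well above 90%, small ones near 50%, so an overall figure in the high 80s is what a bulk-transfer mix with a steady stream of small ACKs produces.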
