[TriLUG] redhat and freeswan vs net appliances

Turnpike Man turnpike420 at yahoo.com
Tue Mar 11 11:01:04 EST 2003


--- Jon Carnes <jonc at nc.rr.com> wrote:
> On Tue, 2003-03-11 at 09:20, Turnpike Man wrote:
> > I would like FreeSwan to
> > work such that multiple sites can be connected via a 24/7 IPsec vpn.  My
> > scenario is this: global headquarters in RTP, remote offices in California, UK,
> > Sweden, and India.
>
> Three hours isn't bad for a really secure and robust site-to-site VPN
> setup.  Of course, these days, the Net-appliances have put me out of the
> VPN business.  The VPN-enabled Linksys boxes are just over $100 each and
> they do a super job (and work fine with OpenBSD as well).

A buddy of mine in GA uses FreeBSD, loves it... anyway, are these
net-appliances able to connect multiple sites via IPSec?  Also, what are you
giving up by using these devices... can they sit behind a firewall that has the
IPSec ports opened to the Net-app such that you still maintain full control and
logging over traffic coming in and out of your network?

Cost is also of large concern here... $100 a pop and you can connect globally
and securely, ok, I might be sold on that; presuming above firewall question is
yes.


> 
> > The RR from NC to TX is just me and a friend trying to get
> > it to work.  I use iptables to protect my network from RR.  Is Freeswan the
> > right tool or is PPTP via SSH just as viable?  Security is obviously of
> > importance (and I have to make sure our guy in Sweden doesn't convince the
> > owners to go with M$ ISA!)
> 
> Sorry, I meant PPP via SSH (Jeremy caught that!).  

Ya, saw his howto... still a bit complicated for me to learn on my own I think.

> PoPToP is a little more complex to setup (than ppp via ssh) but it works
> fine.  PPTP is not really designed for site-to-site VPN so it has some
> routing issues, but they can be overcome.

PPTP seems like it would be the most simple solution for remote user access b/c
PPTP clients are abundant and usually easier to configure for the joe user who
just thinks things magically work.  My users complained about the difficulty of
setting up our old IPSec vpn clients, so for now I have an M$ PPTP running
which works beautifully for those joes.  Many people were having problems with
home routers not supporting IPSec vpn connections as well; though it was not my
fault, of course the fingers were pointed at me!

With an IPSec vpn solution connecting global office locations, it would make
sense to me to force users into an IPSec client connection again for remote
access, if they are working from home for instance.  No sense in running IPSec
for connecting offices and not connecting users with it... plus PPTP just means
more holes in a firewall.

laters,
David

> 
> Take care - Jon Carnes
> 
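The firewall question above (an IPsec appliance sitting behind an iptables box that still logs what goes in and out) can be answered with a ruleset like this one. It is an added example, not something posted in the thread: it emits an iptables-restore file that passes only IKE (UDP/500), ESP and AH between the appliance and a fixed list of remote gateways, logging each flow before accepting it. The interface name, the appliance address and the peer addresses are assumptions (documentation ranges, constructed for the example).

```shell
#!/bin/sh
# Added example, not from the list post: generate an iptables-restore ruleset
# that lets only IKE/ESP/AH reach a VPN appliance from known remote gateways.
# The firewall still sees (and logs) tunnel setup and every ESP flow; it cannot
# inspect the decrypted traffic, which leaves the appliance on the LAN side.
# Arguments (all assumptions): $1 Internet-facing interface, $2 appliance
# address, $3 space-separated list of remote gateway addresses.
ipsec_passthrough_rules() {
    wan_if="$1"; vpn_app="$2"; peers="$3"
    printf '*filter\n:FORWARD DROP [0:0]\n:VPN-IN - [0:0]\n:VPN-OUT - [0:0]\n'
    for p in $peers; do
        # only the listed peers may talk to the appliance, in either direction
        printf '%s\n' "-A FORWARD -i $wan_if -s $p -d $vpn_app -j VPN-IN"
        printf '%s\n' "-A FORWARD -o $wan_if -s $vpn_app -d $p -j VPN-OUT"
    done
    for chain in VPN-IN VPN-OUT; do
        # LOG first, then ACCEPT, so tunnel negotiation and ESP show up in syslog
        printf '%s\n' "-A $chain -p udp --dport 500 -j LOG --log-prefix \"IKE: \""
        printf '%s\n' "-A $chain -p udp --dport 500 -j ACCEPT"
        printf '%s\n' "-A $chain -p esp -j LOG --log-prefix \"ESP: \""
        printf '%s\n' "-A $chain -p esp -j ACCEPT"
        printf '%s\n' "-A $chain -p ah -j ACCEPT"
        # anything else aimed at the appliance is logged and dropped
        printf '%s\n' "-A $chain -j LOG --log-prefix \"VPN-DENY: \""
        printf '%s\n' "-A $chain -j DROP"
    done
    printf 'COMMIT\n'
}

# sanity check: number of FORWARD dispatch rules (two per peer)
count_forward_rules() { ipsec_passthrough_rules "$@" | grep -c -- '^-A FORWARD'; }

# usage (constructed addresses):
#   ipsec_passthrough_rules eth0 192.0.2.10 "198.51.100.1 203.0.113.1" | iptables-restore
```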

