Re: VPN software
Wow!! great overview .. AFter all of that... Which do you recommend and
why? Do any of them interoperate with each other? My CISCO client runs
fine over TCP with ipchains NAT.
Re: VPN software
Wed, 28 Nov 2001 13:48:34 -0800 (PST)
Andrew Pritchard said:
Is there a Debian package to set up a VPN? Or am I going to have to
go down the Free SWAN route?
vtun is available in woody and easily compiles in potato.
i started using it about a week ago and it works great. i
would strongly reccomend against any IPSec software including
freeswan if your using NAT of any kind. IPSec is an absolute
nightmare with NAT. i speak from personal experience trying
to get freeswan to talk to another freeswan server for a good
15 hours during a weekend about a year ago. works fine without
NAT but with it ....ugh. very bad experience. i use cisco
vpn 3005s at the company im with and it supports NAT very well
by encapsuating all IPSec packets into UDP packets which easily
travel through NAT gateways. note that this behavior is not
consistant with the RFCs/specs, this is a special thing that
cisco does. at the same time it probably breaks compadiblity
with any client software trying to connect to it that does
not support this feature.
freeswan is not alone in being hard to NAT. it is a problem
with the protocol itself. but it was designed that way
intentionally(from what ive read on the specs, theres docs
on freeswan's website) for security reasons. security is great
but if i can't use it, kind of defeats the purpose for me.
i have also tried sonicwall with similar NAT difficulties.
PPTP is in the same boat as far as difficult to work with NAT.
and contrary to seemingly popular belief(at least among those
ive talked with) IPSec is NOT a TCP or UDP protocol. it uses
UDP for a brief point during initial connection then switches
over to another IP protocol(protocol #59 or something).
ive read that vpns over tcp are bad because it can be more
unreliable. i guess it depends on the situation, i have also
been using vpnd(not packaged i dont think) for about 2 years
with not too many problems. it operates over TCP. vtun
can operate over TCP or UDP(i have it running over UDP
you can see more info on how cisco does their IPSec nat
by searching for ipsec nat on their website. cisco also
offers vpn clients for linux, have not tested them myself
freeswan is not easy to setup(at least it wasn't at the time),
and i saw several reports of freeswan servers flooding ip
addresses long after the connection ended because the server
did not know the connection was gone(that may be fixed now).