
Re: VPN software



Hanasaki JiJi said:
> Wow!! great overview .. After all of that... Which do you recommend
> and why? Do any of them interoperate with each other? My CISCO
> client runs fine over TCP with ipchains NAT.


depends on your OS requirements. vtun only officially
supports freebsd, linux and solaris i believe. vpnd only
officially supports freebsd and linux (a guy i know
ported it to BSD/OS though). vtun requires a kernel
driver for optimal performance (not sure if it's required
period, it might not be..). vpnd does not require any
special drivers.

cisco vpn works decently on win32. i was browsing their
bug reports a couple of days ago and saw that it does not
work with USB network adapters of any kind, specifically
they mentioned direcPC. the client is not capable of
any kind of routing so you cannot use the cisco vpn to
physically connect one network to another. the software
overrides all NAT settings if you have any on the
machine you run it on. it also makes the public IP
unreachable. it also tunnels all of your traffic
(including internet traffic) through the VPN connection,
which slows down the browsing experience for users
with a slow link. it is also not a persistent connection,
turn it on when you need it, turn it off when you don't.

cisco vpn supports radius accounting so it makes it very
easy to determine who is using it, when, how much
data they transferred. i like that very much. if
you want bi-directional mapping between 2 networks
the only way to do it with cisco vpns is with the
fully decked out vpn box. they have smaller hardware
clients that are capable of one-way network mapping
for those that need it, for about half the price.
cisco vpn seems reliable for most any kind of traffic.
it can be hard to debug though. in about 6 months
of using it we only had 1 serious incident where
2 out of 4 of the vpn boxes were crashing CONSTANTLY,
within 5 minutes of booting they'd crash. nothing
had changed on them and the other 2 were fine..
cisco told us it was a known bug and we upgraded and
it was fine again (but what caused it to happen out
of nowhere ??). my boss rebooted a linux firewall
with 200+ days of uptime because he thought it
might be causing it (to be honest i was doubtful who
to blame..), which caused a good 4 hours of WAN downtime
in the middle of a busy day. cisco tech support
is very responsive. another plus ..


vtun/vpnd on the other hand (if you have linux on
both ends) is fully bi-directional, persistent connection,
has no radius accounting though you can have it run
scripts when a link is up/downed for crude accounting.
fully routable (i used vpnd for some time across 4 56k
multilink modems during initial weeks after an office
move while we waited for the t1 to get installed).
vpnd/vtun have so far (vtun been in use only 1 week,
vpnd about 2 years) had in my experience a near
perfect reliability record. never has a machine
crashed from vpnd, links are stable, and since it's
fully routable it is transparent. anywhere on my internal
network at home i can access any of the machines
at any of the 4 remote sites for my company like
i was at my desk in my office.. (i have a 1Mbit/1Mbit
connection)

security is harder with vtun/vpnd. unless you personally
supply the boxes to run it on and monitor them, you
rely on the people running them to maintain good
security. there is nothing stopping an intruder on
that vpn connected machine from accessing the network
on the other side. as the vpnd instructions say
"if your machine isn't secure, don't bother with
vpnd" or something like that. cisco vpn makes you
authenticate every time, so if someone gained access
to the system it would be much more difficult to
abuse network access through the vpn.

i better stop here before i type another
page or 2 :) needless to say i've had a lot
of experience working with different vpns over
the past couple of years ....good for the resume :))

nate
