[ale] IPSec client for Linux?

Michael H. Warfield mhw at wittsend.com
Thu Jun 16 17:43:26 EDT 2005


On Wed, 2005-06-15 at 18:40 -0400, Bob Toxen wrote:
> On Tue, Jun 14, 2005 at 03:36:53PM -0500, ChangingLINKS.com wrote:
> > Does anyone VPN in to their employer's network using anykind of IPSec client
> > for Linux?

> > If I had a solution for that, I think I could stop using windows. On
> > Windows, I'm currently using a Cisco IPsec client to access a customer VPN
> > and a Lucent IPsec client to access Lucent's network.  
> FreeS/WAN is the Open Source standard and it works as well as any IPSec
> implementation does.  (IPSec is garbage and hard to use but it
> is STANDARD garbage and everyone supports it.)

	Define "garbage"?

	IPSec is the transport encryption and it's pretty damn solid and the
basis for many modern VPN's even if they don't say so.  XP uses IPSec
now, instead of PPTP/GRE (which was pure junk).  OpenVPN claims to be
using ESPinUDP encapsulation, which appears to be IPSec, as the
transport, as well, even if they do use SSL/TLS for their
authentication.  Now, I found the OpenVPN v1 to be a royal pain.  Ever
try setting that up for a mesh of more than a few boxes?  Each tunnel
has to have its own unique UDP port and a separate process and the
transport runs in user space (so much for performance).  OpenVPN v2 is
better but still has a ways to go.  They still don't have
multi-connection server-to-server mesh working and IPv6 only works in
client-to-client (v1) mode or tap (bridge) mode (gag).

	What most people mistakenly refer to as IPSec is really IPSec (the
transport encryption) plus IKE (the Keying daemon/protocol).  Most of
the problems with IPSec have to do with IKE.  IKE definitely has some
problems.  Some in the protocol, some in the implimentations.  OpenSWAN
or StrongSWAN used with RSA keys or X.509 certs is not too bad.  IKE v2
is on the horizon, but I'm not sure how much of an improvement it's
going to be vis-a-vis setup.  The protocol is going to be an improvement
but the problem of interfaces will remain.

	IPSec (the transport) use to be a royal pain over NAT devices but
that's pretty much cleared up with NAT-T (IPSec over UDP aka ESPinUDP).
OpenSWAN, StrongSWAN, and IPSec-Tools all support setting up IPSec NAT-T
and even forcing it where necessary.

> I've had a number of clients have me set it up.

	I've set up lots of VPN's for lots of reasons.  I haven't found
OpenSWAN to be much more difficult than OpenVPN or CIPE, and I've found
it to be significantly easier on the processor than userland VPNs and
more robust.  And I really don't trust SSL based VPNs (at least not the
ones using SSL as the transport, such as stunnel).  They could all use
better management interfaces.  OpenSWAN/StrongSWAN is definitely better
than IPSec-Tools (aka setkey/racoon).  While it might be argued that
Racoon gives you a finer grained control over the VPN tunnels, very few
people need that level of control and most that might try to exploit the
features in Racoon that can't be accomplished with Pluto (from OpenSWAN)
would probably just hurt themselves.

> > I know that FC3 has a IPsec client.  Has anyone ever gotten it to work?
> > -- 
> > Wishing you Happiness, Joy, and Laughter,
> > Drew Brown
> > http://www.ChangingLINKS.com
> 
> > (posted for a friend)
> 
> Best regards,
> 
> Bob Toxen, CTO
> Horizon Network Security
> "Your expert in Firewalls, Virus and Spam Filters, VPNs,
> Network Monitoring, and Network Security consulting"
> 
> http://www.verysecurelinux.com       [Network & Linux/Unix Security Consulting]
> http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
> http://www.verysecurelinux.com/sunset.html                    [Sunset Computer]
> bob at verysecurelinux.com (e-mail)

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part




More information about the Ale mailing list