[ale] Poptop

Michael H. Warfield mhw at WittsEnd.com
Tue Mar 14 08:45:32 EST 2006


On Mon, 2006-03-13 at 12:22 -0500, Christopher Fowler wrote:
> I have need for WinXP to VPN into a Linux server.  Is poptop my only
> choice?  I'm looking for something that a dumb user can easily configure
> on the XP side, OSS, and can work when both end points have private
> addresses and going through firewalls.

	Windows XP supports IPSec.  In fact, while I think it supports both the
older pptp and IPSec, I believe that their "newer / modern" default is
to prefer IPSec (and IPSec NAT-T) over pptp, which is really the legacy
stuff now.  Check out the OpenSWAN list and archives.  Someone has
posted a configuration utility and howto for setting up the certificates
and getting XP to talk to OpenSWAN.

	AFA "dumb user" and "easily configure", I guess that all depends on the
value of "dumb".  X.509 certificates are typically easier for the user
because you are frontloading a lot of work into the creation of the
certificates that you just hand to them.  To make it easier, you are
most certainly going to have to do more work on your end so you can
"dumb down" their end to a cookbook howto.  Can be done...

	Last point...  "Both endpoints have private addresses and going through
firewalls..."  Would you like the sun and the moon on a platter with
that as well...  ESP stands for Encrypted Security Payload, not
ExtraSensory Perception.  It depends.  You are rapidly depleting your
options.  IPSec NAT-T (IPSec over UDP) will work this way, but one end
must have a passthrough that will allow the other end to contact it.
Again, check the OpenSWAN list and archives.  If you want something that
will "blindly" work over arbitrary NAT devices on both ends and private
addresses at either end, you are going to have to have a server on
public addresses in the middle to act as a relay.  There are a limited
number of protocols which incorporate a technique called "STUN" (I
forget the RFC) which allow for a server in the middle to mediate direct
client-to-client traffic over NATs at both ends (only the setup traffic goes
through the server), and neither IPSec nor OpenVPN (nor l2tp) is amongst
them (SIP has that ability, as does Teredo for IPv6).  So, if you don't
want to diddle with your NAT configuration on at least one end, your
options are extremely limited (time to learn IPv6 and Teredo - both of
which XP understands).  You are going to have to have something that
will answer to and passthrough from a global unicast address.
	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
