Andrew Pritchard said:
> Is there a Debian package to set up a VPN? Or am I going to have to
> go down the Free SWAN route?
vtun is available in woody and easily compiles in potato. I started using it about a week ago and it works great.

I would strongly recommend against any IPSec software, including freeswan, if you're using NAT of any kind. IPSec is an absolute nightmare with NAT. I speak from personal experience trying to get freeswan to talk to another freeswan server for a good 15 hours during a weekend about a year ago. Works fine without NAT, but with it... ugh. Very bad experience.

I use Cisco VPN 3005s at the company I'm with and it supports NAT very well by encapsulating all IPSec packets into UDP packets, which easily travel through NAT gateways. Note that this behavior is not consistent with the RFCs/specs; this is a special thing that Cisco does. At the same time it probably breaks compatibility with any client software trying to connect to it that does not support this feature.

freeswan is not alone in being hard to NAT. It is a problem with the protocol itself, but it was designed that way intentionally (from what I've read of the specs; there are docs on freeswan's website) for security reasons. Security is great, but if I can't use it, that kind of defeats the purpose for me. I have also tried SonicWall with similar NAT difficulties. PPTP is in the same boat as far as being difficult to work with NAT.

And contrary to seemingly popular belief (at least among those I've talked with), IPSec is NOT a TCP or UDP protocol. It uses UDP for a brief point during initial connection, then switches over to another IP protocol (protocol #59 or something).

I've read that VPNs over TCP are bad because they can be more unreliable. I guess it depends on the situation; I have also been using vpnd (not packaged, I don't think) for about 2 years with not too many problems. It operates over TCP. vtun can operate over TCP or UDP (I have it running over UDP currently).

You can see more info on how Cisco does their IPSec NAT by searching for "ipsec nat" on their website.
Cisco also offers VPN clients for Linux; I have not tested them myself yet though. freeswan is not easy to set up (at least it wasn't at the time), and I saw several reports of freeswan servers flooding IP addresses long after the connection ended because the server did not know the connection was gone (that may be fixed now).

hth
nate
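A toy model of the NAT problem nate describes, added here as an illustration (not code from this thread, from freeswan, vtun or any Cisco product): a port-based NAT has nothing to rewrite in an ESP packet (IP protocol 50, the non-TCP/UDP protocol IPsec switches to after the initial IKE exchange on UDP/500), so at best one inside host per peer gets through, whereas UDP-encapsulated IPsec (the Cisco approach, later standardised as NAT-T on UDP/4500) gets its own port mapping like any other UDP flow. The gateway class, addresses and SPIs are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50                   # ESP carries an SPI but no transport ports
IKE_PORT, NAT_T_PORT = 500, 4500   # IKE; UDP-encapsulated ESP (NAT-T)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None   # None for portless protocols such as ESP
    dst_port: Optional[int] = None
    spi: Optional[int] = None        # opaque to the NAT; constructed values


class PatGateway:
    """Many-to-one NAT: many private hosts share one public IP (constructed model)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.port_map = {}   # (proto, private_ip, private_port) -> public port
        self.esp_owner = {}  # peer_ip -> the one private host allowed ESP to it

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the private side; None means dropped."""
        if pkt.proto == IPPROTO_ESP:
            # Only the source IP can be rewritten. The most a NAT can do is
            # remember one ESP 'session' per peer; a second inside host using
            # ESP to the same peer is indistinguishable on the return path, so
            # it is dropped. This is the failure behind 'IPsec hates NAT'.
            owner = self.esp_owner.setdefault(pkt.dst_ip, pkt.src_ip)
            if owner != pkt.src_ip:
                return None
            return Packet(self.public_ip, pkt.dst_ip, pkt.proto, spi=pkt.spi)
        if pkt.src_port is None:
            return None   # other portless protocol (e.g. AH): nothing to map on
        # UDP/TCP: allocate a unique public port per private (ip, port) pair.
        # IKE on UDP/500 and UDP-encapsulated ESP on UDP/4500 both land here,
        # which is exactly why UDP encapsulation makes IPsec NAT-friendly.
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.port_map:
            self.port_map[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst_ip, pkt.proto,
                      self.port_map[key], pkt.dst_port, pkt.spi)
```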