On 12/11/13 19:29, Daniel Polak wrote:
> ==== Original message from Kapetanakis Giannis at 8-11-2013 13:38
>> I would like to discuss some suggestions about VPN to multiple road
>> warriors.
>>
>> So far we're using OpenVPN, but I want to change that or maybe
>> offer L2TP/IPsec in addition to OpenVPN.
> Have you considered using isakmpd?

Yes, my test implementation was with isakmpd and npppd. The problem is the authentication on the IPsec path.
I don't want to use the same PSK for everyone.

>> Playing around with npppd was straightforward and I was quite
>> impressed with it. Good job.
>> EAP-TLS would also be a very nice feature to have.
>>
>> What I'm wondering is what you guys do to set up the IPsec path of the
>> tunnel.
>>
>> One option is to use a unique pre-shared key for all clients. But this
>> is probably insecure since
>> it opens MITM attacks. Isn't it?
>>
>> The best option would be to use a PKI infrastructure for your clients.
>> Isn't that a pain in the ass for users (user registration, key
>> deliveries etc.)?
>> How do you guys manage this for best user experience and compatibility
>> with most OSes?
> PKI is a bit of a PITA but it is doable. You could use a PKCS#12 package
> to deliver the certificates to the client.
>
> Daniel


Agree with you that PKI is a PITA, especially for the users.

I'm thinking of a solution with either OpenCA or Dogtag where the user would ideally
log in, generate and download their certificate...

However, the whole process is much more difficult for the end user than
New Connection -> Define Connection type -> Enter username/password -> done.

IKEv2 looks promising, but I don't know if it's supported in anything other than Windows 8. I want to cover Windows XP, 7, Vista, 8, Mac OS X (xxx) and various flavors of Linux + smartphones.

The only type that works on all of these is PPTP, but this sucks a lot in terms of security...

G
