What's running on your laptop?

With the Shrew Soft VPN client (ike and ike-qtgui on Ubuntu) packages, you *might* get an IPSec connection going, but NAT on your laptop/remote end will likely trip things up. I would recommend steering clear of IPSec.

OpenVPN is the VPN of choice for road warriors. On the home/server end, I use IPCop. It's a full-featured firewall distro that contains OpenVPN (and IPSec) as well as a slew of other features. It will run nicely on an old P-III system, with as little as 128M of RAM and a 1G HDD. Find an old desktop system that's going to be scrapped, throw a 2nd NIC in it, and you're ready to roll. You'll need a switch behind it for your LAN/Green subnet, but those are dirt cheap as well.

--
-Eric 'shubes'


On 06/24/2012 01:21 PM, Mark Phillips wrote:
Stephen,

Thanks....there are tons of options on the device. But I read that I
need a vpn server on my LAN.....other posts say no.....Most of the
information I found in forums is several years old, so I thought someone
with more experience than me could point me to a better manual. I read
this http://www.debian-administration.org/articles/489, but again it is
over 5 years old, so perhaps there is a better solution?

This is the manual page from the BEFSX41.....I am not completely sure
which options to use. Plus, I assume I may need something running on my
laptop - OpenVPN? Do I need a VPN server on my LAN, or something else,
to be able to login to my different machines?

Mark

*VPN Passthrough*

This Router supports IPSec, PPTP, and PPPoE Passthrough. You can select
either *Enable* or *Disable* for these options.

------------------------------------------------------------------------

*VPN*

*Select Tunnel Entry* - Select the tunnel number you want to set up.

*Delete* - Click this to remove any entries made for the tunnel you
selected.

*Summary* - Click this button to display the status of all the tunnels.

*IPSec VPN Tunnel* - Select *Enabled* to create a tunnel or *Disabled* to
close the tunnel.

*Tunnel Name* - Once the tunnel is enabled, enter an arbitrary name for
the tunnel you are about to create.

*Local Secure Group*

This allows you to grant local computer access to this tunnel.

Subnet - This will allow all computers on the local subnet to access the
tunnel. Enter the IP Address and Mask to allow access to the tunnel.
IP Addr. - This only allows the local computer with the specified IP
address. Enter the IP address you want to allow access to the tunnel.
IP Range - This allows a range of local computers to access the tunnel.
Enter the IP address range allowed to access the tunnel.

*Remote Secure Group*

This allows you to grant remote computers access to this tunnel.

Subnet - This will allow all computers on the remote subnet to access the
tunnel. Enter the IP Address and Mask to allow access to the tunnel.
IP Addr. - This only allows the remote computer with the specified IP
address. Enter the IP address you want to allow access to the tunnel.
IP Range - This allows a range of remote computers to access the tunnel.
Enter the IP address range allowed to access the tunnel.
Host - When this is selected, the settings will be the same as the Remote
Security Gateway.
Any - This option will allow any IP address from a remote location to
access this tunnel.

*Remote Secure Gateway*

This sets the remote end of the VPN tunnel. You can either specify the
IP address, Domain, or Any.

IP Addr. - Enter the IP address of the remote tunnel you will connect.
Domain - This option lets you enter the fully qualified domain name. If
you do not have an IP address, you have an option to enter the domain of
the tunnel you are connecting to.
Any - This will allow any tunnel connection to be established.

*Encryption*

DES - Data Encryption Standard (DES) is a type of encryption for this VPN
tunnel. If you select this option, make sure the other end of the tunnel
uses the same encryption type.
3DES - Triple Data Encryption Standard (3DES) is a stronger type of
encryption for this VPN Tunnel. If you select this option, make sure the
other end of the tunnel uses the same encryption type.
Disable - This option will not encrypt for this tunnel.

*Authentication*

MD5 - Message-Digest Algorithm (MD5) - Generates 128-bit message digest
based on the input. If you select this option, make sure the other end
of the tunnel uses the same authentication type.
SHA - Secure Hash Algorithm (SHA) - Generates 160-bit message digest based
on the input. If you select this option, make sure the other end of the
tunnel uses the same authentication type.
Disabled - This option will not authenticate for this tunnel.

*Key Management*

In order for any encryption to occur, the two ends of the tunnel must
agree on the type of encryption. This is done by sharing a "key" to
encrypt code. You can select *Auto (IKE)* or *Manual*.

*Automatic Key Management*

PFS - Perfect Forward Secrecy (PFS) ensures that the initial key exchange
and IKE proposal are secure. This must be the same for both ends of the
tunnel.
Pre-shared Key - Enter a series of numbers and letters that will be used as
your key. This must be the same for both ends of the tunnel.
Key Lifetime - Enter a number of seconds for the life of the key. After the
key lifetime expires, a new code will be generated. This must be the
same for both ends of the tunnel.

*Manual Key Management*

Encryption key - Enter a series of letters or numbers to generate an
encryption key. This must be the same for both ends of the tunnel.
Authentication Key - Enter a series of letters or numbers to generate an
authentication key. This must be the same for both ends of the tunnel.
Inbound SPI - Enter a series of letters or numbers to generate the Inbound
SPI. This must match the outbound SPI on the other end of the tunnel.
Outbound SPI - Enter a series of letters or numbers to generate the
outbound SPI. This must match the inbound SPI on the other end of the
tunnel.

*Status* - This will show if you are connected or disconnected from the
other end of the VPN tunnel.

*Connect/Disconnect* - This button will connect or disconnect the other
end of the VPN tunnel.

*View Log* - This will show you the VPN activity when connecting and
disconnecting.

*Advanced Settings*

Phase 1 is used to create a Security Association (SA), often called the
IKE SA. After Phase 1 is completed, Phase 2 is used to create one or
more IPSec SAs, which are then used to key IPSec sessions.

*Operation Mode*

Main - This is for normal operation and is more secure.
Aggressive - This is faster and less secure.
Username - Some require username to establish a VPN connection.

Encryption - Select the length of the key used to encrypt/decrypt ESP
packets. There are two choices: DES and 3DES. 3DES is recommended for
security.
Authentication - Select the method used to authenticate ESP packets. There
are two choices: MD5 and SHA. SHA is recommended for security.
Group - There are two Diffie-Hellman Groups to choose from: 768-bit and
1024-bit. Diffie-Hellman refers to a cryptographic technique that uses
public and private keys for encryption and decryption.
Key Lifetime - Enter a number of seconds for the life of the key. After the
key lifetime expires, a new code will be generated. This must be the
same for both ends of the tunnel.

*Phase 2*

Group - There are two Diffie-Hellman Groups to choose from: 768-bit and
1024-bit. Diffie-Hellman refers to a cryptographic technique that uses
public and private keys for encryption and decryption.
Key Lifetime - Enter a number of seconds for the life of the key. After the
key lifetime expires, a new code will be generated. This must be the
same for both ends of the tunnel.

*Other Setting*

NetBIOS broadcast - Check this to enable NetBIOS traffic to pass through
the VPN tunnel.
Anti-replay - Check this to enable the Anti-replay protection. This feature
keeps track of sequence numbers and packet arrival, ensuring security at
the IP packet-level.
Keep-Alive - Check this to re-establish VPN tunnel connection whenever it
is dropped. Once the tunnel is initialized, this feature will keep the
tunnel connected.
If IKE failed more than x Times, block this unauthorized IP for y
seconds. - Check this box to block unauthorized IP addresses. Complete the
on-screen sentence to specify how many times IKE must fail before
blocking that unauthorized IP address for a length of time that you
specify (in seconds).



On Sun, Jun 24, 2012 at 1:02 PM, Stephen <cryptwo...@gmail.com> wrote:

    Rtfm?

    It really depends on what your options in the vpn device are.

    On Jun 24, 2012 1:00 PM, "Mark Phillips" <m...@phillipsmarketing.biz> wrote:

        I need to take my laptop on several road trips, and I need to
        connect back to my home office LAN - all Debian machines. I am
        on COX cable with a BEFSX41 router. The BEFSX41 has a VPN option
        that I have never used. What do I need to add to my laptop
        (Debian) to talk to my home office LAN securely (ie through a
        VPN) using my BEFSX41? Obviously, I am a complete nube when it
        comes to setting up VPN access to my LAN. I have googled for
        some recommendations, but I have not found a good reference to
        follow.

        Thanks,

        Mark

        ---------------------------------------------------
        PLUG-discuss mailing list -
        PLUG-discuss@lists.plug.phoenix.az.us
        <mailto:PLUG-discuss@lists.plug.phoenix.az.us>
        To subscribe, unsubscribe, or to change your mail settings:
        http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
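
Added example, not part of the original thread or of the router's firmware: the manual text quoted above says several tunnel settings must be the same on both ends and that each inbound SPI must match the peer's outbound SPI. The Python below checks two endpoint configs against those rules and flags the choices the manual itself ranks lower; the field names and sample values are hypothetical.

```python
# Added example. Field names are hypothetical labels for the form fields in
# the quoted manual text; both sample configs are constructed.
MUST_MATCH = ("encryption", "authentication", "pfs", "psk", "key_lifetime")
# Choices the manual text ranks below the alternative or that switch
# protection off.
DISCOURAGED = {
    "encryption": {"DES", "Disable"},
    "authentication": {"MD5", "Disabled"},
    "mode": {"Aggressive"},
}

def audit_pair(a, b):
    """Return findings for the two ends (a, b) of one tunnel."""
    findings = []
    for field in MUST_MATCH:
        if a.get(field) != b.get(field):
            # Report the field name only, so a pre-shared key is never printed.
            findings.append(f"mismatch:{field}")
    # Assumption (usual for a site-to-site tunnel, not stated in the manual
    # text): one end's Local Secure Group is the peer's Remote Secure Group.
    for x, y, label in ((a, b, "a.local/b.remote"), (b, a, "b.local/a.remote")):
        if x.get("local_group") != y.get("remote_group"):
            findings.append(f"mismatch:{label}")
    # Manual keying: inbound SPI here must equal outbound SPI on the peer.
    if "Manual" in (a.get("keying"), b.get("keying")):
        for x, y, label in ((a, b, "a.in/b.out"), (b, a, "b.in/a.out")):
            if x.get("inbound_spi") != y.get("outbound_spi"):
                findings.append(f"mismatch:spi:{label}")
    for name, cfg in (("a", a), ("b", b)):
        for field, bad in DISCOURAGED.items():
            if cfg.get(field) in bad:
                findings.append(f"discouraged:{name}.{field}={cfg[field]}")
    return findings

# Constructed sample data: a home gateway and a remote end that disagree.
SAMPLE_HOME = {"encryption": "3DES", "authentication": "SHA", "pfs": True,
               "psk": "constructed-psk", "key_lifetime": 3600, "mode": "Main",
               "keying": "Auto", "local_group": "192.168.1.0/24",
               "remote_group": "10.8.0.0/24"}
SAMPLE_LAPTOP = {"encryption": "DES", "authentication": "SHA", "pfs": False,
                 "psk": "constructed-psk", "key_lifetime": 28800,
                 "mode": "Aggressive", "keying": "Auto",
                 "local_group": "10.8.0.0/24", "remote_group": "192.168.1.0/24"}

if __name__ == "__main__":
    for finding in audit_pair(SAMPLE_HOME, SAMPLE_LAPTOP):
        print(finding)
```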
