Re: Big VPN

2004-03-03 Thread Jarosław Tabor
Hello!

In the letter of Tue, 02-03-2004, at 22:57, Richard Atterer writes: 

 Does each of these 100 LANs need to connect to *any* other LAN, or just to 
 your LAN? Are the LANs real LANs or do you only want to connect single 
 road warrior machines to your LAN?

Generally I need the possibility to connect from every LAN to every LAN.
It can be up to a few simultaneous connections, but there is no rule.
All LANs are real LANs with a few to tens of peers. Of course not all
of them have to talk to the others, and for sure not at the same time.
Generally I expect about 10 outgoing simultaneous connections per LAN.

 What's wrong with IPSec with X.509 certificates? You can give out a signed
 certificate to all people who should get access to your network, and remove 
 individual people from the allowed list if necessary. IPSec works with 
 all OSes as clients. The only downside (IMHO) is that the server can be 
 fairly complex to set up for this kind of scenario.

I don't know IPSec so well, so one question: if I add a new node
(LAN), do I need to update the configuration of all the others about it?
This is my biggest concern...

 http://www.freeswan.org/ - you've seen this already I guess :)
 http://www.natecarlson.com/linux/ipsec-x509.php
 http://www.ipsec-howto.org/ - new kernel 2.6.0 IPSec
 http://ipsec.math.ucla.edu/services/ipsec.html
 http://lugbe.ch/action/reports/ipsec_htbe.phtml
 http://vpn.ebootis.de/

THX!

best regards
Jarek


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Big VPN

2004-03-03 Thread Richard Atterer
On Wed, Mar 03, 2004 at 09:39:06AM +0100, Jarosław Tabor wrote:
 I don't know IPSec so well, so one question: if I add a new node
 (LAN), do I need to update the configuration of all the others about it? This is
 my biggest concern...

I'm not so sure about this - anybody else?

But I think it's possible - with X.509 certificates, shouldn't you be able 
to

 1) Set up one root CA (certificate authority), which issues certificates 
and a revocation list
 2) Sign the individual LANs' certificates with that CA's key
 3) Tell all IPSec routers in your LANs to trust certificates with a 
signature by the root CA
 4) Now, when one LAN A connects to another B for the first time, A can
send its own signed certificate. B allows the connection to be set up 
due to the fact that A's certificate carries a signature of the CA.

This means that each of your 100 LANs only needs a copy of the root CA's 
certificate in order to connect to any other LAN.

You must maintain a CRL (certificate revocation list) to be able to remove
certain LANs from your big VPN without updating all nodes. See the PDF
which is the first link on http://www.strongsec.com/freeswan/, sections
3.1 and 3.2.

HTH,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯
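
The PKI Richard sketches above, as an added example that is not part of the thread (my own script, not FreeS/WAN's or Openswan's code): one root CA, one certificate per LAN router, and a CRL that cuts a LAN off without touching the other routers. The host names ipsec42/ipsec07/ipsec99.mydomain.net follow the thread's naming scheme, the rogue ipsec99 certificate is constructed for the demonstration, and the only tool assumed is the openssl command line.

```shell
#!/bin/sh
# Added example, not from the thread: a miniature of the X.509 scheme described
# above. Every router gets only ca.crt plus the current CRL; that is all it
# needs to decide whether a peer's certificate should be accepted.
set -eu

# Step 1: create the directory layout that 'openssl ca' expects, the root
# key/certificate, and an initial (empty) CRL.
vpn_ca_init() (
    cd "$1"
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = vpn_ca
[ vpn_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Big VPN Root CA" -days 365 >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
)

# Step 2: issue a certificate for one LAN's IPSec router (argument 2 is its
# host name, e.g. ipsec42.mydomain.net). The router keeps the private key;
# only the CSR travels to the CA.
vpn_ca_issue() (
    cd "$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl ca -config ca.cnf -batch -notext -in "$2.csr" -out "$2.crt" \
        >/dev/null 2>&1
)

# Removing a LAN: revoke its certificate and publish a fresh CRL. The CRL is
# the only file the other 99 routers have to refresh.
vpn_ca_revoke() (
    cd "$1"
    openssl ca -config ca.cnf -revoke "$2.crt" >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
)

# Steps 3 and 4: what router B does with the certificate router A presents.
# B trusts only ca.crt and consults the CRL; prints "accept" or "reject".
vpn_peer_check() (
    cd "$1"
    cat ca.crt ca.crl > trust.pem
    if openssl verify -crl_check -CAfile trust.pem "$2.crt" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
)

# Scenario: ipsec42 and ipsec07 are enrolled, ipsec07 is later removed, and
# ipsec99 (constructed rogue node) shows up with a self-signed certificate.
vpn_demo() {
    d="$(mktemp -d)"
    vpn_ca_init "$d"
    vpn_ca_issue "$d" ipsec42.mydomain.net
    vpn_ca_issue "$d" ipsec07.mydomain.net
    vpn_ca_revoke "$d" ipsec07.mydomain.net
    ( cd "$d" && openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout ipsec99.mydomain.net.key -out ipsec99.mydomain.net.crt \
        -subj "/CN=ipsec99.mydomain.net" -days 365 >/dev/null 2>&1 )
    printf '%s %s %s\n' \
        "$(vpn_peer_check "$d" ipsec42.mydomain.net)" \
        "$(vpn_peer_check "$d" ipsec07.mydomain.net)" \
        "$(vpn_peer_check "$d" ipsec99.mydomain.net)"
    rm -rf "$d"
}

vpn_demo
```

Running it prints the three verdicts in order: the enrolled router is accepted, the revoked one and the self-signed impostor are rejected, even though no router other than the CA ever learned about ipsec07's removal except through the CRL.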





Re: Big VPN

2004-03-03 Thread Dariush Pietrzak
 What is Racoon like in terms of configuration ease? I've used FreeSWAN and 
 whilst it's not the easiest to set up, once you've got your head around it, 
 it does make sense.
Racoon makes sense from the start;)

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9





Re: Big VPN

2004-03-03 Thread Richard Atterer
Hi, CCing the list again because other people might have cleverer ideas. I 
hope you don't mind, Jaroslaw.

On Wed, Mar 03, 2004 at 11:36:27AM +0100, Jarosław Tabor wrote:
 That's OK. But what about routing? How to inform the other nodes about a new
 subnet? I think that this will require some kind of dynamic routing and
 IPSec on demand. But, as I see from the freeswan and openswan docs, this isn't
 supported.

Hmm, you are right... The only solution I see ATM is to pre-configure an
appropriate amount of subnets on each LAN's IPSec router in advance, say
200. :-/ LAN number n gets the network 10.0.n.0/24, and its IPSec router is
set up as ipsecn.mydomain.net.

Later, when network number 42 has been set up to use 10.0.42.0/24, you only
need to update the DNS entry of ipsec42.mydomain.net and all other LANs 
should be able to use it. (New IPSec links will be set up on demand once 
anyone tries to connect to the new network.)

Obviously, an alternative would be to have one central node which acts as
a router between any two LANs. This will be much easier to maintain; I
don't know if the resulting single point of failure and possibly lower
performance are a problem for you. Each of the 100 LANs would just route
all 10.0.0.0/16 addresses to the central node, and only the central node
would be trusted, so you don't have to mess with CAs etc...

Cheers,

  Richard

--
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯





Re: Big VPN

2004-03-03 Thread Jarosław Tabor
In the letter of Wed, 03-03-2004, at 12:07, Richard Atterer writes: 

 Later, when network number 42 has been set up to use 10.0.42.0/24, you only
 need to update the DNS entry of ipsec42.mydomain.net and all other LANs 
 should be able to use it. (New IPSec links will be set up on demand once 
 anyone tries to connect to the new network.)

This looks interesting. I didn't see anything in the docs about on-demand
connections. The docs state that during startup all tunnels are started,
making startup very long. 
Additionally, I don't need all tunnels permanently open when there is
no traffic. Every LAN needs to have the possibility to connect to another, but
may never use most of them.
Typically, there will be a few outgoing connections per LAN.

 Obviously, an alternative would be to have one central node which acts as
 a router between any two LANs. This will be much easier to maintain; I
 don't know if the resulting single point of failure and possibly lower
 performance are a problem for you. Each of the 100 LANs would just route
 all 10.0.0.0/16 addresses to the central node, and only the central node
 would be trusted, so you don't have to mess with CAs etc...

Not acceptable due to the traffic and reliability.

best regards
Jarek





Re: Big VPN

2004-03-03 Thread Milan P. Stanic
On Wed, Mar 03, 2004 at 08:54:38AM +0100, Dariush Pietrzak wrote:
  FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as
  such it does not work with 2.6.
 That is untrue. 
 1.x branch works with 2.4.x kernels, 2.x branch works with 2.6.x

Right! I shouldn't write mail at 01:25 after midnight :-)
I used freeswan for years but I'm switching to racoon so I don't
follow freeswan (or openswan) anymore. Sorry for the inconvenience.





Re: Big VPN

2004-03-03 Thread I.R. van Dongen
On Wed, 3 Mar 2004 12:07:23 +0100
Richard Atterer [EMAIL PROTECTED] wrote:

 Hi, CCing the list again because other people might have cleverer
 ideas. I hope you don't mind, Jaroslaw.
 
 On Wed, Mar 03, 2004 at 11:36:27AM +0100, Jarosław Tabor wrote:
  That's OK. But what about routing? How to inform the other nodes about
  a new subnet? I think that this will require some kind of dynamic
  routing and IPSec on demand. But, as I see from the freeswan and
  openswan docs, this isn't supported.

Tinc does full mesh :)
You only need to add the new subnets to one other node to make it work
on all subnets, it keeps an internal routing table.





Re: Big VPN

2004-03-03 Thread J.H.M. Dassen (Ray)
On Wed, Mar 03, 2004 at 01:25:46 +0100, Milan P. Stanic wrote:
 FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as
 such it does not work with 2.6.

"For Kernel's 2.6.0 and higher, Openswan uses the built in IPsec support.
Only the userland component of Openswan is required to use Openswan with a
2.6 series kernel. 
[...] 
Note: you will need setkey from the ipsec-tools package, available from
http://ipsec-tools.sourceforge.net"
(From http://www.openswan.org/code/openswan-2.1.0rc1.tar.gz's README)

The way I read it is that the userland part of Openswan works fine with 2.6,
it's just that with a 2.6 kernel its IPSec kernel part is used rather than
an Openswan or FreeS/WAN one as was the case with 2.4 (which didn't have an
IPSec kernel part by default).

Ray
-- 
Those who are willing to trade their liberty for security deserve neither.
Benjamin Franklin



Re: Big VPN

2004-03-03 Thread Dariush Pietrzak
 think an acceptable user-land alternative might be openvpn.  I would
I don't think openvpn would easily handle such a large number of connections;
it would also be a configuration nightmare.
tinc was designed to handle such a scenario, but I wouldn't use anything
user-land for ~100 LANs, no matter how maintainable the configuration is.
I guess the best bet is kernel 2.6.x and racoon-based key management. 

Oh, and btw, if you're going to use FreeS/WAN, better look at 
http://www.openswan.org, they've got the good code. (And backwards
compatible: if you've got a frees/wan based network and want to upgrade to
2.4.25 you're out of luck with free s/wan - they migrated to 2.x with the newer
kernel, and it means you need to upgrade your userland tools, and probably
tune the configuration a bit. Openswan works nicely with upgrades.)

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9



Re: Big VPN

2004-03-03 Thread Dariush Pietrzak
 FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as
 such it does not work with 2.6.
That is untrue. 
1.x branch works with 2.4.x kernels, 2.x branch works with 2.6.x
-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9



Re: Big VPN

2004-03-03 Thread Ronny Adsetts

Milan P. Stanic was heard to utter, at roughly 03/03/04 00:25:

 On Tue, Mar 02, 2004 at 03:37:52PM -0600, Jacques Normand wrote:
  On Tue, Mar 02, 2004 at 10:08:22PM +0100, J.H.M. Dassen (Ray) wrote:
   If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
   likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
   of security you're looking for in a VPN.

  And what about the ipsec system in the 2.6 kernel (KAME) and the racoon
  daemon for initial key exchange? It does the same work as freeswan but
  it is still developed..

 FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as
 such it does not work with 2.6.

As others have mentioned, v2 of both FreeSWAN and OpenSWAN work with the 
native IPSEC stack of 2.6.x. You do need the ipsec-tools package too.

 I'm not sure but I think that Herbert Xu (Debian kernel maintainer)
 added patches to pluto (FreeS/WAN IKE daemon) to work with IPSec in
 the kernel 2.6.x

Herbert also added the backport of the native IPSEC stack from 2.6 to the 
Debian kernels from 2.4.22 onwards IIRC. It's certainly in 2.4.25. I've not 
tried these kernels and the native IPSEC in combination with FreeSWAN yet 
but intend to do so soon.

 Racoon is in FreeBSD for few years and is actively developed.

What is Racoon like in terms of configuration ease? I've used FreeSWAN and 
whilst it's not the easiest to set up, once you've got your head around it, 
it does make sense.

Ronny
--
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com



Big VPN

2004-03-02 Thread Jaroslaw Tabor
Hi all!

I know that this list isn't the best place to ask, but I'm reading this
list for years. I hope You will forgive me :)

I'm looking for a good linux (debian of course) based solution for a VPN
connecting about 100 LANs. The solution should be stable, easy for
implementation and easy for management. I've some experience with VPNs
based on PPTPd, but not so big. I've reviewed freeswan and the OE feature.
This looks nice, but I'm afraid about security. If I understand this
solution right, there is no authentication at all. So everyone can
connect to the LANs if he will spoof IP. I need something better,
because I cannot trust the LAN users. To avoid that, I have an idea, to use
some kind of secure DNS, which will answer only to authorized peers, but
I don't know how to do it.
Finally, the questions:
Did someone successfully build such a network? If yes, how?
Do You know any other VPN solution for this problem?
If my idea isn't so bad, how to add secure authentication for the OE
solution?
Is there any solution to easily manage keys in so big a network, if I will
choose freeswan (or other) without OE?

best regards
Jarek
PS: Sorry, for my poor english, I'm not a native speaker.






Re: Big VPN

2004-03-02 Thread I.R. van Dongen
Jaroslaw Tabor wrote:

 Hi all!

 I know that this list isn't the best place to ask, but I'm reading this
 list for years. I hope You will forgive me :)
 I'm looking for a good linux (debian of course) based solution for a VPN
 connecting about 100 LANs. The solution should be stable, easy for
 implementation and easy for management. I've some experience with VPNs
 based on PPTPd, but not so big. I've reviewed freeswan and the OE feature.
 This looks nice, but I'm afraid about security. If I understand this
 solution right, there is no authentication at all. So everyone can
 connect to the LANs if he will spoof IP. I need something better,
 because I cannot trust the LAN users. To avoid that, I have an idea, to use
 some kind of secure DNS, which will answer only to authorized peers, but
 I don't know how to do it.
 Finally, the questions:
 Did someone successfully build such a network? If yes, how?
 Do You know any other VPN solution for this problem?
 If my idea isn't so bad, how to add secure authentication for the OE
 solution?
 Is there any solution to easily manage keys in so big a network, if I will
 choose freeswan (or other) without OE?

You might want to check tinc (http://tinc.nl.linux.org)

 best regards
 Jarek
 PS: Sorry, for my poor english, I'm not a native speaker.

me neither :)

Gr,

Ivo



Re: Big VPN

2004-03-02 Thread J.H.M. Dassen (Ray)
On Tue, Mar 02, 2004 at 21:41:34 +0100, Jaroslaw Tabor wrote:
 I've reviewed freeswan and the OE feature. This looks nice, but I'm afraid
 about security.

If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
of security you're looking for in a VPN.

 If I understand this solution right there is no authentication at all.

With OE that may be true. For a VPN you shouldn't configure OE, but use one
of the authentication methods in IPSec, like RSA digital signatures, or a
shared secret.

http://en.wikipedia.org/wiki/IPSEC provides a nice overview of IPSec.

HTH,
Ray
-- 
AJ: Geeez, Erwin. He wasn't even ARMED.
Erwin: I don't care. I have lots of ammo and he was wearing a TIE.
http://ars.userfriendly.org/cartoons/?id=20010209





Re: Big VPN

2004-03-02 Thread Jacques Normand
On Tue, Mar 02, 2004 at 10:08:22PM +0100, J.H.M. Dassen (Ray) wrote:
 On Tue, Mar 02, 2004 at 21:41:34 +0100, Jaroslaw Tabor wrote:
  I've reviewed freeswan and the OE feature. This looks nice, but I'm afraid
  about security.
 
 If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
 likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
 of security you're looking for in a VPN.

And what about the ipsec system in the 2.6 kernel (KAME) and the racoon
daemon for initial key exchange? It does the same work as freeswan but
it is still developed..

jacques





Re: Big VPN

2004-03-02 Thread Richard Atterer
On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
 You might want to check tinc (http://tinc.nl.linux.org)

I strongly recommend *not* to use tinc. 
http://www.securityfocus.com/archive/1/249142 illustrates that the
authors didn't have enough expertise to build a secure tool 2 years ago.
The problems were still present last autumn, see
http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record!

With VPN software, IPSec is the only real option if you want to be certain
it is secure.

 Jaroslaw Tabor wrote:
 I'm looking for good linux (debian of course) based solution for VPN
 connecting about 100 LANs. The solution should be stable, easy for
 implementation and easy for management. I've some experience with VPNs
 based on PPTPd, but not so big.

PPTP is also believed not to be quite insecure, see
http://www.schneier.com/pptp-faq.html (NB old!). A small number of people
believe it's OK these days due to some improvements made by Microsoft
http://www.schneier.com/paper-pptpv2.html, but I still wouldn't recommend
it.

Does each of these 100 LANs need to connect to *any* other LAN, or just to 
your LAN? Are the LANs real LANs or do you only want to connect single 
road warrior machines to your LAN?

 I've reviewed freeswan and the OE feature. This looks nice, but I'm afraid
 about security. If I understand this solution right there is no
 authentication at all. So every one can connect to the LANs if he will
 spoof IP.

I don't think it is the right thing for you, yes. Its main objective (in my 
eyes) is to protect general internet traffic from people who are not 
willing/able to do man-in-the-middle attacks, i.e. from people who just 
sniff on the wire. At least that's what it boils down to as long as no 
secure DNS is available...

 I need something better, because I cannot trust to LAN users. To avoid
 that, I have idea, to use some kind of secure DNS, which will answer
 only to authorized peers, but I don't know how to do it.

What's wrong with IPSec with X.509 certificates? You can give out a signed
certificate to all people who should get access to your network, and remove 
individual people from the allowed list if necessary. IPSec works with 
all OSes as clients. The only downside (IMHO) is that the server can be 
fairly complex to set up for this kind of scenario.

Secure DNS doesn't exist today, does it?

 Finally, the questions:
 Did someone successfully build such a network? If yes, how?

Well, since I'm in the mood of handing out URLs today ;-), here are some
useful pages I found about IPSec setups involving both Linux and Windows
clients.

http://www.freeswan.org/ - you've seen this already I guess :)
http://www.natecarlson.com/linux/ipsec-x509.php
http://www.ipsec-howto.org/ - new kernel 2.6.0 IPSec
http://ipsec.math.ucla.edu/services/ipsec.html
http://lugbe.ch/action/reports/ipsec_htbe.phtml
http://vpn.ebootis.de/

 Is there any solution to easily manage keys in so big network, if I will
 choose freeswan (or other) without OE?

100 VPN connections isn't /that/ much, I think FreeS/WAN or the 2.6.0 IPSec 
should be able to handle it. (Maybe ask the developers to ensure it does.)

 PS: Sorry, for my poor english, I'm not a native speaker.
 me neither :)
Ditto. :-)

ü,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯





Re: Big VPN

2004-03-02 Thread I.R. van Dongen
Richard Atterer wrote:

 On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
  You might want to check tinc (http://tinc.nl.linux.org)

 I strongly recommend *not* to use tinc. 
 http://www.securityfocus.com/archive/1/249142 illustrates that the
 authors didn't have enough expertise to build a secure tool 2 years ago.
 The problems were still present last autumn, see
 http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record!

 With VPN software, IPSec is the only real option if you want to be certain
 it is secure.

Nice, the first article is based on an alpha version (pre-beta) of tinc, 
you didn't include the official answer.

This sounds a lot like FUD, are you the author of a competitive product?

Gr,

Ivo

PS. cc: to tinc mailinglist





Re: Big VPN

2004-03-02 Thread Jan Minar
On Wed, Mar 03, 2004 at 12:18:32AM +0100, I.R. van Dongen wrote:
 Richard Atterer wrote:
  On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
   You might want to check tinc (http://tinc.nl.linux.org)

  I strongly recommend *not* to use tinc. 
  http://www.securityfocus.com/archive/1/249142 illustrates that the
  authors didn't have enough expertise to build a secure tool 2 years ago.
  The problems were still present last autumn, see
  http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record!

  With VPN software, IPSec is the only real option if you want to be certain
  it is secure.

 Nice, the first article is based on an alpha version (pre-beta) of tinc, 
 you didn't include the official answer.

IMHO, the key words in Richard's posting are ``[not] enough expertise'',
and ``a track record''.  The idea that the [conceptual] flaws will be
fixed in The Next Release [TM], although quite common amongst the
people, is a mere instance of a proof by wishful thinking.  Clueless
authors will always produce crappy software, regardless of how long
they've been in the business.

 This sounds alot like FUD, are you the author of a compeditive product?

Occasionally, I author thoughts and speeches that require the audience to
use their brain.  Does it count?

HAND.
Jan.

-- 
``You know those mail clients:  MS Outlook, mail(1), or even telnet(1).
  All of them suck.  This one just sucks less.''




Re: Big VPN

2004-03-02 Thread Luca Filipozzi
On Wed, Mar 03, 2004 at 12:18:32AM +0100, I.R. van Dongen wrote:
 Richard Atterer wrote:
  On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
   You might want to check tinc (http://tinc.nl.linux.org)

  I strongly recommend *not* to use tinc. 
  http://www.securityfocus.com/archive/1/249142 illustrates that the
  authors didn't have enough expertise to build a secure tool 2 years ago.
  The problems were still present last autumn, see
  http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record!

  With VPN software, IPSec is the only real option if you want to be certain
  it is secure.

 Nice, the first article is based on an alpha version (pre-beta) of tinc, 
 you didn't include the official answer.

 This sounds a lot like FUD, are you the author of a competitive product?

What about the second link?  Perhaps you could have pointed us to TINC's
reply to Gutmann's (the second link) criticisms rather than simply
claiming this is FUD.

Unfortunately, I can only point to the google cache of the TINC's
response since the machine (nl.linux.org) that hosts TINC's website has
been rooted.  Anyway, here's the google cache of the response:

http://www.google.ca/search?q=cache:tinc.nl.linux.org/security

Gutmann's criticisms, slightly expanded over his original posting, can
be found here:

http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt

I'm personally in favour of an IPsec VPN using openbsd or linux 2.6.  I
think an acceptable user-land alternative might be openvpn.  I would
have to do more investigation of Gutmann's claims before feeling
comfortable with the other user-land alternatives: tinc, cipe or vtun.

Yours,

Luca

-- 
Luca Filipozzi
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D





Re: Big VPN

2004-03-02 Thread Milan P. Stanic
On Tue, Mar 02, 2004 at 03:37:52PM -0600, Jacques Normand wrote:
 On Tue, Mar 02, 2004 at 10:08:22PM +0100, J.H.M. Dassen (Ray) wrote:
  If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
  likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
  of security you're looking for in a VPN.
 
 And what about the ipsec system in the 2.6 kernel (KAME) and the racoon
 daemon for initial key exchange? It does the same work as freeswan but
 it is still developed..

FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as
such it does not work with 2.6.
I'm not sure but I think that Herbert Xu (Debian kernel maintainer)
added patches to pluto (FreeS/WAN IKE daemon) to work with IPSec in
the kernel 2.6.x

Racoon is in FreeBSD for few years and is actively developed.





Re: Big VPN

2004-03-02 Thread I.R. van Dongen
Jan Minar wrote:

 IMHO, the key words in Richard's posting are ``[not] enough expertise'',
 and ``a track record''.  The idea that the [conceptual] flaws will be
 fixed in The Next Release [TM], although quite common amongst the
 people, is a mere instance of a proof by wishful thinking.  Clueless
 authors will always produce crappy software, regardless of how long
 they've been in the business.

It's not about releases, it's about auditing a product before the 
authors actually have made their minds up about where the product is 
going. Tinc started out as an idea on using the tap device for something 
useful. It migrated to a pretty nice vpn solution.
Even Linus made some pretty bad coding errors when he started out with 
linux; if you want to imply that when software, or a part of it, was 
once flawed, you shouldn't trust the author ever, you shouldn't use 
linux at all.





Re: Big VPN

2004-03-02 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I'm personally in favour of an IPsec VPN using openbsd or linux 2.6.

For a distributed installation with up to 100 sites, I strongly recommend going
with a small SOHO router appliance. Because they are easy to replace with
UPS delivery, they are more robust than PC hardware, and have fewer
mechanical parts.

Depending on your topology, a simple commercial concentrator in the main
office may also be much better than implementing a Linux solution, as long
as you do not have reasonable experience. I think the OP made himself clear:
he has none.

There might be good reasons to go with an OpenBSD or Linux 2.6 IPSec installation;
in that case go for it. If you do not need the programmable features, and you 
do not have experience in Linux networking and IPSec, save the money for endless
work hours to get it up and running.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: Big VPN

2004-03-02 Thread Jan Minar
On Wed, Mar 03, 2004 at 01:33:17AM +0100, I.R. van Dongen wrote:
> Jan Minar wrote:
>
> > IMHO, the key words in Richard's posting are ``[not] enough expertise'',
> > and ``a track record''.  The idea that the [conceptual] flaws will be
> > fixed in The Next Release [TM], although quite common amongst the
> > people, is a mere instance of a proof by wishful thinking.  Clueless
> > authors will always produce crappy software, regardless of how long
> > they've been in the business.
>
> It's not about releases, it's about auditing a product before the
> authors actually have made their minds up about where the product is
> going.

They made up their minds quite early.  They just had not enough expertise to
implement it.  Now are the supposed auditors going to handhold the tinc
people every time they will add some more code?  If not, have the tinc
people enough expertise to do it right, now?

> Tinc started out as an idea on using the tap device for something
> useful. It migrated to a pretty nice VPN solution.

One thing is fast prototyping, when I implement a phony MIC, for
example, and I comment it as such, and another thing is hotch-potch
coding, when I get pieces together just to look like a valid MIC.
AFAICT, the tinc people did the latter.  I tend to presume this coding
practice is still present with them.

Note that we are not talking feature completeness, but that the actual
implementation of (alleged) general features, e.g. confidentiality and
authenticity, was flawed.

> Even Linus made some pretty bad coding errors when he started out with
> Linux; if you want to imply that when software, or a part of it, was
> once flawed you shouldn't trust the author ever, you shouldn't use
> Linux at all.

The same goes for Linux.  Although it might have been a major leap from
2.2 to 2.4 and to 2.6, the overall experience is still the same: some
things work, some have problems that have to be tracked down and
repaired manually, some won't even compile. And I have to reboot from time to
time.  I presume this will be the case with 3.0, 3.2, 3.4, too.

The rule of thumb is that things just don't change.  Because a great amount
of the code doesn't change after initial testing, because the authors'
attitude seldom changes, because it would require incompatible changes
to the underlying protocols, etc.

FWIW, J.

-- 
``You know those mail clients:  MS Outlook, mail(1), or even telnet(1).
  All of them suck.  This one just sucks less.''




Re: Big VPN

2004-03-02 Thread J.H.M. Dassen (Ray)
On Wed, Mar 03, 2004 at 01:25:46 +0100, Milan P. Stanic wrote:
> FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as
> such it does not work with 2.6.

"For Kernel's 2.6.0 and higher, Openswan uses the built in IPsec support.
Only the userland component of Openswan is required to use Openswan with a
2.6 series kernel.
[...]
Note: you will need setkey from the ipsec-tools package, available from
http://ipsec-tools.sourceforge.net"
(From http://www.openswan.org/code/openswan-2.1.0rc1.tar.gz's README)

The way I read it is that the userland part of Openswan works fine with 2.6;
it's just that with a 2.6 kernel its IPSec kernel part is used rather than
an Openswan or FreeS/WAN one, as was the case with 2.4 (which didn't have an
IPSec kernel part by default).

Ray
-- 
Those who are willing to trade their liberty for security deserve neither.
Benjamin Franklin





Re: Big VPN

2004-03-02 Thread Dariush Pietrzak
> think an acceptable user-land alternative might be openvpn.  I would
I don't think openvpn would easily handle such a large number of connections;
it would also be a configuration nightmare.
tinc was designed to handle such a scenario, but I wouldn't use anything
user-land for ~100 LANs, no matter how maintainable the configuration is.
I guess the best bet is kernel 2.6.x and racoon-based key management.

Oh, and btw, if you're going to use FreeS/WAN, better look at
http://www.openswan.org, they've got the good code. (And it's backwards
compatible: if you've got a FreeS/WAN based network and want to upgrade to
2.4.25 you're out of luck with FreeS/WAN - they migrated to 2.x with newer
kernels, and it means you need to upgrade your userland tools, and probably
tune configuration a bit. Openswan works nicely with upgrades.)

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9





Re: Big VPN

2004-03-02 Thread Dariush Pietrzak
> FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as
> such it does not work with 2.6.
That is untrue.
1.x branch works with 2.4.x kernels, 2.x branch works with 2.6.x.
-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9





Big VPN

2004-03-02 Thread Jaroslaw Tabor
Hi all!

I know that this list isn't the best place to ask, but I've been reading this
list for years. I hope you will forgive me :)

I'm looking for a good Linux (Debian of course) based solution for a VPN
connecting about 100 LANs. The solution should be stable, easy for
implementation and easy for management. I've some experience with VPNs
based on PPTPd, but not so big. I've reviewed freeswan and the OE feature.
This looks nice, but I'm afraid about security. If I understand this
solution right there is no authentication at all. So everyone can
connect to the LANs if he will spoof IP. I need something better,
because I cannot trust the LAN users. To avoid that, I have an idea, to use
some kind of secure DNS, which will answer only to authorized peers, but
I don't know how to do it.
Finally, the questions:
Did someone successfully build such a network? If yes, how?
Do you know any other VPN solution for this problem?
If my idea isn't so bad, how to add secure authentication for the OE
solution?
Is there any solution to easily manage keys in so big a network, if I
choose freeswan (or other) without OE?

best regards
Jarek
PS: Sorry for my poor English, I'm not a native speaker.




Re: Big VPN

2004-03-02 Thread I.R. van Dongen

Jaroslaw Tabor wrote:

> Hi all!
>
> I know that this list isn't the best place to ask, but I've been reading this
> list for years. I hope you will forgive me :)
>
> I'm looking for a good Linux (Debian of course) based solution for a VPN
> connecting about 100 LANs. The solution should be stable, easy for
> implementation and easy for management. I've some experience with VPNs
> based on PPTPd, but not so big. I've reviewed freeswan and the OE feature.
> This looks nice, but I'm afraid about security. If I understand this
> solution right there is no authentication at all. So everyone can
> connect to the LANs if he will spoof IP. I need something better,
> because I cannot trust the LAN users. To avoid that, I have an idea, to use
> some kind of secure DNS, which will answer only to authorized peers, but
> I don't know how to do it.
> Finally, the questions:
> Did someone successfully build such a network? If yes, how?
> Do you know any other VPN solution for this problem?
> If my idea isn't so bad, how to add secure authentication for the OE
> solution?
> Is there any solution to easily manage keys in so big a network, if I
> choose freeswan (or other) without OE?

You might want to check tinc (http://tinc.nl.linux.org)

> best regards
> Jarek
> PS: Sorry for my poor English, I'm not a native speaker.

me neither :)

Gr,

Ivo



Re: Big VPN

2004-03-02 Thread J.H.M. Dassen (Ray)
On Tue, Mar 02, 2004 at 21:41:34 +0100, Jaroslaw Tabor wrote:
> I've reviewed freeswan and the OE feature. This looks nice, but I'm afraid
> about security.

If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
of security you're looking for in a VPN.

> If I understand this solution right there is no authentication at all.

With OE that may be true. For a VPN you shouldn't configure OE, but use one
of the authentication methods in IPSec, like RSA digital signatures, or a
shared secret.

http://en.wikipedia.org/wiki/IPSEC provides a nice overview of IPSec.

HTH,
Ray
-- 
AJ: Geeez, Erwin. He wasn't even ARMED.
Erwin: I don't care. I have lots of ammo and he was wearing a TIE.
http://ars.userfriendly.org/cartoons/?id=20010209



Re: Big VPN

2004-03-02 Thread Jacques Normand
On Tue, Mar 02, 2004 at 10:08:22PM +0100, J.H.M. Dassen (Ray) wrote:
> On Tue, Mar 02, 2004 at 21:41:34 +0100, Jaroslaw Tabor wrote:
> > I've reviewed freeswan and the OE feature. This looks nice, but I'm afraid
> > about security.
>
> If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
> likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
> of security you're looking for in a VPN.

And what about the ipsec system in the 2.6 kernel (KAME) and the racoon
daemon for initial key exchange? It does the same work as freeswan but
it is still developed..

jacques



Re: Big VPN

2004-03-02 Thread Richard Atterer
On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
> You might want to check tinc (http://tinc.nl.linux.org)

I strongly recommend *not* to use tinc. 
http://www.securityfocus.com/archive/1/249142 illustrates that the
authors didn't have enough expertise to build a secure tool 2 years ago.
The problems were still present last autumn, see
http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record!

With VPN software, IPSec is the only real option if you want to be certain
it is secure.

> Jaroslaw Tabor wrote:
> > I'm looking for a good Linux (Debian of course) based solution for a VPN
> > connecting about 100 LANs. The solution should be stable, easy for
> > implementation and easy for management. I've some experience with VPNs
> > based on PPTPd, but not so big.

PPTP is also believed not to be quite insecure, see
http://www.schneier.com/pptp-faq.html (NB old!). A small number of people
believe it's OK these days due to some improvements made by Microsoft
http://www.schneier.com/paper-pptpv2.html, but I still wouldn't recommend
it.

Does each of these 100 LANs need to connect to *any* other LAN, or just to 
your LAN? Are the LANs real LANs or do you only want to connect single 
road warrior machines to your LAN?

> > I've reviewed freeswan and the OE feature. This looks nice, but I'm afraid
> > about security. If I understand this solution right there is no
> > authentication at all. So everyone can connect to the LANs if he will
> > spoof IP.

I don't think it is the right thing for you, yes. Its main objective (in my 
eyes) is to protect general internet traffic from people who are not 
willing/able to do man-in-the-middle attacks, i.e. from people who just 
sniff on the wire. At least that's what it boils down to as long as no 
secure DNS is available...

> > I need something better, because I cannot trust the LAN users. To avoid
> > that, I have an idea, to use some kind of secure DNS, which will answer
> > only to authorized peers, but I don't know how to do it.

What's wrong with IPSec with X.509 certificates? You can give out a signed
certificate to all people who should get access to your network, and remove 
individual people from the allowed list if necessary. IPSec works with 
all OSes as clients. The only downside (IMHO) is that the server can be 
fairly complex to set up for this kind of scenario.

Secure DNS doesn't exist today, does it?

> > Finally, the questions:
> > Did someone successfully build such a network? If yes, how?

Well, since I'm in the mood of handing out URLs today ;-), here are some
useful pages I found about IPSec setups involving both Linux and Windows
clients.

http://www.freeswan.org/ - you've seen this already I guess :)
http://www.natecarlson.com/linux/ipsec-x509.php
http://www.ipsec-howto.org/ - new kernel 2.6.0 IPSec
http://ipsec.math.ucla.edu/services/ipsec.html
http://lugbe.ch/action/reports/ipsec_htbe.phtml
http://vpn.ebootis.de/

> > Is there any solution to easily manage keys in so big a network, if I
> > choose freeswan (or other) without OE?

100 VPN connections isn't /that/ much, I think FreeS/WAN or the 2.6.0 IPSec 
should be able to handle it. (Maybe ask the developers to ensure it does.)

> > PS: Sorry for my poor English, I'm not a native speaker.
> me neither :)
Ditto. :-)

ü,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯
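
The X.509-authenticated IPsec setup Richard describes, on the 2.6-kernel/racoon route that Jacques and Ray mention, as an added configuration example that is not from any post in this thread and not the projects' own documentation. It assumes ipsec-tools racoon, a private CA whose certificate (and, if you use one, its CRL) is installed on every gateway, and constructed values throughout: the certificate and key file names, the hostnames and the addresses 192.0.2.1/10.1.0.0/24 (local site) and 198.51.100.1/10.2.0.0/24 (one remote site).

```conf
# /etc/racoon/racoon.conf  (added example; file names and addresses are assumed)
#
# Every gateway holds the same three kinds of file in the directory below:
# its own certificate + private key, the CA certificate, and optionally the
# CA's CRL. racoon hands verification to OpenSSL, which finds the CA and CRL
# by hashed file name, so run `c_rehash /etc/racoon/certs` after changing them.
path certificate "/etc/racoon/certs";

# "anonymous" means any address may *start* an IKE negotiation with us; whether
# it succeeds is decided by rsasig + verify_cert below, i.e. by the CA's
# signature, not by a list of peers in this file. Adding site 101 therefore
# means issuing one more certificate, not editing the other 100 gateways;
# removing a site means revoking its certificate (CRL) or letting it expire.
remote anonymous {
    exchange_mode main;                  # main mode; identities are encrypted
    certificate_type x509 "gw01.crt" "gw01.key";
    my_identifier asn1dn;                # identify ourselves by certificate DN
    peers_identifier asn1dn;
    verify_cert on;                      # the weak setting is "off": any cert
                                         # from anyone would then authenticate
    verify_identifier on;                # peer's IKE ID must match its cert
    lifetime time 8 hour;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;    # certificate/RSA, not pre_shared_key
        dh_group modp1024;
    }
}

# Phase 2 parameters, shared by all sites; PFS enabled.
sainfo anonymous {
    pfs_group modp1024;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# The kernel SPD (loaded with setkey -f, e.g. from /etc/ipsec-tools.conf) is
# the only per-tunnel state. For site-to-site tunnels each pair of gateways
# that must talk gets one rule per direction, such as (local gateway):
#
#   spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
#   spdadd 10.2.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
#
# racoon then negotiates the SA on first use of the policy.
```

What this buys you compared with OE: nobody gets a tunnel by spoofing an address, because phase 1 fails unless the peer proves possession of a key whose certificate was signed by your CA, and a single site can be cut off by revoking its certificate without touching the others. What it does not buy you: the SPD lines are still per tunnel, so a new site means adding policy on the gateways it talks to (racoon's `generate_policy on` can derive the responder's policy from the initiator's proposal, but that is a road-warrior feature and is outside this example). Keep the CA key off the gateways entirely; the gateways only ever need the CA certificate and CRL.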



Re: Big VPN

2004-03-02 Thread I.R. van Dongen

Richard Atterer wrote:

> On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
> > You might want to check tinc (http://tinc.nl.linux.org)
>
> I strongly recommend *not* to use tinc.
> http://www.securityfocus.com/archive/1/249142 illustrates that the
> authors didn't have enough expertise to build a secure tool 2 years ago.
> The problems were still present last autumn, see
> http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record!
>
> With VPN software, IPSec is the only real option if you want to be certain
> it is secure.

Nice, the first article is based on an alpha version (pre-beta) of tinc,
you didn't include the official answer.

This sounds a lot like FUD, are you the author of a competitive product?

Gr,

Ivo

PS. cc: to tinc mailinglist





Re: Big VPN

2004-03-02 Thread Jan Minar
On Wed, Mar 03, 2004 at 12:18:32AM +0100, I.R. van Dongen wrote:
> Richard Atterer wrote:
>
> > On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
> > > You might want to check tinc (http://tinc.nl.linux.org)
> >
> > I strongly recommend *not* to use tinc.
> > http://www.securityfocus.com/archive/1/249142 illustrates that the
> > authors didn't have enough expertise to build a secure tool 2 years ago.
> > The problems were still present last autumn, see
> > http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record!
> >
> > With VPN software, IPSec is the only real option if you want to be certain
> > it is secure.
>
> Nice, the first article is based on an alpha version (pre-beta) of tinc,
> you didn't include the official answer.

IMHO, the key words in Richard's posting are ``[not] enough expertise'',
and ``a track record''.  The idea that the [conceptual] flaws will be
fixed in The Next Release [TM], although quite common amongst the
people, is a mere instance of a proof by wishful thinking.  Clueless
authors will always produce crappy software, regardless of how long
they've been in the business.

> This sounds a lot like FUD, are you the author of a competitive product?

Occasionally, I author thoughts and speeches that require the audience to
use their brain.  Does it count?

HAND.
Jan.

-- 
``You know those mail clients:  MS Outlook, mail(1), or even telnet(1).
  All of them suck.  This one just sucks less.''




Re: Big VPN

2004-03-02 Thread Luca Filipozzi
On Wed, Mar 03, 2004 at 12:18:32AM +0100, I.R. van Dongen wrote:
> Richard Atterer wrote:
> > On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote:
> > > You might want to check tinc (http://tinc.nl.linux.org)
> >
> > I strongly recommend *not* to use tinc.
> > http://www.securityfocus.com/archive/1/249142 illustrates that the
> > authors didn't have enough expertise to build a secure tool 2 years ago.
> > The problems were still present last autumn, see
> > http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record!
> >
> > With VPN software, IPSec is the only real option if you want to be certain
> > it is secure.
>
> Nice, the first article is based on an alpha version (pre-beta) of tinc,
> you didn't include the official answer.
>
> This sounds a lot like FUD, are you the author of a competitive product?

What about the second link?  Perhaps you could have pointed us to TINC's
reply to Gutmann's (the second link) criticisms rather than simply
claiming this is FUD.

Unfortunately, I can only point to the google cache of the TINC's
response since the machine (nl.linux.org) that hosts TINC's website has
been rooted.  Anyway, here's the google cache of the response:

http://www.google.ca/search?q=cache:tinc.nl.linux.org/security

Gutmann's criticisms, slightly expanded over his original posting, can
be found here:

http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt

I'm personally in favour of an IPsec VPN using openbsd or linux 2.6.  I
think an acceptable user-land alternative might be openvpn.  I would
have to do more investigation of Gutmann's claims before feeling
comfortable with the other user-land alternatives: tinc, cipe or vtun.

Yours,

Luca

-- 
Luca Filipozzi
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D


