Re: [SLUG] VPN Host recommendation

2013-02-06 Thread Peter Barker
Depends what you want to use the VPN for. I have set up access to a home 
server using openvpn and found it easy to use once set up - I don't use it 
very often though, only when not in Sydney. There was a series of articles in 
Linux Journal on setting it up.

Regards,
Peter Barker

On Wed, 6 Feb 2013 01:40:45 PM gonzo01 wrote:
> Info re recommended and/or experiences with VPN Host (non-business use)
> appreciated.
> 
> All new to me.
> 
> Thanks
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] VPN Host recommendation

2013-02-05 Thread peter
> "gonzo01" == gonzo01   writes:

gonzo01> Info re recommended and/or experiences with VPN Host
gonzo01> (non-business use) appreciated.

Depends what you want --- can you clarify?  Do you want a VPN host
(e.g., a PPTP server) or did you mean VPS (virtual private server)?
If the latter, is this just for web, or do you want to have a machine
you totally control?

For example, I have a hosted web server at www.memebot.com (they'll
give you a basic virtual web server for free, but you can donate or pay
for extra services), and a Vserver with openhosting.com  that I use
as a mail exchanger.  I get the latter for $19 a month, because the
bandwidth and CPU I need are small (main issue is RAM for running
spamassassin).

In any case there are many many deals out there, and what you get
depends on what you pay for, and it's easy to buy stuff you don't
need.

So tell us what you need.

-
Dr Peter Chubb  peter.chubb AT nicta.com.au
http://www.ssrg.nicta.com.au  Software Systems Research Group/NICTA



Re: [SLUG] vpn install problem

2009-09-30 Thread Ben Donohue

Hi Luke,

I've always found that using different network classes for VPN access 
seems to give me trouble free access.
Sounds weird but you might have in your routing setup classless network 
aggregation or supernetting which could be mucking things up.

Try using 172.16.1.0 network instead of one of the 192.168.x.x.
Also try using 10.1.1.0 network for another. You can still make them use 
a class C address or 256 addresses on these.
So in the end you would only have one range using 192.168.x.x and 
nothing else using any 192.168.x.x.
Also while troubleshooting don't use 192.168.0.x. Even though this can 
be used nowadays, there still could be equipment that doesn't like it. 
Use 192.168.1.x instead.


See how you go.
Ben



Luke Vanderfluit wrote:
> Hi.
>
> I hope there are people on this list with routing expertise.
> My routing knowledge is limited.
>
> Here's the problem.
>
> I have set up a ubuntu box that acts as a VPN server.
> It has pptpd running.
> The VPN server has one ethernet i/f, eth0, it's running ubuntu 9.04
> server.
>
> The VPN is running on a 192.168.0.0 network and gives out ip
> addresses in the range of 192.168.101.200-245
>
> I have the ADSL router on the 192.168.0.0 network portforwarding port
> 1723 to the VPN box, which has ip of 192.168.0.14
> It also has a static route that routes any traffic with destination of
> 192.168.101.0 network to the VPN server
>
> I can connect to the box from externally on the internet with an XP
> client.
>
> The XP client is successfully given an IP address of 192.168.101.200.
>
> The XP client has its gateway set to that of the remote network, so
> the VPN server's network gateway, which is, not surprisingly, 192.168.0.1
> It can successfully ping the vpn box (192.168.0.14) but cannot get out
> on the internet through the VPN.
>
> When the connection is initiated a route is added to the VPN box for
> the 192.168.101.200 address, so that everything for that address goes
> out on ppp0. Similarly when the ppp0 interface is brought down the
> route is removed.
>
> This is one way I have tried to solve the VPN problem.
>
> However, I could also remove the static route from the ADSL router,
> give the machines that need to be accessed additional ip addresses in
> the 192.168.101.0 range and setup routes on the VPN server to cope
> with that, however I have not been able to get that working either...
>
> Can anyone help me with this...
>
> That would be cool.
>
> Thanks in advance.
>
> Luke Vanderfluit.



Re: [SLUG] vpn problems at usyd

2007-08-27 Thread Glen Turner
On Mon, 2007-08-27 at 13:50 +1000, Antonio Cosimo Costantino wrote:
> It's the first time I write here since I came here in Sydney from Italy six 
> weeks ago so... let's start with a canonical (!) greeting... ciaociao 
> everybody!
> 
> When I started studying at usyd, the staff told us we (students) have access 
> to web resources via wireless connection. It's true, except discovering few 
> weeks later we need a  (cisco) vpn client and linux kernel 2.6 is not 
> supported!

I run vpnc with no dramas to a Cisco VPN concentrator. Maybe using
that rather than some GUIified front end will show the issue more
readily.

A lightly edited copy of an internal wiki for using a Cisco VPN
from Linux follows:


VPN

1. INTRODUCTION

Use the virtual private network where: you wish to use internal
computing systems from outside of the Example network; you do
not have unfiltered access to the Internet and wish to run a
protocol which is being filtered; from eduroam access points
which only allow VPN connections so the eduroam provider can
limit costs.

Example uses a Cisco VPN concentrator. This requires client software
which is peculiar to Cisco's IPsec VPN implementation. Other VPN
software will not work, including PPTP, L2TP and SSL.

...

3. LINUX

There is a choice of client software: Cisco Systems and VPNC. VPNC is
simpler to install and use.


3.1 VPNC INSTALLATION

For Red Hat or Fedora have the Extras repository enabled and

  # yum install vpnc

For Debian and Ubuntu have the Universe repository enabled and

  # apt-get update
  # apt-get install vpnc

VPNC's home page is

  

You need VPNC 0.4.0 or later. Don't even bother with earlier versions.


3.2 VPNC CONFIGURATION

Create the "Example" configuration file

  # (umask 077; touch /etc/vpnc/example.conf)

then edit it to add this text

  IPSec gateway example.edu.au
  IPSec ID Example
  IPSec secret ...
  NAT-Keepalive packet interval 290
  Rekeying interval 0
  Xauth username fab

replacing fab with your username.

Similarly, create the "Example always" configuration file

  # (umask 077; touch /etc/vpnc/example-always.conf)

then edit it to add this text

  IPSec gateway example.edu.au
  IPSec ID Example always
  IPSec secret ...
  NAT-Keepalive packet interval 290
  Rekeying interval 0
  Xauth username fab

again replacing fab with your username.

Most of the parameters come directly from those used to configure the
VPN endpoint and are discussed above. The rekeying interval is set to
0 to disable rekeying, as connections from laptops are not held up
long enough for discovery of the session key to be a concern. Versions
of VPNC before 0.4 had difficulty with rekeying. The NAT keep-alive
packet interval is set to 290 seconds. Most NAT boxes time out a
connection after 10 minutes of inactivity, so using a value just short
of 5 minutes presents two opportunities to re-start the NAT router's
inactivity timer for this connection.


3.3 VPNC USE

Bring up the VPN with

  # vpnc example.conf

  Enter password for [EMAIL PROTECTED]: *
  VPNC started in background (pid: 123)...

You can check the results by looking for routes to the tun0 interface
reported by

  $ route -n

or by checking the input and output counters on the tun0 interface

  $ ifconfig tun0

Bring down the VPN with

  # vpnc-disconnect


3.4 VPNC EXPERT USE

If you want the default route to be at the VPN endpoint then use

  # vpnc example-always.conf

  Enter password for [EMAIL PROTECTED]: *
  VPNC started in background (pid: 666)...


3.5 FAULT FINDING

Check your firewall settings. Ubuntu's firestarter (its recommended
firewall) blocks traffic from interfaces it does not know of when
configured.

"dmesg" will show errors related to the configuration of the kernel
module. "ifconfig" and "iproute" show network configuration.
"vpnc --no-detach --debug 1" will show detailed progress.

The VPN Concentrator sends messages to the Example central
syslog facility at ...
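
The checks implied by sections 3.2 and 3.3 of the wiki text above, as an added shell example that is not part of the original post or of vpnc: it verifies that a configuration file is private (the `umask 077` step, since the file holds the IPSec secret) and that the keep-alive interval fits twice into the NAT timeout. The key names are copied from the wiki text; `NAT_TIMEOUT`, the function names and the sample file are assumptions made for the example.

```sh
#!/bin/sh
# Added example: audit a vpnc configuration file like the ones in section 3.2.
# Key names come from the wiki text; function names and NAT_TIMEOUT are
# assumptions made for this example.

NAT_TIMEOUT=${NAT_TIMEOUT:-600}   # seconds; the wiki's "10 minutes of inactivity"

# Print the value following KEY ($2) at the start of a line in FILE ($1).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Succeed only if FILE grants no permission bits to group or other,
# which is what creating it under "umask 077" produces.
conf_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if two keep-alives fit inside the NAT timeout (2 * n < timeout).
keepalive_ok() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;   # unset or not a number
    esac
    [ "$1" -gt 0 ] && [ "$1" -le $(( (NAT_TIMEOUT - 1) / 2 )) ]
}

# Report findings for FILE; exit status 0 means nothing to fix.
audit_vpnc_conf() {
    file=$1
    findings=0
    if [ ! -f "$file" ]; then
        echo "$file: no such file"
        return 1
    fi
    if ! conf_is_private "$file"; then
        echo "$file: group/other can access the IPSec secret; chmod 600"
        findings=$((findings + 1))
    fi
    for key in "IPSec gateway" "IPSec ID" "IPSec secret" "Xauth username"; do
        if [ -z "$(conf_value "$file" "$key")" ]; then
            echo "$file: missing '$key'"
            findings=$((findings + 1))
        fi
    done
    interval=$(conf_value "$file" "NAT-Keepalive packet interval")
    if ! keepalive_ok "$interval"; then
        echo "$file: keep-alive '${interval:-unset}' does not fit twice into ${NAT_TIMEOUT}s"
        findings=$((findings + 1))
    fi
    if [ "$(conf_value "$file" "Rekeying interval")" = "0" ]; then
        echo "$file: note: rekeying is disabled"
    fi
    [ "$findings" -eq 0 ]
}

# Write a constructed sample config (placeholder secret) to PATH ($1).
make_sample_conf() {
    (
        umask 077
        cat > "$1" <<'EOF'
IPSec gateway example.edu.au
IPSec ID Example
IPSec secret CONSTRUCTED-PLACEHOLDER
NAT-Keepalive packet interval 290
Rekeying interval 0
Xauth username fab
EOF
    )
}

# Audit the files named on the command line, or a constructed sample.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        audit_vpnc_conf "$f" || true
    done
else
    demo_dir=$(mktemp -d)
    make_sample_conf "$demo_dir/example.conf"
    audit_vpnc_conf "$demo_dir/example.conf" && echo "sample: ok"
    chmod 644 "$demo_dir/example.conf"
    audit_vpnc_conf "$demo_dir/example.conf" || echo "sample: needs fixing"
    rm -rf "$demo_dir"
fi
```

Run it as root with the paths under /etc/vpnc as arguments; set `NAT_TIMEOUT` in the environment if the NAT router in front of you times out sooner than 10 minutes.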



Re: [SLUG] vpn problems at usyd

2007-08-26 Thread Erik de Castro Lopo
Antonio Cosimo Costantino wrote:

> It's the first time I write here since I came here in Sydney from Italy six 
> weeks ago so... let's start with a canonical (!) greeting... ciaociao 
> everybody!

Welcome.

> When I started studying at usyd, the staff told us we (students) have access 
> to web resources via wireless connection. It's true, except discovering few 
> weeks later we need a  (cisco) vpn client and linux kernel 2.6 is not 
> supported!

There is a Cisco VPN client available for 2.6 kernels, but only
as far as I am aware for x86 and x86_64 machines.

Here's the Cisco page:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/
http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html

It doesn't compile for some later kernel versions, but patches are
available here:

http://tuxx-home.at/archives/2007/05/29/T16_34_26/

Also found a howto:


http://www.longren.org/2007/05/17/how-to-cisco-vpn-client-on-ubuntu-704-feisty-fawn/

While I do use this vpn client, I don't use it for connection
to usyd.

Erik
-- 
-
Erik de Castro Lopo
-
"Microsoft treats security vulnerabilities as public relations
problems."  -- Bruce Schneier


Re: [SLUG] vpn problems at usyd

2007-08-26 Thread Sonia Hamilton
* On Mon, Aug 27, 2007 at 01:50:05PM +1000, Antonio Cosimo Costantino wrote:
> It's the first time I write here since I came here in Sydney from Italy six 
> weeks ago so... let's start with a canonical (!) greeting... ciaociao 
> everybody!

Ciao ciao Antonio! Come stai?
 
> When I started studying at usyd, the staff told us we (students) have access 
> to web resources via wireless connection. It's true, except discovering few 
> weeks later we need a  (cisco) vpn client and linux kernel 2.6 is not 
> supported!
> 
> So, as I run Kubuntu 7.04, I installed KVpnc and everything related, then 
> loaded the standard profile to connect, but it looks like not want to work!!!

I'm not at USyd and haven't used the Cisco vpn client, but I've got a
feeling you're going to have to send a bit more information to the list than
"it doesn't work" :) eg your configuration file, any error messages you
get from your logs, maybe a dump from tcpdump...

-- 
Sonia Hamilton   |  GNU/Linux - 'free' as in
.|  free speech, not free beer.


Re: [SLUG] VPN server for Mac clients

2006-06-08 Thread Lindsay Holmwood

On 6/8/06, Sridhar Dhanapalan <[EMAIL PROTECTED]> wrote:
> On Thursday 08 June 2006 12:36, "Lindsay Holmwood" <[EMAIL PROTECTED]> wrote:
> > Semi-related - I stumbled across Hamachi, a "secure mediated peer to
> > peer" zero-configuration vpn. It's free software, with Linux and
> > Windows versions available at: http://www.hamachi.cc/
>
> The "LICENSE (sic)" file inside the downloadable tarball indicates that
> Hamachi is not free software. To take a snippet as an example:
>
> "This License allows the End-User to install and use the Client.  Except as
> expressly permitted in this License, the End-User may not decompile, reverse
> engineer, disassemble, modify, rent, lease, loan, sublicense, distribute or
> create derivative works based upon the Client in whole or part or transmit
> the Client over a network."
>
> Definitely not free :(



Oh! I stand corrected. I should be more attentive in my readings. :-)

Lindsay

--
http://slug.org.au/
http://lca2007.linux.org.au/
http://holmwood.id.au/~lindsay/


Re: [SLUG] VPN server for Mac clients

2006-06-08 Thread Sridhar Dhanapalan
On Thursday 08 June 2006 12:36, "Lindsay Holmwood" <[EMAIL PROTECTED]> wrote:
> Semi-related - I stumbled across Hamachi, a "secure mediated peer to
> peer" zero-configuration vpn. It's free software, with Linux and
> Windows versions available at: http://www.hamachi.cc/

The "LICENSE (sic)" file inside the downloadable tarball indicates that 
Hamachi is not free software. To take a snippet as an example:

"This License allows the End-User to install and use the Client.  Except as 
expressly permitted in this License, the End-User may not decompile, reverse 
engineer, disassemble, modify, rent, lease, loan, sublicense, distribute or 
create derivative works based upon the Client in whole or part or transmit 
the Client over a network."

Definitely not free :(

-- 
Sridhar Dhanapalan  [Yama | http://www.pclinuxonline.com/]
  {GnuPG/OpenPGP: http://dhanapalan.webhop.net/yama.asc
   0x049D38B4 : A7A9 8A02 78CB AB1B FCE4 EEC6 2DD9 249B 049D 38B4}

"An Eye for an Eye will make the whole world blind" - Mohandas Gandhi



Re: [SLUG] VPN server for Mac clients

2006-06-07 Thread Lindsay Holmwood

On 6/7/06, Simon Wong <[EMAIL PROTECTED]> wrote:
> I'm just starting to look into providing a VPN server for some Mac OS X
> 10.3 clients.
>
> Can anyone give any pointers on what is good to use on the server side
> (Ubuntu dapper) for minimal client setup and ease of use for Mac
> types ;-)


Semi-related - I stumbled across Hamachi, a "secure mediated peer to
peer" zero-configuration vpn. It's free software, with Linux and
Windows versions available at: http://www.hamachi.cc/

A beta quality Mac client can be found at:
http://homepage.mac.com/lxr/homepage/spaceants/hamachix/

Cheers,
Lindsay

--
http://slug.org.au/
http://lca2007.linux.org.au/
http://holmwood.id.au/~lindsay/


Re: [SLUG] VPN server for Mac clients

2006-06-07 Thread Simon Wong
On Wed, 2006-06-07 at 19:12 +1000, David Kempe wrote:
> I dunno about all these OSX things, but from memory OSX is just samba, 

yep

> and I know that works fine over openvpn. You need wins for reliable name 
> resolution though - same as any vpn. (unless you bridge the connections, 
> not route)

cool, will do if required but access is only to one server so
some /etc/hosts (or wherever it is) editing will be manageable.

Thanks!

-- 
Simon Wong <[EMAIL PROTECTED]>



Re: [SLUG] VPN server for Mac clients

2006-06-07 Thread Simon Wong
On Wed, 2006-06-07 at 05:10 -0400, Crossfire wrote:
> I have little trouble accessing OpenVPN services from my OSX systems.
> There is an excellent interface to openvpn on OSX called "Tunnelblick".

ah ha, that looks like the missing piece of the puzzle, thanks!

> Beware of the version 3.0 beta however, it currently has a few nasty bugs.

OK, tah.

> Teach them how to use Fugu to copy from sftp. :)  I'm not sure if SMB 
> works properly over openvpn.  I think it does.  Safari, however, does not 
> for some strange reason.  Camino is not afflicted by this issue however.

I'll look into Fugu, sounds useful.

I'm down on Safari at the moment.  I used to think that it was good but
now that Firefox is available for Mac, I'm recommending that.

Thanks, for the pointers.

-- 
Simon Wong <[EMAIL PROTECTED]>



Re: [SLUG] VPN server for Mac clients

2006-06-07 Thread Simon Wong
On Wed, 2006-06-07 at 19:21 +1000, Jeff Waugh wrote:
> For minimal client setup, use PPTP, which is supported in OS X as of 10.2.
> You can use poptop on the server (pptpd in dapper). PPTP isn't the greatest

I've heard that PPTP has some serious flaws in the protocol.  It would
be good to avoid.

> of VPN protocols though, so you could look to things like IPSEC (supported
> as of 10.2) and OpenVPN (which you'll need additional client software for).

I had an ugly experience recently, failing to get IPsec and Racoon
working in Breezy.

OpenVPN would be good.

-- 
Simon Wong <[EMAIL PROTECTED]>



Re: [SLUG] VPN server for Mac clients

2006-06-07 Thread Jeff Waugh


> I'm just starting to look into providing a VPN server for some Mac OS X
> 10.3 clients.
> 
> Can anyone give any pointers on what is good to use on the server side
> (Ubuntu dapper) for minimal client setup and ease of use for Mac types ;-)

For minimal client setup, use PPTP, which is supported in OS X as of 10.2.
You can use poptop on the server (pptpd in dapper). PPTP isn't the greatest
of VPN protocols though, so you could look to things like IPSEC (supported
as of 10.2) and OpenVPN (which you'll need additional client software for).

- Jeff

-- 
linux.conf.au 2007: Sydney, Australia   http://lca2007.linux.org.au/
 
   "You know, the crunchy, folk-singer part of me wants to believe that a
 performance is a dialogue, but I can't hear a fucking thing you're
  saying." - Ani DiFranco


Re: [SLUG] VPN server for Mac clients

2006-06-07 Thread David Kempe

Crossfire wrote:
> Teach them how to use Fugu to copy from sftp. :)  I'm not sure if SMB
> works properly over openvpn.  I think it does.  Safari, however, does not
> for some strange reason.  Camino is not afflicted by this issue however.


I dunno about all these OSX things, but from memory OSX is just samba, 
and I know that works fine over openvpn. You need wins for reliable name 
resolution though - same as any vpn. (unless you bridge the connections, 
not route)


dave


Re: [SLUG] VPN server for Mac clients

2006-06-07 Thread Crossfire
On Wed, Jun 07, 2006 at 07:02:21PM +1000, Simon Wong wrote:
> I'm just starting to look into providing a VPN server for some Mac OS X
> 10.3 clients.
> 
> Can anyone give any pointers on what is good to use on the server side
> (Ubuntu dapper) for minimal client setup and ease of use for Mac
> types ;-)

I have little trouble accessing OpenVPN services from my OSX systems.
There is an excellent interface to openvpn on OSX called "Tunnelblick".
Beware of the version 3.0 beta however, it currently has a few nasty bugs.

> Access is primarily for accessing files remotely.

Teach them how to use Fugu to copy from sftp. :)  I'm not sure if SMB 
works properly over openvpn.  I think it does.  Safari, however, does not 
for some strange reason.  Camino is not afflicted by this issue however.

C.


Re: [SLUG] VPN and Monmotha.. :/

2006-05-26 Thread Jamshid Karimi
Another descendant of FreeS/WAN is strongSwan
http://www.strongswan.org/
JK

--- Howard Lowndes <[EMAIL PROTECTED]> wrote:

> Read my comment again.  I am not suggesting openvpn, I am suggesting
> openswan; it took over from freeswan.
>
> It supports X509 as well, which freeswan didn't (except with
> extensions).  The other major change is that it does not create ipsecX
> interfaces but uses the existing interfaces, so it may need some changes
> to iptables rules - this one caused me some midnight oil burning when I
> switched over.
>
> Charles Myers wrote:
> > Howard Lowndes wrote:
> >> Charles Myers wrote:
> >>> Thanks to those who helped with this, looks like I have to head the
> >>> freeswan way, as it does IPSec
> >>
> >> I seriously suggest that you go the openswan way as I think freeswan
> >> has stalled.
> >>
> >>> ... where openvpn doesn't (from my
> >>> readings) :( (shame.. as it is far easier to setup)...
> >>>
> >>> Thanks again.
> >>>
> >>> Charles.
> >>>
> >>> Erik de Castro Lopo wrote:
> >>>> Charles Myers wrote:
> >>>>> I need to connect to another network (via a VPN)... Is this
> >>>>> attainable using this script or do I need to something else? I have
> >>>>> read conflicting google results and being unsure about VPN's I
> >>>>> thought I would ask here.
> >>>>
> >>>> OpenVPN is trivially easy to set up. Give it a try.
> >>>>
> >>>> Erik
> >
> > hmm, but openvpn doesn't support IPSec does it? The server I am
> > connecting to tells me it's required... ?? :/ Are there any alternatives
> > out there that you might know of that can handle IPSec?
>
> --
> Howard.
> LANNet Computing Associates - Your Linux people
>
> When you want a computer system that works, just choose Linux;
> When you want a computer system that works, just, choose Microsoft.
> --
> Flatter government, not fatter government; abolish the Australian states.


Re: [SLUG] VPN and Monmotha.. :/

2006-05-26 Thread Charles Myers
Ok I blame the flu I'm coming down with.. or Friday... yes that's it
Friday's to blame :P hehehe cool.. I'll look into openswan :)

Thanks for that...

Howard Lowndes wrote:
> Read my comment again.  I am not suggesting openvpn, I am suggesting
> openswan; it took over from freeswan.
>
> It supports X509 as well, which freeswan didn't (except with
> extensions).  The other major change is that it does not create ipsecX
> interfaces but uses the existing interfaces, so it may need some
> changes to iptables rules - this one caused me some midnight oil
> burning when I switched over.
>
> Charles Myers wrote:
> > Howard Lowndes wrote:
> >> Charles Myers wrote:
> >>> Thanks to those who helped with this, looks like I have to head the
> >>> freeswan way, as it does IPSec
> >>
> >> I seriously suggest that you go the openswan way as I think freeswan
> >> has stalled.
> >>
> >>> ... where openvpn doesn't (from my
> >>> readings) :( (shame.. as it is far easier to setup)...
> >>>
> >>> Thanks again.
> >>>
> >>> Charles.
> >>>
> >>> Erik de Castro Lopo wrote:
> >>>> Charles Myers wrote:
> >>>>> I need to connect to another network (via a VPN)... Is this
> >>>>> attainable using this script or do I need to something else? I
> >>>>> have read conflicting google results and being unsure about VPN's
> >>>>> I thought I would ask here.
> >>>>
> >>>> OpenVPN is trivially easy to set up. Give it a try.
> >>>>
> >>>> Erik
> >
> > hmm, but openvpn doesn't support IPSec does it? The server I am
> > connecting to tells me it's required... ?? :/ Are there any
> > alternatives out there that you might know of that can handle IPSec?



Re: [SLUG] VPN and Monmotha.. :/

2006-05-26 Thread Howard Lowndes
Read my comment again.  I am not suggesting openvpn, I am suggesting 
openswan; it took over from freeswan.


It supports X509 as well, which freeswan didn't (except with 
extensions).  The other major change is that it does not create ipsecX 
interfaces but uses the existing interfaces, so it may need some changes 
to iptables rules - this one caused me some midnight oil burning when I 
switched over.


Charles Myers wrote:
> Howard Lowndes wrote:
>> Charles Myers wrote:
>>> Thanks to those who helped with this, looks like I have to head the
>>> freeswan way, as it does IPSec
>>
>> I seriously suggest that you go the openswan way as I think freeswan
>> has stalled.
>>
>>> ... where openvpn doesn't (from my
>>> readings) :( (shame.. as it is far easier to setup)...
>>>
>>> Thanks again.
>>>
>>> Charles.
>>>
>>> Erik de Castro Lopo wrote:
>>>> Charles Myers wrote:
>>>>> I need to connect to another network (via a VPN)... Is this
>>>>> attainable using this script or do I need to something else? I have
>>>>> read conflicting google results and being unsure about VPN's I
>>>>> thought I would ask here.
>>>>
>>>> OpenVPN is trivially easy to set up. Give it a try.
>>>>
>>>> Erik
>
> hmm, but openvpn doesn't support IPSec does it? The server I am
> connecting to tells me it's required... ?? :/ Are there any alternatives
> out there that you might know of that can handle IPSec?

--
Howard.
LANNet Computing Associates - Your Linux people 
When you want a computer system that works, just choose Linux;
When you want a computer system that works, just, choose Microsoft.
--
Flatter government, not fatter government; abolish the Australian states.



Re: [SLUG] VPN and Monmotha.. :/

2006-05-26 Thread Charles Myers

Howard Lowndes wrote:
> Charles Myers wrote:
>> Thanks to those who helped with this, looks like I have to head the
>> freeswan way, as it does IPSec
>
> I seriously suggest that you go the openswan way as I think freeswan
> has stalled.
>
>> ... where openvpn doesn't (from my
>> readings) :( (shame.. as it is far easier to setup)...
>>
>> Thanks again.
>>
>> Charles.
>>
>> Erik de Castro Lopo wrote:
>>> Charles Myers wrote:
>>>> I need to connect to another network (via a VPN)... Is this
>>>> attainable using this script or do I need to something else? I have
>>>> read conflicting google results and being unsure about VPN's I
>>>> thought I would ask here.
>>>
>>> OpenVPN is trivially easy to set up. Give it a try.
>>>
>>> Erik

hmm, but openvpn doesn't support IPSec does it? The server I am
connecting to tells me it's required... ?? :/ Are there any alternatives
out there that you might know of that can handle IPSec?



Re: [SLUG] VPN and Monmotha.. :/

2006-05-26 Thread Howard Lowndes



Charles Myers wrote:
> Thanks to those who helped with this, looks like I have to head the
> freeswan way, as it does IPSec

I seriously suggest that you go the openswan way as I think freeswan has
stalled.

> ... where openvpn doesn't (from my
> readings) :( (shame.. as it is far easier to setup)...
>
> Thanks again.
>
> Charles.
>
> Erik de Castro Lopo wrote:
>> Charles Myers wrote:
>>> I need to connect to another network (via a VPN)... Is this
>>> attainable using this script or do I need to something else? I have
>>> read conflicting google results and being unsure about VPN's I
>>> thought I would ask here.
>>
>> OpenVPN is trivially easy to set up. Give it a try.
>>
>> Erik

--
Howard.
LANNet Computing Associates - Your Linux people 
When you want a computer system that works, just choose Linux;
When you want a computer system that works, just, choose Microsoft.
--
Flatter government, not fatter government; abolish the Australian states.



Re: [SLUG] VPN and Monmotha.. :/

2006-05-25 Thread Charles Myers
Thanks to those who helped with this, looks like I have to head the
freeswan way, as it does IPSec... where openvpn doesn't (from my
readings) :( (shame.. as it is far easier to setup)...

Thanks again.

Charles.

Erik de Castro Lopo wrote:
> Charles Myers wrote:
>> I need to connect to another network (via a VPN)... Is this attainable
>> using this script or do I need to something else? I have read conflicting
>> google results and being unsure about VPN's I thought I would ask here.
>
> OpenVPN is trivially easy to set up. Give it a try.
>
> Erik



Re: [SLUG] VPN and Monmotha.. :/

2006-05-24 Thread Erik de Castro Lopo
Charles Myers wrote:

> I need to connect to another network (via a VPN)... Is this attainable 
> using this script or do I need to something else? I have read conflicting 
> google results and being unsure about VPN's I thought I would ask here.

OpenVPN is trivially easy to set up. Give it a try.

Erik
-- 
+---+
  Erik de Castro Lopo
+---+
"It has been discovered that C++ provides a remarkable facility
for concealing the trival details of a program -- such as where 
its bugs are." -- David Keppel


Re: [SLUG] VPN and Monmotha.. :/

2006-05-24 Thread cmyers
> Charles Myers wrote:
>
>> I need to connect to another network (via a VPN)... Is this attainable
>> using this script or do I need to something else? I have read conflicting
>> google results and being unsure about VPN's I thought I would ask
>> here.
>
> There are a number of different VPN technologies. My guess is that
> perhaps what you're talking about here is using the IPSec protocol to
> access some sort of VPN gateway?
>
> I'm not familiar with the monmothas script, but a quick google suggests
> to me that it is a firewall/NAT configuration script, in which case it
> almost certainly isn't what you need.
>
> If IPSec is what you're after then look toward the 'freeswan' package.
>
> If you're unsure what sort of VPN you're dealing with, you'll need to
> ask whoever administers the network for some information.
>
> I'm happy to assist you when you have the information you need.
>
> regards
> Terry
>
>


Great thanks for the tip.. I'll google freeswan up now... It is an IPSec
VPN.. So I'll grab it and have a peek and see what's next...  Thanks for the
offer of help I'll let you know after having a peek at freeswan.


Charles.





Re: [SLUG] VPN and Monmotha.. :/

2006-05-24 Thread Terry Dawson

Charles Myers wrote:
> I need to connect to another network (via a VPN)... Is this attainable
> using this script or do I need to something else? I have read conflicting
> google results and being unsure about VPN's I thought I would ask here.


There are a number of different VPN technologies. My guess is that 
perhaps what you're talking about here is using the IPSec protocol to 
access some sort of VPN gateway?


I'm not familiar with the monmothas script, but a quick google suggests 
to me that it is a firewall/NAT configuration script, in which case it 
almost certainly isn't what you need.


If IPSec is what you're after then look toward the 'freeswan' package.

If you're unsure what sort of VPN you're dealing with, you'll need to 
ask whoever administers the network for some information.


I'm happy to assist you when you have the information you need.

regards
Terry




Re: [SLUG] VPN to Cisco

2005-09-12 Thread Phil Scarratt

Mike MacCana wrote:
> On Wed, 2005-08-24 at 10:31 +1000, Phil Scarratt wrote:
> > Hi
> >
> > Having no experience with VPN'ing to a Cisco router endpoint, I'm
> > interested in people's thoughts on creating a VPN to a Cisco 1712
> > endpoint.
>
> The Cisco client requires a special kernel module and isn't Open Source.
> It's very annoying to use.
>
> I, and many staff at Red Hat, use an Open Source Cisco-compatible client
> called vpnc to connect to our office VPN, a Cisco VPN concentrator.
> Can't remember the model number.
>
> Packages for FC and RHEL are available at dag.wieers.com.
>
> Mike


Thanks Mike. I was going to wait to be able to report success or not, 
but am still waiting for the other end to sort itself out (a couple of 
days is currently sitting at 1.5 weeks). Got it all installed 
successfully, now just need to wait for the other end to get itself sorted.


Thanks all for the replies.

Fil


Re: [SLUG] VPN to Cisco

2005-08-30 Thread Mike MacCana
On Wed, 2005-08-24 at 10:31 +1000, Phil Scarratt wrote:
> Hi
> 
> Having no experience with VPN'ing to a Cisco router endpoint, I'm 
> interested in people's thoughts on creating a VPN to a Cisco 1712 
> endpoint. 

The Cisco client requires a special kernel module and isn't Open Source.
It's very annoying to use.

I, and many staff at Red Hat, use an Open Source Cisco-compatible client
called vpnc to connect to our office VPN, a Cisco VPN concentrator.
Can't remember the model number.

Packages for FC and RHEL are available at dag.wieers.com.

Mike



Re: [SLUG] VPN to Cisco

2005-08-24 Thread Phil Scarratt

Martin wrote:
> $quoted_author = "Phil Scarratt" ;
> >
> > Having no experience with VPN'ing to a Cisco router endpoint, I'm
> > interested in people's thoughts on creating a VPN to a Cisco 1712
> > endpoint. What have people used (successfully or otherwise)? The Cisco
> > VPN Client software from Cisco? open-source IPSEC client (openswan or
> > whatever it's called)?
>
> the cisco client only does IPSEC. you could do PPTP or IPSEC using other
> clients. are you roaming or is it fixed end points?
>
> > Does anyone know if I have to use the cisco client?
>
> you don't have to.
>
> marty



Thanks for the reply. Much appreciated.

I have fixed end points - of which I have to setup one. The other end is 
a Cisco 1712, my end is a linux box (actually a gateway machine for a 
LAN). I was thinking down the lines of openswan.


I'm actually very glad I don't have to use the cisco client - I find the 
cisco site an absolute nightmare to use, and the downloads section (with 
registration) doesn't work.


Fil


Re: [SLUG] VPN to Cisco

2005-08-24 Thread Martin
$quoted_author = "Phil Scarratt" ;
> 
> Having no experience with VPN'ing to a Cisco router endpoint, I'm 
> interested in people's thoughts on creating a VPN to a Cisco 1712 
> endpoint. What have people used (successfully or otherwise)? The Cisco 
> VPN Client software from Cisco? open-source IPSEC client (openswan or 
> whatever it's called)?

the cisco client only does IPSEC. you could do PPTP or IPSEC using other
clients. are you roaming or is it fixed end points?


> Does anyone know if I have to use the cisco client?

you don't have to.

marty

-- 
Take these tears
Wash your skin
I'm havin' trouble breathin'
Since you walked in

"Million Tears" - Kasey Chambers


Re: [SLUG] VPN networking

2005-08-01 Thread james
> Hi
> last week I asked about VPNs and was given good advice. Thanks.
>
> Can anybody help explain my networking woes please:

> IE
> tigger is on 192.168.1.254
> A (dhcp) 192.168.1.23
> B (ditto)192.168.1.24


> [tigger] /home/jam [96]% route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric RefUse Iface
> 192.168.100.2   *   255.255.255.255 UH0  0   0 tun0
> 202.71.175.56   *   255.255.255.252 U 0  0   0 eth1
> 192.168.100.0   *   255.255.255.0   U 0  0   0 tun0
> 192.168.1.0 *   255.255.255.0   U 0  0   0 eth0
> link-local  *   255.255.0.0 U 0  0   0 eth0
> loopback*   255.0.0.0   U 0  0   0 lo
> default 202.71.175.57   0.0.0.0 UG0  0   0 eth1
>
>
> Every gw option that I've tried fails. How do you setup the gw networking so
> A and B can see 192.168.1.x (and I guess therefore) they can see each other.

Looks like a routing issue to me. Off the top of my head:

route del -net 192.168.1.0/24
route add -net 192.168.1.0/24 tun0
route add -host 192.168.1.23 eth0 (for WXpA)

At least, this is what I've had to put in a script on my own laptop, for what
looks like a very similar arrangement.



Re: [SLUG] VPN solutions

2005-07-26 Thread James Fleming
> I wanted to suggest OpenVPN ( http://openvpn.net/ ), but checking the
> site briefly suggests it only runs on Windows > NT.
Very definitely not the case; I'm using it right now to secure the
wireless connection from my Fedora-powered laptop to my RedHat gateway
server (yes, I need to upgrade the gateway).
AFAIK, it runs on pretty much any kind of *nix, and is surprisingly easy
to get running.

Incidentally, if anybody has any tips for getting it to do the same
under Windows, I'd love to hear them...


Cheers,
James
-- 
Stupidity killed the cat.
Curiosity was framed.



Re: [SLUG] VPN solutions

2005-07-26 Thread Peter Hardy
On Tue, 2005-07-26 at 21:00 +0800, [EMAIL PROTECTED] wrote:
> Hi
> I need to do this for a customer:
> 
> [NT workstation 1]
>.
> [NT workstation 2]---192.168.1.x[SuSE9.3]=bridge==[adsl]..internet
>.
> [NT workstation 3]
> 
> and
> 
> internet.[adsl-router]--[NT workstation 4]
> 
> I need to establish a VPN from 4 to (1,2,3)
> I looked at http://sourceforge.net/projects/amvpn
> perfect, except a linux box at each end.
> 
> I looked at SuSE's pptpd. All in German, seems to be very complicated and 
> wants to use a modem-ppp connection.

PPTP under linux isn't really all that hard. Check out the docs at
http://www.poptop.org/ . It definitely doesn't require a ppp interface
to run the server.

> The easiest solution, a router/adsl at each end to do VPN-VPN is hard for non 
> technical reasons. Anybody please, a simple linux-vpn to windows-vpn
> both sides have internet connectivity.

I wanted to suggest OpenVPN ( http://openvpn.net/ ), but checking the
site briefly suggests it only runs on Windows > NT. Kind of a shame,
because it does everything you need, is very easy to get up and running
(I have an almost identical setup to what you describe running at home)
and I'd probably trust it more than PPTP.

I'm starting to think that PPTP might be your best option.

-- 
Pete



Re: [SLUG] VPN - help me please

2003-12-31 Thread Amanda
Quoting James Gray <[EMAIL PROTECTED]>:

> 
> 
> Amanda wrote:
> > I need someone to point me in the right direction here.
> > 
> > I need to VPN from my home machine into the network at work.
> > The work server is running Windows Server 2000 with a static IP.
> > My machine at home, which is on a network,  behind 2 firewalls, connects
> with
> > ADSL & a static IP. It runs Mandrake 9.0, & I've installed FreeSwan 1.98b.
> This
> > machine also dual-boots to windows ME. I've installed the windows vpn
> client,
> > and can connect with work just fine. So the basic networking works just
> fine.
> > 
> > Is Freeswan the right tool to use. Will FreeSwan connect to a Windows
> Server.
> > The documentation I've read so far doesn't make this clear. Should I be
> > upgrading to a more recent version of FreeSwan. Do I need to upgrade the
> Kernel?
> > 
> > I really need to get a handle on this, because soon I need to connect an
> e-smith
> > server on the Lan at work to several similar servers in our remote
> offices.
> > 
> > Thanks in advance.
> > 
> > Amanda
> 
> Have a look at http://pptpclient.sourceforge.net/
> 
> Your office network is more than probably using PPTP (aka. VPN without 
> "real" security) in which case you need to follow the steps at the URL 
> above.  This will include a kernel patch and recompile so make sure 
> you're comfortable with that.  I could send you a precompiled package 
> for Debian but you are using Mandrake - still, if you need help either 
> contact the SLUG group or me directly :)
> 
> Good luck.
> 
> --James
> 
> 
> 

I'm gonna invent a new Law; like Murphy's Law. It's called "Amanda's Law of
Serendipity". Google will magically find the needed information, 5 minutes after
posting a dumb question to the Slug list. Irrespective of how much one has
searched prior to posting.

I did eventually find http://pptpclient.sourceforge.net; and now my Mandrake box
can connect to the Lan at work.:-)

Amanda



Re: [SLUG] VPN - help me please

2003-12-31 Thread James Gray


Amanda wrote:
> I need someone to point me in the right direction here.
>
> I need to VPN from my home machine into the network at work.
> The work server is running Windows Server 2000 with a static IP.
> My machine at home, which is on a network,  behind 2 firewalls, connects with
> ADSL & a static IP. It runs Mandrake 9.0, & I've installed FreeSwan 1.98b. This
> machine also dual-boots to windows ME. I've installed the windows vpn client,
> and can connect with work just fine. So the basic networking works just fine.
>
> Is Freeswan the right tool to use. Will FreeSwan connect to a Windows Server.
> The documentation I've read so far doesn't make this clear. Should I be
> upgrading to a more recent version of FreeSwan. Do I need to upgrade the Kernel?
>
> I really need to get a handle on this, because soon I need to connect an e-smith
> server on the Lan at work to several similar servers in our remote offices.
>
> Thanks in advance.
>
> Amanda

Have a look at http://pptpclient.sourceforge.net/

Your office network is more than probably using PPTP (aka. VPN without 
"real" security) in which case you need to follow the steps at the URL 
above.  This will include a kernel patch and recompile so make sure 
you're comfortable with that.  I could send you a precompiled package 
for Debian but you are using Mandrake - still, if you need help either 
contact the SLUG group or me directly :)

Good luck.

--James



Re: [SLUG] VPN - help me please

2003-12-31 Thread Ken Foskey
On Wed, 2003-12-31 at 22:15, Kevin Saenz wrote:

> With windows what VPN technology are you playing with PPTP? ipsec? 
> Someone could correct me if I am wrong I think that default vpn
> technology is the dodgy PPTP. Freeswan talks on ipsec I doubt it can
> talk PPTP. If freeswan can talk PPTP you will need to let protocol GRE
> and tcp 1753 (if memory serves correctly) thru your 2 firewalls. 

I think you are right a quick google on the slug mailing archives would
answer this question I think.  I believe there are a few VPN
technologies available.

-- 
Thanks
KenF
OpenOffice.org developer



Re: [SLUG] VPN - help me please

2003-12-31 Thread Graham Smith
On Wed, 31 Dec 2003 20:12, Amanda wrote:
> I need someone to point me in the right direction here.
>
> I need to VPN from my home machine into the network at work.
> The work server is running Windows Server 2000 with a static IP.
> My machine at home, which is on a network,  behind 2 firewalls, connects
> with ADSL & a static IP. It runs Mandrake 9.0, & I've installed FreeSwan
> 1.98b. This machine also dual-boots to windows ME. I've installed the
> windows vpn client, and can connect with work just fine. So the basic
> networking works just fine.
>
> Is Freeswan the right tool to use. Will FreeSwan connect to a Windows
> Server. The documentation I've read so far doesn't make this clear. Should
> I be upgrading to a more recent version of FreeSwan. Do I need to upgrade
> the Kernel?
>
> I really need to get a handle on this, because soon I need to connect an
> e-smith server on the Lan at work to several similar servers in our remote
> offices.
>
> Thanks in advance.
>
> Amanda

You could try openVPN, there is a Windows binary available. It is easier to 
configure than ipsec.

http://openvpn.sourceforge.net/

-- 
Regards,

Graham Smith
-



Re: [SLUG] VPN - help me please

2003-12-31 Thread Kevin Saenz
> I need to VPN from my home machine into the network at work.
> The work server is running Windows Server 2000 with a static IP.
> My machine at home, which is on a network,  behind 2 firewalls, connects with
> ADSL & a static IP. It runs Mandrake 9.0, & I've installed FreeSwan 1.98b. This
> machine also dual-boots to windows ME. I've installed the windows vpn client,
> and can connect with work just fine. So the basic networking works just fine.
> 
With windows what VPN technology are you playing with PPTP? ipsec? 
Someone could correct me if I am wrong I think that default vpn
technology is the dodgy PPTP. Freeswan talks on ipsec I doubt it can
talk PPTP. If freeswan can talk PPTP you will need to let protocol GRE
and tcp 1753 (if memory serves correctly) thru your 2 firewalls. 

The best way to do it is any firewall is capable of doing VPN, check
with work and find out what kind of firewall they have and use it to VPN
in I would not rely on windows2000 to be too secure no matter how much
you harden it.


> Is Freeswan the right tool to use. Will FreeSwan connect to a Windows Server.
> The documentation I've read so far doesn't make this clear. Should I be
> upgrading to a more recent version of FreeSwan. Do I need to upgrade the Kernel?
> 
> I really need to get a handle on this, because soon I need to connect an e-smith
> server on the Lan at work to several similar servers in our remote offices.
> 
> Thanks in advance.
> 
> Amanda
-- 
Regards,

Kevin Saenz
 
Spinaweb
I.T consultants
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au



Re: [SLUG] VPN security issue

2003-05-29 Thread Phil Scarratt
But what's the difference between this and any normal "internet gateway" 
for a lan where Application A (eg Mozilla, Netscape, or whatever) 
connects to port 80 on internet. Add to this hosting a website and 
you've got App B connecting to port 80 on the lan.

I guess there's an inherent risk in everything like this. No risk means 
total isolation (network or otherwise - floppies, etc) - not a terribly 
practical solution.

Fil

Visser, Martin (Sydney) wrote:
Split-tunnelling always has a risk. 

Consider this "secure" scenario:-

1. You ensure that IP packets from the Internet *cannot* be forwarded to
the Office network (and vice versa). 
2. You deny all traffic except
   a. You allow application A to connect to (say) port 80 on the
Internet
   b. You allow application B to connect to (say) port 80 on the Office
network

This sounds secure, however, can you guarantee that:-

1. Application A is in fact Application A (and not some trojan), and of
course App B is App B?
OR 

2. Trojan application T isn't somehow creating a covert channel
between the Internet and the Office by effectively manipulating
information from application B to drive application A (or vice versa)?
If you can't ensure this, then you will be at risk.

I know I am exaggerating to the extreme, but this is the reason why
split-tunneling is insecure, even if you are fairly careful about
routing at the IP layer, it is very difficult to prevent application
level interaction. (That being said I imagine today people using
split-tunneling have never had a security attack, as they are unlikely
to have a trojan this smart.) 

Martin Visser ,CISSP
Network and Security Consultant 
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place 
North Ryde, Sydney NSW 2113, Australia 
Phone: +61-2-9022-1670  Mobile: +61-411-254-513
Fax: +61-2-9022-1800  E-mail: martin.visserAThp.com



-Original Message-
From: Stewart [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 29 May 2003 12:07 PM
To: [EMAIL PROTECTED]
Subject: Fwd: [SLUG] VPN security issue

i forwarded that link to a network admin friend of mine who has this to 
say fyi:


It doesn't have to be insecure, it just requires careful setup to
ensure
that incoming from the internet is controlled (ie not allowed, or 
allowed
in a completely accountable way) and that there is no capacity for 
traffic
to cross the two nets: internet <-> tunnel

The vpn product that *** offer uses a cisco client and disables 
split-tunnelling. It cannot be worked around as the client has
no local config. Start the client and it downloads its config from the
server, which cannot be changed without restarting the client...


sounds like a good way of doing it.

..S.



--
Phil Scarratt
Draxsen Technologies
IT Contractor/Consultant
0403 53 12 71
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


Re: [OT] Windows XP CIPE client WAS Re: [SLUG] VPN security issue

2003-05-29 Thread Phil Scarratt
It does now, after considerable experimenting with IP subnets and so 
on. If you want more info, let me know. I will eventually produce some 
sort of howto for Linux-Win32 CIPE connection. The linux end just worked 
(as usual). It was the Win end that really played havoc.

Basically:
- when setting up, make sure both ends of the cipe connection are on the 
same ip subnet or windows won't be able to route between them
- if you have a lan behind the redhat server(s) that needs to be 
accessible from the remote clients, make sure you choose a different 
subnet for the cipe connection ends than either the lan behind the 
redhat server or the client. This way you can add a route by hand on the 
win clients that tells it how to get to the lan subnet. This last bit is 
the issue talked about as "split tunnel". It might be better to port 
forward on the lan behind server.

Fil

Simon Wong wrote:
> On Thu, 2003-05-29 at 11:36, Phil Scarratt wrote:
> > and was wondering what people thought. I came across the article trying
> > to find a solution to changing a network route on a WinXP machine with a
> > CIPE VPN connection to a linux server so that the WinXP machine could
>
> Does the XP CIPE client work okay?
>
> I was looking at this the other day as I need to setup some VPNs between
> Windows 9x/2000/XP and Linux clients and RedHat servers.



--
Phil Scarratt
Draxsen Technologies
IT Contractor/Consultant
0403 53 12 71


[OT] Windows XP CIPE client WAS Re: [SLUG] VPN security issue

2003-05-29 Thread Simon Wong
On Thu, 2003-05-29 at 11:36, Phil Scarratt wrote:
> and was wondering what people thought. I came across the article trying 
> to find a solution to changing a network route on a WinXP machine with a 
> CIPE VPN connection to a linux server so that the WinXP machine could 

Does the XP CIPE client work okay?

I was looking at this the other day as I need to setup some VPNs between
Windows 9x/2000/XP and Linux clients and RedHat servers.


-- 
**
* Simon Wong *
**



RE: [SLUG] VPN security issue

2003-05-29 Thread Visser, Martin (Sydney)
Split-tunnelling always has a risk. 

Consider this "secure" scenario:-

1. You ensure that IP packets from the Internet *cannot* be forwarded to
the Office network (and vice versa). 
2. You deny all traffic except
   a. You allow application A to connect to (say) port 80 on the
Internet
   b. You allow application B to connect to (say) port 80 on the Office
network

This sounds secure, however, can you guarantee that:-

1. Application A is in fact Application A (and not some trojan), and of
course App B is App B?

OR 

2. Trojan application T isn't somehow creating a covert channel
between the Internet and the Office by effectively manipulating
information from application B to drive application A (or vice versa)?

If you can't ensure this, then you will be at risk.

I know I am exaggerating to the extreme, but this is the reason why
split-tunneling is insecure, even if you are fairly careful about
routing at the IP layer, it is very difficult to prevent application
level interaction. (That being said I imagine today people using
split-tunneling have never had a security attack, as they are unlikely
to have a trojan this smart.) 

Martin Visser ,CISSP
Network and Security Consultant 
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place 
North Ryde, Sydney NSW 2113, Australia 
Phone: +61-2-9022-1670  Mobile: +61-411-254-513
Fax: +61-2-9022-1800  E-mail: martin.visserAThp.com



-Original Message-
From: Stewart [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 29 May 2003 12:07 PM
To: [EMAIL PROTECTED]
Subject: Fwd: [SLUG] VPN security issue


i forwarded that link to a network admin friend of mine who has this to 
say fyi:

> It doesn't have to be insecure, it just requires careful setup to
> ensure
> that incoming from the internet is controlled (ie not allowed, or 
> allowed
> in a completely accountable way) and that there is no capacity for 
> traffic
> to cross the two nets: internet <-> tunnel
>
> The vpn product that *** offer uses a cisco client and disables 
> split-tunnelling. It cannot be worked around as the client has
> no local config. Start the client and it downloads its config from the
> server, which cannot be changed without restarting the client...

sounds like a good way of doing it.

..S.

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
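
The IP-layer half of the split-tunnelling concern in the message above can be checked mechanically. The following is an added example, not part of the original thread: a POSIX shell function that reads `route -n` style output and reports whether a default path outside the tunnel exists alongside tunnel routes. The interface name `tun0` and every address in the samples are constructed, and a clean result says nothing about the application-level interaction the message warns about.

```shell
#!/bin/sh
# Added example: classify a routing table as full-tunnel, split-tunnel or
# no-tunnel. Input is `route -n` style text on stdin; $1 is the tunnel
# interface (assumption: the VPN uses one interface, e.g. tun0).
# On a live host:  route -n | audit_routes tun0

audit_routes() {
    awk -v tun="$1" '
        # Skip the two header lines printed by route(8) and any short line.
        $1 == "Kernel" || $1 == "Destination" || NF < 4 { next }
        {
            dest = $1; mask = $3; ifc = $NF
            if (ifc == tun) tun_routes++
            # Default route (0.0.0.0/0, shown as "default" without -n)
            # that leaves through something other than the tunnel.
            if ((dest == "0.0.0.0" || dest == "default") &&
                mask == "0.0.0.0" && ifc != tun)
                def_other = 1
            # Two /1 routes via the tunnel override the default without
            # deleting it (what OpenVPN "redirect-gateway def1" installs).
            if (mask == "128.0.0.0" && ifc == tun) {
                if (dest == "0.0.0.0")   low_half = 1
                if (dest == "128.0.0.0") high_half = 1
            }
        }
        END {
            if (!tun_routes)                 print "no-tunnel"
            else if (low_half && high_half)  print "full-tunnel"
            else if (def_other)              print "split-tunnel"
            else                             print "full-tunnel"
        }
    '
}

# Constructed sample: VPN is up, but the default route still leaves via eth0.
sample_split() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
EOF
}

# Constructed sample: the old default is still listed, but the two /1 routes
# through tun0 are more specific, so all Internet traffic uses the tunnel.
sample_def1() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.51.100.7    192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
EOF
}

for sample in sample_split sample_def1; do
    printf '%-13s -> %s\n' "$sample" "$($sample | audit_routes tun0)"
done
```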


Re: [SLUG] VPN with failover

2002-08-13 Thread Howard Lowndes

Richard, a lot depends on what your basic config is.

Somehow you need to be able to determine that your primary link has failed
and whether that failure is just the VPN tunnel or the link itself and
hence also the VPN, and if so which end is at fault.

I use BP ADSL together with VPNs for a lot of my clients so I see ppp
interfaces which means that I can do ipsec, dyn dns and firewall things in
the /etc/ppp/ip-up.local and /etc/ppp/ip-down.local scripts.  If you don't
have a ppp interface then you need to think how else you can determine the
health of the links.


On Wed, 14 Aug 2002, Richard Hayes wrote:

> Dear lists,
>
> It easy enough to create VPN using FreesWan.
> With a connection between Sydney <-> Melbourne but I would like to use an
> alternate route if the link fails.
>
> My thinking is to create a script 'ppp-vpn' with the usual stuff but then if
> the link does not respond within 10 mins the box runs a scripts
> 'vpn-alternate' using a modem and changes the routing table.
>
> Are there any problems doing this?
>
> Are there any pre-written scripts that I could modify?
>
> Any other ideas or suggestions
>
> regards,
>
> Richard Hayes
>

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"Flatter government, not fatter government." - me
 Get rid of the Australian states.

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
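
One way to make the distinction described above, between a dead tunnel and a dead link, together with the ten-minute hold-down from the quoted question. This is an added example, not code from the thread; the probe addresses, the counter file and the action names other than `vpn-alternate` are assumptions.

```shell
#!/bin/sh
# Added example: tell "tunnel down" from "link down" and act only after a
# hold-down period. Addresses, file names and action names are assumptions.

# Default probe: three pings, two-second timeout each (Linux iputils ping).
probe_ping() { ping -c 3 -W 2 "$1" >/dev/null 2>&1; }
PROBE=${PROBE:-probe_ping}

# link_state <peer_public_ip> <peer_inner_ip>
#   peer_public_ip: the far gateway's Internet address (reached outside the VPN)
#   peer_inner_ip:  an address that is only reachable through the tunnel
link_state() {
    if "$PROBE" "$2"; then
        echo up
    elif "$PROBE" "$1"; then
        echo tunnel-down    # path to the peer works, so only the VPN is broken
    else
        echo link-down      # peer unreachable: our link, theirs, or the path
    fi
}

# decide <state> <counter_file> <threshold>
# Counts consecutive checks that were not "up" and prints the action to take:
#   none | wait | restart-ipsec | failover
# The action follows the most recent diagnosis once the threshold is reached.
decide() {
    state=$1 counter_file=$2 threshold=$3
    if [ "$state" = up ]; then
        echo 0 >"$counter_file"
        echo none
        return 0
    fi
    fails=$(cat "$counter_file" 2>/dev/null || echo 0)
    fails=$(( ${fails:-0} + 1 ))
    echo "$fails" >"$counter_file"
    if [ "$fails" -lt "$threshold" ]; then
        echo wait
    elif [ "$state" = tunnel-down ]; then
        echo restart-ipsec
    else
        echo failover       # caller runs the dial-up script, e.g. vpn-alternate
    fi
}

# check_once <peer_public_ip> <peer_inner_ip> <counter_file> <threshold>
# Run from cron once a minute with threshold 10 for a ten-minute hold-down.
check_once() {
    decide "$(link_state "$1" "$2")" "$3" "$4"
}

# Demonstration with a constructed probe: only the peer's public address
# answers, so the diagnosis is tunnel-down and the third check acts on it.
demo_probe() { [ "$1" = 203.0.113.10 ]; }
demo() {
    PROBE=demo_probe
    counter=$(mktemp)
    for minute in 1 2 3; do
        printf 'check %s: %s\n' "$minute" \
            "$(check_once 203.0.113.10 10.0.0.1 "$counter" 3)"
    done
    rm -f "$counter"
}
demo
```

The action is printed again on every failed check past the threshold, so whatever the caller runs for `restart-ipsec` or `failover` has to be safe to repeat.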



Re: [SLUG] VPN Win32<-->Linux?

2002-06-04 Thread Graeme Robinson

On Wed, 5 Jun 2002, Jessica Mayo wrote:

> 
> Any suggestions/pointers to docs on setting up VPNs between Linux and
> windows?

SME comes with VPN access for PPTP (MS VPN clients) built in. 128bit only.
http://www.mitel.com/products/product.cfm?p_id=76

Otherwise use SSH and its suite of tools (including SCP and port
tunnelling) for a fast and secure solution.

-=-=-==-=-=--=-=-=-=-=-=-=-=-=-=-=-=
Graeme Robinson - Graenet consulting
www.graenet.com - internet solutions
-=-=-=-=-=-=-=-=-=-=-==---=-=--=-=-=




Re: [SLUG] VPN Win32<-->Linux?

2002-06-04 Thread David Kempe

> It seems my options are:
> 1) PoPToP + Windows Dialup Networking implementations which are relatively
> insecure but easy to set up.
> 2) Freeswan and IPSEC which is secure but requires Win2K with windows high
> encryption package installed.

You can use a piece of software like Netscreen remote to get road warriors
to freeswan nicely.
works well on win98 to give them ipsec.

PPTP is a native solution for most windows OS'es

However because your sites are permanent I would strongly consider whacking
dedicated VPN boxes at each end and just having a meshed IPSEC setup to
cover it.

dave





Re: [SLUG] VPN Win32<-->Linux?

2002-06-04 Thread Jessica Mayo

On Wed, 5 Jun 2002, David Kempe wrote:
> What windows platforms exactly?
Assume win98 as base level

> What applications are going to run over the vpn?
Printer sharing and X11/LBX.

Windows is still preferred at the end site so they can run other 
applications. All sites are permanent. No 'Road Warriors' :)

Thanks to everyone who has replied so far, and google has been more
helpful today as well.

It seems my options are:
1) PoPToP + Windows Dialup Networking implementations which are relatively
insecure but easy to set up.
2) Freeswan and IPSEC which is secure but requires Win2K with windows high
encryption package installed.

Any others? Experiences?

-- Jessica Mayo.
(Everything with a Grin :)





Re: [SLUG] VPN Win32<-->Linux?

2002-06-04 Thread Tim White

I have also found 
http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
to be very helpful too


Tim White


> www.freeswan.org :)
> 
> Also, there's a heap of links in their documentation to other sites...
> 
> Extremely useful is this site:
> 
> http://vpn.ebootis.de/
> 
> I don't think I've read the docs there, but they should be good..




Re: [SLUG] VPN Win32<-->Linux?

2002-06-04 Thread Zhasper

www.freeswan.org :)

Also, there's a heap of links in their documentation to other sites...

Extremely useful is this site:

http://vpn.ebootis.de/

I don't think I've read the docs there, but they should be good..

what really rocks tho is the tool provided there that reads a config file
which is basically the same as freeswan's config for the connection, and
sets up win2k/winXP for you...

I found this particularly useful in a situation where the clients were
road warriors on winXP laptops.. rather than having to go into 16 control
panels and change 42 settings each time their IP address changed (ie, each
time they dialed up), the users were provided with a single icon on their
desktop - just connect to the net, double-click on the icon, and voila,
she is operational..

On Wed, 5 Jun 2002, Jessica Mayo wrote:

>
> Any suggestions/pointers to docs on setting up VPNs between Linux and
> windows?
>
> I haven't found googlejuice yet that has shown me anything I want, so
> I'm appealing to the wider knowledge of SLUG...
>
> I would prefer the windows end of the link to be as easily configured as
> possible, as our support people may have to do it. :)
>
> -- Jessica Mayo. (with work hat)
> (Everything with a Grin :)
>
>




Re: [SLUG] VPN Win32<-->Linux?

2002-06-04 Thread David Kempe

What windows platforms exactly?
What applications are going to run over the vpn?

dave


- Original Message - 
From: "Jessica Mayo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 05, 2002 4:00 PM
Subject: [SLUG] VPN Win32<-->Linux?


> 
> Any suggestions/pointers to docs on setting up VPNs between Linux and
> windows?
> 
> I haven't found googlejuice yet that has shown me anything I want, so
> I'm appealing to the wider knowledge of SLUG...
> 
> I would prefer the windows end of the link to be as easily configured as
> possible, as our support people may have to do it. :)
> 
> -- Jessica Mayo. (with work hat)
> (Everything with a Grin :)




Re: [SLUG] VPN on Linux

2002-02-03 Thread Howard Lowndes

Tks for that, it just illustrates how hard it is to keep up to date.

On Mon, 4 Feb 2002, Zhasper wrote:

> On Fri, 1 Feb 2002, Howard Lowndes wrote:
>
> > One caveat.  I cannot get the current release of Freeswan (1.91) to
> > compile with any kernel greater than 2.4.8
>
> The current release is actually 1.94, but the FreeS/WAN team warn you not
> to use it because it has severe flaws...
>
> They instead recommend release 1.92, which I've successfully used with
> kernel version 2.4.9 with no problems at all
>

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
 "We are either doing something, or we are not.
 'Talking about' is a subset of 'not'."

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] VPN on Linux

2002-02-03 Thread Zhasper

On Fri, 1 Feb 2002, Howard Lowndes wrote:

> One caveat.  I cannot get the current release of Freeswan (1.91) to
> compile with any kernel greater than 2.4.8

The current release is actually 1.94, but the FreeS/WAN team warn you not 
to use it because it has severe flaws...

They instead recommend release 1.92, which I've successfully used with 
kernel version 2.4.9 with no problems at all




Re: [SLUG] VPN on Linux

2002-01-31 Thread Frode Egeland

For Win9x clients who don't have IPSec capabilities, one can use PPTP.
Obviously not as secure as IPSec (FreeS/WAN uses IPSec), but not too bad.
The linux implementation of PPTP is PoPToP (http://www.poptop.de/poptop/).
There is a client floating around, too, funnily enough called pptp-linux
(http://cag.lcs.mit.edu/~cananian/Projects/PPTP/)
Hope this helps.

I would go with FreeS/WAN if possible, as PPTP is a PITA (will involve
kernel recompiles, as well as patching and recompiling pppd). Once it's up
and running, it works well enough, but avoid the pain if you can help it!
;)

Cheers,
Frode


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



RE: [SLUG] VPN on Linux

2002-01-31 Thread Chris Barnes

This is what I use. I don't have any trouble.

--

-Original Message-
From: Graeme Robinson [mailto:[EMAIL PROTECTED]] 
Sent: Friday, 1 February 2002 8:33 AM
To: Dennis M. Gray
Cc: [EMAIL PROTECTED]
Subject: Re: [SLUG] VPN on Linux

SME 5.1 (www.e-smith.com) has a subscription based offering that provides
highly simplified VPN using IPSEC.  Their network operations centre does
the key brokering, always a problem when setting up server to server VPNs.
It's not particularly cheap but it's a supported commercial solution.

On Thu, 31 Jan 2002, Dennis M. Gray wrote:

> Is anyone doing successful VPN using a Linux server? I have heard of
> CIPE but have just started researching this topic. I would appreciate
> anyone's comments.
>
> Dennis
>
> --
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug
>
>

-=-=-==-=-=--=-=-=-=-=-=-=-=-=-=-=-=
Graeme Robinson - Graenet consulting
www.graenet.com - internet solutions
-=-=-=-=-=-=-=-=-=-=-==---=-=--=-=-=

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug




Re: [SLUG] VPN on Linux

2002-01-31 Thread Howard Lowndes

VPN on Linux using Freeswan works nicely.

I have several remote sites, all with dynamic IPs connecting to the main
server site.  I also run key brokering and dynamic DNS at the server site.

If one of the remote sites changes IP (with Hel$tra ADSL that is not an
unknown event) then I have got the site to gracefully re-establish the VPN
with the new IP.

One caveat.  I cannot get the current release of Freeswan (1.91) to
compile with any kernel greater than 2.4.8

If you need consultancy work on this then pse contact me OL.

On Fri, 1 Feb 2002, Graeme Robinson wrote:

> SME 5.1 (www.e-smith.com) has a subscription based offering that provides
> highly simplified VPN using IPSEC.  Their network operations centre does
> the key brokering, always a problem when setting up server to server VPNs.
> It's not particularly cheap but it's a supported commercial solution.
>
> On Thu, 31 Jan 2002, Dennis M. Gray wrote:
>
> > Is anyone doing successful VPN using a Linux server? I have heard of
> > CIPE but have just started researching this topic. I would appreciate
> > anyone's comments.
> >
> > Dennis
> >
> > --
> > SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> > More Info: http://lists.slug.org.au/listinfo/slug
> >
> >
>
> -=-=-==-=-=--=-=-=-=-=-=-=-=-=-=-=-=
> Graeme Robinson - Graenet consulting
> www.graenet.com - internet solutions
> -=-=-=-=-=-=-=-=-=-=-==---=-=--=-=-=
>
>

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
 "We are either doing something, or we are not.
 'Talking about' is a subset of 'not'."

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] VPN on Linux

2002-01-31 Thread Graeme Robinson

SME 5.1 (www.e-smith.com) has a subscription based offering that provides
highly simplified VPN using IPSEC.  Their network operations centre does
the key brokering, always a problem when setting up server to server VPNs.
It's not particularly cheap but it's a supported commercial solution.

On Thu, 31 Jan 2002, Dennis M. Gray wrote:

> Is anyone doing successful VPN using a Linux server? I have heard of
> CIPE but have just started researching this topic. I would appreciate
> anyone's comments.
>
> Dennis
>
> --
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug
>
>

-=-=-==-=-=--=-=-=-=-=-=-=-=-=-=-=-=
Graeme Robinson - Graenet consulting
www.graenet.com - internet solutions
-=-=-=-=-=-=-=-=-=-=-==---=-=--=-=-=

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] VPN on Linux

2002-01-31 Thread Jeff Waugh



> Is anyone doing successful VPN using a Linux server? I have heard of
> CIPE but have just started researching this topic. I would appreciate
> anyone's comments.

Using FreeS/WAN, with both Linux and PGPnet clients. Just happen to be
attempting to get an XP machine connected up at the moment: Under 10 lines
of ipsec.conf configuration on the Linux side, over seven gadzillion
dialogues and clickity things, stupid concepts, and disturbing irrelevancies
on the XP side.

FreeS/WAN <--> FreeS/WAN is a snap, however.

- Jeff

-- 
   I used the word 'infrastructure' when describing her cooking style...
   and she didn't speak to me for a week.   
-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



RE: [SLUG] VPN on Linux

2002-01-31 Thread Bernhard Luder

Some people use FREESWAN


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Dennis M. Gray
Sent: Thursday, 31 January 2002 23:21
To: [EMAIL PROTECTED]
Subject: [SLUG] VPN on Linux


Is anyone doing successful VPN using a Linux server? I have heard of
CIPE but have just started researching this topic. I would appreciate
anyone's comments.

Dennis

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



RE: [SLUG] VPN/L2TP?

2001-03-08 Thread David Kempe

> I need to allow Win2k notebooks to VPN into the network via the Internet
> through a RH7 gateway. Remote users will have dynamic IP addresses and
> connect from all over the world.
>
> What is best to use? Has anyone had any experience with L2TP?
>
> I have freeswan running between sites, but can't get Win2k to work in a
> client-to-subnet arrangement - so I guess I need to use something else.

If you dig around the freeswan site there are some links to documentation
that describes how to do this.
Other than that you could run poptop and have the win2k clients connect in
PPTP mode to your RH7 server.

dave


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] VPN

2000-11-09 Thread Jamie Honan

On Fri, 10 Nov 2000, James Morris wrote:

> Please keep in mind that single DES is not considered to be secure.
> 
> This is why Free/SWAN is shipped with single DES disabled.  The reason it
> can be hacked to use single DES so easily is because the same core code is
> required for triple DES.

Anyone looking at freeswan will have this opinion pointed out
forcefully.

If the point is to get people to use increased security, then this
is actually counter-productive.

By making freeswan difficult to install and use, people will actually 
gravitate to using a Windows client and be blissfully unaware of security
concerns.

Instead if they had enabled DES and put lots of warning messages,
more people would use freeswan, and thus more people would become
aware of the security limitations of DES.

Many people have no influence over the choice of equipment they
are connecting to, no possibility of altering security policies
or practices.

For them, freeswan not having DES simply makes life harder to
avoid Windows.

Stay isolated and pure. Engage, explain and look at things from
other points of view and maybe the result will be better.

> If you've bought VPN products which only do single DES, you might as well 
> have bought boat anchors.  I'd certainly be extremely wary of any vendor 
> who has promoted these things as secure.
> 
> Please read:
> 
> http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/DES.html

Feel free to pass on.

Jamie



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] VPN

2000-11-09 Thread James Morris

On Fri, 10 Nov 2000, Jamie Honan wrote:

>
> * the stock standard freeswan won't do DES. This is only
> important because older equipment (i.e. the router at the other
> end you may have to work with) may not do the recommended 3DES.
> Cisco, for example, couldn't export 3DES till this year. (AFAIK).
> 
> The patch to freeswan to do DES is around. (It is actually in there,
> you patch it to enable it).
>

Please keep in mind that single DES is not considered to be secure.

This is why Free/SWAN is shipped with single DES disabled.  The reason it
can be hacked to use single DES so easily is because the same core code is
required for triple DES.

If you've bought VPN products which only do single DES, you might as well 
have bought boat anchors.  I'd certainly be extremely wary of any vendor 
who has promoted these things as secure.

Please read:

http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/DES.html


- James
--
James Morris
<[EMAIL PROTECTED]>




-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



RE: [SLUG] VPN

2000-11-09 Thread tom burkart

On Fri, 10 Nov 2000, Daron Barndon wrote:

> at that could cover the distance between the mountains and Sydney? I
> expect I would be over the 44 K mark although with enough height, line
> of sight to Sydney would not be a problem.
Line of sight to the mountains is pretty well out of the question.  I have
had a brush with the SWAMP project (Sydney Wollongong Area Microwave
Project) linking major universities with (usually) 32Mbit microwave
installations.  You should have seen the trouble they had to go
through...  Anyway, from the City there are at least two hops to
Penrith.  Ok, one of the hops is a drop as well, but the major hop is via
the prospect tower (for height reasons).

tom.
Consultant

AUSSEC  Phone: 61 4 1768 2202
339 Blaxland Rd., Ryde NSW 2112
Email: [EMAIL PROTECTED]



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] VPN

2000-11-09 Thread Howard Lowndes

I will confirm that.  The doco is good, the examples are sound, but you
really do need to understand the link concepts between one private network
and another.

Setting up the various tunnels becomes exponentially more complex as you
add sites and you need to plan it well beforehand.  The 4 site network I
set up just recently has a total of 21 tunnels.

-- 
Howard.
__
LANNet Computing Associates 

On Fri, 10 Nov 2000, Jamie Honan wrote:

> 
> * there is a fair bit of doco you have to read. This is fair
> enough, because there is a lot to know.
> 



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] VPN

2000-11-09 Thread Jamie Honan


> Does anyone know the status of Linux VPN? Will it talk to a
> CheckPoint Firewall-1 firewall?

I did a little googling and came up with this:

> There's a Checkpoint-to-FreeS/WAN Howto at;
> http://kubarb.phsx.ukans.edu/~tbird/vpn.html

As the various VPN howtos explain, there are various tunneling
schemes. IpSec (caps?) is the standard promoted by the IETF,
and used by Cisco and obviously checkpoint.

Freeswan is the Free Software version.

Some points about freeswan:

* it generally means patching and compiling the kernel (apparently
not SuSE - don't know about various international distros). This
is not incredibly difficult, as one of the freeswan
make options basically does everything for you bar pushing the reset
button.

* there is a fair bit of doco you have to read. This is fair
enough, because there is a lot to know.

* the stock standard freeswan won't do DES. This is only
important because older equipment (i.e. the router at the other
end you may have to work with) may not do the recommended 3DES.
Cisco, for example, couldn't export 3DES till this year. (AFAIK).

The patch to freeswan to do DES is around. (It is actually in there,
you patch it to enable it).

The nice thing about freeswan is that you can run it on
a Linux box acting as a firewall / router, and have complete
LAN - LAN connectivity. The various Windows clients will probably only
give you one machine to remote connectivity.

Jamie



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] VPN

2000-11-09 Thread Terry Collins

Daron Barndon wrote:

...snip.

> Spread spectrum wireless - now that sounds nice. Other than
> www.air.net.au, who else (other sites/manufacturers) 

http://www.x.net.au  for one place, but also look for links off my slug
wirelesslan interest page at 

http://www.woa.com.au/linux/lists/slugwireless.html 

WOOPS - hmm, somehow I've overwritten the page partially. What is worse,
this has been this way for months and no one said anything. Will get
back when it is fixed.

--
   Terry Collins {:-)}}} Ph(02) 4627 2186 Fax(02) 4628 7861  
   email: [EMAIL PROTECTED]  www: http://www.woa.com.au  
   WOA Computer Services 

 "People without trees are like fish without clean water"


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



RE: [SLUG] VPN

2000-11-09 Thread Daron Barndon

The only prob for me is that it has to work with Checkpoint FW. I do
believe it is possible, but it will require some work... :-)

Thanks

Daron

-Original Message-
From: Howard Lowndes [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 9 November 2000 11:01 PM
To: Gareth Walters
Cc: Daron Barndon; [EMAIL PROTECTED]
Subject: Re: [SLUG] VPN


I can tell you that it works a treat.  I put in a 4 site VPN with FreeSwan
a couple of months ago.  Windows boxen locked up behind Linux firewalls
communicating with each other over Freeswan IPSec.  Just make sure that
any circuitry in between understands about protocols 50 & 51.

-- 
Howard.
__
LANNet Computing Associates <http://www.lannet.com.au>

On Thu, 9 Nov 2000, Gareth Walters wrote:

> I was looking into this a little while ago..
> 
> http://www.xs4all.nl/~freeswan/
> 
> compiled it etc it looked ok. I have not needed to actually test it
> thoroughly yet (ie to a working state with another firewall) as we decided
> we didn't really need it.
> 
> Good luck
> 
> ---Gareth
> 
> - Original Message -
> From: "Daron Barndon" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, November 09, 2000 4:35 PM
> Subject: [SLUG] VPN
> 
> 
> Guys,
> Does anyone know the status of Linux VPN? Will it talk to a
> CheckPoint Firewall-1 firewall?
> 
> I am looking at the option of setting up a permanent link between the
> home office and the city office and don't like the idea of paying $25K
> plus a year for a frame link.
> 
> Alt., does anyone know of any companies that will provide a 64K+ link
> between Sydney and the lower blue mountains?
> 
> 
> 
> 
> 
> 
> 
> 



--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



RE: [SLUG] VPN

2000-11-09 Thread Daron Barndon

Investigated ISDN as well, as well as install costs there was running
costs of approx $650 a month as well, cheaper than frame but still
expensive.

Spread spectrum wireless - now that sounds nice. Other than
www.air.net.au, who else (other sites/manufacturers) could I have a look
at that could cover the distance between the mountains and Sydney? I
expect I would be over the 44 K mark although with enough height, line
of sight to Sydney would not be a problem.

Thanks

Daron

-Original Message-
From: DaZZa [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 9 November 2000 6:27 PM
To: Daron Barndon
Cc: [EMAIL PROTECTED]
Subject: Re: [SLUG] VPN


On Thu, 9 Nov 2000, Daron Barndon wrote:

> I am looking at the option of setting up a permanent link between the
> home office and the city office and don't like the idea of paying $25K
> plus a year for a frame link.

Why go frame? ISDN works fine at the data rates you're talking about.

> Alt., does anyone know of any companies that will provide a 64K+ link
> between Sydney and the lower blue mountains?

Sure. Telstra ISDN. $500 odd bucks installation {$270 each end, I think},
and probably $500 a month for the call cap {not sure of the distance
involved - you'd have to check}.

Way cheaper than $25k for frame.

Alternate - this depends _heavily_ on line of sight and distance involved -
spread spectrum wireless. 2 meg at up to 44 k's. All you pay is the
hardware and install costs - there's _no_ running costs or licensing fees
apart from electricity.

DaZZa



--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] VPN

2000-11-09 Thread Howard Lowndes

I can tell you that it works a treat.  I put in a 4 site VPN with FreeSwan
a couple of months ago.  Windows boxen locked up behind Linux firewalls
communicating with each other over Freeswan IPSec.  Just make sure that
any circuitry in between  understands about protocols 50 & 51.

-- 
Howard.
__
LANNet Computing Associates 

On Thu, 9 Nov 2000, Gareth Walters wrote:

> I was looking into this a little while ago..
> 
> http://www.xs4all.nl/~freeswan/
> 
> compiled it etc it looked ok. I have not needed to actually test it
> thoroughly yet (ie to a working state with another firewall) as we decided
> we didn't really need it.
> 
> Good luck
> 
> ---Gareth
> 
> - Original Message -
> From: "Daron Barndon" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, November 09, 2000 4:35 PM
> Subject: [SLUG] VPN
> 
> 
> Guys,
> Does anyone know the status of Linux VPN? Will it talk to a
> CheckPoint Firewall-1 firewall?
> 
> I am looking at the option of setting up a permanent link between the
> home office and the city office and don't like the idea of paying $25K
> plus a year for a frame link.
> 
> Alt., does anyone know of any companies that will provide a 64K+ link
> between Sydney and the lower blue mountains?
> 
> 
> 
> 
> 
> 
> 
> 



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
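
Howard's note above about protocols 50 and 51 refers to ESP and AH, the two IP protocols IPsec puts on the wire. As an added example (not code from the thread or from FreeS/WAN), the script below reads an iptables-save dump from a firewall in the path and reports whether ESP, AH and the IKE key exchange on UDP port 500 get through; the iptables firewall, the sample ruleset and all function names are assumptions made for the illustration.

```python
# Added example (assumes the box in the path is a Linux iptables firewall): check one
# chain of an iptables-save dump for the traffic IPsec needs.
ESP, AH, UDP = "50", "51", "17"  # IP protocol numbers
PROTO_NAMES = {"esp": ESP, "ah": AH, "udp": UDP, "tcp": "6", "all": "0"}
# traffic class -> (IP protocol, UDP destination port or None)
REQUIRED = {"ESP (protocol 50)": (ESP, None), "AH (protocol 51)": (AH, None),
            "IKE (UDP port 500)": (UDP, 500)}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample, not from the thread: IKE and ESP pass, AH only from one subnet.
SAMPLE_DUMP = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p esp -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -p 51 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse_chain(dump, chain="FORWARD"):
    """Return (default policy, rules in order) for one chain."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == ":" + chain:
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rule = {"proto": None, "dport": None, "target": None, "conditional": False}
            args = iter(tok[2:])
            for opt in args:
                if opt == "-p":
                    name = next(args, "").lower()
                    rule["proto"] = PROTO_NAMES.get(name, name)
                elif opt == "-m":
                    # "-m udp" / "-m tcp" only enable --dport; other modules add conditions
                    rule["conditional"] |= next(args, "") not in ("udp", "tcp")
                elif opt == "--dport":
                    rule["dport"] = next(args, None)
                elif opt == "-j":
                    rule["target"] = next(args, None)
                elif opt.startswith("-") or opt == "!":
                    rule["conditional"] = True  # source, interface, negation, ...
            rules.append(rule)
    return policy, rules

def port_in(spec, port):
    """True if a numeric --dport spec (None, "500" or "500:600") covers port."""
    lo, sep, hi = (spec or ":").partition(":")
    return int(lo or 0) <= port <= (int(hi or 65535) if sep else int(lo))

def verdict(policy, rules, proto, port):
    """First-match walk: (final target, True if a conditional rule may decide otherwise)."""
    maybe, final = set(), policy
    for r in rules:
        port_ok = r["dport"] is None if port is None else port_in(r["dport"], port)
        if r["proto"] not in (None, "0", proto) or not port_ok or r["target"] == "LOG":
            continue
        if r["conditional"] or r["target"] not in TERMINATING:
            maybe.add(r["target"])
            continue
        final = r["target"]
        break
    return final, bool(maybe - {final})

def audit(dump, chain="FORWARD"):
    policy, rules = parse_chain(dump, chain)
    return {name: verdict(policy, rules, *want) for name, want in REQUIRED.items()}

if __name__ == "__main__":
    for name, (target, unsure) in audit(SAMPLE_DUMP).items():
        print(name, target, "(conditional rules may differ)" if unsure else "")
```

On the constructed ruleset, AH comes out as DROP with the conditional flag set, because the only rule that accepts protocol 51 is limited to one source subnet.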



Re: [SLUG] VPN

2000-11-09 Thread Howard Lowndes

I do know that IPSec does a very good VPN on Linux, but I don't know about
working it to Checkpoint.

I put in a 4 site VPN in my neck of the woods (150 km radius) and it works
a charm.

-- 
Howard.
__
LANNet Computing Associates 

On Thu, 9 Nov 2000, Daron Barndon wrote:

> Guys,
>   Does anyone know the status of Linux VPN? Will it talk to a
> CheckPoint Firewall-1 firewall?
> 
> I am looking at the option of setting up a permanent link between the
> home office and the city office and don't like the idea of paying $25K
> plus a year for a frame link.
> 
> Alt., does anyone know of any companies that will provide a 64K+ link
> between Sydney and the lower blue mountains?
> 
> Thanks
> 
> Daron Barndon
> Systems Administrator
> BTLôôkSmart
> L7/241 Commonwealth St
> Surry Hills NSW 2010
> Australia
> 
> Phone: +6192820206
> Fax: +6192820222
> Mobile: +61416041017
> 
> E-mail: [EMAIL PROTECTED]
> 
> 
> 
> 



--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] VPN

2000-11-08 Thread DaZZa

On Thu, 9 Nov 2000, Daron Barndon wrote:

> I am looking at the option of setting up a permanent link between the
> home office and the city office and don't like the idea of paying $25K
> plus a year for a frame link.

Why go frame? ISDN works fine at the data rates you're talking about.

> Alt., does anyone know of any companies that will provide a 64K+ link
> between Sydney and the lower blue mountains?

Sure. Telstra ISDN. $500 odd bucks installation {$270 each end, I think},
and probably $500 a month for the call cap {not sure of the distance
involved - you'd have to check}.

Way cheaper than $25k for frame.

Alternate - this depends _heavily_ on line of sight and distance involved -
spread spectrum wireless. 2 meg at up to 44 k's. All you pay is the
hardware and install costs - there's _no_ running costs or licensing fees
apart from electricity.

DaZZa



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



RE: [SLUG] VPN

2000-11-08 Thread Daron Barndon

Thanks - I will be testing this software over the w/e.

Daron

-Original Message-
From: Gareth Walters [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 9 November 2000 4:56 PM
To: Daron Barndon; [EMAIL PROTECTED]
Subject: Re: [SLUG] VPN


I was looking into this a little while ago..

http://www.xs4all.nl/~freeswan/

compiled it etc it looked ok. I have not needed to actually test it
thoroughly yet (ie to a working state with another firewall) as we decided
we didn't really need it.

Good luck

---Gareth

- Original Message -
From: "Daron Barndon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 09, 2000 4:35 PM
Subject: [SLUG] VPN


Guys,
Does anyone know the status of Linux VPN? Will it talk to a
CheckPoint Firewall-1 firewall?

I am looking at the option of setting up a permanent link between the
home office and the city office and don't like the idea of paying $25K
plus a year for a frame link.

Alt., does anyone know of any companies that will provide a 64K+ link
between Sydney and the lower blue mountains?







--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] VPN

2000-11-08 Thread Gareth Walters

I was looking into this a little while ago..

http://www.xs4all.nl/~freeswan/

compiled it etc it looked ok. I have not needed to actually test it
thoroughly yet (ie to a working state with another firewall) as we decided
we didn't really need it.

Good luck

---Gareth

- Original Message -
From: "Daron Barndon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 09, 2000 4:35 PM
Subject: [SLUG] VPN


Guys,
Does anyone know the status of Linux VPN? Will it talk to a
CheckPoint Firewall-1 firewall?

I am looking at the option of setting up a permanent link between the
home office and the city office and don't like the idea of paying $25K
plus a year for a frame link.

Alt., does anyone know of any companies that will provide a 64K+ link
between Sydney and the lower blue mountains?







-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug