Old 11-24-2010, 04:46 PM
Bill Campbell
 
Default Optimal VPN

On Wed, Nov 24, 2010, nux@li.nux.ro wrote:
>tony.chamberlain@lemko.com writes:
>>
>> I am looking for the optimal VPN. Well it doesn't have to be that elaborate.
>> Just the best VPN. We currently have some customers using PPTP, some using
>> openvpn, some using Cisco Any Connect and there are a few others.
>>
>> So my question is, if you have control of both ends (client and server)
>> what is the best VPN to use? There are not too many requirements, but a
>> big one is
>>
>> The VPN must return the same IP address to the same user each time
>>
>> That is there must be a specific IP address assigned to a user/password
>> combination. pptp does not really do this but I wrote sort of a backend
>> (or maybe frontend? ;-) ) to change the IP address assigned based on a
>> login and password. It is extra stuff I would prefer not to do though.
>
>OpenVPN can do that (see their commercial solution as well).

We use OpenVPN for most things, and pptp (poptop) for connections
where the OpenVPN clients aren't available (e.g. iPad, iPhone,
iPod Touch).

Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186 Skype: jwccsllc (206) 855-5792

"In free governments the rulers are the servants, and the people their
superiors & sovereigns." -- Benjamin Franklin
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 11-24-2010, 04:48 PM
John Hodrien
 
Default Optimal VPN

On Wed, 24 Nov 2010, Bill Campbell wrote:

> We use OpenVPN for most things, and pptp (poptop) for connections
> where the OpenVPN clients aren't available (e.g. iPad, iPhone,
> iPod Touch).

Is there anything to make you choose pptp over IPSec? There are a number of
issues with PPTP that'd make me push it down my list of ideal VPNs.

jh
 
Old 11-24-2010, 05:05 PM
Bill Campbell
 
Default Optimal VPN

On Wed, Nov 24, 2010, John Hodrien wrote:
>On Wed, 24 Nov 2010, Bill Campbell wrote:
>
>> We use OpenVPN for most things, and pptp (poptop) for connections
>> where the OpenVPN clients aren't available (e.g. iPad, iPhone,
>> iPod Touch).
>
>Is there anything to make you choose pptp over IPSec? There are a number of
>issues with PPTP that'd make me push it down my list of ideal VPNs.

Yup. I've never been able to get IPSec and OpenVPN working
together on a Linux box. Perhaps it's brain-fade on my part, but
I have spent quite a bit of time trying.

I have read that the original arguments about kindergarten
cryptography from Microsoft in PPTP are not as valid as they once
were, and we're not running it from Windows clients in any case,
they're all using OpenVPN clients.

The only place I'm currently running PPTP is from my iPad with
iSSH to connect to our network. Any other connections I might
need to make from the iPad are done with another ssh connection
that originates from our LAN, not direct from the iPad. Other
connections via the PPTP VPN are encrypted IMAP/SMTP connections
to servers on the private side of our network.

Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186 Skype: jwccsllc (206) 855-5792

Microsoft IIS has more holes than a wheel of Swiss Cheese after a shotgun
blast -- John Dvorak
 
Old 11-24-2010, 06:54 PM
Nico Kadel-Garcia
 
Default Optimal VPN

On Wed, Nov 24, 2010 at 12:48 PM, John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
> On Wed, 24 Nov 2010, Bill Campbell wrote:
>
>> We use OpenVPN for most things, and pptp (poptop) for connections
>> where the OpenVPN clients aren't available (e.g. iPad, iPhone,
>> iPod Touch).
>
> Is there anything to make you choose pptp over IPSec? There are a number of
> issues with PPTP that'd make me push it down my list of ideal VPNs.

From personal experience, it's lighter weight to set up on the server,
it's compatible with Windows clients' built-in VPN clients without
emotional pain or trauma, it doesn't require awkward client setups of
third party components, and it keeps you away from the very expensive
and so feature-filled, it's useless mongolian !@#$!@$#! that is the
Cisco tool suite.
 
Old 11-24-2010, 08:16 PM
Eero Volotinen
 
Default Optimal VPN

2010/11/24 Nico Kadel-Garcia <nkadel@gmail.com>:
> On Wed, Nov 24, 2010 at 12:48 PM, John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
>> On Wed, 24 Nov 2010, Bill Campbell wrote:
>>
>>> We use OpenVPN for most things, and pptp (poptop) for connections
>>> where the OpenVPN clients aren't available (e.g. iPad, iPhone,
>>> iPod Touch).
>>
>> Is there anything to make you choose pptp over IPSec? There are a number of
>> issues with PPTP that'd make me push it down my list of ideal VPNs.
>
> From personal experience, it's lighter weight to set up on the server,
> it's compatible with Windows clients' built-in VPN clients without
> emotional pain or trauma, it doesn't require awkward client setups of
> third party components, and it keeps you away from the very expensive
> and so feature-filled, it's useless mongolian !@#$!@$#! that is the
> Cisco tool suite.

Remember to avoid the pptp protocol, because it's usually a pain in the ..

--
Eero
 
Old 11-24-2010, 08:34 PM
Nataraj
 
Default Optimal VPN

tony.chamberlain@lemko.com wrote:
> I am looking for the optimal VPN. Well it doesn't have to be that elaborate.
> Just the best VPN. We currently have some customers using PPTP, some using
> openvpn, some using Cisco Any Connect and there are a few others.
>
> So my question is, if you have control of both ends (client and server)
> what is the best VPN to use? There are not too many requirements, but a
> big one is
>
> The VPN must return the same IP address to the same user each time
>
> That is there must be a specific IP address assigned to a user/password
> combination. pptp does not really do this but I wrote sort of a backend
> (or maybe frontend? ;-) ) to change the IP address assigned based on a
> login and password. It is extra stuff I would prefer not to do though.
My sense is that openvpn is the easiest to configure, the most robust
and fault tolerant, as far as keeping connections up and reestablishing
failed connections. The downside of openvpn is incompatibility with
most mobile devices, not relevant if you are able to install openvpn
clients. You can configure fixed IP addresses using either the ccd
files or the client-connect script.

Based on other discussions on the list my recollection is that IPSEC
provides better performance if you need GigE or better data rates on
your VPNs. My sense is that IPSEC may be more difficult to configure
and less robust at keeping connections up, but this has probably
improved in recent years.

The main advantage to pptp that I see is compatibility with mobile
devices. A disadvantage of PPTP, as far as I know it cannot easily be
tunneled through something like a linux firewall because it uses
non-standard protocol packets (not TCP/UDP).

Both OPENVPN and IPSEC can easily be tunneled through most firewalls.

Though I have not researched this extensively, just based on watching
list of security updates that get released for Centos, Fedora etc, it
seems that OPENVPN has had very few security issues. I have definitely
seen a few for strongswan and openswan (both are IPSEC
implementations). Again this is just gut feeling, not the result of any
investigation. I do note though that OPENVPN runs easily in a chroot
environment, just by enabling options in the config file. I'm not sure
if openswan or strongswan can do this.

Nataraj
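
The client-connect route to a fixed address per user mentioned above, as an added example that is not part of the original thread or the OpenVPN project's code. The script path, map file name, map format and addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: OpenVPN client-connect hook that pins one tunnel IP per user.
# Assumed server config lines (the script path is hypothetical):
#   topology subnet
#   script-security 2
#   client-connect /etc/openvpn/pin-ip.sh
# Assumed map file format, one entry per line: "<user> <ipv4>"
MAP_FILE="${MAP_FILE:-/etc/openvpn/static-ips.map}"
NETMASK="${NETMASK:-255.255.255.0}"

# valid_ipv4 ADDR: succeed only for four dot-separated octets in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# lookup_ip USER: print the pinned address, or fail if the user is unknown,
# listed twice, has a malformed address, or shares it with another user.
lookup_ip() {
    case $1 in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    ip=$(awk -v u="$1" '$1 == u { print $2; n++ } END { exit (n == 1 ? 0 : 1) }' \
        "$MAP_FILE") || return 1
    valid_ipv4 "$ip" || return 1
    owners=$(awk -v a="$ip" '$2 == a { n++ } END { print n + 0 }' "$MAP_FILE")
    [ "$owners" -eq 1 ] || return 1
    printf '%s\n' "$ip"
}

# write_push USER OUTFILE: emit the directive OpenVPN reads back from OUTFILE.
write_push() {
    pinned=$(lookup_ip "$1") || return 1
    printf 'ifconfig-push %s %s\n' "$pinned" "$NETMASK" > "$2"
}

if [ "${script_type:-}" = client-connect ]; then
    # Run by OpenVPN: $1 is its temp file; a non-zero exit rejects the client.
    write_push "${username:-$common_name}" "$1" || exit 1
else
    # Stand-alone demo on a constructed map (not real users or addresses).
    MAP_FILE=$(mktemp); out=$(mktemp)
    printf '%s\n' 'alice 10.8.0.10' 'bob 10.8.0.11' 'carol 10.8.0.11' > "$MAP_FILE"
    for u in alice bob mallory; do
        if write_push "$u" "$out"; then cat "$out"; else echo "reject $u"; fi
    done
fi
```

Keep the pinned addresses out of any range the server also hands out dynamically, so a pinned address is never already held by another client.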
 
Old 11-24-2010, 08:41 PM
Eero Volotinen
 
Default Optimal VPN

> Based on other discussions on the list my recollection is that IPSEC
> provides better performance if you need GigE or better data rates on
> your VPNs. My sense is that IPSEC may be more difficult to configure
> and less robust at keeping connections up, but this has probably
> improved in recent years.

ipsec is usually too complex .. for anything else than site to site
tunneled connections.

>
> The main advantage to pptp that I see is compatibility with mobile
> devices. A disadvantage of PPTP, as far as I know it cannot easily be
> tunneled through something like a linux firewall because it uses
> non-standard protocol packets (not TCP/UDP).
>

Well, at least Linux supports pptp connection tracking, but some poor
firewalls do not.


--
Eero
 
Old 11-25-2010, 12:12 PM
 
Default Optimal VPN

-----Original Message-----
My sense is that openvpn is the easiest to configure, the most robust and fault tolerant, as far as keeping connections up and reestablishing failed connections. The downside of openvpn is incompatibility with most mobile devices, not relevant if you are able to install openvpn clients. You can configure fixed IP addresses using either the ccd files or the client-connect script.

Based on other discussions on the list my recollection is that IPSEC provides better performance if you need GigE or better data rates on your VPNs. My sense is that IPSEC may be more difficult to configure and less robust at keeping connections up, but this has probably improved in recent years.

The main advantage to pptp that I see is compatibility with mobile devices. A disadvantage of PPTP, as far as I know it cannot easily be tunneled through something like a linux firewall because it uses non-standard protocol packets (not TCP/UDP).

Both OPENVPN and IPSEC can easily be tunneled through most firewalls.

Though I have not researched this extensively, just based on watching list of security updates that get released for Centos, Fedora etc, it seems that OPENVPN has had very few security issues. I have definitely seen a few for strongswan and openswan (both are IPSEC implementations). Again this is just gut feeling, not the result of any investigation. I do note though that OPENVPN runs easily in a chroot environment, just by enabling options in the config file. I'm not sure if openswan or strongswan can do this.

Nataraj


Hi,

If you don't use any fancy features, OpenVPN is rather easy to set up.
Additional effort is needed with:
-certificates
-routing
-smartcards

Exactly _the same troubles_ you will encounter with ipsec (though I have only used it with strongswan).

If it is only master/slave configuration, openvpn will do, for a more complex topology (meshed) consider ipsec.
Will you be confronted with IPv6 in the (not so) near future? Forget OpenVPN, it is still beta there, while it has been implemented in strongswan for ages, and part of their standard test plan.
Furthermore, openvpn is only compatible with openvpn, while using ipsec you might be able to connect to other boxes.
If you can install software on both ends, openvpn is available for many platforms.

hw

 
Old 11-30-2010, 01:49 PM
Ben McGinnes
 
Default Optimal VPN

On 25/11/10 4:07 AM, tony.chamberlain@lemko.com wrote:
>
>
> I am looking for the optimal VPN. Well it doesn't have to be that elaborate.
> Just the best VPN. We currently have some customers using PPTP, some using
> openvpn, some using Cisco Any Connect and there are a few others.

Be careful with the Cisco VPN solutions. Cisco's VPN client is
notoriously bad at handling 64-bit architecture and frequently induces
kernel panics (I've seen this in both Linux and OS X systems).

> So my question is, if you have control of both ends (client and server)
> what is the best VPN to use? There are not too many requirements, but a
> big one is

I'd go for OpenVPN, it's free and widely supported across multiple
platforms.

> The VPN must return the same IP address to the same user each time
>
> That is there must be a specific IP address assigned to a user/password
> combination. pptp does not really do this but I wrote sort of a backend
> (or maybe frontend? ;-) ) to change the IP address assigned based on a
> login and password. It is extra stuff I would prefer not to do though.

RADIUS can assign a specific IP to a given user, but let OpenVPN
handle the encryption.


Regards,
Ben

 
Old 12-09-2010, 02:30 PM
David Sommerseth
 
Default Optimal VPN

On 25/11/10 14:12, J.Witvliet@mindef.nl wrote:
[...snip...]
> Will you be confronted with IPv6 in the (not so) near future? Forget
> OpenVPN, it is still beta there, while it has been implemented in
> strongswan for ages, and part of their standard test plan.

Okay, I'll admit up-front I'm biased, as I am involved in the OpenVPN
project. But I can provide some info here.

IPv6 is currently in the development tree. I'm using it on my personal
equipment now, using IPv6 over TUN interface between an OpenWRT router
and a Linux "road warrior" client. I'm also looking for how to get this
code base compiled for maemo5 as well. Early next year, I'm going to
run this development code on a couple of production boxes as well.

Another developer (the guy who implemented the IPv6 support) is also
using this IPv6 implementation in a bigger environment too.

We're currently in the end of the beta round for OpenVPN-2.2 and will
release a RC version around Christmas. The full release will come
sometime around January. That code base is without IPv6. (2.2 is
basically a bigger bugfix release with a couple of new features)

The 2.3-beta round is scheduled sometime around February/March, with a
release slated for late summer 2011. This release will include IPv6
support, both for transport (connect/listen/bind to IPv6 addresses) and
payload (IPv6 over tun and tap via tunnel with IPv6 client configuration
support).

<http://thread.gmane.org/gmane.network.openvpn.devel/4221>

But for early adopters ... the current development code is stable enough
for daily usage without too much trouble. And we would like to see
more people testing out this code.

<https://community.openvpn.net/openvpn/wiki/TesterDocumentation>

> Furthermore, openvpn is only compatible with openvpn, while using ipsec you might be able to connect to other boxes.

That is mostly true, except for those vendors adding their own
proprietary extensions to their ipsec implementations ... thus making it
a vendor lock-in again.

"That's the wonderful thing about standards,
everyone can have their own"
- unknown


kind regards,

David Sommerseth

 

All times are GMT.