On Mon, 1 Sep 2003, Rafael 'Dido' Sevilla wrote:
> On Mon, Sep 01, 2003 at 02:28:29PM +0800, cedie boyet
alben benavente alteza EL wrote:
> > Good day to all!!
> > What do you recommend as a VPN server? I only know FreeS/WAN but I heared
> > there still problems with kernel 2.4.18-14 which is the current Redhat linux
> > installed in my gateway. I only seen kernel pacth for 2.4.18-3.
> > My clients would be, mobile clients and network clients.
> > Any suggestion?
> That's it. Roll a custom kernel then, don't feel confined to 2.4.18-3
> unless there is a REAL need (e.g. naghahabol ka ng certification sa
> Oracle). CIPE, well it's not exactly easier to set up than FreeS/WAN in
> my experience, and you WILL need to compile a custom kernel to do it.
> I simply cannot recommend the use of PPP over SSH, because of latency
> issues (but it is acceptable in my mind to do so for a quick and dirty
> setup). Don't even get started on PPTP... If you want to stick to the
> binary kernels your distribution provides your choices are sorely
> If security is your prime concern, then I think FreeS/WAN is really the
> only way to go.
Rather than rolling with a custom kernel (and all the
associated with it), i chose to stick with a totally userland VPN
implementation, and it can be found at
It's udp based, openssl-based, uses the ethertap device, and
agnostic to kernels as long as it support the tap/tun interface. I've
been using it in production for almost two years now.
The maintainer is also very patient, given the types of
kinds of software entail.
On Wed, 27 Mar 2002, Federico Sevilla III wrote:
> So I checked out the webpage of tinc <http://tinc.nl.linux.org>
> recommended by Ian Sison. Interestingly it seems to be purely in userland!
> Does anyone aside from Ian use tinc? Or perhaps would anyone have negative
> feedback about it?
Userland it is, and performs quite well. It's unlike
point-to-point VPNs, in that its tap device acts like an _ethernet_
device wherin all points connected to the VPN appear to be hooked up to
the same "ethernet" bus... So no more routing gymnastics needed.
It's also a lot faster than the traditional ppp over ssh type
but being purely userland does consume some CPU cycles (it averages 3+ CPU
in top)... but it doesn't matter, as my router is totally PC/Linux based
anyway (even got a V.35 adapter).
> I think I'll play around with tinc this summer. I'll let the group now
> about how things go. :)
If you have problems, the main developer, Guus Slippen, is
approachable, and _very_ patient. I guess he is used to supporting this
kind of application, wherein there's loads of 'context' information that
should be explained (aside from the usual kernel, distro, routing
tables... etc.) before the usual, 'I can't ping the other side'
Good luck! I have my tinc running in production (yun nga lang
a CVS mod of pre4... I actually found a bug in pre4!)
On Tue, 26 Mar 2002 at 12:28, Rick Moen wrote:
> Yes, that's what I've found, too. Be careful about upgrades, though,
> since FreeS/WAN is extremely kernel-dependent. I would recommend having
> dedicated VPN boxes on both sides, and leaving them alone as much as
This is actually a small irk I have with FreeS/WAN. I use XFS,
and as such
more-or-less follow the CVS tree of XFS for various fixes.
So I checked out the webpage of tinc <http://tinc.nl.linux.org>
recommended by Ian Sison. Interestingly it seems to be purely in userland!
Does anyone aside from Ian use tinc? Or perhaps would anyone have negative
feedback about it?
I think I'll play around with tinc this summer. I'll let the
about how things go. :)
Federico Sevilla III : <http://jijo.free.net.ph/>
Network Administrator : The Leather Collection, Inc.
GnuPG Key Fingerprint : 0x93B746BE
From rick Wed Dec 11 20:09:57 2002
Date: Wed, 11 Dec 2002 20:09:57 -0800
Subject: Re: [ILUG] VPN Networks
Quoting Stephen Shirley (firstname.lastname@example.org):
> On Wed, Dec 11, 2002 at 02:21:41PM +0000, Ronan Waide wrote:
>> Also, there's the PPTP stuff, which is Windows' "native" VPN tool. I
>> believe PoPToP is the name of the Linux server implementation.
> Not highly regarded (read: insecure), so don't use for important
I'm glad you said that, rather than me. When I said pretty
exact same thing on the Silicon Valley Linux User Group's mailing list,
I got flamed up one side and down the other as simultaneously
"ignorant", "wrong", and "elitist". But here's some ammunition:
Cheers, Right to keep and bear
Rick Moen Haiku shall not be abridged
email@example.com Or denied. So there.
On Thursday 12 December 2002 10:37, Ronan Waide wrote:
> On December 12, firstname.lastname@example.org said:
>> Thing is thought that using MPPE will make your connection secured is
>> the security problem that they refer to at the end the crap security in
>> the windows sam files ?
> Not really, other than that it shares the authentication method of the
> various windows security hives. It's a brute-force attack on the
> password, having retrieved the password hash off the wire. It's
> similar in technique to brute-forcing /etc/password.
>> But if the clients are windows thats something that you will be used to
>> though ?
> I'm not really sure what this comment is meant to imply - that you
> should disregard security if you're used to insecurity?
>> Is the advantage then with ipsec that the keys are encrypted using
>> industry standard symetric encryption with a passphrase ?
> Yes and no. FreeSWAN, an IPSEC implementation, forces security on you
> to a certain extent because they've basically refused to implement the
> a few of the less secure options. IPSEC on a Cisco router can be set
> to use e.g. single instead of triple DES. And if you use Shared Secret
> keying, you're opening yourself up in a differnet way. The main
> difference between PPTP and IPSEC from an attacker's point of view is
> - as I understand it, note - that it's a lot harder to get at the
> equivalent of a password hash in an IPSEC session.
I just found some more specific info on why mppe isn't great