Date: Mon, 1 Sep 2003 16:30:18 +0800 (PHT)
From: "ian sison (mailing list)" ian.s@qsr.com.ph
To: Philippine Linux Users Group Mailing List plug@lists.q-linux.com
Subject: Re: [plug] Best VPN server?
On Mon, 1 Sep 2003, Rafael 'Dido' Sevilla wrote:
> On Mon, Sep 01, 2003 at 02:28:29PM +0800, cedie boyet alben benavente alteza EL wrote:
> >
> > Good day to all!!
> >
> > What do you recommend as a VPN server? I only know FreeS/WAN but I heard
> > there are still problems with kernel 2.4.18-14, which is the current Redhat
> > Linux installed in my gateway. I have only seen a kernel patch for 2.4.18-3.
> >
> > My clients would be mobile clients and network clients.
> >
> > Any suggestion?
>
> That's it. Roll a custom kernel then, don't feel confined to 2.4.18-3 unless
> there is a REAL need (e.g. you're chasing an Oracle certification). CIPE,
> well it's not exactly easier to set up than FreeS/WAN in my experience, and
> you WILL need to compile a custom kernel to do it. I simply cannot recommend
> the use of PPP over SSH, because of latency issues (but it is acceptable in
> my mind to do so for a quick and dirty setup). Don't even get started on
> PPTP... If you want to stick to the binary kernels your distribution provides
> your choices are sorely limited.
>
> If security is your prime concern, then I think FreeS/WAN is really the only
> way to go.
>
Rather than rolling with a custom kernel (and all the complications associated
with it), I chose to stick with a totally userland VPN implementation, and it
can be found at
It's UDP based, OpenSSL-based, uses the ethertap device, and totally agnostic
to kernels as long as they support the tap/tun interface. I've been using it in
production for almost two years now.
The maintainer is also very patient, given the types of problems these kinds of
software entail.
From: "Ian C. Sison" ian.s@qsr.com.ph
To: "plug@lists.q-linux.com" plug@lists.q-linux.com
Subject: Re: [plug] VPN Howto ?
Date: Wed, 27 Mar 2002 10:56:45 +0800 (PHT)
On Wed, 27 Mar 2002, Federico Sevilla III wrote:
> So I checked out the webpage of tinc <http://tinc.nl.linux.org> which was
> recommended by Ian Sison. Interestingly it seems to be purely in userland!
> Does anyone aside from Ian use tinc? Or perhaps would anyone have negative
> feedback about it?
Userland it is, and performs quite well. It's unlike traditional point-to-point
VPNs, in that its tap device acts like an _ethernet_ device wherein all points
connected to the VPN appear to be hooked up to the same "ethernet" bus... So no
more routing gymnastics needed.
It's also a lot faster than the traditional ppp over ssh type of VPNs.. but
being purely userland does consume some CPU cycles (it averages 3+ CPU in
top)... but it doesn't matter, as my router is totally PC/Linux based anyway
(even got a V.35 adapter).
> I think I'll play around with tinc this summer. I'll let the group know
> about how things go. :)
If you have problems, the main developer, Guus Slippen, is quite approachable,
and _very_ patient. I guess he is used to supporting this kind of application,
wherein there's loads of 'context' information that should be explained (aside
from the usual kernel, distro, routing tables... etc.) before the usual 'I
can't ping the other side' question.
Good luck! I have my tinc running in production (it's just that I'm using a CVS
mod of pre4... I actually found a bug in pre4!)
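What the switch-mode setup Ian describes looks like on disk, as an added example that is not from the list posts or the tinc project: a POSIX shell function that writes the configuration directory for one tinc node. The syntax is tinc 1.0-style; the network name `vpn`, the node names, the addresses and the `/dev/net/tun` path are assumptions, and key generation (`tincd -n vpn -K`) is mentioned in comments but not run.

```shell
#!/bin/sh
# Added example (not from the list thread or the tinc project): builds the
# configuration directory for one node of a switch-mode tinc VPN.
# Assumed: tinc 1.0-style config syntax, /dev/net/tun, and the names below.
set -eu

# make_tinc_node <confroot> <netname> <nodename> <vpn-ip> <public-addr|""> <connect-to|"">
#   confroot     where tinc looks for networks (normally /etc/tinc)
#   public-addr  empty for a mobile client that others cannot reach directly
#   connect-to   name of the node this one dials out to (empty on the server side)
make_tinc_node() {
    root=$1; net=$2; node=$3; vpnip=$4; pubaddr=$5; peer=$6
    dir="$root/$net"
    mkdir -p "$dir/hosts"

    # tinc.conf: Mode = switch makes the tap interface behave like a port on a
    # shared Ethernet segment. tincd learns MAC addresses like a switch, so the
    # "routing gymnastics" of point-to-point tunnels (a route per peer) go away.
    {
        echo "Name = $node"
        echo "Mode = switch"
        echo "Device = /dev/net/tun"
        echo "Interface = $net"
        if [ -n "$peer" ]; then
            echo "ConnectTo = $peer"
        fi
    } > "$dir/tinc.conf"

    # hosts/<node>: the public half of this node's identity. Every other node
    # gets a copy of this file; "tincd -n $net -K" (not run here) appends the
    # RSA public key to it and writes the private key to rsa_key.priv.
    {
        if [ -n "$pubaddr" ]; then
            echo "Address = $pubaddr"
        fi
        echo "Port = 655"
    } > "$dir/hosts/$node"

    # tinc-up: run by tincd once the tap device exists; INTERFACE is exported
    # by tincd. One flat subnet for the whole "ethernet" bus, no per-peer routes.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ifconfig \$INTERFACE $vpnip netmask 255.255.255.0
EOF
    chmod 755 "$dir/tinc-up"
}

# Demo: a gateway with a fixed address and a mobile client that dials it.
# Written to a scratch directory so the script is safe to run as-is; on the
# real boxes use /etc/tinc as <confroot> and exchange the hosts/ files.
demo=$(mktemp -d)
make_tinc_node "$demo/gateway" vpn gateway 10.99.0.1 203.0.113.10 ""
make_tinc_node "$demo/laptop"  vpn laptop  10.99.0.2 ""           gateway
cp "$demo/gateway/vpn/hosts/gateway" "$demo/laptop/vpn/hosts/"
cp "$demo/laptop/vpn/hosts/laptop"   "$demo/gateway/vpn/hosts/"
echo "configs written under $demo"
```

The hosts files carry only public data (address, port, public key), so they can be copied around freely; the private key stays on its own node. Because the mobile client has no fixed address, its hosts file has no `Address` line and it is the side that sets `ConnectTo`.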
From: Federico Sevilla III jijo@free.net.ph
To: "plug@lists.q-linux.com" plug@lists.q-linux.com
Subject: Re: [plug] VPN Howto ?
Date: Wed, 27 Mar 2002 09:11:51 +0800 (PHT)
On Tue, 26 Mar 2002 at 12:28, Rick Moen wrote:
> Yes, that's what I've found, too. Be careful about upgrades, though, since
> FreeS/WAN is extremely kernel-dependent. I would recommend having dedicated
> VPN boxes on both sides, and leaving them alone as much as possible.
This is actually a small irk I have with FreeS/WAN. I use XFS, and as such
more-or-less follow the CVS tree of XFS for various fixes.
So I checked out the webpage of tinc <http://tinc.nl.linux.org> which was
recommended by Ian Sison. Interestingly it seems to be purely in userland!
Does anyone aside from Ian use tinc? Or perhaps would anyone have negative
feedback about it?
I think I'll play around with tinc this summer. I'll let the group know about
how things go. :)
--> Jijo
--
Federico Sevilla III : <http://jijo.free.net.ph/>
Network Administrator : The Leather Collection, Inc.
GnuPG Key Fingerprint : 0x93B746BE
From rick Wed Dec 11 20:09:57 2002
Date: Wed, 11 Dec 2002 20:09:57 -0800
To: ilug@linux.ie
Subject: Re: [ILUG] VPN Networks
User-Agent: Mutt/1.4i
Quoting Stephen Shirley (diamond@skynet.ie):
> On Wed, Dec 11, 2002 at 02:21:41PM +0000, Ronan Waide wrote:
>
>> Also, there's the PPTP stuff, which is Windows' "native" VPN tool. I
>> believe PoPToP is the name of the Linux server implementation.
>
> Not highly regarded (read: insecure), so don't use for important stuff.
I'm glad you said that, rather than me. When I said pretty much the exact same
thing on the Silicon Valley Linux User Group's mailing list, I got flamed up
one side and down the other as simultaneously "ignorant", "wrong", and
"elitist". But here's some ammunition:
http://www.counterpane.com/pptp.html
--
Cheers,                    Right to keep and bear
Rick Moen                  Haiku shall not be abridged
rick@linuxmafia.com        Or denied. So there.
From: bryan hunt bryan.hunt@ossidian.com
Organization: na
To: ilug@linux.ie
Subject: Re: [ILUG] VPN Networks
User-Agent: KMail/1.4.3
Date: Thu, 12 Dec 2002 11:19:33 +0000
On Thursday 12 December 2002 10:37, Ronan Waide wrote:
> On December 12, bryan.hunt@ossidian.com said:
>> Thing is though that using MPPE will make your connection secured; is
>> the security problem that they refer to at the end the crap security in
>> the windows sam files ?
>
> Not really, other than that it shares the authentication method of the
> various windows security hives. It's a brute-force attack on the password,
> having retrieved the password hash off the wire. It's similar in technique
> to brute-forcing /etc/password.
>
>> But if the clients are windows that's something that you will be used to
>> though ?
>
> I'm not really sure what this comment is meant to imply - that you should
> disregard security if you're used to insecurity?
>
>> Is the advantage then with ipsec that the keys are encrypted using
>> industry standard symmetric encryption with a passphrase ?
>
> Yes and no. FreeSWAN, an IPSEC implementation, forces security on you to a
> certain extent because they've basically refused to implement a few of the
> less secure options. IPSEC on a Cisco router can be set to use e.g. single
> instead of triple DES. And if you use Shared Secret keying, you're opening
> yourself up in a different way. The main difference between PPTP and IPSEC
> from an attacker's point of view is - as I understand it, note - that it's
> a lot harder to get at the equivalent of a password hash in an IPSEC
> session.
I just found some more specific info on why mppe isn't great
http://packetstormsecurity.nl/9902-exploits/pptp.revisited.txt
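The attack Ronan sketches above (capture the challenge/response off the wire, brute-force the password offline, and from it get the MPPE key) modelled in Python, as an added example that is not code from the thread or from the Schneier/Mudge papers linked in it. It keeps the structure that makes PPTP's MS-CHAP weak but swaps in stdlib primitives for the real ones: SHA-256 stands in for the unsalted MD4 NT hash, HMAC-SHA-256 for the DES-based challenge response, and a hash of the password hash for the MPPE key derivation. The wordlist, the victim's password and the "captured" challenge are constructed for the example.

```python
"""Offline dictionary attack on a captured challenge/response handshake.

Added example, not from the list thread. It models the *structure* that the
PPTP critique relies on, with stdlib stand-ins for the real primitives:
  - the password hash is unsalted and depends on the password alone
    (MS-CHAP: MD4 over the UTF-16LE password; sha256 stands in here),
  - the response is a deterministic function of (password hash, challenge),
    and the challenge travels in the clear (MS-CHAP: DES; HMAC stands in),
  - the MPPE link key is derived from the password hash, with no key
    agreement, so recovering the password also recovers the key.
The real MS-CHAP/MPPE arithmetic is not reproduced; the attack class is.
"""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def password_hash(password: str) -> bytes:
    """Unsalted password hash: the same password gives the same hash everywhere."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client's answer to the server's 8-byte challenge (24 bytes, like MS-CHAP)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()[:24]


def session_key(pw_hash: bytes) -> bytes:
    """Link-encryption key derived from the password hash only (no Diffie-Hellman)."""
    return hashlib.sha256(b"session-key|" + pw_hash).digest()[:16]


def client_authenticates(password: str, challenge: bytes) -> Tuple[bytes, bytes]:
    """Legitimate client: returns (response sent on the wire, key it will encrypt with)."""
    h = password_hash(password)
    return challenge_response(h, challenge), session_key(h)


def crack_handshake(challenge: bytes, response: bytes,
                    wordlist: Iterable[str]) -> Optional[str]:
    """Eavesdropper: test candidates against the captured pair, offline, no rate limit."""
    for candidate in wordlist:
        guess = challenge_response(password_hash(candidate), challenge)
        if hmac.compare_digest(guess, response):
            return candidate
    return None


def recover_session_key(challenge: bytes, response: bytes,
                        wordlist: Iterable[str]) -> Optional[bytes]:
    """Password in hand, the eavesdropper derives the same link key as the client."""
    password = crack_handshake(challenge, response, wordlist)
    if password is None:
        return None
    return session_key(password_hash(password))


# Constructed sample data (not a real capture): a weak password and a tiny wordlist.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2002", "hunter2"]
VICTIM_PASSWORD = "Summer2002"
CAPTURED_CHALLENGE = bytes.fromhex("0123456789abcdef")
CAPTURED_RESPONSE, REAL_KEY = client_authenticates(VICTIM_PASSWORD, CAPTURED_CHALLENGE)

if __name__ == "__main__":
    found = crack_handshake(CAPTURED_CHALLENGE, CAPTURED_RESPONSE, WORDLIST)
    key = recover_session_key(CAPTURED_CHALLENGE, CAPTURED_RESPONSE, WORDLIST)
    print("password:", found)
    print("attacker's key matches client's:", key == REAL_KEY)
    # Same password, new challenge: different response, identical session key.
    _, key2 = client_authenticates(VICTIM_PASSWORD, bytes.fromhex("fedcba9876543210"))
    print("key reused across sessions:", key2 == REAL_KEY)
```

Two properties carry the whole attack: the server's challenge is public and the response is computable from a password guess alone, so one captured exchange lets the attacker try guesses forever without talking to the server; and because the link key is a function of the password hash, cracking the password also decrypts the captured session (and, in this model, every other session of that user until the password changes). An IKE-style exchange with ephemeral Diffie-Hellman breaks the second property, which is what Ronan's "harder to get at the equivalent of a password hash" amounts to.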