[ale] IPSec client for Linux?

Scott Warfield magius at wittsend.com
Thu Jun 16 18:23:23 EDT 2005


Lord, you scare me 

-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Michael H. Warfield
Sent: Thursday, June 16, 2005 5:32 PM
To: Atlanta Linux Enthusiasts; transam at verysecurelinux.com
Cc: groups at ChangingLINKS.com
Subject: Re: [ale] IPSec client for Linux?

On Wed, 2005-06-15 at 18:40 -0400, Bob Toxen wrote:
> On Tue, Jun 14, 2005 at 03:36:53PM -0500, ChangingLINKS.com wrote:
> > Does anyone VPN in to their employer's network using any kind of 
> > IPSec client for Linux?

> > If I had a solution for that, I think I could stop using windows. On 
> > Windows, I'm currently using a Cisco IPsec client to access a 
> > customer VPN and a Lucent IPsec client to access Lucent's network.
> FreeS/WAN is the Open Source standard and it works as well as any 
> IPSec implementation does.  (IPSec is garbage and hard to use but it 
> is STANDARD garbage and everyone supports it.)

	Define "garbage"?

	IPSec is the transport encryption and it's pretty damn solid and the
basis for many modern VPNs even if they don't say so.  XP uses IPSec now,
instead of PPTP/GRE (which was pure junk).  OpenVPN claims to be using
ESPinUDP encapsulation, which appears to be IPSec, as the transport, as
well, even if they do use SSL/TLS for their authentication.  Now, I found
the OpenVPN v1 to be a royal pain.  Ever try setting that up for a mesh of
more than a few boxes?  Each tunnel has to have its own unique UDP port and
a separate process and the transport runs in user space (so much for
performance).  OpenVPN v2 is better but still has a ways to go.  They still
don't have multi-connection server-to-server mesh working and IPv6 only
works in client-to-client (v1) mode or tap (bridge) mode (gag).

	What most people mistakenly refer to as IPSec is really IPSec (the
transport encryption) plus IKE (the Keying daemon/protocol).  Most of the
problems with IPSec have to do with IKE.  IKE definitely has some problems.
Some in the protocol, some in the implementations.  OpenSWAN or StrongSWAN
used with RSA keys or X.509 certs is not too bad.  IKE v2 is on the horizon,
but I'm not sure how much of an improvement it's going to be vis-a-vis
setup.  The protocol is going to be an improvement but the problem of
interfaces will remain.

	IPSec (the transport) used to be a royal pain over NAT devices but
that's pretty much cleared up with NAT-T (IPSec over UDP aka ESPinUDP).
OpenSWAN, StrongSWAN, and IPSec-Tools all support setting up IPSec NAT-T and
even forcing it where necessary.

> I've had a number of clients have me set it up.

	I've set up lots of VPNs for lots of reasons.  I haven't found
OpenSWAN to be much more difficult than OpenVPN or CIPE, and I've found it
to be significantly easier on the processor than userland VPNs and more
robust.  And I really don't trust SSL based VPNs (at least not the ones
using SSL as the transport, such as stunnel).  They could all use better
management interfaces.  OpenSWAN/StrongSWAN is definitely better than
IPSec-Tools (aka setkey/racoon).  While it might be argued that Racoon gives
you a finer grained control over the VPN tunnels, very few people need that
level of control and most that might try to exploit the features in Racoon
that can't be accomplished with Pluto (from OpenSWAN) would probably just
hurt themselves.

> > I know that FC3 has an IPsec client.  Has anyone ever gotten it to work?
> > --
> > Wishing you Happiness, Joy, and Laughter, Drew Brown 
> > http://www.ChangingLINKS.com
> 
> > (posted for a friend)
> 
> Best regards,
> 
> Bob Toxen, CTO
> Horizon Network Security
> "Your expert in Firewalls, Virus and Spam Filters, VPNs, Network 
> Monitoring, and Network Security consulting"
> 
> http://www.verysecurelinux.com       [Network & Linux/Unix Security Consulting]
> http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
> http://www.verysecurelinux.com/sunset.html                    [Sunset Computer]
> bob at verysecurelinux.com (e-mail)

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
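The NAT-T point in Mike's message (IPsec over UDP, aka ESPinUDP) is easy to state and easy to get wrong when you look at the wire: once NAT traversal kicks in, both IKE and ESP share UDP port 4500, and a firewall log or packet capture on that port mixes keying traffic, encrypted payload traffic and keepalives. The classifier below is an added example, not code from this thread or from OpenSWAN, StrongSWAN or IPSec-Tools. It follows the RFC 3948 encapsulation rules: a datagram that is a single 0xFF byte is a NAT keepalive, four leading zero bytes (the "non-ESP marker", valid because ESP SPI 0 is reserved) mean an IKE message follows, and anything else is ESP with its SPI and sequence number first. The sample datagrams are constructed inline for illustration; `classify_natt_payload` and the helper names are this example's own, not an API of any of the projects named above.

```python
"""Classify UDP/4500 (IPsec NAT-T, RFC 3948) datagrams as IKE, ESP or keepalive.

Added example with constructed sample packets; not from the mailing-list thread
or from any IPsec implementation discussed there.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on port 4500 is prefixed with 4 zero bytes
KEEPALIVE = b"\xff"                    # RFC 3948: NAT keepalive is a single 0xFF byte
# ISAKMP/IKE fixed header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, total length (28 bytes; same layout for IKEv1 and IKEv2)
IKE_HDR = struct.Struct("!8s8sBBBBII")


def classify_natt_payload(payload: bytes) -> dict:
    """Describe what one UDP port 4500 datagram carries."""
    if payload == KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        # ESP always has at least SPI (4) + sequence number (4) in the clear
        return {"kind": "malformed", "reason": "shorter than ESP SPI+sequence header"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HDR.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        i_spi, r_spi, _next, version, exch_type, flags, msg_id, length = IKE_HDR.unpack_from(ike)
        return {
            "kind": "ike",
            "version": version >> 4,          # high nibble: 1 for IKEv1, 2 for IKEv2
            "exchange_type": exch_type,
            "initiator_flag": bool(flags & 0x08),
            "initiator_spi": i_spi.hex(),
            "responder_spi": r_spi.hex(),
            "message_id": msg_id,
            "declared_length": length,
            # Header length disagreeing with the datagram is worth flagging (truncation, fuzzing)
            "length_ok": length == len(ike),
        }
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_len": len(payload) - 8}


def count_kinds(payloads) -> dict:
    """Tally datagram kinds, the way a port-4500 capture summary would."""
    counts = {}
    for p in payloads:
        kind = classify_natt_payload(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# --- constructed sample datagrams (not captured traffic) ---
def build_ike_v2_sa_init() -> bytes:
    # IKEv2 IKE_SA_INIT request: version 0x20, exchange type 34, initiator flag set,
    # message ID 0, no payloads appended (header only, so length == 28)
    hdr = IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 0, 0x20, 34, 0x08, 0, IKE_HDR.size)
    return NON_ESP_MARKER + hdr


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + ciphertext


SAMPLE_DATAGRAMS = [
    KEEPALIVE,
    build_ike_v2_sa_init(),
    build_esp(0x0A1B2C3D, 7, b"\xde\xad" * 16),   # placeholder "ciphertext"
    NON_ESP_MARKER + b"\x00" * 10,                # truncated IKE header
]

if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        print(classify_natt_payload(d))
    print(count_kinds(SAMPLE_DATAGRAMS))
```

Because SPI 0 is reserved, the four-zero-byte check is unambiguous, which is the whole trick that lets one UDP port carry both protocols. Run over a real capture, the `length_ok` field and the ESP sequence numbers are the first things to look at when a NAT-T tunnel misbehaves: a non-monotonic sequence usually means a NAT device is rewriting or reordering, and a bad IKE length means something other than an IKE daemon is talking on 4500.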
