[ale] IPSec client for Linux?

Bob Toxen transam at verysecurelinux.com
Fri Jun 17 14:58:30 EDT 2005


On Thu, Jun 16, 2005 at 05:31:45PM -0400, Michael H. Warfield wrote:
> On Wed, 2005-06-15 at 18:40 -0400, Bob Toxen wrote:
> > On Tue, Jun 14, 2005 at 03:36:53PM -0500, ChangingLINKS.com wrote:
> > > Does anyone VPN in to their employer's network using anykind of IPSec client
> > > for Linux?

> > > If I had a solution for that, I think I could stop using windows. On
> > > Windows, I'm currently using a Cisco IPsec client to access a customer VPN
> > > and a Lucent IPsec client to access Lucent's network.  
> > FreeS/WAN is the Open Source standard and it works as well as any IPSec
> > implementation does.  (IPSec is garbage and hard to use but it
> > is STANDARD garbage and everyone supports it.)

> 	Define "garbage"?
IMO, you did define "garbage" in your reply to my previous post:

  1. Royal pain over NAT devices (except when using the new NAT-T).

  2. New protocols for no good reason (now fixed with ESPinUDP, in other
     words now using UDP as it should have all along).

Frankly, I much prefer CIPE as a much better design, IMO.

> 	IPSec is the transport encryption and it's pretty damn solid and the
> basis for many modern VPNs even if they don't say so.  XP uses IPSec
> now, instead of PPTP/GRE (which was pure junk).  OpenVPN claims to be
> using ESPinUDP encapsulation, which appears to be IPSec, as the
> transport, as well, even if they do use SSL/TLS for their
> authentication.  Now, I found the OpenVPN v1 to be a royal pain.  Ever
> try setting that up for a mesh of more than a few boxes?  Each tunnel
> has to have its own unique UDP port and a separate process and the
> transport runs in user space (so much for performance).  OpenVPN v2 is
> better but still has a ways to go.  They still don't have
> multi-connection server-to-server mesh working and IPv6 only works in
> client-to-client (v1) mode or tap (bridge) mode (gag).

> 	What most people mistakenly refer to as IPSec is really IPSec (the
> transport encryption) plus IKE (the Keying daemon/protocol).  Most of
> the problems with IPSec have to do with IKE.  IKE definitely has some
> problems.  Some in the protocol, some in the implementations.  OpenSWAN
> or StrongSWAN used with RSA keys or X.509 certs is not too bad.  IKE v2
> is on the horizon, but I'm not sure how much of an improvement it's
> going to be vis-a-vis setup.  The protocol is going to be an improvement
> but the problem of interfaces will remain.

> 	IPSec (the transport) used to be a royal pain over NAT devices but
> that's pretty much cleared up with NAT-T (IPSec over UDP aka ESPinUDP).
> OpenSWAN, StrongSWAN, and IPSec-Tools all support setting up IPSec NAT-T
> and even forcing it where necessary.

> > I've had a number of clients have me set it up.

> 	I've set up lots of VPNs for lots of reasons.  I haven't found
> OpenSWAN to be much more difficult than OpenVPN or CIPE, and I've found
> it to be significantly easier on the processor than userland VPNs and
> more robust.  And I really don't trust SSL based VPNs (at least not the
> ones using SSL as the transport, such as stunnel).  They could all use
> better management interfaces.  OpenSWAN/StrongSWAN is definitely better
> than IPSec-Tools (aka setkey/racoon).  While it might be argued that
> Racoon gives you a finer grained control over the VPN tunnels, very few
> people need that level of control and most that might try to exploit the
> features in Racoon that can't be accomplished with Pluto (from OpenSWAN)
> would probably just hurt themselves.

> > > I know that FC3 has a IPsec client.  Has anyone ever gotten it to work?
> > > -- 
> > > Wishing you Happiness, Joy, and Laughter,
> > > Drew Brown
> > > http://www.ChangingLINKS.com
> > 
> > > (posted for a friend)
> > 
> > Best regards,
> > 
> > Bob Toxen, CTO
> > Horizon Network Security
> > "Your expert in Firewalls, Virus and Spam Filters, VPNs,
> > Network Monitoring, and Network Security consulting"
> > 
> > http://www.verysecurelinux.com       [Network & Linux/Unix Security Consulting]
> > http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
> > http://www.verysecurelinux.com/sunset.html                    [Sunset Computer]
> > bob at verysecurelinux.com (e-mail)

> 	Mike
> -- 
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
Bob
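NAT-T as discussed in the thread (ESPinUDP, RFC 3948) puts both IKE and ESP on UDP port 4500 and tells them apart with a four-byte zero "non-ESP marker" in front of IKE messages. The Python below is an added example, not code from this thread or from OpenSWAN, StrongSWAN or IPSec-Tools, showing how a network monitor would demultiplex such datagrams; the sample packets are constructed, not captured.

```python
import struct
from collections import Counter
from typing import Dict, Iterable

# RFC 3948 (UDP encapsulation of IPsec ESP packets): on UDP/4500 an IKE message is
# prefixed with four zero bytes (the "non-ESP marker"); ESP cannot start that way
# because SPI 0 is reserved, so the first four bytes are enough to demultiplex.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"          # one-byte NAT keepalive, also defined in RFC 3948
IKE_HEADER_LEN = 28              # ISAKMP/IKE fixed header size

def classify_udp4500(payload: bytes) -> Dict[str, object]:
    """Return what kind of NAT-T traffic a UDP/4500 payload carries."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        ispi, rspi, _next, version, exch, _flags, msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {"kind": "ike", "version": f"{version >> 4}.{version & 0x0F}",
                "initiator_spi": ispi, "responder_spi": rspi,
                "exchange_type": exch, "message_id": msg_id,
                "length_ok": length == len(ike)}   # header length must match datagram
    spi, seq = struct.unpack("!II", payload[:8])    # ESP: SPI then sequence number
    return {"kind": "esp", "spi": spi, "seq": seq}

def summarize(payloads: Iterable[bytes]) -> Dict[str, int]:
    """Count packet kinds in a capture; a spike of 'malformed' is worth alerting on."""
    return dict(Counter(classify_udp4500(p)["kind"] for p in payloads))

# Constructed sample datagrams (not a real capture): an IKEv1 main-mode header with
# an all-zero responder SPI, one ESP packet with SPI 0x12345678, one keepalive,
# and one runt datagram.
SAMPLE_IKE = (NON_ESP_MARKER + bytes.fromhex("0123456789abcdef") + bytes(8)
              + bytes([1, 0x10, 2, 0]) + bytes(4) + IKE_HEADER_LEN.to_bytes(4, "big"))
SAMPLE_ESP = bytes.fromhex("12345678") + (1).to_bytes(4, "big") + bytes(16)
SAMPLE_PACKETS = [SAMPLE_IKE, SAMPLE_ESP, NAT_KEEPALIVE, b"\x00\x00"]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify_udp4500(pkt))
    print(summarize(SAMPLE_PACKETS))   # {'ike': 1, 'esp': 1, 'nat-keepalive': 1, 'malformed': 1}
```

Fed the payloads of real UDP/4500 datagrams, the same demultiplexing lets a monitor count ESP SPIs per peer and spot IKE negotiations that never produce ESP traffic.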