[ale] Poptop
H. A. Story
adrin at bellsouth.net
Tue Mar 14 17:04:54 EST 2006
Michael H. Warfield wrote:
>On Mon, 2006-03-13 at 12:22 -0500, Christopher Fowler wrote:
>
>>I have need for WinXP to VPN into a Linux server. Is poptop my only
>>choice? I'm looking for something that a dumb user can easily configure
>>on the XP side, OSS, and can work when both end points have private
>>addresses and going through firewalls.
>
> Windows XP supports IPSec. In fact, while I think it supports both the
>older pptp and IPSec, I believe that their "newer / modern" default is
>to prefer IPSec (and IPSec NAT-T) over pptp, which is really the legacy
>stuff now. Check out the OpenSWAN list and archives. Someone has
>posted a configuration utility and howto for setting up the certificates
>and getting XP to talk to OpenSWAN.
>
> AFA "dumb user" and "easily configure", I guess that all depends on the
>value of "dumb". X.509 certificates are typically easier for the user
>because you are frontloading a lot of work into the creation of the
>certificates that you just hand to them. To make it easier, you are
>most certainly going to have to do more work on your end so you can
>"dumb down" their end to a cookbook howto. Can be done...
>
> Last point... "Both endpoints have private addresses and going through
>firewalls..." Would you like the sun and the moon on a platter with
>that as well... ESP stands for Encrypted Security Payload, not
>ExtraSensory Perception. It depends. You are rapidly depleting your
>options. IPSec NAT-T (IPSec over UDP) will work this way but one end
>must have a passthrough that will allow the other end to contact it.
>Again, check the OpenSWAN list and archives. If you want something that
>will "blindly" work over arbitrary NAT devices on both ends and private
>addresses at either end, you are going to have to have a server on
>public addresses in the middle to act as a relay. There are a limited
>number of protocols which incorporate a technique called "STUN" (I
>forget the RFC) which allow for a server in the middle to mediate direct
>client to client over NATs at both ends (only the setup traffic goes
>through the server) and neither IPSec nor OpenVPN (nor l2tp) are amongst
>them (SIP has that ability as does Teredo for IPv6). So, if you don't
>want to diddle with your NAT configuration on at least one end, your
>options are extremely limited (time to learn IPv6 and Teredo - Both of
>which XP understands). You are going to have to have something that
>will answer two and passthrough from a global unicast address.
>
> Mike
Oh boy, I didn't even know XP would do IPsec. I will have to look into
this. The last time I tried IPSec in Windows was on W2K. That was
following some directions from Linksys. I would never suggest anyone
try it.
Adrin