Firewall + VPN SERVER
Fraser Campbell
fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Tue Mar 23 05:14:41 UTC 2004
On Monday 22 March 2004 21:40, Paul Kozlenko wrote:
> Can anybody on this list recommend a firewall distro that also contains
> a vpn SERVER.
I'd think that almost any Linux distribution has vpn capabilities. My
preferred distribution is Debian; I discovered the joy of Debian around 1997
and haven't looked back (well, there have been minor diversions).
> I was looking for something where I could have a client on a Window$ PC
> establish the vpn connection to a firewall.
ipsec, pptp, openvpn should all be fine (though I would pass on pptp).
> One point however. The firewall is on Rogers and therefore has a
> semi-fixed IP. But no control over public DNS as it seems is required
> by freeswan (unless I am mistaken).
Until recently Linux+ipsec has been almost the exclusive territory of freeswan;
however, there is a new ipsec implementation in the 2.6 kernel. I vastly
prefer this new implementation over that of freeswan.
To use the 2.6 kernel ipsec you can obviously use a 2.6 kernel, but there are
also backports of the 2.6 kernel ipsec layer to 2.4 kernels. Post-2.4.21
Debian kernels have the 2.6 backport by default. The userspace tool that I
use is isakmpd, there is also at least one other daemon (racoon) that can
work with it and I believe that freeswan's daemon (pluto) can live with
things in 2.6 as well.
One drawback of the ipsec layer in 2.6 is that it doesn't implement a virtual
interface (such as ipsecX for freeswan, tun0/tap0 for openvpn). This makes
it harder to properly firewall things. From what I understand, the netfilter
guys are looking at ways to improve this particular issue so hopefully it
will be resolved soon.
I'm not sure which solution you'll find easier, client support might be the
main issue; openvpn runs on XP/2000+ only, ipsec can even run on Windows 98
(though I don't believe the client is free).
--
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
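The firewalling problem described above (no ipsecX interface on 2.6, so decrypted packets re-enter on the same physical interface as cleartext) is what netfilter later addressed with the "policy" match, which lets a rule require that a packet was, or will be, protected by an IPsec SA. The script below is an added example, not part of the original post and not from any distribution; it assumes an iptables with the policy match available, and the interface and network names (eth0, 192.168.1.0/24, 10.8.0.0/24) are placeholders. Run it with "show" to print the rules, or "apply" as root to load them.

```shell
#!/bin/sh
# Added example: firewalling 2.6-style IPsec without a virtual interface.
# Assumptions (not from the original post): iptables with "-m policy",
# and the placeholder interface/network names below.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"               # interface the VPN peers reach us on
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # protected LAN behind the firewall
VPN_POOL="${VPN_POOL:-10.8.0.0/24}"    # inner addresses handed to VPN clients

# run: execute the rule, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

ipsec_firewall() {
    # 1. Let the IPsec protocols themselves reach the daemon (isakmpd/racoon).
    run -A INPUT -i "$WAN_IF" -p udp --dport 500  -j ACCEPT   # IKE
    run -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT   # IKE/ESP NAT-T
    run -A INPUT -i "$WAN_IF" -p esp -j ACCEPT

    # 2. Anything arriving on the WAN side that claims a VPN-pool source but
    #    was NOT decrypted from an ESP SA is spoofed cleartext: drop it.
    #    Without an ipsecX interface, "-i ipsec0" cannot express this; the
    #    SPD lookup via "-m policy" can.
    run -A FORWARD -i "$WAN_IF" -s "$VPN_POOL" \
        -m policy --dir in --pol none -j DROP

    # 3. Forward traffic between the VPN clients and the LAN only when it is
    #    bound to an ESP policy in the matching direction.
    run -A FORWARD -i "$WAN_IF" -s "$VPN_POOL" -d "$LAN_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run -A FORWARD -o "$WAN_IF" -s "$LAN_NET" -d "$VPN_POOL" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

# count_policy_rules: number of emitted rules that rely on the SPD match;
# handy for checking the generated ruleset without touching the kernel.
count_policy_rules() {
    DRY_RUN=1 ipsec_firewall | grep -c -- '-m policy'
}

case "${1:-}" in
    show)  DRY_RUN=1 ipsec_firewall ;;
    apply) ipsec_firewall ;;
esac
```

The rules are deliberately ordered so that the `--pol none` drop precedes the accepts: a packet that matches the VPN pool source but carries no inbound IPsec policy is rejected before any forwarding decision, which is the spoofing case an interface-based rule on freeswan's ipsec0 would have caught for free.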