VPN

Darren Critchley darrenc at telus.net
Wed Oct 13 17:40:45 UTC 2004


Markus Räipiö wrote:

> Hi there,
>
> there has been a lot of discussion concerning VPN with a GUI and maybe 
> with some kind of wizard. IPsec is really not the best solution for a 
> secure remote connection to home or office networks. It has far too 
> many problems with different networks, and wireless LAN roaming is not 
> even a good one. We have OpenVPN in use here at the office with wireless LAN 
> networks and it works just fine, and if you put ifplugd in use too 
> then it is even better. By the way, everyone here uses Linux, so it is 
> even easier for us to build secure remote connections.

OpenVPN is one of the two open-source solutions that is considered 
secure. Something I learned from working with the Ipcop firewall 
project: we went through this last year, and it was deemed that the only 
standard (albeit with quirks) that is reliable and widespread is IPsec 
(and yes, even the security industry complains about it, but it is out 
there and continues to be developed and used). Perhaps OpenVPN has grown 
and matured since then.

When adding the wireless interface to the Ipcop distro, people called 
for a simple-to-configure VPN solution for it. Here is the thread on 
that, showing the decision process that in the end resulted in CIPE and 
OpenVPN being dropped in favour of staying with IPsec:
http://marc.theaimsgroup.com/?l=ipcop-devel&m=106447792613377&w=2

Also, here is an interesting post about the same subject (OpenVPN is not 
covered), but it does point out the inherent dangers of simplifying a 
secure protocol to make it easier for the end user to configure. It is 
written by Peter Gutmann (http://www.cs.auckland.ac.nz/~pgut001/), a 
security expert:
http://diswww.mit.edu/bloom-picayune/crypto/14238
Yes, OpenVPN is simple to implement, but when you make something simple, 
something else always suffers.

>
>
> IPsec is some kind of standard for remote connections, but do we 
> really have to stay with standards which are not well done and include 
> too many flaws built in if we can get better-working solutions with 
> some other software? Sometimes fighting with the windmills is a 
> better solution. Trust

I would think so, given that the kernel developers chose this as a 
standard and not OpenVPN, L2TP or some other third-party variant. They 
chose what the industry is using: IPsec. Also, IPsec, once configured 
properly, is reliable and stable. And yes, it can be difficult to 
configure, but if you look at how Ipcop implemented it, it is 
quite simple to implement with the correct GUI around it. One other 
bonus is that most OSes now come with a "variant" of the IPsec standard, which 
means you don't have to pay for a client. I have written a how-to for 
most of those OSes on getting IPsec to work with pre-shared keys and 
also using X.509 certificates (my preferred method of VPN).

> me, we here at Stinghorn work in this area for a living. We have solved 
> our customers' remote problems with an L2TP and IPsec combination, which 
> enables them to use internal Windows software for the connections. 
> This way they save time 'cause they don't have to install any VPN 
> client software which blows up the system when you install a personal 
> firewall on the same computer. NAT-T must be taken into 
> consideration when implementing a GUI/wizard for Ubuntu Linux.
>
NAT-T is no longer a problem for IPsec, at least in the Openswan versions; 
at this point I do not know if the 2.6 kernel implementation of IPsec is 
as robust and flexible as Openswan is. But we have had no problems running 
IPsec behind NAT'd firewalls since Ipcop moved to Openswan late last year.

One final thought: OpenVPN lives in userland and can be added to Ubuntu 
at any time (check Synaptic, it is there). If people wish to use an easy 
to configure VPN, it is available right now, whereas the IPsec 
implementation currently is not. But I can guarantee that IPsec can be 
made as easy as OpenVPN to configure. For my customers and the work I 
do, I prefer IPsec using X.509 certificates; I know I am secure (a relative 
term, nothing is 100% secure), and I know I will be able to connect to 
most of the commercial equipment out there without using a Microsoft 
designed protocol, and we all know Microsoft's security record to date. 
How secure is your VPN?

Darren
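To make the setup Darren describes concrete (Openswan, X.509 certificate authentication, road-warrior clients behind NAT), here is an added example of an Openswan 2.x gateway configuration. It is not from the original post, from the Ipcop project or from Darren's how-tos; the hostname gateway.example.com, the subnet 192.168.1.0/24, the certificate and key file names, and the CA subject "C=CA, O=Example" are assumptions chosen for illustration.

```ini
# /etc/ipsec.conf on the gateway (added example; names and subnets are assumed)
# The CA certificate is expected in /etc/ipsec.d/cacerts/, the gateway
# certificate in /etc/ipsec.d/certs/ and its key in /etc/ipsec.d/private/.

config setup
    interfaces=%defaultroute
    # Enable NAT traversal (IKE on UDP/500, ESP-in-UDP on UDP/4500) so a
    # client behind a NAT'd firewall can still bring the tunnel up.
    nat_traversal=yes
    # Private ranges a NATed client may present as its inner address;
    # our own LAN is excluded so a client cannot claim to be on it.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Road warriors authenticated with X.509 certificates (Darren's preferred method)
conn roadwarrior-x509
    # gateway side
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftcert=gatewayCert.pem
    leftid="C=CA, O=Example, CN=gateway.example.com"
    leftrsasigkey=%cert
    # client side: any source address, any certificate issued by our CA
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    rightsubnet=vhost:%no,%priv
    # RSA signature (certificate) authentication, not a pre-shared key
    authby=rsasig
    pfs=yes
    # load the conn and wait for clients to initiate
    auto=add

# The same tunnel with a group pre-shared key, for comparison
conn roadwarrior-psk
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=%any
    rightsubnet=vhost:%no,%priv
    authby=secret
    pfs=yes
    auto=add

# /etc/ipsec.secrets (second file, shown here for completeness)
# : RSA gatewayKey.pem "passphrase-protecting-the-key"
# %any : PSK "replace-with-a-long-random-secret"
```

The two conns differ only in authby and what ipsec.secrets holds. The practical reason to prefer the certificate variant is the one Darren alludes to: every road warrior gets its own identity, so a lost laptop is handled by revoking one certificate (a CRL in /etc/ipsec.d/crls/) rather than by rotating a shared secret on every client.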
More information about the ubuntu-users mailing list