[lug] This is a very irritating problem

Kevin Fenzi kevin at scrye.com
Wed Jan 5 18:11:24 MST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "David" == David Anselmi <anselmi at anselmi.us> writes:

David> Kevin Fenzi wrote: [...]
>> The only reason I can understand for anyone using ipsec anymore is
>> that they have an endpoint that can only run ipsec (appliance,
>> etc).

David> Like a Windows or Cisco VPN?  For Windows clients this may be
David> the easiest for non-technical users to set up.  If I'd wanted
David> to connect to my last job's VPN with Linux I'd have had to use
David> it too.

Well, openvpn runs on windows as well. For any of the older windows
versions that don't have ipsec support built in, it might be easier to
set up openvpn than a 3rd party app. I guess it depends on how savvy
the people setting up the vpn are.

>> openvpn is easy to use, easy to set up, well documented, works
>> great. Runs on windows/osx/linux/solaris. It's better in every way
>> than any of the ipsec setups I have seen.

David> The last VPN I set up was openvpn.  I'm glad to hear it
David> recommended since I found it in desperation (after giving up on
David> ipsec due to lack of easy packaging and directions).  It wasn't
David> too hard but IIRC it required a separate port for every user
David> and had some silly netmask problem so I couldn't use the
David> endpoint IPs I wanted to (maybe that was just on Windows, and
David> maybe it's better now).

Yeah, with the 2.0 version (not yet final) there is a server mode,
where a single server can listen for and handle as many clients as you
like on a single port. It can also push config settings back to the
client, so the client config gets even easier. 

Also with 2.0, there are clear directives in the config for whether
you would like the vpn client endpoints to be able to talk to each
other or not.

You can also have a generic default for clients that connect to the
server (like: issue an IP from the 192.168.0.0/24 net) and override
it on a per client basis (if the connection is from client foo, give
them static IP 192.168.10.1).

It's pretty cool. 

kevin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFB3JA/3imCezTjY0ERAqrlAKCVMCjO0CtkqsxONZwDV6K016VvowCfZbJS
nKcFGL5a5LFoUV2Iwzhdu2o=
=wPx5
-----END PGP SIGNATURE-----
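The 2.0 server-mode setup described in the message above, as an added example that is not part of the original message and is not OpenVPN's own code or documentation: a POSIX shell script that writes a server config using the `server`, `push`, `client-to-client` and `client-config-dir` directives, a per-client override for a client named `foo` that pins it to 192.168.10.1, and the minimal client config that is left once settings are pushed from the server. The port, file names, the pushed route 10.0.0.0/24, the client name and the output directory are assumptions. It also checks every `ifconfig-push` pair against the 2.0 tun-mode net30 constraint (endpoint pairs [1,2] [5,6] [9,10] ... [253,254] within one /24), which Windows TAP clients require, and includes the `route` line the server's kernel needs when a client is given an address outside the pool subnet.

```shell
#!/bin/sh
# Added example (not from the original message). Generates an OpenVPN 2.0
# server-mode config plus a per-client override and a minimal client config.
# Output directory, port, file names, client name "foo" and the pushed
# route 10.0.0.0/24 are assumptions for illustration.
set -e

OUT="${OPENVPN_OUT:-${TMPDIR:-/tmp}/openvpn-example.$$}"

# Return 0 if local/remote form a valid net30 endpoint pair in one /24:
# last octets [1,2] [5,6] [9,10] ... [253,254], in either order.
# OpenVPN 2.0 tun mode requires this for Windows TAP clients.
check_net30_pair() {
    l="$1"; r="$2"
    [ "${l%.*}" = "${r%.*}" ] || return 1     # same first three octets
    lo="${l##*.}"; ro="${r##*.}"
    case $((lo % 4)) in
        1) [ "$ro" -eq $((lo + 1)) ] ;;       # local is the .1/.5/.9 end
        2) [ "$ro" -eq $((lo - 1)) ] ;;       # local is the .2/.6/.10 end
        *) return 1 ;;                         # network or broadcast of the /30
    esac
}

# Write server.conf, the ccd/ override for client "foo", and client.ovpn.
write_configs() {
    mkdir -p "$OUT/ccd"
    cat > "$OUT/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# One process, one port, any number of clients; default pool 192.168.0.0/24
server 192.168.0.0 255.255.255.0
# Settings pushed to every client, so the client config stays tiny
push "route 10.0.0.0 255.255.255.0"
# Let client endpoints talk to each other (leave out to isolate them)
client-to-client
# Per-client overrides, one file per client named after its certificate CN
client-config-dir ccd
# Kernel route into the tunnel for addresses handed out outside the pool
route 192.168.10.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
EOF
    cat > "$OUT/ccd/foo" <<'EOF'
# Client "foo" always gets 192.168.10.1; 192.168.10.2 is the peer end
ifconfig-push 192.168.10.1 192.168.10.2
EOF
    cat > "$OUT/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert foo.crt
key foo.key
EOF
}

# Return 0 if every ifconfig-push pair in ccd/ is a valid net30 pair, else 1.
validate_ccd() {
    rc=0
    for f in "$OUT"/ccd/*; do
        [ -f "$f" ] || continue
        grep '^ifconfig-push ' "$f" | while read -r kw l r rest; do
            check_net30_pair "$l" "$r" || {
                echo "$f: invalid net30 pair $l $r" >&2
                exit 1
            }
        done || rc=1
    done
    return $rc
}

write_configs
if validate_ccd; then
    echo "wrote $OUT/server.conf, $OUT/ccd/foo and $OUT/client.ovpn"
fi
```

Run it, then copy the three files (and real certificates) into place; a second override is one more file in `ccd/` named after that client's certificate CN.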
