Hi,
I am facing a task of choosing vpn server. I do not know which is better. The one distributed with CentOS4.5 only supports pppd (or maybe pptp but I cannot find it). If I want to use PPTP or L2TP, which one should I choose? OpenVPN? Poptop?
Thanks.
On 9/19/07, Wei Yu zig.wei@gmail.com wrote:
> Hi,
> I am facing a task of choosing vpn server. I do not know which is better. The one distributed with CentOS4.5 only supports pppd (or maybe pptp but I cannot find it). If I want to use PPTP or L2TP, which one should I choose? OpenVPN? Poptop?
> Thanks.
I suggest OpenVPN. It's modern, very secure, and has a wide range of options and usage scenarios. PPTP / L2TP is a pain to get working, and it has some security issues.
OpenVPN works with Windows too (client or server). The same configuration files work on both OS. Very easy to enable multiple VPN connections at the same time.
Does openvpn support IPsec well? I want the server to work in cooperation with a Microsoft ISA Server inside the intranet with site-to-site vpn mode. For that reason I want the server to have good compatibility with Windows.
OpenVPN doesn't support IPSec at all. It's an SSL implementation. You'll want to look at Openswan (http://www.openswan.org/) for IPSec. PS. The "www" is very important when going to the openswan site. Their webserver is configured funky.
For Microsoft compatibility, Poptop and Openswan are your best bets. Neither are a piece of cake to setup, but I personally find Openswan easier ... but then I've been using it in a production environment for 5 or 6 years (was Freeswan).
-Ken
----- Message from zig.wei@gmail.com ---------
Date: Thu, 20 Sep 2007 22:25:05 +0800
From: Wei Yu zig.wei@gmail.com
Reply-To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] Choosing VPN Server
To: CentOS mailing list centos@centos.org

Does openvpn support IPsec well? I want the server to work in cooperation with a Microsoft ISA Server inside the intranet with site-to-site vpn mode. For that reason I want the server to have good compatibility with Windows.
----- End message from zig.wei@gmail.com -----
On Thursday 20 September 2007, Ken Price wrote:
> OpenVPN doesn't support IPSec at all. It's an SSL implementation. You'll want to look at Openswan (http://www.openswan.org/) for IPSec. PS. The "www" is very important when going to the openswan site. Their webserver is configured funky.
> For Microsoft compatibility, Poptop and Openswan are your best bets. Neither are a piece of cake to setup, but I personally find Openswan easier ... but then I've been using it in a production environment for 5 or 6 years (was Freeswan).
You'll want an L2TP setup, though, for best security, performance, and best compatibility. There are commercial Linux firewall boxes that do this easily; SmoothWall is one. Barring that, install l2tpd (for CentOS 4 it's on Karanbir's CentOS repo; for CentOS 5 I'm not sure, as I don't have extra repos enabled on any of my CentOS 5 boxes).
Windows L2TP VPNs are the most secure, being PPP over L2TP over IPsec, without the holes that have plagued PPTP (PPP over L2TP does essentially the same thing PPTP does, but in a more secure and standard manner).
Wei Yu wrote:
> Does openvpn support IPsec well? I want the server to work in cooperation with a Microsoft ISA Server inside the intranet with site-to-site vpn mode. For that reason I want the server to have good compatibility with Windows.
You don't need IPSec for Windows ISA server compatibility, just add a server publishing rule that forwards your OpenVPN port of choice to the internal OpenVPN server, whether it is on CentOS or Windows doesn't matter.
If you use a different SSL port than 443, which you will need to do if you also publish an https: site off of ISA, then you need to run a script that adds that port # to the list of authorized SSL ports on the ISA server.
Also when deploying the OpenVPN client to your Windows laptops look at using Group Policy so they are all identically installed and configured.
-Ross
I just want to point out that the default port for openvpn is 1194. SSL/TLS has absolutely nothing to do with port 443, except that https happens to use both port 443 and SSL/TLS. Otherwise, SSL/TLS is simply a toolkit used for encryption, and does not require any specific port whatsoever. Saying so would be like saying that glibc requires network port XYZ.
The use of port 443 with openvpn is only mentioned as a convenience, because many firewalls allow traffic to port 443 to pass unrestricted, while they may block other ports.
Those of you in the know probably already know this, but for those unfamiliar, the discussion may seem to imply that port 443 and SSL/TLS are tightly bound. This message is intended to clarify that implication.
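Added example, not part of the original thread: a small Python check of the point made above that OpenVPN listens on 1194 by default and only needs a different port when it would share TCP 443 with a published HTTPS site. The function names and the sample configs are hypothetical and constructed for illustration; it reads the server-side `port`, `lport` and `proto` directives only.

```python
# Added example (not from the thread): resolve the listener an OpenVPN
# server config binds, and flag a clash with an HTTPS site on TCP 443.
DEFAULT_PORT = 1194     # OpenVPN default port, as stated in the thread
DEFAULT_PROTO = "udp"   # OpenVPN default transport

def effective_listener(config_text):
    """Return (transport, port) for an OpenVPN config given as text."""
    port, proto = DEFAULT_PORT, DEFAULT_PROTO
    for raw in config_text.splitlines():
        # '#' and ';' both start comments in OpenVPN config files
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key, args = parts[0], parts[1:]
        if key in ("port", "lport") and args:
            port = int(args[0])
        elif key == "proto" and args:
            # tcp-server / tcp-client / udp4 ... reduce to the transport family
            proto = "tcp" if args[0].startswith("tcp") else "udp"
    return proto, port

def clashes_with_https(config_text, https_port=443):
    """True when the tunnel would need the same TCP port as an HTTPS site."""
    proto, port = effective_listener(config_text)
    return proto == "tcp" and port == https_port

# Constructed sample configs (hypothetical, for illustration only)
DEFAULT_CFG = """
dev tun
; port 443    <- commented out, so the default applies
"""
FIREWALL_FRIENDLY_CFG = """
dev tun
proto tcp-server
port 443   # chosen only because firewalls tend to allow it
"""
ALT_PORT_CFG = """
proto tcp-server
port 8443
"""

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CFG),
                      ("tcp/443", FIREWALL_FRIENDLY_CFG),
                      ("tcp/8443", ALT_PORT_CFG)]:
        print(name, effective_listener(cfg), clashes_with_https(cfg))
```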
Ross S. W. Walker wrote:
> Wei Yu wrote:
>> Does openvpn support IPsec well? I want the server to work in cooperation with a Microsoft ISA Server inside the intranet with site-to-site vpn mode. For that reason I want the server to have good compatibility with Windows.
> You don't need IPSec for Windows ISA server compatibility...
it does if the Windows ISA machine is the VPN server as he said.
frankly, for business site to site VPN, I generally recommend tossing ALL software and OS implementations in favor of Jupiter Netscreen or another router based implementation.
John R Pierce wrote:
> Ross S. W. Walker wrote:
>> Wei Yu wrote:
>>> Does openvpn support IPsec well? I want the server to work in cooperation with a Microsoft ISA Server inside the intranet with site-to-site vpn mode. For that reason I want the server to have good compatibility with Windows.
>> You don't need IPSec for Windows ISA server compatibility...
> it does if the Windows ISA machine is the VPN server as he said.
OpenVPN has a Windows version and if the OP wanted to run it on the ISA itself, he is welcome to, though not recommended as it decreases the hardness of the ISA server.
OpenVPN server would probably virtualize well as the Internet connection will end up being the limiting bandwidth factor and Internet connectivity is always susceptible to wild latencies, so a little VM added latency surely wouldn't be noticed.
> frankly, for business site to site VPN, I generally recommend tossing ALL software and OS implementations in favor of Jupiter Netscreen or another router based implementation.
I have to agree here, for site-to-site VPNs it is better with hardware accelerated devices on fixed IP addresses doing IPSec.
-Ross
Wei Yu spake the following on 9/19/2007 8:19 AM:
> Hi,
> I am facing a task of choosing vpn server. I do not know which is better. The one distributed with CentOS4.5 only supports pppd (or maybe pptp but I cannot find it). If I want to use PPTP or L2TP, which one should I choose? OpenVPN? Poptop?
> Thanks.
If you want PPTP because of Windows clients, you need some kernel patches and some firewall patches. You can use a CentOS spinoff like ClarkConnect for this as it already has the patches, and a decent web config to set things up. If you want something more secure, use OpenVPN, but you will have to set each client up manually.
Scott Silva wrote:
> Wei Yu spake the following on 9/19/2007 8:19 AM:
>> Hi,
>> I am facing a task of choosing vpn server. I do not know which is better. The one distributed with CentOS4.5 only supports pppd (or maybe pptp but I cannot find it). If I want to use PPTP or L2TP, which one should I choose? OpenVPN? Poptop?
>> Thanks.
> If you want PPTP because of Windows clients, you need some kernel patches and some firewall patches. You can use a CentOS spinoff like ClarkConnect for this as it already has the patches, and a decent web config to set things up. If you want something more secure, use OpenVPN, but you will have to set each client up manually.
For pptp clients I've used 'poptop' with good success.
-Ross