Hi List,
What's the best way to create a VPN (IPSec) client-to-site under CentOS 5.4?
Thanks in advance.
-- 
João Salvatti
Graduated in Computer Science
Federal University of Para - UFPA - Brazil
E-Mail: salvatti@gmail.com
João Salvatti wrote:
> Hi List,
> What's the best way to create a VPN (IPSec) client-to-site under CentOS 5.4?

The best way is to use SSL-VPN rather than IPsec, via OpenVPN. It's a breeze to install and configure compared to most any other VPN, quite easy for the server to push routing rules to the clients, etc.
> The best way is to use SSL-VPN rather than IPsec, via OpenVPN. It's a breeze to install and configure compared to most any other VPN, quite easy for the server to push routing rules to the clients, etc.

I'll second the OpenVPN reco, I just migrated off a Cisco PIX to this and it is the most configurable and stable thing I have seen in ages. I have connections from both Linux and Windows machines that sustain for several days without a single hiccup, whereas the PIX would often suffer from non-recoverable transient errors that tanked the connection.

jlc
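The server-side route push mentioned above, as an added example that is not part of the thread: a minimal OpenVPN 2.x client-to-site pair (server on the CentOS gateway, one road-warrior client). Hostnames, subnets, certificate names and paths are all assumptions; the gateway also needs IP forwarding enabled and the office LAN needs a route back to the tunnel pool.

```conf
#### /etc/openvpn/server.conf (added example; all names and subnets assumed) ####
port 1194
proto udp                             # one UDP port: easy to pass through NAT/port forwarding
dev tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpngw.crt      # gateway certificate issued by our own CA
key  /etc/openvpn/keys/vpngw.key
dh   /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0   # HMAC on the control channel; unauthenticated packets are dropped early
server 10.8.0.0 255.255.255.0         # address pool handed to clients
ifconfig-pool-persist ipp.txt         # keep client -> address mapping across restarts
# Routing rules the server pushes to every client that connects:
push "route 192.168.10.0 255.255.255.0"   # office LAN behind the gateway
push "route 192.168.20.0 255.255.255.0"   # second office subnet
push "dhcp-option DNS 192.168.10.5"       # internal resolver (Windows clients apply this automatically)
client-config-dir /etc/openvpn/ccd    # per-client overrides, one file per certificate CN
keepalive 10 120                      # ping every 10 s, declare the peer dead after 120 s
cipher AES-256-CBC
user nobody                           # drop privileges once the tunnel is up
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

#### client.ovpn on the road-warrior machine (added example) ####
client
dev tun
proto udp
remote vpn.example.org 1194           # public name of the CentOS gateway (assumed)
nobind
ca ca.crt
cert alice.crt                        # per-user certificate; revoke it when the laptop goes missing
key alice.key
tls-auth ta.key 1                     # must be the other key direction from the server's "0"
ns-cert-type server                   # refuse to connect to a peer presenting a client certificate
cipher AES-256-CBC
persist-key
persist-tun
verb 3
```

Clients need no routing configuration of their own: the two `push "route ..."` lines arrive at connect time, so adding a subnet later is a one-line change on the server only.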
Openswan is your friend. I have it running (under OpenSUSE) and it is quite easy. I tend to favor IPsec over SSL as I don't like to have openssl as a dependency.

-geoff

------------------------------
Geoff Galitz
Blankenheim, DE
http://www.galitz.org
Geoff Galitz wrote:
> Openswan is your friend. I have it running (under OpenSUSE) and it is quite easy. I tend to favor IPsec over SSL as I don't like to have openssl as a dependency.

On the other hand, if you don't have a strict requirement for IPsec, it is much easier to get the UDP or TCP packets that work for OpenVPN through NAT and port-forwarding routers.
> Geoff Galitz wrote:
>> Openswan is your friend. I have it running (under OpenSUSE) and it is quite easy. I tend to favor IPsec over SSL as I don't like to have openssl as a dependency.
> On the other hand, if you don't have a strict requirement for IPsec, it is much easier to get the UDP or TCP packets that work for OpenVPN through NAT and port-forwarding routers.

True for port forwarding, but current versions of Openswan (that is, currently available in most public repos) work just fine with NAT. I am using it in a NAT environment and I did not have to make NAT/masquerading adjustments. This was not always the case, and the Openswan docs still refer to adjustments for NAT networks... but as I said it works just fine for us without adjustments.

-geoff

------------------------------
Geoff Galitz
Blankenheim, DE
http://www.galitz.org
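The NAT-friendly Openswan setup Geoff describes, as an added example that is not part of the thread: an Openswan 2.6 `ipsec.conf` for a road-warrior gateway that accepts certificate-authenticated clients sitting behind NAT (NAT-T). The gateway subnet and certificate file name are assumptions; the firewall still has to admit UDP/500, UDP/4500 and ESP.

```conf
# /etc/ipsec.conf on the CentOS gateway (added example; subnet and cert name assumed)
config setup
    protostack=netkey          # native Linux 2.6 IPsec stack shipped with the CentOS 5 kernel
    nat_traversal=yes          # let clients behind NAT encapsulate ESP in UDP/4500
    # Private ranges a NAT'ed client may present as its "virtual" address.
    # The office LAN is excluded with "!" so a client cannot claim one of our own addresses.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/24

conn roadwarrior
    auto=add                   # load the policy at start; the clients initiate
    left=%defaultroute         # gateway side: its public address
    leftsubnet=192.168.10.0/24 # office LAN reachable through the tunnel
    leftcert=vpngw.pem         # gateway cert in /etc/ipsec.d/certs (hypothetical name)
    leftrsasigkey=%cert
    right=%any                 # client side: any source address
    rightrsasigkey=%cert       # clients must present a certificate from the CA in /etc/ipsec.d/cacerts
    rightsubnet=vhost:%priv,%no   # accept a private virtual IP from the client, or none at all
    keyexchange=ike
    ike=aes256-sha1;modp2048   # phase 1 proposal
    esp=aes256-sha1            # phase 2 proposal
    pfs=yes
    dpddelay=30                # dead-peer detection: NAT mappings time out silently,
    dpdtimeout=120             # so detect vanished clients and
    dpdaction=clear            # tear their SAs down instead of leaving stale state
```

No MASQUERADE or port-forwarding rule is needed on the gateway for this to work; `nat_traversal=yes` plus `virtual_private` is the whole NAT accommodation.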
On Thu, 2009-10-22 at 10:48 -0700, Geoff Galitz wrote:
> Openswan is your friend. I have it running (under OpenSUSE) and it is quite easy. I tend to favor IPsec over SSL as I don't like to have openssl as a dependency.

I second this.

IPSec also has another advantage over SSL as it is compatible with non-Linux devices (Cisco etc.) which don't have support for SSL-based VPNs, and is just as (if not more) secure.

Regards
Hamzah
On Thu, 22 Oct 2009, Joseph L. Casale wrote:
>> The best way is to use SSL-VPN rather than IPsec, via OpenVPN. It's a breeze to install and configure compared to most any other VPN, quite easy for the server to push routing rules to the clients, etc.
> I'll second the OpenVPN reco, I just migrated off a Cisco PIX to this and it is the most configurable and stable thing I have seen in ages. I have connections from both Linux and Windows machines that sustain for several days without a single hiccup, whereas the PIX would often suffer from non-recoverable transient errors that tanked the connection.

Macs work well too in an OpenVPN environment. You can compile it up yourself (or via MacPorts) or use Tunnelblick:
http://code.google.com/p/tunnelblick/

Note that OpenVPN and Vista aren't necessarily quick to work and play well together. They can do it, but some coaxing is often necessary. XP, otoh, works great.

On Linux, I like running OpenVPN as a standard daemon, but there's also a NetworkManager plugin that mostly works as advertised.
Thanks for all.

On Thu, Oct 22, 2009 at 3:16 PM, Paul Heinlein heinlein@madboa.com wrote:
> On Thu, 22 Oct 2009, Joseph L. Casale wrote:
>>> The best way is to use SSL-VPN rather than IPsec, via OpenVPN. It's a breeze to install and configure compared to most any other VPN, quite easy for the server to push routing rules to the clients, etc.
>> I'll second the OpenVPN reco, I just migrated off a Cisco PIX to this and it is the most configurable and stable thing I have seen in ages. I have connections from both Linux and Windows machines that sustain for several days without a single hiccup, whereas the PIX would often suffer from non-recoverable transient errors that tanked the connection.
>
> Macs work well too in an OpenVPN environment. You can compile it up yourself (or via MacPorts) or use Tunnelblick:
> http://code.google.com/p/tunnelblick/
>
> Note that OpenVPN and Vista aren't necessarily quick to work and play well together. They can do it, but some coaxing is often necessary. XP, otoh, works great.
>
> On Linux, I like running OpenVPN as a standard daemon, but there's also a NetworkManager plugin that mostly works as advertised.
>
> -- 
> Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos