 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec Issues
 Date:  Sun, 28 Aug 2005 19:37:43 -0400
I'd recommend not using OpenVPN as it's going to be removed from 1.2
final unless somebody steps up and fixes it.

The IPsec in m0n0wall currently does have some serious limitations
from the aged racoon it uses, but I don't know if any of the ones you
describe are amongst those.  One, it doesn't support NAT-T, so if your
client machine is behind NAT, it won't work.  That might have
something to do with the client side firewall issue you're talking
about, but I don't know.  The shared secrets issue you describe is a
client issue; the SafeNet client and other clients don't have this
issue.

The most solid, reliable, and easy to deal with option for client VPN
at this point is PPTP.

-Chris


On 8/28/05, D Syde <m0n0wall at evermore dot com> wrote:
> I am using m0n0wall on a soekris net4801 and have installed similar
> configurations at several remote locations.  I would like to be able to
> use VNC to provide remote support and, perhaps, ssh in to intranet file
> and application servers on the other LANs.
> 
> So, I thought I would give IPsec a go.  After a lot of reading
> (including digging through the archives of this list) and several hours
> of futzing, I got it mostly working using the open source front-end for
> the Windows XP IPSec stuff (TauVPN/iVPN).
> 
> Unfortunately, there seem to be some pretty serious limitations.  First,
> the shared secrets list seems to require that the client's IP address be
> used as an identifier.  I don't see any way to change/specify that on
> the client end (i.e. in TauVPN/iVPN).  That kind of defeats the purpose
> of supporting mobile clients, who will have dynamically-assigned IP
> addresses that vary on different connection attempts.
> 
> It also seems to be necessary to put a firewall rule on the client side
> that allows all traffic from the public IP of the server side to pass
> through the client-side firewall in order to have VNC work properly
> through the tunnel.  Some other services (http, at least) don't seem to
> require this.  Having the firewall open to all traffic, even from that
> one Internet address, seems like a larger security risk than I would prefer.
> 
> Am I right about the limitations or, am I doing something wrong?
> 
> Would I be better off with different client software?  The FAQ has an
> example using SafeNet SoftRemoteLT.  I would prefer to use open source
> software but would consider using it if it will definitely do what I want.
> 
> Or is IPSec even the best choice for this?
> 
> Any suggestions or references would be appreciated.
> 
> - D. Syde
> 
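Chris's point about the aged racoon lacking NAT-T can be checked against a packet capture rather than taken on faith: an IKEv1 responder that implements NAT-Traversal announces it with Vendor ID payloads in its first main-mode reply (the MD5 of the draft or RFC name, per RFC 3947), so `tcpdump -s0 -w ike.pcap udp port 500` on the client and a look at the gateway's first packet tells you what it supports. The parser below is an added example, not code from m0n0wall, racoon or any poster on this list; the two packets it inspects are constructed by hand, the SA payload body is a placeholder, and the unrelated 16-byte vendor ID is made up.

```python
"""Walk the ISAKMP payload chain of a captured IKEv1 packet and report
which NAT-T variants the peer advertised.  Added example; sample packets
below are constructed, not captured."""
import hashlib
import struct

# ISAKMP fixed header: i-cookie, r-cookie, next payload, version,
# exchange type, flags, message ID, total length (28 bytes, RFC 2408).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_SA, PAYLOAD_VID = 1, 13
XCHG_MAIN_MODE = 2

# NAT-T vendor IDs are MD5 of the spec name (RFC 3947 sec. 3.2); the two
# draft variants are what older racoon/client builds sent.  Not exhaustive.
NAT_T_VIDS = {
    hashlib.md5(b"RFC 3947").digest(): "RFC 3947",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest(): "draft-ietf-ipsec-nat-t-ike-03",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "draft-ietf-ipsec-nat-t-ike-02",
}


def iter_payloads(packet):
    """Yield (payload_type, body) for each payload in the chain.

    Every length is checked against the buffer before use, so a short or
    malformed capture raises ValueError instead of reading past the end."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    (_icookie, _rcookie, next_type, _version, _xchg,
     _flags, _msgid, length) = ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError("header length %d != packet length %d" % (length, len(packet)))
    off = ISAKMP_HDR.size
    while next_type != 0:
        if off + 4 > len(packet):
            raise ValueError("truncated generic payload header")
        following, _reserved, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        yield next_type, packet[off + 4:off + plen]
        next_type, off = following, off + plen
    if off != len(packet):
        raise ValueError("trailing bytes after last payload")


def is_well_formed(packet):
    """True if the whole payload chain parses without error."""
    try:
        list(iter_payloads(packet))
        return True
    except ValueError:
        return False


def vendor_ids(packet):
    """Raw Vendor ID payload bodies, in the order the peer sent them."""
    return [body for ptype, body in iter_payloads(packet) if ptype == PAYLOAD_VID]


def nat_t_variants(packet):
    """Names of the NAT-T variants the peer advertised (empty = no NAT-T)."""
    return [NAT_T_VIDS[v] for v in vendor_ids(packet) if v in NAT_T_VIDS]


def build_packet(payloads, exchange=XCHG_MAIN_MODE):
    """Assemble a constructed main-mode packet for testing; cookies are dummies."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


# Placeholder SA body; a real responder echoes the accepted proposal here.
SA_BODY = b"\x00\x00\x00\x01\x00\x00\x00\x01"
# Constructed: a gateway that supports NAT-T (RFC 3947 and draft-03) and
# also sends an unrelated, made-up vendor ID.
RESPONDER_WITH_NAT_T = build_packet([
    (PAYLOAD_SA, SA_BODY),
    (PAYLOAD_VID, hashlib.md5(b"RFC 3947").digest()),
    (PAYLOAD_VID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest()),
    (PAYLOAD_VID, b"\xaa" * 16),
])
# Constructed: a gateway like the old racoon described above, no NAT-T VIDs.
RESPONDER_WITHOUT_NAT_T = build_packet([(PAYLOAD_SA, SA_BODY), (PAYLOAD_VID, b"\xaa" * 16)])

if __name__ == "__main__":
    for name, pkt in (("with NAT-T", RESPONDER_WITH_NAT_T), ("without", RESPONDER_WITHOUT_NAT_T)):
        print(name, "->", nat_t_variants(pkt) or "peer did not advertise NAT-T")
```

To run it against a real capture, feed `iter_payloads` the UDP payload of the gateway's first reply (offset past the Ethernet/IP/UDP headers); an empty result from `nat_t_variants` means a client behind NAT will not get a tunnel up, which matches the limitation Chris describes. A NAT-T capable peer will also carry NAT-D payloads later in the exchange, which this parser leaves for the reader.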