 From:  D Syde <m0n0wall at evermore dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec Issues
 Date:  Sun, 28 Aug 2005 21:02:17 -0700
Ah, okay.  The client side is behind NAT.  I didn't realize that would
be a problem.

I spent a couple hours earlier trying the OpenVPN stuff.  I took the
warning on the m0n0wall site about not using the betas in a production
environment pretty seriously.  So, I had been using 1.11.

I think I have identified the problem I am having with OpenVPN at this
point (it hangs while establishing the connection - the OpenVPN FAQ
suggested that it is likely due to being behind NAT and that I need to
figure out how to permit returning UDP traffic back through the
client-side firewall).

However, I just read that the plan is to remove OpenVPN from the 1.2
release.  I know I don't want to deploy abandoned beta functionality.
So, probably won't continue working with OpenVPN right now.

I'll have to look at the PPTP stuff in greater depth.  Thanks for the
response and the suggestions.

- D. Syde

Chris Buechler wrote:
> I'd recommend not using OpenVPN as it's going to be removed from 1.2
> final unless somebody steps up and fixes it.
> The IPsec in m0n0wall currently does have some serious limitations
> from the aged racoon it uses, but I don't know if any of the ones you
> describe are amongst those.  One, it doesn't support NAT-T, so if your
> client machine is behind NAT, it won't work.  That might have
> something to do with the client side firewall issue you're talking
> about, but I don't know.  The shared secrets issue you describe is a
> client issue, the SafeNet client and other clients don't have this
> issue.
> The most solid, reliable, and easy to deal with option for client VPN
> at this point is PPTP.
> -Chris
> On 8/28/05, D Syde <m0n0wall at evermore dot com> wrote:
>>I am using m0n0wall on a soekris net4801 and have installed similar
>>configurations at several remote locations.  I would like to be able to
>>use VNC to provide remote support and, perhaps ssh in to intranet file
>>and application servers on the other LANs.
>>So, I thought I would give IPsec a go.  After a lot of reading
>>(including digging through the archives of this list) and several hours
>>of futzing, I got it mostly working using the open source front-end for
>>the Windows XP IPSec stuff (TauVPN/iVPN).
>>Unfortunately, there seem to be some pretty serious limitations.  First,
>>the shared secrets list seems to require that the client's IP address be
>>used as an identifier.  I don't see any way to change/specify that on
>>the client end (i.e. in TauVPN/iVPN).  That kind of defeats the purpose
>>of supporting mobile clients, who will have dynamically-assigned IP
>>addresses that vary on different connection attempts.
>>It also seems to be necessary to put a firewall rule on the client side
>>that allows all traffic from the public IP of the server side to pass
>>through the client-side firewall in order to have VNC work properly
>>through the tunnel.  Some other services (http, at least) don't seem to
>>require this.  Having the firewall open to all traffic, even from that
>>one Internet address, seems like a larger security risk than I would prefer.
>>Am I right about the limitations, or am I doing something wrong?
>>Would I be better off with different client software?  The FAQ has an
>>example using SafeNet SoftRemoteLT.  I would prefer to use open source
>>software but would consider using it if it will definitely do what I want.
>>Or is IPSec even the best choice for this?
>>Any suggestions or references would be appreciated.
>>- D. Syde
>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
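The thread's security concern is the client-side rule that lets all traffic from the server's public IP through. What an IPsec peer actually needs is narrow: ISAKMP on UDP/500, NAT-T on UDP/4500 (only if the peer supports NAT traversal, which the old racoon in m0n0wall 1.11 does not), and ESP (IP protocol 50). The following Python model is an added example, not code from the thread, from m0n0wall or from any of its authors; it does not reproduce m0n0wall's own rule syntax. It compares the "allow everything from the peer" rule set with a least-privilege one over a constructed packet list, so the difference in exposure is visible. The peer address 203.0.113.10 and the other host 198.51.100.7 are constructed documentation addresses.

```python
"""Least-privilege client-side firewall rules for an IPsec peer (added example).

Two rule sets are modelled as lists of predicates with first-match-wins and
a default deny, mirroring the behaviour of a typical stateless packet filter.
All addresses and packets below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

PEER_IP = "203.0.113.10"   # constructed: public IP of the server-side m0n0wall


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP address
    proto: str               # "udp", "tcp" or "esp"
    dport: Optional[int] = None   # destination port; None for ESP (it has no ports)


Rule = Callable[[Packet], bool]


def allow_all_from_peer(p: Packet) -> bool:
    """The broad rule from the thread: anything from the peer's IP passes."""
    return p.src == PEER_IP


def allow_ipsec_from_peer(p: Packet) -> bool:
    """Least-privilege rule: only what IKE/IPsec itself requires from the peer."""
    if p.src != PEER_IP:
        return False
    if p.proto == "esp":              # tunnel payload; VNC/ssh ride inside this
        return True
    return p.proto == "udp" and p.dport in (500, 4500)   # ISAKMP and NAT-T


def permitted(rules: List[Rule], p: Packet) -> bool:
    """First matching allow rule wins; no match means deny."""
    return any(rule(p) for rule in rules)


def non_ipsec_exposure(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets a rule set admits that are NOT part of the IPsec exchange.

    Anything returned here is attack surface the VPN itself does not need.
    """
    return [
        p for p in packets
        if permitted(rules, p) and not (p.proto == "esp" or (p.proto == "udp" and p.dport in (500, 4500)))
    ]


# Constructed traffic sample: what the peer legitimately sends, plus what an
# attacker at (or spoofing) the peer address could try directly.
SAMPLE_PACKETS = [
    Packet(PEER_IP, "udp", 500),          # IKE negotiation
    Packet(PEER_IP, "udp", 4500),         # NAT-T (needs a NAT-T capable peer)
    Packet(PEER_IP, "esp"),               # encrypted tunnel traffic
    Packet(PEER_IP, "tcp", 5900),         # VNC sent straight at the client, outside the tunnel
    Packet(PEER_IP, "tcp", 22),           # ssh straight at the client
    Packet("198.51.100.7", "udp", 500),   # IKE from an unrelated host
]

BROAD = [allow_all_from_peer]
TIGHT = [allow_ipsec_from_peer]


def tunnel_traffic_passes(rules: List[Rule]) -> bool:
    """True when the rule set admits every packet the IPsec exchange needs."""
    needed = [p for p in SAMPLE_PACKETS if p.src == PEER_IP and (p.proto == "esp" or p.dport in (500, 4500))]
    return all(permitted(rules, p) for p in needed)


if __name__ == "__main__":
    for name, rules in (("allow-all-from-peer", BROAD), ("ipsec-only-from-peer", TIGHT)):
        print(f"{name}: tunnel ok={tunnel_traffic_passes(rules)} "
              f"extra exposure={[(p.proto, p.dport) for p in non_ipsec_exposure(rules, SAMPLE_PACKETS)]}")
```

Both rule sets let the IKE and ESP packets through, so the tunnel works either way; the difference is that the broad rule also admits plain TCP 5900 and 22 from the peer address outside the tunnel, which is the exposure the poster was uneasy about. Note that on a m0n0wall 1.11 release without NAT-T support, the UDP/4500 rule is harmless but unused; the NAT problem itself is not solved by any client-side rule.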