Many thanks for your response.
> 1. is the m0n0 box on a static IP? the ipsec implementation requires at
> least one static IP.
It will be deployed on a static IP. I have a /28 that I want to use for
machines in a DMZ, but the LAN will be private NAT.
> 2. Do you just want to be able to "get into the LAN", or do you need real
> security? PPTP is far less secure than ipsec, and I base that on
> absolutely nothing right now, because I am too lazy to pull up the
> relevant sources :)
I'm not paranoid, but do want security. One of the reasons I want VPN into
LAN is so that I can do Windows Remote Desktop access when I travel...
either to sort out a problem on the machine in question or to do some work.
> 3. Are the road warriors behind restrictive firewalls that do not let IP
> protocol 50 through? no ipsec for you.
Possibly at times. Is PPTP better for firewalls than IPsec?
I also wondered about a VPN protocol that will allow you to work from a NAT
connection somewhere else as well. (I think this is called NAT transversal
if I recall). So many places have wireless APs with NAT on them. I don't
know if this is an issue for PPTP or IPsec.
> 4. Ease of use - last time I tried to connect windows 2000 to freeSWAN, it
> was a weekend project. I did not want to pay for a third-party ipsec
> client for windows, and the built-in one doesn't follow all the standards.
> Dunno if that improved in XP.
I get the impression that XP is better in this regard than W2k, but my
knowledge of VPN is weak... so this is an opportunity to learn!
> if you want the best of both worlds (i.e., ease of use of PPTP on windows,
> but decent security), I still highly recommend OpenVPN. Either set up an
> openVPN box in the LAN, or grab one of Peter Allgeyer's images, that's
> what I have been using for over a year, rock solid. Wife uses a wireless laptop
> at home and can only get out through an openVPN tunnel (starts
> automatically upon starting the laptop, default route gets pushed by the
> server), I work from everywhere behind all kinds of firewalls and have it
> listen on a tcp port (not changing the default route, just to get to my
> internal machines at home), never had a problem. Even works with
> certificates, don't have to rely on PSK.
I'll google around on this... sounds interesting. Are there some
instructions on OpenVPN with m0n0wall posted somewhere? What is the client
that I would use from the laptop running XP?
Thanks for your advice and time. Very helpful indeed.