 From:  "Donovan R. Palmer" <donovan at dmpnet dot org>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] PPTP versus IPsec
 Date:  Sun, 7 Jan 2007 20:21:39 -0000

Many thanks for your response.

> 1. is the m0n0 box on a static IP? the ipsec implementation requires at 
> least one static IP.

It will be deployed on a static IP.  I have a /28 that I want to use for 
machines in a DMZ, but the LAN will be private NAT.

> 2. Do you just want to be able to "get into the LAN", or do you need real 
> security? PPTP is far less secure than ipsec, and I base that on 
> absolutely nothing right now, because I am too lazy to pull up the 
> relevant sources :)

I'm not paranoid, but do want security.  One of the reasons I want VPN into 
LAN is so that I can do Windows Remote Desktop access when I travel... 
either to sort out a problem on the machine in question or to do some work.

> 3. Are the road warriors behind restrictive firewalls that do not let IP 
> protocol 50 through? no ipsec for you.

Possibly at times. Is PPTP better for firewalls than IPsec?

I also wondered about a VPN protocol that will allow you to work from a NAT 
connection somewhere else as well.  (I think this is called NAT traversal 
if I recall).  So many places have wireless APs with NAT on them.  I don't 
know if this is an issue for PPTP or IPsec.

> 4. Ease of use - last time I tried to connect windows 2000 to freeSWAN, it 
> was a weekend project. I did not want to pay for a third-party ipsec 
> client for windows, and the built-in one doesn't follow all the standards. 
> Dunno if that improved in XP.

I get the impression that XP is better in this regard than W2k, but my 
knowledge of VPN is weak... so this is an opportunity to learn!

> if you want the best of both worlds (i.e., ease of use of PPTP on windows, 
> but decent security), I still highly recommend OpenVPN. Either set up an 
> openVPN box in the LAN, or grab one of Peter Allgeyer's images, that's 
> what I have been using for over a year, rock solid. Wife uses a wireless laptop 
> at home and can only get out through an openVPN tunnel (starts 
> automatically upon starting the laptop, default route gets pushed by the 
> server), I work from everywhere behind all kinds of firewalls and have it 
> listen on a tcp port (not changing the default route, just to get to my 
> internal machines at home), never had a problem. Even works with 
> certificates, don't have to rely on PSK.

I'll google around on this... sounds interesting.  Are there some 
instructions on OpenVPN with m0n0wall posted somewhere?  What is the client 
that I would use from the laptop running XP?

Thanks for your advice and time.  Very helpful indeed.
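The OpenVPN road-warrior setup the quoted reply describes (server listening on a TCP port, certificate authentication rather than a PSK, default route pushed only to the home laptop and not to the travelling client) written out as an OpenVPN 2.x server configuration. This is an added example, not a file from the list thread, from m0n0wall or from Peter Allgeyer's images; the port, subnets, file paths and client common name are assumptions.

```conf
# Assumed OpenVPN 2.x server config (example added here, not the thread's own).
# Listen on TCP so road warriors behind restrictive firewalls can reach it;
# port 443 is an assumption (outbound HTTPS is rarely blocked).
port 443
proto tcp-server
dev tun

# Certificate-based authentication instead of a pre-shared key: each client
# carries its own cert, so a lost laptop is revoked alone, not the whole site.
ca       /etc/openvpn/ca.crt      # assumed paths
cert     /etc/openvpn/server.crt
key      /etc/openvpn/server.key
dh       /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0    # extra HMAC on the TLS handshake; unauthenticated packets are dropped early
crl-verify /etc/openvpn/crl.pem   # honour revoked client certificates

# Tunnel address pool (assumed) and the home LAN behind the server (assumed).
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

# No global "redirect-gateway": a travelling client only sends traffic for the
# home LAN through the tunnel (Remote Desktop to the internal machines still works).
# Per-client overrides are read from ccd/<certificate common name>.
client-config-dir /etc/openvpn/ccd

keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
verb 3

# --- /etc/openvpn/ccd/home-laptop (assumed common name of the wireless laptop) ---
# Only this client gets its default route pushed, so everything it sends on the
# home wireless network is forced through the tunnel, as in the quoted setup.
push "redirect-gateway def1"
```

With this layout the travelling client keeps its local default route and reaches only the pushed 192.168.1.0/24 route over the tunnel, while the per-client file in ccd/ is what turns the laptop into a full-tunnel client.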