VPN client for linux without compiling kernel

Hi,

I'm looking for a VPN client for linux which doesn't need compiling a new kernel.

We have to equip a large number of notebooks with it and the installation should be done by the users, because it would be too hard getting all notebooks here. So it has to be quite simple, maybe by running a shell script provided by us to the users.

We use IPSec, L2TP and X509 Certificates.

All I found is a client from Cisco, but it requires Cisco appliances that we don't have...

Any ideas?

Greetings, Rocco

Reply to
Rocco

formatting link

--Frank Elsner

Reply to
Frank Elsner

formatting link
'Nough Said

Reply to
Steven Coutts

OpenVPN is a nice user-space implementation and at first glance exactly what I need, but it uses SSL and is not compatible with IPSec and L2TP.

Maybe this is the price to pay to get a pure user-space implementation...

Greetings, Rocco

Reply to
Rocco

Is that really important? Are particular buzzwords important or is security the issue?

With OpenVPN it's only necessary for one end to have a high port open through the firewall... and you can decide which one.

Static (private) keys mean that somebody has to break into one of the machines to gain entry. If the machines are behind a firewall that forwards only the relevant high port, unauthorised penetration is much more difficult than it would be otherwise. Authentication traffic with static keys is almost indiscernible from "junk" binary data traffic if somebody's snooping on the outside.

No. Source code is available for you to write user-space IPSec and L2TP implementations.

SuSE may already support Openswan out of the box. I don't have a chance to check ATM if it's already in the kernel.

formatting link

Reply to
Bernd Felsche

Which kernel are you using? A 2.6 kernel has IPsec in by default. A 2.4-based kernel doesn't have IPsec built in, but various vendors (e.g. SUSE) added FreeS/WAN as a module which can be installed without re-compilation.

If you don't have IPsec in the kernel or use a release which makes it available as a module then you are out of luck as regards IPsec. There is a freely-available user-level IPsec implementation, but I don't think it is sufficient for your needs.

Ignore the following unless you have IPsec in your kernel or you can easily add it as a module ...

How are users authenticated? If it was just IPsec+L2TP I'd assume you had a group shared secret to set up main mode and then authenticated via L2TP. If it was IPsec+X509 I'd assume you were authenticating via the certificate, perhaps also using Xauth. With both L2TP and certificates it isn't clear to me what authentication method you currently use and/or which methods you could use, and so whether the available IKE daemons that run under Linux will be able to handle your situation. Also, if you can avoid L2TP then I would, since that would remove another level of complexity.

Reply to
Stephen J. Bevan
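A check for the point Stephen makes above (native IPsec in 2.6 kernels, FreeS/WAN's KLIPS only as a vendor-supplied module on 2.4), written as an added shell example; it is not from the original thread and not part of any of the tools mentioned. It reads the kernel release and the distribution's /boot/config-<release> (or /proc/config.gz). CONFIG_NET_KEY, CONFIG_INET_ESP and CONFIG_XFRM_USER are the 2.6 native-stack options and /proc/net/ipsec_version is the proc entry KLIPS registers; the function names and the verdict strings (native, klips, none, unknown) are this example's own. It is the kind of check the user-run install script from the first post could do before trying to install anything.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether this box can do IPsec
# without a kernel rebuild.
#   2.6 (and later) kernels: native IPsec, visible in the kernel config as
#     CONFIG_NET_KEY (PF_KEY), CONFIG_INET_ESP and CONFIG_XFRM_USER, =y or =m.
#   2.4 kernels: only if a vendor ships FreeS/WAN's KLIPS module, which
#     registers /proc/net/ipsec_version when loaded.

# Print "major.minor" of a kernel release string, e.g. "2.6.11-1.1369_FC4" -> "2.6".
kernel_major_minor() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# Return 0 if the given kernel config enables the native IPsec stack.
# All three options must be built in (=y) or available as modules (=m).
config_has_native_ipsec() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    for opt in CONFIG_NET_KEY CONFIG_INET_ESP CONFIG_XFRM_USER; do
        grep -Eq "^${opt}=(y|m)$" "$cfg" || return 1
    done
    return 0
}

# Return 0 if FreeS/WAN KLIPS is loaded; $1 overrides the proc path for testing.
klips_loaded() {
    [ -r "${1:-/proc/net/ipsec_version}" ]
}

# Verdict for one kernel release, config file and KLIPS proc path:
# native | klips | none | unknown (unknown = 2.6 kernel but no readable config).
ipsec_verdict() {
    release="$1"; cfgfile="$2"; klips_proc="$3"
    case "$(kernel_major_minor "$release")" in
        2.6|[3-9].*)
            if [ ! -r "$cfgfile" ]; then echo unknown
            elif config_has_native_ipsec "$cfgfile"; then echo native
            else echo none
            fi ;;
        2.4)
            if klips_loaded "$klips_proc"; then echo klips; else echo none; fi ;;
        *) echo unknown ;;
    esac
}

# Report for the running kernel; falls back to /proc/config.gz when the
# distribution does not ship /boot/config-<release>.
report_ipsec_support() {
    rel="$(uname -r)"
    cfgpath="/boot/config-$rel"
    if [ ! -r "$cfgpath" ] && [ -r /proc/config.gz ]; then
        cfgpath="${TMPDIR:-/tmp}/kconfig.$$"
        zcat /proc/config.gz > "$cfgpath"
    fi
    echo "kernel $rel: ipsec=$(ipsec_verdict "$rel" "$cfgpath" /proc/net/ipsec_version)"
}

# Run the report unless sourced as a library (IPSEC_CHECK_LIB=1).
[ "${IPSEC_CHECK_LIB:-0}" = 1 ] || report_ipsec_support
```

A result of "none" on a 2.4 kernel means the vendor's FreeS/WAN package (if any) is not loaded yet, so the script would have to install and modprobe it before going on; "unknown" on 2.6 means the config is not available to inspect, and a `modprobe af_key` followed by a check for /proc/net/pfkey is the next cheapest test.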

Some systems use 2.4, some 2.6. They are mainly SUSE and Red Hat distributions. A loadable FreeS/WAN would be a nice solution for 2.4-based kernels - I'm going to check the various distributions for it.

You're right, the 2.6 kernel already supports IPsec, but as I read in the documentation of ipsec-tools/racoon it's necessary to re-compile it to enable IPsec because it's disabled by default.

We use machine-based certificates for authentication. There are two certificates installed on each PC - one root certificate which users download from our website, and one machine certificate which they have to request via a form on our website. And that leads to the next problem - this "automated certificate setup" works only with IE and ActiveX, but more on this later...

Reply to
Rocco

I don't know about all 2.6-based releases, but in SUSE 9.2 the kernel has native IPsec compiled into it by default and one can install two different user-level IPsec interfaces with YaST, ipsec-tools or Openswan, without re-compiling anything.

Certificate-based authentication works with either Racoon or Openswan, so that should not be a problem.

L2TP still might be a deal breaker. You can read all about how it can be made to work at , though some of the hoops one has to jump through to make it work may not be feasible in your setup.

Reply to
Stephen J. Bevan
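To make the last point concrete (machine-certificate authentication with racoon), here is the client-side part of the user-run install script the thread asks for, as an added shell example that is not from the thread and not shipped with ipsec-tools. It verifies that the downloaded machine certificate chains to the root certificate with openssl before racoon is pointed at it, installs both with the private key readable only by root, and writes a racoon.conf that authenticates with the machine certificate (rsasig) and checks the gateway's certificate against the root. The certificate directory, the gateway address 192.0.2.1 and the 3DES/SHA-1/modp1024 proposal are assumptions to be matched to the real gateway; the L2TP side that Stephen flags is not covered here, this is IKE/IPsec only.

```shell
#!/bin/sh
# Added example (not from the thread): client-side racoon setup with X.509
# machine-certificate authentication. Paths, gateway address and algorithm
# choices are assumptions; match them to the gateway's IKE proposal.
# usage: sh racoon-setup.sh root.crt machine.crt machine.key GATEWAY_IP

# Check that the machine certificate chains to the root certificate before
# anything is installed; a bad download is easier to diagnose here than as
# an IKE main-mode failure. Returns openssl's exit status (0 = chain OK).
verify_machine_cert() {
    root="$1"; cert="$2"
    openssl verify -CAfile "$root" "$cert"
}

# Copy the certificates into place. The private key must not be readable by
# other users of the notebook; racoon runs as root and needs nothing more.
install_certs() {
    certdir="$1"; root="$2"; cert="$3"; key="$4"
    mkdir -p "$certdir"
    cp "$root" "$certdir/root.crt"
    cp "$cert" "$certdir/machine.crt"
    cp "$key"  "$certdir/machine.key"
    chmod 644 "$certdir/root.crt" "$certdir/machine.crt"
    chmod 600 "$certdir/machine.key"
}

# Write racoon.conf: $1 = config directory, $2 = certificate directory,
# $3 = gateway IP. The remote section authenticates with the machine
# certificate and verifies the gateway's certificate against root.crt.
write_racoon_conf() {
    dir="$1"; certdir="$2"; gw="$3"
    cat > "$dir/racoon.conf" <<EOF
# generated by the install script; certificates live in $certdir
path certificate "$certdir";

remote $gw {
        exchange_mode main;
        # our machine certificate and private key (PEM)
        certificate_type x509 "machine.crt" "machine.key";
        # root certificate the gateway's certificate must chain to
        ca_type x509 "root.crt";
        # both sides identify themselves by certificate subject DN
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_cert on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# Only act when the four arguments are given, so the file can also be sourced.
if [ "$#" -eq 4 ]; then
    verify_machine_cert "$1" "$2" || { echo "machine certificate does not chain to root" >&2; exit 1; }
    install_certs /etc/racoon/certs "$1" "$2" "$3"
    write_racoon_conf /etc/racoon /etc/racoon/certs "$4"
    echo "racoon configured for gateway $4"
fi
```

`verify_cert on` is the setting that matters for the security of the scheme: with it off, racoon would accept any certificate the peer presents, and the root certificate the users download would be decorative. The SPD entries (setkey) for the L2TP transport-mode policy and the l2tpd configuration still have to come from elsewhere.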
