setting up a VPN from scratch

numa at thenuma.com
Fri Feb 21 16:23:23 CST 2003


To be honest, having used FreeS/WAN some... I well... don't use it in
production environments. I actually prefer the seamlessness of VPN
network appliances. Also, over the period of 2 years the power savings
alone manage to pay for themselves. Something to think about.
Hell, even the Linksys VPN routers work great.

Kris

> Ben Coffman wrote:
>> LUGers
>>
>> What would be a good web site or book to read about setting up a VPN
>> between two RH Linux machines?  Do I use software for this, or do I
>> just configure the firewall just so...
>
> You need some software to do the encrypting, or you wind up with a VN,
> not a VPN. :)
>
> Linux solutions include the FreeS/WAN IPSec implementation, which is
> very powerful, but pretty complex to initially set up, as kernel patching
> is required.  You can also use ssh, ssl, cipe, and several other
> options.  What will work best for you depends on how you plan to use the
> VPN link, if you care about adhering to some sort of standard (like
> ipsec), and how much effort you want to put into up-front setup and
> ongoing maintenance.
>
> You might want to start with the VPN-HOWTO:
> http://www.tldp.org/HOWTO/VPN-HOWTO/
>
> ...which describes how to build a VPN with SSH, and covers some basics
> and describes some alternatives.
>
> I'd also suggest reading through the FreeS/WAN docs if you want a true
> VPN.  The ssh tunnels can run into problems with less than perfect
> connections...since ssh is running over TCP (a guaranteed delivery
> mechanism), if you run tcp connections through an ssh tunnel, you can
> get nasty interactions between the two tcp stacks if your link drops or
> mangles packets, which can rapidly degrade the usefulness of your "VPN".
>
> http://www.freeswan.org/doc.html
>
> FYI:  I'd rate configuring FreeS/WAN about the same as dealing with bind
> (named) on my sysadmin complexity scale.  It's pretty hard to wrap your
> head around until you get everything working, but once set up and
> working, it's pretty easy to maintain.
>
> --
> Charles Steinkuehler
> charles at steinkuehler.net