Contributed by jose on from the commercial-VPNs dept.
Thanks
Peter"
(Comments are closed)
OpenBSD Journal
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
Comments
By Anonymous Coward () on
First, the L2TP client is nicely integrated into the windows environment, making a VPN connection seem little more than another "dial-up Internet" solution to the end user.
Second, the NAT issues, which are nicely handled by L2TP (NAT/T is still not here).
Third, authentication is nicely integrated into an existing infrastructure. (LDAP/RADIUS/NTauth are already deployed at most sites)
Finally, the L2TP client handles the irksome details of internal DNS, making the client feel like "part of the network".
I have deployed IPSec VPNs on Windows clients in many configurations. The user headaches are several orders of magnitude greater than the equivalent L2TP solution (unless a remote desktop/terminal server solution is used).
By Peter Curran () peter@closeconsultants.com on mailto:peter@closeconsultants.com
Nope this is not my goal. What I am looking for is a no-brainer setup for a windows user to create a secure connection across a wireless network to an Access Point that happens to be running OpenBSD.
You can actually set this up in a couple of clicks, as the windows wizard takes care of the L2TP setup as well as automatically enabling IPsec transport mode with (by default) an X.509 cert or (if you beat on it) a shared secret.
The same wizard will also create a setup that automatically checks for either a PPTP tunnel or an L2TP tunnel. PPTP sucks, it is also proprietary. I prefer to stick to recognised standards hence my interest in L2TP.
Peter
By paulc () on
Actually, getting IPSEC/L2TP working would be very useful for remote VPN access from W2K/OSX clients (which have this built in). L2TP also addresses the problem of distributing/managing pre-shared secrets or certificates for users, as there is a secondary password authentication mechanism built into the L2TP/PPP connection.
There is an open-source L2TP implementation here:
http://www.l2tpd.org/
A port of this was posted to openbsd-ports here:
http://monkey.org/openbsd/archive/ports/0307/msg00349.html
I spent a bit of time setting this up a while ago; however, unfortunately I don't have the notes. (From memory) you essentially need the following:
* IPSEC setup with either pre-shared key or cert (pre-shared key is easiest as this just establishes the tunnel auth - the user is authenticated later using PPP)
* PF setup to limit enc0 access to the L2TPD server port
* L2TPD running on lo0
* PPP setup to authenticate vpn users
One key problem is that without IPSEC NAT/T this won't work for a client behind a NAT gateway, which made it essentially useless for my requirements (and hence I gave up). I believe the OpenBSD IPSEC should support NAT/T in 3.5 and Apple have committed to support this in their client - once this is in place I will probably take another look.
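The second bullet in the outline above (PF limiting what arrives over enc0 to the L2TP port) is the piece that keeps the IPsec tunnel from becoming a general-purpose hole into the gateway, so here is what that part of pf.conf can look like. This is an added example, not paulc's configuration or anything from the l2tpd port; the interface name and addresses are placeholders, and the destination used for the L2TP rule has to be whatever address l2tpd actually listens on (the post runs it on lo0).

```pf
# Added example: pf.conf fragment for an L2TP-over-IPsec gateway.
# Names and addresses below are assumptions, not values from the thread.
ext_if    = "fxp0"        # assumption: interface facing the wireless clients
gw_addr   = "192.0.2.1"   # assumption: gateway address the IPsec peers talk to
l2tp_addr = "127.0.0.1"   # assumption: address l2tpd binds to (lo0 in the post)

# Decrypted IPsec traffic reappears on enc0. Deny everything there by default
# (and log it, so a client poking at other services shows up in pflog) ...
block in log on enc0
# ... and allow only L2TP (UDP 1701) to the l2tpd listener. PPP inside the
# tunnel then does the per-user authentication the shared IPsec key cannot.
pass in on enc0 proto udp from any to $l2tp_addr port 1701 keep state

# On the outside interface only the IPsec negotiation (ISAKMP, UDP 500) and
# the ESP payload may reach the gateway; the cleartext inside ESP is judged
# again by the enc0 rules above, so nothing else needs to be opened here.
pass in on $ext_if proto udp from any to $gw_addr port 500 keep state
pass in on $ext_if proto esp from any to $gw_addr

# Syntax-check without loading:  pfctl -nf /etc/pf.conf
```

Because pf evaluates the last matching rule, the `block` on enc0 must come before the `pass` for port 1701. Without that default deny, any client holding the (shared) pre-shared key could reach every service bound on the gateway without ever passing PPP authentication, which is exactly the gap the per-user password in L2TP/PPP is meant to close.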
By Peter Curran () peter@closeconsultants.com on mailto:peter@closeconsultants.com
As my requirement is really aimed at running this over a wireless LAN to an AP I will not have problems with NAT traversal.
If I get this working OK then I will, of course, report back to this forum with the details on how I did it.
Incidentally, I have a very easy to implement solution working using OpenVPN at the moment. Is anybody interested in this?
Peter