On Sunday 02 May 2004 20:43, Michael Mansour wrote:
> In one state (the other state from here), this
> particular company is supported by a mob who don't
> know anything about Linux, so they wish to convert the
> company to Microsoft VPN and have asked me what is
> required on my end to make Linux support their
> Microsoft VPN solution their end.

> * can Linux VPN support Microsoft VPN?

Microsoft's current VPN is a hybrid three-layer beast. It's PPP over L2TP over IPsec. All of these are supportable under Linux. The configuration is not easy.

There is a commercial Linux-based solution for a Linux VPN _server_ that works with Microsoft's VPN clients, including a nice Certification Authority and a Windows certificate installation Wizard that makes it very easy to connect Microsoft clients to the Linux VPN firewall. The product is SmoothWall's Corporate Server 3.0 + SmoothTunnel 3.1. The VPN portion (SmoothTunnel) is licensed based on the number of configured tunnels. Each L2TP client gets a separate tunnel. A reseller local to me is Joyner Network Solutions. E-mail ben@xxxxxxxxxxxx for more information.

The Microsoft VPN, for the Road Warrior case (that is, a dynamically assigned IP address 'dialing' in to a fixed gateway) is very simple to configure on the client side (once you get your certificates in the right place) and is very easy in concept, being that it is Just Another Dialup Networking Connection. Don't use PPTP as it has known security issues. Win95/98/ME L2TP VPN DUN client software is available free from Microsoft.

I am using the SmoothTunnel product here and was extremely impressed by the polish of the web GUI tools for configuration. To say it was simple is an extreme understatement:

- Generate CA;
- Generate Host Cert;
- Generate Client Cert;
- Create L2TP RoadWarrior Tunnel (the only hard part here is 'Client IP', which is the IP address _on_the_inside_ network for the tunnelled host to use);
- download certs (CA in PEM, Client in PKCS12) (simple web form based download);
- install certs using provided GUI Wizard;
- configure the DUN VPN properly (a couple of configuration points are not default).

The Win2k3 setup of the same thing is of about the same complexity.

I tried doing this all by hand using l2tpd and hand-generating the CA, host, and user certs and hand importing everything into Windows. While it DID work, it took a very long time to get right, and the SmoothTunnel stuff Just Works. But all the pieces you need are available free: OpenSWAN for the IPsec, the stock PPP package, and L2TPD (see Nate Carlson's page at http://www.natecarlson.com/linux/ipsec-x509.php for more info, as well as Jacco's page at http://www.jacco2.dds.nl/networking/freeswan-l2tp.html). But beware; configuration is not at all easy. But Jacco's website in particular has everything you need to know.

Also available is the Astaro Security Linux and the Astaro IPsec Client at www.astaro.com.

> * are there any ADSL modem/routers which support
> Microsoft's VPN?

IPsec needs to be put into 'NAT Traversal' mode for the typical VPN-passthrough solution to work. The Windows side also needs the 818043 update applied. NAT-traversal just causes IPsec to tunnel over UDP port 500 instead of using the default IP protocol 50. Look for the keyword 'VPN passthrough' and you would want the 'many clients' type.

-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
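The three certificate steps Lamar lists (generate CA, host cert, client cert, then hand out the CA as PEM and the client identity as PKCS12) done with the plain openssl CLI, as an added example rather than code from the post, SmoothTunnel or Openswan. Subject names, file names and the export password 'changeit' are placeholders for this example.

```shell
#!/bin/sh
# Added example (not from the post or any product it names): build the CA,
# gateway and road-warrior certificates an L2TP/IPsec X.509 setup needs.
# All names and the password 'changeit' are placeholders.
set -eu

# Issue an end-entity cert signed by the CA already in $dir.
# usage: issue_cert <dir> <basename> <CN> <extendedKeyUsage>
issue_cert() {
    dir="$1"; name="$2"; cn="$3"; eku="$4"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example VPN/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# Generate CA; Generate Host Cert; Generate Client Cert; export client as PKCS#12.
make_l2tp_certs() {
    dir="$1"
    mkdir -p "$dir"
    # Step 1: self-signed CA. CA:TRUE is what lets verifiers chain to it.
    printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example VPN/CN=Example VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
    # Step 2: host (gateway) cert; the CN is a placeholder gateway name.
    issue_cert "$dir" host vpn-gw.example.net serverAuth
    # Step 3: road-warrior client cert, bundled as key+cert+CA in one PKCS#12
    # so it can be imported as a single file on the Windows side.
    issue_cert "$dir" client roadwarrior1 clientAuth
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
        -certfile "$dir/ca.pem" -name roadwarrior1 -passout pass:changeit \
        -out "$dir/client.p12"
}

# Check that both end-entity certs chain to the CA and the PKCS#12 opens.
verify_l2tp_certs() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.pem" "$dir/host.pem" "$dir/client.pem" >/dev/null &&
    openssl pkcs12 -in "$dir/client.p12" -passin pass:changeit -noout
}

if [ -n "${1:-}" ]; then
    make_l2tp_certs "$1" && verify_l2tp_certs "$1" && echo "certs written to $1"
fi
```

Only ca.pem and client.p12 leave the CA machine; ca.key stays where it is, since whoever holds it can mint further client identities.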