Re: Best VPN server to use on Fedora

On 10/27/05, Michael H. Warfield <mhw@xxxxxxxxxxxx> wrote:
> On Thu, 2005-10-27 at 07:49 -0400, Leonard Isham wrote:
> > On 10/27/05, Rick Lim <ricklim@xxxxxxxxx> wrote:
>
> > > -----Original Message-----
> > > From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx]
> > > On Behalf Of Kenneth Porter
> > > Sent: Tuesday, October 25, 2005 12:51 AM
> > > To: For users of Fedora Core releases
> > > Subject: Re: Best VPN server to use on Fedora
> > >
> > > --On Monday, October 24, 2005 9:53 PM -0400 Leonard Isham
> > > <leonard.isham@xxxxxxxxx> wrote:
> > >
> > > > OpenVPN gets my vote.  www.openvpn.net
> > >
> > > Agreed. It runs over SSL instead of IPSec, almost completely in userspace,
> > > which I find is easier to set up. The stock Fedora kernel includes the
> > > required kernel tun/tap device, so you don't need a custom kernel, nor
> > > special router support. If you can open a ssh or https connection to your
> > > VPN server, then you can get to it with OpenVPN, assuming the port is open.
> > > ISPs don't see it as "VPN". (Some forbid VPN connections.)
> > >
> > > Hi Kenneth,
> > >
> > > I have looked at OpenVPN, from what I can figure out.... with a Linux VPN
> > > server and windows xp clients you would have to install OpenVPN on the
> > > windows machine.
> > >
> > > I don't want to have to install OpenVPN on each windows machine, windows xp
> > > already has a client built in, I would like a Linux server that would work
> > > with the built in windows client, am I wrong in assuming that OpenVPN on the
> > > Linux box will not work with the XP client?
> > >
>
> > While I don't know your situation...
>
> > The Microsoft included Windows VPN clients are insecure.  Which has
> > been proven multiple times.  I would only implement a Windows solution
> > under protest.  In fact I have migrated people to OpenVPN.
>
>         Not to defend Microsoft or anything...
>
>         You're thinking of the old PPTP/L2TP over GRE stuff that Bruce Schneier
> and Mudge lambasted years ago on Windows 2000 and earlier.  That was
> supported by the PopTop project on Linux.  Windows XP is now using IPSec
> NAT-T as the core of their XP VPN and it does interoperate with OpenSWAN
> and does NOT have the security problems of the old PPTP.  I think
> Windows XP still can support the older PPTP but only for older
> installations, and I'm not even totally sure about that.  You are right
> with regards to that older stuff...   I wouldn't use PPTP for anything.
> But the modern MS VPN stuff is pretty straightforward X.509 certificate
> based IPSec over NAT-T 4500/udp.  There's more information on how to do
> that over with the OpenSWAN crowd.
>
> > I find the installation of the windows client trivial and you end up
> > with a reliable secure solution.
>

You are correct that this is when it became obvious that MS VPN had
problems.  The other issue I have is their poor coding results in many
vulnerabilities in all their products.  While I don't follow it closely
to know what fixes have been released.  As for IPSec I agree with
Bruce Schneier. (I copied the quote directly from
http://www.sans.org/rr/whitepapers/vpns/1459.php, but the original
source is http://www.schneier.com/paper-ipsec.pdf)

We strongly discourage the use of IPSec in its
current form for protection of any kind of valuable
information …… however, we …. recommend IPSec
when the alternative is an insecure network.



--
Leonard Isham, CISSP
Ostendo non ostento.

