[KLUG Hardware] Re: VPN, was: Difference between Gold & Silver
Adam Tauno Williams
hardware@kalamazoolinux.org
17 Apr 2003 07:46:15 -0400
> >CIPE? Not yet, but I'll probably check into it too. My main concern
> >is getting to work as a server since it's not supported by my firewall
> >(Devil Linux).
>I was going to use CIPE for a VPN tunnel, because it runs over UDP and is
>fast (It didn't matter that it worked with Windows and Linux boxes). I
>ended up just setting up 2 dedicated IPCop boxes and running a permanent
>compressed IPSec tunnel (blowfish). Works great!
I believe Bridleman has implemented something similar. But I'm looking
for a single client -> LAN solution for bearing traffic over insecure
wireless links.
>PPTP is garbage. I am ashamed to say I have set that up for dial-up ISP
>VPN clients (salesmen). It is easy to set up and yet very INSECURE.
>Better off with L2TP for Windows or using Kerberos for authentication
>and IPSec for tunnel.
The primary flaw with PPTP was the primer was static and could be
acquired with minimal brute force. With the stateless fix the primer is
constantly renegotiated, so the primary security problem has been
ameliorated. It isn't ideal, but if one needs to support Win9x clients
there really aren't any other options. When all my Win9x users finally
upgrade I intend to move to CIPE, given the available Win32 client. My
experiments with ipsec have proven it really hard to install, crabby
about firewalls, and inoperable on some ISPs. Of course the 2.6 kernel
might just support it out of the box, which will change my avoidance
reaction.