I looked at freeswan and IPsec as well as doing SSH tunnels, and the
best software I found for a quick and simple yet secure VPN is OpenVPN.
It's easy to set up, they have RPMs for everything you need (except for
one thing which you can get off freshrpms) and it works REALLY well.
I run a VPN between here and an office in Moscow and it was fairly
trivial to get working. Just follow the documentation closely.
The thing with FreeSwan and others is that they are very complicated
and/or use bizarre protocols such as GRE which sometimes get filtered.
OpenVPN just uses UDP for encapsulation, and TLS for the session
negotiation and OpenSSL for the encryption, so it's very
straightforward. You can also set up a floating endpoint with no
Hope this helps,
On Feb 21, 2004, at 9:44 AM, Keith Lofstrom wrote:
I am planning on running a Virtual Private Network from my Fedora
firewall out to a UML virtual colo (running RH9) at another site.
That site will be the place I present services to the world;
httpd, ssh, sftp, smtp. This is to comply with the "no servers"
and dynamic ip restrictions on my Comcast connection to the net;
if my firewall always drives an outbound connection to the
colocation site, I am not worried about changes of ip address,
and I am not opening any inbound ports.
There are a number of options for the VPN - the most attractive
are cipe (http://sites.inka.de/sites/bigred/devel/cipe.html)
and FreeSwan (http://www.freeswan.org/), though I am told that
one can do all this through an ssh tunnel. I would rather have
simple and secure than super-duper; I have plenty of bandwidth,
and will send outbound http and smtp from the firewall, so the
main bandwidth user will be incoming spam/b/b/b/b mail.
Anyone have some experiences to share about setting up VPN? Is
there anything about either cipe or FreeSwan that is likely to
break with FC1 or FC2?
Keith Lofstrom keithl(a)ieee.org Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
fedora-list mailing list
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
Nathan Ollerenshaw - Unix Systems Engineer
ValueCommerce - http://www.valuecommerce.ne.jp/
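As an added illustration of the setup discussed in this thread (a home firewall on a dynamic IP that only ever dials out, and a colocated host that is the only side listening), here is a minimal OpenVPN server/client configuration pair. This is not from either poster nor from the OpenVPN project; it assumes OpenVPN 2.4 or later (for tls-crypt and AES-GCM, neither of which existed in the 2004-era release the thread is about), a PKI generated separately with easy-rsa, and placeholder file names and the hostname colo.example.com.

```conf
# ---- server.conf (runs on the colo host; it is the only side that listens) ----
port 1194
proto udp
dev tun
# PKI files generated separately (for example with easy-rsa); names are placeholders
ca ca.crt
cert colo-server.crt
key colo-server.key
dh dh.pem
# Extra authentication/encryption layer on the control channel: unauthenticated
# packets are dropped before the TLS stack ever parses them, which is what keeps a
# UDP port open to the world from being a soft target
tls-crypt ta.key
# Only accept peers whose certificate was issued for the client role
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
# Tunnel subnet; the server takes 10.8.0.1 and hands clients addresses from the pool
server 10.8.0.0 255.255.255.0
# Let an already-authenticated peer keep its session when its source address or
# port changes, which is what a dynamic-IP client needs
float
keepalive 10 60
persist-key
persist-tun
# Drop privileges after the tunnel is up
user nobody
group nobody
verb 3

# ---- client.conf (runs on the home firewall; it only sends outbound UDP) ----
client
dev tun
proto udp
# colo.example.com is a placeholder for the colocated host's public name
remote colo.example.com 1194
# Do not bind a fixed local port: nothing inbound needs to reach this side
nobind
ca ca.crt
cert firewall.crt
key firewall.key
tls-crypt ta.key
# Refuse to complete the handshake with anything not holding a server-role certificate
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
# Keep retrying indefinitely across ISP address changes and link flaps
resolv-retry infinite
# Tell the server we are leaving so it frees the session promptly (UDP only)
explicit-exit-notify 1
verb 3
```

With this layout the home side never opens a listening port: the firewall initiates the UDP session to the colo host, the TLS handshake authenticates both certificates, and services reachable over the tunnel address are exposed to the world only from the colo side. The two remote-cert-tls lines are the check most often omitted in home-grown configs; without them any certificate signed by the CA, including another client's, would be accepted as the server.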