VPN solution(s) for Fedora Core
Felipe Alfaro Solana
felipe_alfaro at linuxmail.org
Fri May 21 19:04:17 UTC 2004
On Fri, 2004-05-21 at 17:52, Jason Tackaberry wrote:
> There seem to be two general approaches to VPNs, each with their own
> advantages and disadvantages: kernel space, and user space. I feel the
> only kernel solutions worth considering are those which implement IPsec.
> There exist several packages implementing VPN solutions in userspace,
> such as vtun, tinc, and OpenVPN.
I would stick with industry-standard technologies, like IPSec, as much
as possible. I have used IPSec in tunnel mode to setup VPN tunnels
between several branch offices.
--- BEGIN ADVICE ---
However, I must say there are some problems with automatic keying and
2.6 kernels regarding the use of ISAKMP/IKE. The problem is that
settings an SPD between both tunnel end-points causes the first packet
between any of them to start negotiating the Security Association. But
the kernel, instead of queueing the packet that triggered the ISAKMP/IKE
exchange (in order to set up the SA), discards it and returns -EGAIN
error to the userspace caller which, in turn, translates into "Resource
temporarily unavailable" for user space programs.
This happened to me when using "racoon" to manage an automatically keyed
SA, based on X.509 certificates. Doing a ping to force the ISAKMP/IKE
exchange, and to set up the SA, caused the first ping packet to fail
with "Resource temporarily unavailable". Once the SA had been set up, no
more packets were discared.
--- END ADVICE ---
Don't know if this behavior is applicable to 2.4 kernels, Free/SWAN or
Open/SWAP IPSec stacks.
More information about the devel