VPN client for linux without compiling kernel

 
 
Rocco
      03-22-2005, 11:43 AM
Hi,

I'm looking for a VPN client for linux which doesn't need compiling a
new kernel.

We have to equip a large number of notebooks with it and the
installation should be done by the users, cause it would be too hard
getting all notebooks here.
So it has to be quite simple, maybe by running a shell script
provided by us to the users.

We use IPSec, L2TP and X509 Certificates.

All I found is a client from Cisco, but it requires Cisco-Appliances
that we don't have...

Any ideas?

Greetings,
Rocco
 
Frank Elsner
      03-22-2005, 11:59 AM
Rocco wrote:
> Hi,
>
> I'm looking for a VPN client for linux which doesn't need compiling a
> new kernel.


http://www.openvpn.net


--Frank Elsner
 
Steven Coutts
      03-22-2005, 03:29 PM
Rocco wrote:

> Hi,
>
> I'm looking for a VPN client for linux which doesn't need compiling a
> new kernel.
>
> We have to equip a large number of notebooks with it and the
> installation should be done by the users, cause it would be too hard
> getting all notebooks here.
> So it has to be quite simple, maybe by running a shell script
> provided by us to the users.
>
> We use IPSec, L2TP and X509 Certificates.
>
> All I found is a client from Cisco, but it requires Cisco-Appliances
> that we don't have...
>
> Any ideas?
>
> Greetings,
> Rocco


http://openvpn.sourceforge.net

'Nough Said

 
Rocco
      03-22-2005, 03:43 PM
Frank Elsner wrote:
> Rocco wrote:
>
>> Hi,
>>
>> I'm looking for a VPN client for linux which doesn't need compiling a
>> new kernel.

>
>
> http://www.openvpn.net
>
>
> --Frank Elsner


OpenVPN is a nice user-space implementation and at a first glance
exactly what I need, but it uses SSL and is not compatible with IPSec
and L2TP.

Maybe this is the price to pay to get a pure user-space implementation...

Greetings,
Rocco
 
Rocco
      03-22-2005, 03:56 PM
Steven Coutts wrote:
> Rocco wrote:
>>
>>We use IPSec, L2TP and X509 Certificates.
>>

>
>
> http://openvpn.sourceforge.net
>
> 'Nough Said
>


Thanks Steven, Frank already suggested OpenVPN, but it uses SSL and
doesn't support IPSec.

Greetings,
Rocco
 
Bernd Felsche
      03-22-2005, 11:36 PM
Rocco <(E-Mail Removed)> writes:

>Frank Elsner wrote:
>> Rocco wrote:


>>> I'm looking for a VPN client for linux which doesn't need compiling a
>>> new kernel.


>> http://www.openvpn.net


>OpenVPN is a nice user-space implementation and at a first glance
>exactly what I need, but it uses SSL and is not compatible with IPSec
>and L2TP.


Is that really important? Are particular buzzwords important or is
security the issue?

With OpenVPN it's only necessary for one end to have a highport
through the firewall... and you can decide which one.

Static (private) keys mean that somebody has to break into one of
the machines to gain entry. If the machines are behind a firewall
that forwards only the relevant highport, unauthorised penetration
is much more difficult than it would be otherwise. Authentication
traffic with static keys is almost indiscernible from "junk" binary
data traffic if somebody's snooping on the outside.

>Maybe this is the price to pay to get a pure user-space implementation...


No. Source code is available for you to write user-space IPSec and
L2TP implementations.

SuSE may already support Openswan out of the box. I don't have a
chance to check ATM if it's already in the kernel.
http://www.novell.com/products/linux.../openswan.html
--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ / ASCII ribbon campaign | I'm a .signature virus!
X against HTML mail | Copy me into your ~/.signature
/ \ and postings | to help me spread!
 
Stephen J. Bevan
      03-24-2005, 01:53 AM
(E-Mail Removed) (Rocco) writes:
> I'm looking for a VPN client for linux which doesn't need compiling a
> new kernel.


Which kernel are you using? A 2.6 kernel has IPsec in by default.
A 2.4 based kernel doesn't have IPsec built-in but various vendors
(e.g. SUSE) added FreeS/WAN as a module which can be installed without
re-compilation.

If you don't have IPsec in the kernel or use a release which makes it
available as a module then you are out of luck as regards IPsec.
There is a freely-available user-level IPsec implementation
<http://perso.enst.fr/~beyssac/pipsec/>. I don't think it is sufficient
for your needs.

> We have to equip a large number of notebooks with it and the
> installation should be done by the users, cause it would be too hard
> getting all notebooks here.
> So it has to be quite simple, maybe by running a shell script
> provided by us to the users.
>
> We use IPSec, L2TP and X509 Certificates.


Ignore the following unless you have IPsec in your kernel or you can
easily add it as a module ...

How are users authenticated? If it was just IPsec+L2TP I'd assume you
had a group shared secret to set up main-mode and then authenticating
via L2TP. If it was IPsec+X509 I'd assume you were authenticating via
the certificate perhaps also using Xauth. With both L2TP and
certificates it isn't clear to me what authentication method you
currently use and/or which methods you could use and so whether the
available IKE daemons that run under Linux will be able to handle
your situation. Also if you can avoid L2TP then I would since that
would remove another level of complexity.
 
Rocco
      03-25-2005, 09:29 AM
> Which kernel are you using? A 2.6 kernel has IPsec in by default.
> A 2.4 based kernel doesn't have IPsec built-in but various vendors
> (e.g. SUSE) added FreeS/WAN as a module which can be installed without
> re-compilation.


Some systems use 2.4, some 2.6. They are mainly SUSE and Red Hat
distributions. A loadable FreeS/WAN would be a nice solution for 2.4
based kernels - I'm going to check the various distributions for it.

You're right, the 2.6er kernel already supports IPsec, but as I read
in a documentation of ipsec-tools/racoon it's necessary to re-compile
it to enable IPsec because it's disabled by default.

> How are users authenticated? If it was just IPsec+L2TP I'd assume you
> had a group shared secret to set up main-mode and then authenticating
> via L2TP. If it was IPsec+X509 I'd assume you were authenticating via
> the certificate perhaps also using Xauth. With both L2TP and
> certificates it isn't clear to me what authentication method you
> currently use and/or which methods you could use and so whether the
> available IKE daemons that run under Linux will be able to handle
> your situation. Also if you can avoid L2TP then I would since that
> would remove another level of complexity.


We use machine-based certificates for authentication. There are two
certificates installed on each PC - one root-certificate which users
download on our website, and one machine-certificate which they have
to request via a formular on our website. And that leads to the next
problem - this "automated certificate setup" works only with I-Ex and
Active-X, but to this later...
 
Stephen J. Bevan
      03-25-2005, 03:50 PM
(E-Mail Removed) (Rocco) writes:
> You're right, the 2.6er kernel already supports IPsec, but as I read
> in a documentation of ipsec-tools/racoon it's necessary to re-compile
> it to enable IPsec because it's disabled by default.


I don't know about all 2.6 based releases but in SUSE 9.2 the kernel
has native IPsec compiled into it by default and one can install two
different user-level IPsec interfaces with YAST, ipsec-tools or
OpenS/WAN, without re-compiling anything.

> We use machine-based certificates for authentication. There are two
> certificates installed on each PC - one root-certificate which users
> download on our website, and one machine-certificate which they have
> to request via a formular on our website. And that leads to the next
> problem - this "automated certificate setup" works only with I-Ex and
> Active-X, but to this later...


Certificate based authentication works with either Racoon or OpenS/WAN
so that should not be a problem.

L2TP still might be a deal breaker. You can read all about how it can
be made to work at <http://www.jacco2.dds.nl/networking/freeswan-l2tp.html>,
though some of the hoops one has to jump through to make it work may
not be feasible in your setup.
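
An added example, not part of any post in this thread: a shell function that a user-run installer script could call first to report whether a kernel config already provides IPsec built in, as a loadable module, or not at all. The option names checked (CONFIG_NET_KEY and CONFIG_INET_ESP for the native 2.6 stack, CONFIG_IPSEC for a FreeS/WAN-patched 2.4 kernel) and the sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a kernel config for IPsec support.
# On a real host, feed it the running kernel's config, for example:
#   ipsec_support < /boot/config-$(uname -r)
#   zcat /proc/config.gz | ipsec_support

# Print y, m or n for one CONFIG_ option. $1 = config text, $2 = option name
opt_state() {
    v=$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | head -n 1)
    echo "${v:-n}"
}

# Read kernel config text on stdin; print builtin, module or absent.
ipsec_support() {
    cfg=$(cat)
    worst=y
    # Native 2.6 stack: PF_KEY socket plus ESP transform (assumed option set)
    for o in CONFIG_NET_KEY CONFIG_INET_ESP; do
        case $(opt_state "$cfg" "$o") in
            n) worst=n; break ;;
            m) worst=m ;;
        esac
    done
    # Fallback: vendor 2.4 kernel carrying FreeS/WAN KLIPS (assumed CONFIG_IPSEC)
    if [ "$worst" = n ]; then worst=$(opt_state "$cfg" CONFIG_IPSEC); fi
    case $worst in
        y) echo builtin ;;
        m) echo module ;;
        *) echo absent ;;
    esac
}

# Constructed sample configs (not taken from any real distribution kernel)
sample_26_builtin() { printf '%s\n' CONFIG_XFRM_USER=y CONFIG_NET_KEY=y CONFIG_INET_ESP=y; }
sample_26_mixed()   { printf '%s\n' CONFIG_NET_KEY=y CONFIG_INET_AH=m CONFIG_INET_ESP=m; }
sample_24_klips()   { printf '%s\n' CONFIG_INET=y CONFIG_IPSEC=m CONFIG_IPSEC_ESP=y; }
sample_24_plain()   { printf '%s\n' CONFIG_INET=y '# CONFIG_NET_KEY is not set'; }

for s in sample_26_builtin sample_26_mixed sample_24_klips sample_24_plain; do
    echo "$s: $($s | ipsec_support)"
done
```

A result of `module` means the installer can load the module instead of rebuilding the kernel; `absent` is the case where a kernel-level IPsec client is not an option on that notebook.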
 