VPN solutions for Linux?

 
 
Enrique Arizón Benito

 
      10-04-2003, 03:00 PM
I'm trying to connect Windows/Linux clients to a Linux server using
any type of VPN available.

Right now I have probed CIPE, but Windows clients look buggy.
I have also tested with poptop (pptp) but it looks far difficult to
install.

Does anyone know another easy to deploy and fully functional VPN for
Linux(server)<->Windows/Linux(clients)?

Thanks in advance for any hint!
 
Les Mikesell

 
      10-04-2003, 04:53 PM
"Enrique Arizón Benito" <(E-Mail Removed)> wrote:

> Right now I have probed CIPE, but Windows clients look buggy.
> I have also tested with poptop (pptp) but it looks far difficult to
> install.


If you can use the SMEserver linux distribution, it comes with a
working pptp out of the box and the administration tools maintain
the passwords so both samba and ms-chap pptp logins work. It
is drastically different to administer than any other Linux but if
you don't like it you might be able to adapt their modifications
back into a normal RedHat system.

> Does anyone know another easy to deploy and fully functional VPN for
> Linux(server)<->Windows/Linux(clients)?


I'm using CIPE in several locations but only linux<->linux. The security
of the encryption has been questioned recently but so far I think the only
real risk is a replay of previous packets which you'll have with any
stateless method and which will be rejected by tcp sessions anyway.
People do claim to have CIPE working well on windows and even
in roaming configurations, but if you are starting now I'd look at
openvpn first: http://openvpn.sourceforge.net/.

---
Les Mikesell
(E-Mail Removed)


 
 
Whoever

 
      10-04-2003, 05:18 PM
On Sat, 4 Oct 2003, Les Mikesell wrote:

> I'm using CIPE in several locations but only linux<->linux. The security
> of the encryption has been questioned recently but so far I think the only


I think you should read again. One analysis shows that:
1. The encryption is too weak.
2. The key exchange can be compromised.

What do you use a VPN for if not for secure encryption? If the
encryption can be broken, you might as well use clear text!

 
 
James Knott

 
      10-04-2003, 06:41 PM
Whoever wrote:

> On Sat, 4 Oct 2003, Les Mikesell wrote:
>
>> I'm using CIPE in several locations but only linux<->linux. The security
>> of the encryption has been questioned recently but so far I think the
>> only

>
> I think you should read again. One analysis shows that:
> 1. The encryption is too weak.
> 2. The key exchange can be compromised.
>
> What do you use a VPN for if not for secure encryption? If the
> encryption can be broken, you might as well use clear text!
>


If you're referring to that recent article that trashed any vpn other than
IPsec, I'm not sure I entirely agree with the author. In that article, he
seems to be trying to prove IPsec is superior, by trashing the
alternatives, without bothering to take time to analyze the alternatives.
It's the same as a Chev driver trashing Fords, even though he's never
driven one.

Also, with encryption, as so many other things in life, you choose the
appropriate tool for the job. For casual users such as myself, almost any
vpn would suffice as the rewards of breaking it are likely not worth the
effort. On the other hand, guarding deep government or military secrets,
might require something a bit more robust.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
Whoever

 
      10-04-2003, 08:01 PM
On Sat, 4 Oct 2003, James Knott wrote:

> Whoever wrote:
>
> > On Sat, 4 Oct 2003, Les Mikesell wrote:
> >
> >> I'm using CIPE in several locations but only linux<->linux. The security
> >> of the encryption has been questioned recently but so far I think the
> >> only

> >
> > I think you should read again. One analysis shows that:
> > 1. The encryption is too weak.
> > 2. The key exchange can be compromised.
> >
> > What do you use a VPN for if not for secure encryption? If the
> > encryption can be broken, you might as well use clear text!
> >

>
> If you're referring to that recent article that trashed any vpn other than
> IPsec, I'm not sure I entirely agree with the author. In that article, he
> seems to be trying to prove IPsec is superior,


I don't think we are reading the same article. I am referring to this:
http://www.mit.edu:8008/bloom-picayune/crypto/14238

In it he makes passing mention of IPSEC and also mentions SSL and SSH as
having secure alternative solutions to the same problems (such as key
exchange). If anything, he is promoting SSH and SSL, not
IPSEC.

Furthermore, Peter Gutmann appears to have attempted to give the author
of CIPE an opportunity to comment, but no reply was received.

There seems to be some discussion in support of CIPE on the CIPE mailing
list (hardly surprising) but it focusses on replay attacks. I don't think
that Mr. Gutmann was discussing replay attacks.

>
> Also, with encryption, as so many other things in life, you choose the
> appropriate tool for the job. For casual users such as myself, almost any
> vpn would suffice as the rewards of breaking it are likely not worth the
> effort.


That is a good reason to choose a VPN that is easy to set up, but one
should be careful when giving advice as other people's data may be more
valuable.

Question for you:
I thought tunnelling TCP in TCP was problematic if the link drops packets.
Is this not really a problem?


 
 
Les Mikesell

 
      10-04-2003, 09:06 PM

"Whoever" <(E-Mail Removed)> wrote in message
news:Pine.LNX.4.44.0310041016370.12043-100000@c941211-a...
> On Sat, 4 Oct 2003, Les Mikesell wrote:
>
> > I'm using CIPE in several locations but only linux<->linux. The security
> > of the encryption has been questioned recently but so far I think the only
>
> I think you should read again. One analysis shows that:
> 1. The encryption is too weak.


If you are talking about Peter Gutmann's 'quick look', it is mostly
unrelated to how CIPE actually works. He criticized the IDEA
cipher which no one actually uses.

> 2. The key exchange can be compromised.


His one relevant point is that a man-in-the-middle attack can replay
packets (which is already true of any unreliable transport like UDP
itself so this could happen by accident) and that it might be possible
to inject unexpected packets by brute-force exploring the 32bit CRC
but he was a long way from suggesting a technique or that one
exists. Note that succeeding in this gets a packet onto the network
unlike in ssh where it gets you a tcp connection to a process running
as root. Shoving in ICMP broadcasts or even UDP floods would
be annoying but not likely to get you back anything useful. I don't
think anything suggested that you would be able to break into an
existing tcp stream being carried by the VPN. I *have* had machines
compromised by bugs in various versions of ssh so I'm not
particularly impressed by his recommendations of that instead.

> What do you use a VPN for if not for secure encryption? If the
> encryption can be broken, you might as well use clear text!


It is nothing that would make anyone rich if they stole it and if
you are the kind of person that can play man-in-the-middle on
a major ISP connection or the internet backbone you'd probably
be able to break ipsec easily too. Besides, the CIPE tunnel
just carries packets from one LAN to another, then dumps them
back unencrypted. Anything that needs security needs it end
to end anyway and will be running over ssl or https to avoid local
interception. CIPE is just the most convenient way to transport
the packets through an assortment of NAT routers and firewalls.
It is easier to NAT and control UDP than a GRE tunnel would be
and it has been one of the rare things that has worked for years
with literally no attention.

---
Les Mikesell
(E-Mail Removed)
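
The replay and packet-injection concerns discussed in the post above, as an added example that is not part of the thread and is not CIPE's code: a UDP tunnel receiver that drops forged datagrams with a keyed MAC and drops replayed ones with a sliding sequence-number window, while still tolerating reordering. The packet layout, key, window size and all names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # hypothetical shared key, constructed for this example
WINDOW = 64                    # sequence numbers tracked behind the newest one
TAG_LEN = 16                   # truncated HMAC-SHA256 tag, in bytes

def seal(seq, payload, key=KEY):
    """Sender side: 8-byte sequence number | payload | keyed tag."""
    body = struct.pack("!Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.highest = 0  # highest authenticated sequence number so far
        self.bitmap = 0   # bit i set => sequence (highest - i) already accepted

    def accept(self, datagram):
        """Return the payload if authentic and fresh, otherwise None."""
        if len(datagram) < 8 + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return None  # forged or corrupted in transit
        seq = struct.unpack("!Q", body[:8])[0]
        if seq > self.highest:  # newer than anything seen: slide the window
            shift = seq - self.highest
            old = self.bitmap << shift if shift < WINDOW else 0
            self.bitmap = (old | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return body[8:]
        offset = self.highest - seq
        if offset >= WINDOW or (self.bitmap >> offset) & 1:
            return None  # older than the window, or already delivered
        self.bitmap |= 1 << offset
        return body[8:]

def demo():
    rx = Receiver()
    p1, p2, p3 = seal(1, b"a"), seal(2, b"b"), seal(3, b"c")
    out = [rx.accept(p1), rx.accept(p3), rx.accept(p2), rx.accept(p2)]
    forged = bytearray(seal(4, b"d"))
    forged[8] ^= 0x01  # flip one payload bit after sealing
    out.append(rx.accept(bytes(forged)))
    return out
```

The sequence number is checked only after the tag verifies, so an unauthenticated datagram can never advance the window.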


 
 
James Knott

 
      10-04-2003, 09:53 PM
Whoever wrote:

> On Sat, 4 Oct 2003, James Knott wrote:
>
>> Whoever wrote:
>>
>> > On Sat, 4 Oct 2003, Les Mikesell wrote:
>> >
>> >> I'm using CIPE in several locations but only linux<->linux. The
>> >> security of the encryption has been questioned recently but so far I
>> >> think the only
>> >
>> > I think you should read again. One analysis shows that:
>> > 1. The encryption is too weak.
>> > 2. The key exchange can be compromised.
>> >
>> > What do you use a VPN for if not for secure encryption? If the
>> > encryption can be broken, you might as well use clear text!
>> >

>>
>> If you're referring to that recent article that trashed any vpn other
>> than
>> IPsec, I'm not sure I entirely agree with the author. In that article,
>> he seems to be trying to prove IPsec is superior,

>
> I don't think we are reading the same article. I am referring to this:
> http://www.mit.edu:8008/bloom-picayune/crypto/14238


That's the one, though I saw it elsewhere.
>
> In it he makes passing mention of IPSEC and also mentions SSL and SSH as
> having secure alternative solutions to the same problems (such as key
> exchange). If anything, he is promoting SSH and SSL, not
> IPSEC.


I'm not that familiar with SSL, but SSH while great for many things, isn't
good for a VPN, due to problems of running TCP over TCP.
>
> Furthermore, Peter Gutmann appears to have attempted to give the author
> of CIPE an opportunity to comment, but no reply was received.
>
> There seems to be some discussion in support of CIPE on the CIPE mailing
> list (hardly surprising) but it focusses on replay attacks. I don't think
> that Mr. Gutmann was discussing replay attacks.
>
>>
>> Also, with encryption, as so many other things in life, you choose the
>> appropriate tool for the job. For casual users such as myself, almost
>> any vpn would suffice as the rewards of breaking it are likely not worth
>> the effort.

>
> That is a good reason to choose a VPN that is easy to set up, but one
> should be careful when giving advice as other people's data may be more
> valuable.


I would expect people with greater needs would be prepared to provide a more
appropriate method.

>
> Question for you:
> I thought tunnelling TCP in TCP was problematic if the link drops packets.
> Is this not really a problem?


CIPE uses UDP, not TCP for transport. This means you do not get the TCP/TCP
problems you would with SSH based VPNs.

>
>


--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
David Efflandt

 
      10-05-2003, 05:17 AM
On 4 Oct 2003, Enrique Arizón Benito <(E-Mail Removed)> wrote:
> I'm trying to connect Windows/Linux clients to a Linux server using
> any type of VPN available.
>
> Right now I have probed CIPE, but Windows clients look buggy.
> I have also tested with poptop (pptp) but it looks far difficult to
> install.
>
> Does anyone know another easy to deploy and fully functional VPN for
> Linux(server)<->Windows/Linux(clients)?


It really depends upon what you want to do. For shell access, and/or to
tunnel specific tcp ports, ssh alone works well and does not need root
access on the other end. I routinely use Putty (Win ssh client) to
connect to home, or my Solaris ISP from work. And I have tunneled ports
from my Linux router to our factory Linux smtp server to access an HP3000
on our factory LAN from Reflection on a Win98 box on my home LAN.

I have also accessed JetDirect on our local office printer via ssh tunnel
to California factory and back through VPN to our Illinois office. I just
haven't figured out yet how to tunnel actual printing.

Our company uses SonicWall hardware VPN to interconnect international
factories, warehouses and offices as one big WAN, but I have not tried to
tap into that yet from outside, since ssh to our factory smtp server does
everything I need to do, or in a pinch, dialup ppp to modems on a Cisco
router at our office (which is the only internet access my boss has).

--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
 
 
Dave Carrigan

 
      10-06-2003, 03:44 PM
(E-Mail Removed) (Enrique Arizón Benito) writes:

> I'm trying to connect Windows/Linux clients to a Linux server using
> any type of VPN available.


Openvpn apparently has a Windows client. I've never tried it. Openvpn's
linux client works great.

--
Dave Carrigan
Seattle, WA, USA
(E-Mail Removed) | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
 