Can't find suitable firewall/VPN software for dynamic IPs

Discussion in 'Linux Networking' started by kenw, Feb 8, 2004.

  1. kenw

    kenw Guest

    Is there _any_ open source firewall solution that provides VPN endpoints
    with dynamic IPs, and supports Microsoft (or free) VPN clients for Windows
    XP?

    I've been asked to build a software firewall for a small business network.
    I can't seem to find anything Linux (or equiv.) based that meets my needs,
    which are:

    - it should provide NAT service for outbound connections, although I do NOT
    need it to provide DHCP or DNS services. So far no problem. Smoothwall,
    e.g., handles this nicely.

    - must act as a VPN endpoint (i.e., NOT passthrough) for the local network,
    providing remote access for remote Windows XP Pro workstations using
    Microsoft VPN clients.

    - must support VPN with dynamic IP on both ends. Most Linux firewalls only
    support IPsec, and hence static IPs; I think we're down to PPTP and L2TP.
    This blows it for ITShield, too; for some crazy reason, even though it
    supports PPTP, it requires a static IP. Those things ain't cheap.

    - do NOT want to use pinholes or VPN pass-through; i.e., no direct access
    to internal systems by any clients not authenticated to the firewall. I
    can buy a cheap hardware firewall if I'm just going to poke holes in it.

    - must be quick and easy to set up. The client won't pay for a day's worth
    of my time to figure out unmaintainable patches, scripts, etc.

    What I really want is a 386 ISO image with PoPToP already incorporated, I
    think. Nothing of the sort seems to exist.

    Before people rag on me about PPTP security, let's be clear about whether
    we're talking about PPTP v1 or v2; it makes a big difference. With a
    firewall endpoint, I control the passwords; they're good, and used nowhere
    else. And if anybody's got a better solution for dynamic IPs, I'm
    listening.

    BTW, there's one other solution I might possibly use in this situation: an
    HTTP/HTTPS inbound proxy server -- since all I _really_ need right now is
    to allow secure remote access to a web-based app running on a Win2K server.
    Do such beasts really exist, or would I need some sort of stateful
    inspection? Using MS' IIS on that server is not an option I want to think
    about.

    /kenw
    Ken Wallewein
    K&M Systems Integration
    Phone (403)274-7848
    Fax (403)275-4535

    www.kmsi.net
     
    kenw, Feb 8, 2004
    #1
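The first four requirements above (outbound NAT, the VPN terminated on the firewall itself, no pinholes or pass-through, nothing hard-coded to the WAN address) map onto a short iptables ruleset. The script below is an added example, not kenw's code or anything shipped by Smoothwall or PoPToP; the interface names, the LAN prefix and the choice of PPTP (tcp/1723 plus GRE) as the tunnel protocol are assumptions. `IPT` defaults to `echo iptables` so the rules can be reviewed as text before being applied for real with `IPT=iptables` as root.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables ruleset for the
# box kenw describes: NAT for the LAN, PPTP (PoPToP) terminated on the
# firewall itself, and nothing else reachable from the WAN side.
# Interface names and the LAN prefix are assumptions; adjust to taste.
# IPT defaults to "echo iptables" so the output can be read before the
# script is run for real with IPT=iptables as root.

WAN="${WAN:-eth0}"                  # dynamic-IP side; no address hard-coded
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed private LAN prefix
IPT="${IPT:-echo iptables}"

gen_fw_rules() {
    # Start from deny-all on INPUT and FORWARD; outbound from the box is free.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, replies to connections the box already opened, and the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Outbound NAT: MASQUERADE rather than SNAT because the WAN address
    # changes; MASQUERADE picks up whatever address the interface has.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only thing the WAN may talk to is the VPN endpoint on this box:
    # the PPTP control channel (tcp/1723) and GRE (protocol 47) for the tunnel.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 1723 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p gre -j ACCEPT

    # Authenticated remote users arrive on ppp+ interfaces created by pppd;
    # only those may reach the LAN. No pinholes, no pass-through.
    $IPT -A FORWARD -i ppp+ -o "$LAN" -d "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o ppp+ -s "$LAN_NET" -j ACCEPT
}

# Dry-run sanity check (meaningful only while IPT is "echo iptables"):
# succeed only if no FORWARD rule accepts traffic that arrived on the WAN
# interface itself and is bound for the LAN, i.e. no pass-through exists.
no_wan_forward() {
    ! gen_fw_rules | grep -E -- "-A FORWARD -i $WAN " | grep -q -- "-o $LAN"
}

# Usage: review with "./fw.sh", apply with "IPT=iptables ./fw.sh --apply".
if [ "${1:-}" = "--apply" ] || [ "$IPT" = "echo iptables" ]; then
    gen_fw_rules
fi
```

The VPN clients themselves are never filtered by source address, which is what makes the dynamic-IP requirement at the client end a non-issue here: the client is identified by its PPP authentication, not by where it comes from.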

  2. Leythos

    Leythos Guest

    A simple Linksys VPN router will do all of this and more. The VPN routers
    allow IPsec over dynamic IPs using the user name and key method.
     
    Leythos, Feb 8, 2004
    #2

  3. kenw

    kenw Guest

    Personally, if I were going hardware, I'd use a Netopia -- say, their
    3381-ENT. It's more flexible.

    But I wanted an open source software-based solution, and although I see
    plenty of mention of dynamic DNS, I see little about dynamic IPs for VPN
    endpoints.

    For example, the SmoothWall FAQ says:
    Admittedly, I wasn't really thinking of IPsec with dynamic IPs, although
    it's an intriguing possibility. But I don't see any simple, open source
    solutions for that, either.

    The hardware firewall solution certainly looks better at the moment.

    /kenw
    Ken Wallewein
    K&M Systems Integration
    Phone (403)274-7848
    Fax (403)275-4535

    www.kmsi.net
     
    kenw, Feb 9, 2004
    #3
  4. James Knott

    James Knott Guest

    I use CIPE, which works well. I've always used it with DHCP at both ends.
    The fact that it's DHCP is irrelevant, provided you have a known &
    consistent host name.

    --

    Fundamentalism is fundamentally wrong.

    To reply to this message, replace everything to the left of "@" with
    james.knott.
     
    James Knott, Feb 10, 2004
    #4
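The point in the post above is that a dynamic address at the far end stops mattering once the far end has a stable name (dynamic DNS). The only moving part is then a job that re-resolves that name and re-points the tunnel when the address changes. The script below is an added example, not James Knott's code and not part of CIPE; the peer name, the state file location and the `RESOLVE` hook (a command that prints one IPv4 address for a name) are assumptions, and the restart command for the tunnel is left to the caller.

```shell
#!/bin/sh
# Added example (not James Knott's code): re-resolve the VPN peer's
# dynamic-DNS name and report only when its address actually changed, so a
# cron job or ip-up hook can restart CIPE (or any other tunnel) at that
# moment and not every minute.  Name, state file and RESOLVE are assumptions.

PEER="${PEER:-office.example.org}"           # assumed dynamic-DNS name
STATE="${STATE:-/var/run/vpn-peer-$PEER.addr}"
# RESOLVE prints the IPv4 address for a hostname. The default uses getent,
# so /etc/hosts and DNS are both honoured; tests can point it at a stub.
RESOLVE="${RESOLVE:-resolve_with_getent}"

resolve_with_getent() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# peer_changed NAME STATEFILE
#   prints the new address and returns 0 if the address changed (or was
#   never recorded), returns 1 if it is unchanged, returns 2 if NAME did
#   not resolve (the state file is left alone in that case, so a DNS
#   hiccup never makes the caller tear down a working tunnel).
peer_changed() {
    name="$1"; state="$2"
    new=$($RESOLVE "$name") || return 2
    [ -n "$new" ] || return 2
    old=""
    [ -r "$state" ] && old=$(cat "$state")
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$state"
    printf '%s\n' "$new"
    return 0
}

# Usage (from cron, every few minutes):
#   PEER=office.example.org ./peer-watch.sh --check && /etc/init.d/cipe restart
if [ "${1:-}" = "--check" ]; then
    peer_changed "$PEER" "$STATE"
fi
```

Both ends can run the same job against each other's name; the side whose address changed re-registers with its dynamic-DNS provider, the other side notices on its next check and re-establishes the tunnel.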
