Hanasaki JiJi said:

> Wow!! great overview .. After all of that... Which do you recommend and why? Do any of them interoperate with each other? My CISCO client runs fine over TCP with ipchains NAT.
Depends on your OS requirements. vtun only officially supports FreeBSD, Linux and Solaris I believe. vpnd only officially supports FreeBSD and Linux (a guy I know ported it to BSD/OS though). vtun requires a kernel driver for optimal performance (not sure if it's required, period; it might not be...). vpnd does not require any special drivers.

Cisco VPN works decent on win32. I was browsing their bug reports a couple days ago and saw that it does not work with USB network adapters of any kind; specifically they mentioned DirecPC. The client is not capable of any kind of routing, so you cannot use the Cisco VPN to physically connect one network to another. The software overrides all NAT settings if you have any on the machine you run it on. It also makes the public IP unreachable. It also tunnels all of your traffic (including internet traffic) through the VPN connection, which slows down the browsing experience for users with a slow link. It is also not a persistent connection: turn it on when you need it, turn it off when you don't. Cisco VPN supports RADIUS accounting, so it makes it very easy to determine who is using it, when, and how much data they transferred. I like that very much. If you want bi-directional mapping between 2 networks, the only way to do it with Cisco VPNs is with the full decked out VPN box. They have smaller hardware clients that are capable of one-way network mapping for those that need it, for about half the price. Cisco VPN seems reliable for most any kind of traffic. It can be hard to debug though. In about 6 months of using it we only had 1 serious incident, where 2 out of 4 of the VPN boxes were crashing CONSTANTLY; within 5 minutes of booting they'd crash. Nothing had changed on them and the other 2 were fine.. Cisco told us it was a known bug, and we upgraded and it was fine again (but what caused it to happen out of nowhere??).

My boss rebooted a Linux firewall with 200+ days of uptime because he thought it might be causing it (to be honest I was doubtful who to blame..), which caused a good 4 hours of WAN downtime in the middle of a busy day. Cisco tech support is very responsive. Another plus..

vtun/vpnd on the other hand (if you have Linux on both ends) is fully bi-directional, a persistent connection, and has no RADIUS accounting, though you can have it run scripts when a link is up/downed for crude accounting. Fully routable (I used vpnd for some time across 4 56k multilink modems during the initial weeks after an office move while we waited for the T1 to get installed). vpnd/vtun have so far (vtun has been in use only 1 week, vpnd about 2 years) had in my experience a near perfect reliability record. Never has a machine crashed from vpnd, links are stable, and since it's fully routable it is transparent. Anywhere on my internal network at home I can access any of the machines at any of the 4 remote sites for my company like I was at my desk in my office.. (I have a 1Mbit/1Mbit connection.)

Security is harder with vtun/vpnd. Unless you personally supply the boxes to run it on and monitor them, you rely on the people running them to maintain good security. There is nothing stopping an intruder on that VPN-connected machine from accessing the network on the other side. As the vpnd instructions say, "if your machine isn't secure, don't bother with vpnd" or something like that. Cisco VPN makes you authenticate every time, so if someone gained access to the system it would be much more difficult to abuse network access through the VPN.

I better stop here before I type another page or 2 :) Needless to say I've had a lot of experience working with different VPNs over the past couple years.... good for the resume :))

nate
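The "run scripts when a link is up/downed for crude accounting" approach that the reply above mentions, as an added example that is not part of the original post and not vpnd's or vtun's own code. It assumes the VPN daemon can be configured to invoke a hook script with a state word ("up" or "down") and the tunnel interface name (both assumptions; check the daemon's documentation for the exact hook mechanism and arguments), and reads interface byte counters in the /proc/net/dev line format so the parsing can be exercised offline with a constructed sample line.

```shell
#!/bin/sh
# Crude per-session accounting hook for a Linux tunnel interface.
# Assumed invocation from the VPN daemon's link hook: accounting.sh up|down IFACE
# Log line format: "<epoch> <state> <iface> <rx_bytes> <tx_bytes>"

LOGFILE=${VPN_ACCT_LOG:-/var/log/vpn-acct.log}   # hypothetical default path

# parse_counters "<iface>: rx_bytes ... tx_bytes ..." -> prints "rx_bytes tx_bytes"
# /proc/net/dev lists 8 receive fields then 8 transmit fields after "iface:".
parse_counters() {
    printf '%s\n' "$1" | sed -e 's/^ *//' -e 's/:/ /' | awk '{ print $2, $10 }'
}

# read_counters IFACE [FILE]: the /proc/net/dev line for IFACE (FILE overridable for tests)
read_counters() {
    grep "^ *$1:" "${2:-/proc/net/dev}" | head -n 1
}

# log_event STATE IFACE LOGFILE [DEVLINE]: append a timestamped counter snapshot.
# DEVLINE lets a constructed /proc/net/dev line be supplied instead of the live one.
log_event() {
    _state=$1; _iface=$2; _log=$3
    _line=${4:-$(read_counters "$_iface")}
    [ -n "$_line" ] || { echo "no counters for $_iface" >&2; return 1; }
    _rxtx=$(parse_counters "$_line")
    printf '%s %s %s %s\n' "$(date +%s)" "$_state" "$_iface" "$_rxtx" >> "$_log"
}

# session_bytes LOGFILE: total bytes (rx+tx) moved between the last "up" and the
# following "down". Counters that went backwards (interface recreated, counters
# reset) are reported as 0 rather than a negative number.
session_bytes() {
    awk '$2 == "up"   { rx = $4; tx = $5 }
         $2 == "down" { d = ($4 - rx) + ($5 - tx); if (d < 0) d = 0 }
         END          { print d + 0 }' "$1"
}

# Dispatch when run as a hook; does nothing when sourced without arguments.
case "${1:-}" in
    up|down) log_event "$1" "$2" "$LOGFILE" ;;
esac
```

This gives a who/when/how-much record per link without RADIUS: the "up" line identifies the peer box and time, and the "down" line closes the session with a byte count. It is deliberately crude: counters are per interface, not per user, so it cannot tell which person on the remote box generated the traffic, which is exactly the gap the reply points out between this and the Cisco client's per-user authentication.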