Ugh... please disregard my signature... it was auto-added on... stupid me. *Marc*
On Tue, Nov 12, 2013 at 2:54 PM, Marc Epstein <marc.epst...@tightropeinteractive.com> wrote:
> Hi
>
> Just wanted to chime in on my experience with PKI... like you guys said,
> initially I found it to be a PITA, especially combining it with site-to-site
> tunneling (using ISAKMPD). But after getting the configs down and, on the
> client side, using the Shrew VPN client (if there is something else out there
> better and free, please let me know!) with a detailed document, none of my
> users seem to have issues doing the initial connection.
>
> So my experience has been a pleasure so far. I do have some routing issues
> where I have trouble getting the VPN user to connect to the endpoints on
> the site-to-site, but I hope to solve those soon.
>
> Regards,
>
> *Marc Epstein*
> Senior IT Manager
> Mobile: (415) 994-4625
> Email: marc.epst...@tightropeinteractive.com
>
>
> On Tue, Nov 12, 2013 at 2:42 PM, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
>
>> On 12/11/13 19:29, Daniel Polak wrote:
>>
>>> ==== Original message from Kapetanakis Giannis at 8-11-2013 13:38
>>>
>>>> I would like to discuss some suggestions about VPN to multiple road
>>>> warriors.
>>>>
>>>> So far we're using OpenVPN, but I want to change that, or maybe
>>>> offer L2TP/IPsec in addition to OpenVPN.
>>>>
>>> Have you considered using isakmpd?
>>>
>>
>> Yes, my test implementation was with isakmpd and npppd. The problem is the
>> authentication on the IPsec path.
>> I don't want to use the same PSK for everyone.
>>
>>
>>>> Playing around with npppd was straightforward and I was quite
>>>> impressed with it. Good job.
>>>> EAP-TLS would also be a very nice feature to have.
>>>>
>>>> What I'm wondering is what you guys do to set up the IPsec path of the
>>>> tunnel.
>>>>
>>>> One option is to use a unique pre-shared key for all clients. But this
>>>> is probably insecure since it opens MITM attacks. Isn't it?
>>>>
>>>> Best option would be to use a PKI infrastructure for your clients.
>>>> Isn't that a pain in the ass for users (user registration, key
>>>> deliveries etc.)?
>>>> How do you guys manage this for best user experience and compatibility
>>>> with most OSes?
>>>>
>>> PKI is a bit of a PITA but it is doable. You could use a PKCS#12 package
>>> to deliver the certificates to the client.
>>>
>>> Daniel
>>>
>>>
>> Agree with you that PKI is a PITA, especially for the users.
>>
>> I'm thinking of a solution with either OpenCA or Dogtag where the user would
>> ideally log in, generate and download their certificate...
>>
>> However the whole process is much more difficult for the end user than
>> New Connection -> Define Connection type -> Enter username/password ->
>> done.
>>
>> IKEv2 looks promising but I don't know if it's supported in something else
>> except Windows 8.
>> I want to cover Windows XP, 7, Vista, 8, Mac OS X (xxx) and various flavors of
>> Linux + smartphones.
>>
>> The only type that works in all these is PPTP but this sucks a lot in
>> terms of security...
>>
>> G
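Daniel's suggestion above, a per-user certificate handed over as a PKCS#12 bundle, is the part of the PKI setup that most people end up scripting. The script below is an added example written for this page, not code from anyone in the thread or from isakmpd/npppd; it assumes a POSIX shell with the `openssl` command available, and the CA name (`vpn-ca.example.org`), the user name (`alice`) and the export passphrase are placeholders. It builds a tiny private CA, issues one client certificate marked for client authentication, packs key, certificate and CA certificate into one passphrase-protected `.p12`, and deletes the user's plaintext key from the CA host afterwards, since only the bundle should leave the machine.

```shell
#!/bin/sh
# Added example (not from the thread): minimal CA + per-user PKCS#12 bundle.
# Placeholders: vpn-ca.example.org, alice, the export passphrase.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, certs, bundles
CA_DAYS=3650
CLIENT_DAYS=365
CFG="$WORK/openssl.cnf"

# Explicit extension sections, so the result does not depend on the
# distribution's default openssl.cnf: the CA gets CA:TRUE + keyCertSign,
# the client gets CA:FALSE + clientAuth.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Create the CA key and self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
        -config "$CFG" -extensions v3_ca \
        -subj "/CN=vpn-ca.example.org" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    chmod 600 "$WORK/ca.key"
}

# Issue a client certificate for one user ($1 is the username and the CN):
# fresh private key + CSR, signed by the CA with the v3_client extensions.
issue_client() {
    user="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" \
        -subj "/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$CLIENT_DAYS" \
        -in "$WORK/$user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$CFG" -extensions v3_client \
        -out "$WORK/$user.crt" 2>/dev/null
}

# Bundle key, client cert and CA cert into one PKCS#12 file. $2 is the
# export passphrase the user types once when importing the bundle.
bundle_p12() {
    user="$1"; password="$2"
    openssl pkcs12 -export \
        -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
        -certfile "$WORK/ca.crt" -name "$user" \
        -passout "pass:$password" -out "$WORK/$user.p12"
    chmod 600 "$WORK/$user.p12"
    # The plaintext user key has no business staying on the CA host.
    rm -f "$WORK/$user.key" "$WORK/$user.csr"
}

# Returns 0 if the user's certificate chains to our CA.
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Returns 0 if the bundle opens (MAC verifies) with the given passphrase.
check_p12() {
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -noout >/dev/null 2>&1
}

make_ca
issue_client alice
bundle_p12 alice 'change-me-on-import'
verify_client alice && echo "alice.crt chains to ca.crt"
check_p12 alice 'change-me-on-import' && echo "bundle written: $WORK/alice.p12"
```

Hand the `.p12` to the user out of band and the passphrase separately; the user imports it once and never sees key material again. Two practical caveats: keep a CRL or short certificate lifetimes so a lost laptop can be cut off, and note that the oldest clients in the thread's list (Windows XP era) may only understand the legacy 3DES/SHA-1 PKCS#12 encryption, which modern `openssl pkcs12 -export` no longer uses by default (`-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` selects it).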