On 12 November 2013 20:42, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
> On 12/11/13 19:29, Daniel Polak wrote:
>>
>> ==== Original message from Kapetanakis Giannis at 8-11-2013 13:38
>>>
>>> I would like to discuss some suggestions about VPN to multiple road
>>> warriors.
>>>
>>> So far we're using OpenVPN, but I want to change that or maybe
>>> offer L2TP/IPsec in addition to OpenVPN.
>>
>> Have you considered using isakmpd?
>
>
> Yes, my test implementation was with isakmpd and npppd. The problem is the
> authentication on the IPsec path.
> I don't want to use the same PSK for everyone.
>
>
>>> Playing around with npppd was straightforward and I was quite
>>> impressed with it. Good job.
>>> EAP-TLS would also be a very nice feature to have.
>>>
>>> What I'm wondering is what you guys do to set up the IPsec path of the
>>> tunnel.
>>>
>>> One option is to use a unique pre-shared key for all clients. But this
>>> is probably insecure since
>>> it opens MITM attacks. Isn't it?
>>>
>>> The best option would be to use a PKI infrastructure for your clients.
>>> Isn't that a pain in the ass for users (user registration, key
>>> deliveries etc.)?
>>> How do you guys manage this for best user experience and compatibility
>>> with most OSes?
>>
>> PKI is a bit of a PITA but it is doable. You could use a PKCS#12 package
>> to deliver the certificates to the client.
>>
>> Daniel
>>
>
> Agree with you that PKI is a PITA, especially for the users.
>
> I'm thinking of a solution with either OpenCA or Dogtag where the user would
> ideally
> log in, generate and download their certificate...
>
> However the whole process is much more difficult for the end user than
> New Connection -> Define Connection type -> Enter username/password -> done.
>
> IKEv2 looks promising but I don't know if it's supported in anything else
> except Windows 8.
> I want to cover Windows XP, 7, Vista, 8, Mac OS X (xxx) and various flavors of
> Linux + smart phones.
>
Win7 and OS X should be supported, as per Reyk Floeter's paper on OpenIKED:
http://www.openbsd.org/papers/openiked-asiabsdcon2013.pdf

Vista and XP probably need an external client to handle IKEv2.

As far as Linux is concerned, my guess is you'll have to test a bunch of clients
and it will depend on what is already being used to manage connections. For
instance, NetworkManager can integrate with OpenVPN or the Cisco VPN client to
provide a GUI to manage the VPN connection.

Marios

> The only type that works in all these is PPTP but this suxxx a lot in terms
> of security...
>
> G
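Daniel's suggestion of shipping each user a PKCS#12 bundle is the part of this that is easy to automate. The script below is an added example and not code from the thread, from OpenBSD or from OpenIKED: it stands up a tiny CA with openssl(1), issues one client certificate per user with the user's e-mail address as a subjectAltName, and packs key, certificate and CA certificate into a password-protected .p12. The CA name, the user "alice", her e-mail address, the passphrase and the work directory are all constructed for the example; the assumption that the client will present the e-mail address as its IKE identity (user-FQDN) is also mine. The one non-obvious choice is pinning the bundle's encryption to SHA1/3DES: the Windows releases named in the thread cannot import the PBES2/AES bundles that current OpenSSL emits by default, and the flags used here exist in both OpenSSL 1.1 and 3.x.

```shell
#!/bin/sh
# Added example (not from the thread): per-user client certificates for a
# road-warrior VPN, delivered as PKCS#12 bundles. Requires only openssl(1).
# All names, addresses, passphrases and paths below are constructed.
set -eu

# make_ca DIR: self-signed CA key and certificate in DIR.
# Extensions are written explicitly so the CA is accepted as an issuer
# regardless of what the local openssl.cnf defaults to.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# issue_client DIR USER EMAIL: key plus CA-signed certificate for one user.
# The e-mail address goes into subjectAltName; the assumption is that the
# client presents it as its user-FQDN identity when authenticating.
issue_client() {
    dir=$1; user=$2; email=$3
    cat > "$dir/$user.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=email:$email
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$user.ext" -out "$dir/$user.crt" 2>/dev/null
}

# bundle_client DIR USER PASS: key, certificate and CA certificate -> USER.p12.
# PBE and MAC algorithms are pinned to SHA1/3DES because older Windows
# releases cannot import the PBES2/AES bundles newer OpenSSL emits by default.
bundle_client() {
    dir=$1; user=$2; pass=$3
    openssl pkcs12 -export -name "$user VPN" \
        -inkey "$dir/$user.key" -in "$dir/$user.crt" -certfile "$dir/ca.crt" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pass" -out "$dir/$user.p12"
}

# verify_client DIR USER: succeeds only if USER's certificate chains to our CA.
verify_client() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# bundle_email P12 PASS: the e-mail identity carried by the certificate in
# the bundle. Prints nothing (and fails) if PASS is wrong.
bundle_email() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -email
}

# Worked run: one CA, one user, one bundle to hand out.
WORK=$(mktemp -d)
make_ca "$WORK"
issue_client "$WORK" alice alice@example.com
bundle_client "$WORK" alice 'constructed-passphrase'
```

The gateway side only ever needs the CA certificate (for iked that is the /etc/iked/ca/ directory), so the CA key can stay offline; what changes against the shared-PSK setup Giannis describes is that each user holds a distinct credential that can be revoked on its own, and the passphrase protecting the .p12 is only for transport, not for ongoing authentication.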