On 30-Nov-07, at 2:13 AM, Khalid Schofield wrote:
> Hi,
> I'd like to make a VPN concentrator using OpenBSD. I want users to be
> able to authenticate using usernames and passwords and to either NAT
> the users or give them an IP from our main DHCP server via a bridge.
> If I have, say, a Mac user at home wanting to connect into my network
> using the built-in Mac OS client, how should I set up the VPN server?
> Will it auth using usernames and passwords, or are certificates the only
> simple way to authenticate to the VPN server?
> How would I know which is better to use for this application out of
> PPTP or IPsec?
> Any and all input welcome.
> Khalid
I'm embarking down the same path, for what it's worth, but I'm actually
doing it to eventually get rid of my Cisco 3005. My main structure,
though, is IPsec between static fixed devices/locations, and I don't
need to worry about supporting PPTP or L2TP over IPsec, or supplying
addresses, yet.
I think Brian A. Seklecki's response:
"That's a tall order. In Cisco-land a VPNC3000k will run you $5k
plus SMARTNet. You'll need isakmpd(8) policies. You'll need
dhclient-server relay support. You'll need XAuth authentication
(possibly via PAM). You'll need IPsec NAT-T. Maybe tie it all
together with LDAP and PKI."
Kind of hit the nail on the head of my worries as well. I'm busy
enough now making a secure network between offices using an OpenBSD
box as the hub, but when I need to start adapting for "Road Warriors"
things may get tricky.
For example, your Mac user at home, assuming Tiger's built-in client
(I'm not clear on Leopard's new VPN protocols), can only use PPTP or
L2TP over IPsec. I don't know if it's even possible to support all
protocols easily on an OpenBSD concentrator, so I plan to push my road
warriors into using clients such as VPN Tracker or the TheGreenBow
client, though open source alternatives would be preferable. In my
perfect world it would be isakmp/ipsec only for me and to hell with
clients. Too bad that can't always happen...
So, anyway, lots of ramble for little benefit, but at least I know
somebody else is doing it...
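As an added illustration of the "isakmpd(8) policies" part of the to-do list above (this is not from either poster, nor an OpenBSD-supplied file): an ipsec.conf(5) fragment for the IPsec layer that a built-in Mac L2TP/IPsec client expects. The policy is passive, so the concentrator never initiates; it matches any peer address because road warriors have no fixed IP, and it protects UDP/1701 (L2TP) in ESP transport mode rather than tunnel mode. The interface group "egress" stands in for the concentrator's public address, and the pre-shared key is a placeholder to be replaced.

```conf
# /etc/ipsec.conf  (constructed example, not from the thread)
#
# Road-warrior policy for L2TP/IPsec clients such as Mac OS X's built-in VPN.
#   passive   - only respond to IKE negotiations, never start them
#   transport - L2TP/IPsec protects the UDP/1701 flow itself, not a subnet
#   to any    - peer address is unknown in advance (home users, NAT)
# isakmpd(8) negotiates NAT-T with peers that sit behind a NAT; no extra
# keyword is needed for that.
ike passive esp transport \
        proto udp from egress to any port 1701 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk "replace-with-a-long-random-secret"
```

Two caveats a practitioner would want before relying on this. First, a single PSK shared with "any" peer only authenticates the machine-to-machine IPsec layer; every client knows the same secret, so the per-user username/password check the original question asks for has to happen in the L2TP/PPP layer above it, which this fragment does not provide. Second, the policy covers only the IKE/ESP side; it says nothing about handing out addresses or bridging to the main DHCP server, which is the "dhclient-server relay" item on Seklecki's list. To load it, enable isakmpd with the -K flag (skip keynote policy checks) and ipsec=YES in rc.conf.local, then run ipsecctl -f /etc/ipsec.conf; ipsecctl -n -f /etc/ipsec.conf parses the file without loading it, which is a cheap syntax check before touching a live box.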