On 30-Nov-07, at 9:57 PM, Jason Dixon wrote:
On Dec 1, 2007, at 12:37 AM, visc wrote:
On 30-Nov-07, at 2:13 AM, Khalid Schofield wrote:
Hi,
I'd like to make a VPN Concentrator using openbsd. I want users to
be able to authenticate using usernames and passwords and to either nat
the users or give them an ip from our main dhcp server via a bridge.
If I have say a mac user at home wanting to connect into my network
using the built in mac os client how should I set up the vpn server?
Will it auth using usernames and passwords or is certificates only
simple way to authenticate to the vpn server?
How would I know which is better to use for this application out of
PPTP or IPsec?
Any and all input welcome.
Khalid
I'm embarking down the same path for what it's worth, but I'm
actually doing it to eventually get rid of my Cisco 3005. My main
structure though is ipsec between static fixed devices/locations
and I don't need to worry about supporting PPTP or L2TP over
IPSEC, or supplying addresses- yet.
I think Brian A. Seklecki's response:
"That's a tall order. In Cisco-land a VPNC3000k will run you $5k
plus SMARTNet. You'll need isakmpd(8) policies. You'll need
dhclient-server relay support. You'll need XAuth authentication
(Possibly via PAM). You'll need IPSEC NAT-T. Maybe tie it all
together with LDAP and PKI."
Kind of hit the nail on the head of my worries as well. I'm busy
enough now making a secure network between offices using an OpenBSD
box as the hub, but when I need to start adapting for "Road
Warriors" things may get tricky.
For example, your Mac user at home, assuming Tiger's built in
client (I'm not clear on Leopard's new VPN protocols), can only use
PPTP or L2TP over IPSEC. I don't know if it's even possible to
support all protocols easily on an OpenBSD concentrator, so I plan
to push my Road Warriors into using clients such as VPN Tracker or
The Greenbow client, though open source alternatives would be
preferable. In my perfect world it would be isakmp/ipsec only for
me and to hell with clients. Too bad that can't always happen...
I haven't been following this thread, but I saw your post and
thought I'd add some bits for you to consider. First, you mention
that Mac OS X only supports PPTP or L2TP over IPSec. This is not
true. I've used OpenVPN (via tunnelblick) and the Cisco VPN
client. OpenBSD has solutions that will support both of those
clients. Would it be nice to have XAUTH support? Sure, but don't
hold your breath.
---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Thanks, it's good to know not to get too excited about XAUTH. This is
all new territory for me.
I was only referring to the built-in osx client via Internet
Connect.app. Though the "Cisco VPN client" is actually what is driving
my desire to move away from Cisco. My support contracts have run out
with Cisco, and I'm too much of a paranoid soul to use Cisco clients I
find via other means. Yet incompatibility has once again struck me.
And Khalid - sorry to hijack your thread. Most of my road warriors are
going to be on macs and too cheap to purchase VPN Tracker. Any
successes I have I'll certainly share.
Cheers