> Just curious what is the basic plan for VPN solutions for Opensolaris or even
> Solaris in general?

The answer actually differs depending on what you actually want from a VPN.
Before beginning, one should clearly answer for oneself which ISO layer one wants to tunnel through.

If there's a need to link two layer 2 networks, there are two possible solutions known to me -- Cisco VPN Client (L2TP over IPSec over UDP) and OpenVPN (homegrown). The former is available only to Cisco customers, quite outdated (the latest version of Cisco VPN Client available for platforms other than Microsoft Windows is 4.8), Cisco-specific, proprietary/closed source and available for Solaris/SPARC only, but somewhat time-proven and tends to be a "de facto" industry standard, albeit only in the world of Cisco guys. :) The latter is open-source, but relies on the availability of an "ethertap-like" driver on the operating system. I don't know whether such a driver is available under Solaris, but if it is, OpenVPN will work fine.

If there's a need to link two layer 3 networks, the spectrum of solutions is much richer.

First of all, if tunneling of unicast traffic is enough for you, you can use IPSec. IPSec without anything more. :) IPSec tunnel mode, in theory, can be used with static keying; as such, no other software besides the kernel IPSec engine and the /usr/sbin/ipsec* utilities is needed to operate an IPSec tunnel. Although this mode is not secure enough in the modern world, nobody can forbid you from installing an ISAKMP/IKE daemon such as racoon and using dynamic keying. :)

Second, if you want, for example, to send multicast traffic via IPSec (for example, to use OSPF), you should protect with IPSec (preferably using IPSec transport mode to lower tunneling overhead) some tunneling protocol more powerful than IPSec tunnel mode. Any protocol, really. PPP over TCP (protected by IPSec, duh!) works. :) But GRE is usually recommended for this case, and is much more inter-operable (you will even be able to terminate such a tunnel on a Cisco device).

Third, VPN as a technology doesn't really _REQUIRE_ any cryptography.
If there's no sensitive information passing over the VPN link, one can use GRE (or even PPP over TCP :) without any encryption.

--
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org