<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-15" http-equiv="Content-Type"> <title></title> </head> <body bgcolor="#ffffff" text="#000000"> Dear Darren, the post that I sent was ment to be a food for thought when people at Ubuntu Linux project team start designing VPN graphical user interface. You are quite right that IPsec is industry accepted and like you said they also complain about it. I am not representing our company opinions with this email. These things which I said are just learned on the way during the years which I have worked at this field. Yes we do use (been using OpenVPN for couple of years now) OpenVPN for our own remote connections but for the customers we use IPsec for the obvious reasons. OpenVPN is secure enough for our use. Reason why our customers wanted to use the software which exists in Windows is quite simple. Ease of installation and management. They are even willing to lower the security for easier solutions. Windows IPsec software is basically the same as Cisco IPsec client and we use L2TP only for tunneling so the real IP traffic is IPsec secured and users are also authenticated with radius. IPsec configuration (like you also mentioned) can be made easy but it does not solve the problems of the usability for the users. Checkout <a class="moz-txt-link-abbreviated" href="http://www.netseal.com">www.netseal.com</a> (my previous employer). Netseal has made easiest Mobile VPN software which I have ever seen. You can even download the software from the site and use it for free (there is five user limit). This might the direction which Ubuntu Linux VPN client GUI should take (IPsec or not). Netseal has put a lot of money for the usability research and the software has been tested thoroughly. This again is just a proposal for the project. regards, Markus P.S. Stinghorn has build our solutions on top of the OpenBSD so I do hope that our VPN is secure enough. Darren Critchley wrote: <blockquote cite="mid416D689D.5060203@telus.net" type="cite">Markus Räipiö wrote: <blockquote type="cite">Hi there, there has been lot of discussion considering VPN with GUI and maybe with somekind of wizard. IPsec is really not the best solution for the secure remote connection to home or office networks. It has far too many problems with different networks and wireles lan roaming is not even good one. We have OpenVPN in use here at office with wireless lan networks and it works just fine and if you but the ifplugd in use too then it is even better. By the way everyone here uses Linux so it is even more easier for us to build secure remote connections. </blockquote> OpenVPN is one of the two open-source solutions that is considered secure. Something I learned from working with the Ipcop firewall project. We went through this last year and it was deemed that the only standard (albeit with quirks) that is reliable and widespread is ipsec (and yes even the security industry complains about it, but it is out there and continues to be developed and used). Perhaps OpenVPN has grown and matured since then. When adding the wireless interface to the Ipcop distro, people called for a simple to configure vpn solution for it, here is the thread on that showing the decision process that in the end resulted in CIPE and OpenVPN being dropped in favour of staying with Ipsec.: <a class="moz-txt-link-freetext" href="http://marc.theaimsgroup.com/?l=ipcop-devel&m=106447792613377&w=2">http://marc.theaimsgroup.com/?l=ipcop-devel&m=106447792613377&w=2</a> Also, here is an interesting post about the same subject (openvpn is not covered), but it does point out the inherent dangers of simplifying a secure protocol to make it easier for the end user to configure, it is written by Peter Gutmann (<a class="moz-txt-link-freetext" href="http://www.cs.auckland.ac.nz/~pgut001/">http://www.cs.auckland.ac.nz/~pgut001/</a>) security expert. <a class="moz-txt-link-freetext" href="http://diswww.mit.edu/bloom-picayune/crypto/14238">http://diswww.mit.edu/bloom-picayune/crypto/14238</a> Yes OpenVPN is simple to implement, but when you make something simple, something else always suffers. <blockquote type="cite"> IPsec is somekind of standard for the remote connections but do we really have to stay with standards which are not well done and include too many flaws built-in if we can get better working solutions with some other software ? Sometimes fighting with the windmills is a better solution. Trust </blockquote> I would think so, given that the kernel developers chose this as a standard and not OpenVPN, L2TP or some other 3rd party variant. They chose what the industry is using - ipsec. Also ipsec once configured properly is reliable and stable. And yes it can be difficult to configure, but if you look to Ipcop on how they implemented it, it is quite simple to implement with the correct GUI around it. One other bonus is most OS's now come with a "variant" of the ipsec standard which means you don't have to pay for a client. I have written a how to for most of those OS's on getting ipsec to work with PreShared keys and also using x509 certificates (my preferred method of VPN) <blockquote type="cite">me, we here at Stinghorn work on this area for living. We have solved our customers remote problems with L2TP and IPsec combination which enables them to use internal Windows software for the connections. This way they save time 'cause they dont have to install any VPN client software which blows up the system when you install personal firewall into the same computer. NAT-T must be taken into consideration when implementing GUI/wizard to Ubuntu Linux. </blockquote> NAT-T is no longer a problem for Ipsec - at least the OpenSwan versions, at this point I do not know if the 2.6 kernel implementation of ipsec is as robust and flexible as openswan is. But we have no problems running ipsec behind NAT'd firewalls since Ipcop moved to openswan late last year. One final thought, OpenVPN lives in userland and can be added to Ubuntu at any time - check synaptic, it is there. If people wish to use an easy to configure vpn, it is available right now. Whereas the ipsec implementation currently is not, but I can guarantee that ipsec can be made as easy as OpenVPN to configure. For my customers and the work I do, I prefer ipsec using x509 certificates, I know I am secure (relative term, nothing is 100% secure), and I know I will be able to connect to most of the commercial equipment out there without using a Microsoft designed protocol, and we all know Microsofts security record to date. How secure is your vpn? Darren </blockquote> <div class="moz-signature">-- <meta http-equiv="Content-Type" content="text/html; "> <meta name="GENERATOR" content="GtkHTML/3.0.10"> ______________________________________________________________________ Markus Räipiö Chief Executive Officer Stinghorn P.O. Box 212 FIN - 53101 LAPPEENRANTA FINLAND Visiting Address: Elimäenkatu 12-16 6B, FIN-00510 HELSINKI tel: +358 (0)201 442 550 fax: +358 (0)201 442 559 gsm: +358 (0)40 503 8813 email: <a href="mailto:markus.raipio@stinghorn.com">markus.raipio@stinghorn.com</a> web: <a href="http://www.stinghorn.com">http://www.stinghorn.com</a> ______________________________________________________________________ <pre><tt>This message and any attachment is intended only for the use of the Addressee and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify us immediately. Thank You. Security Warning: Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. We advise that you understand and observe this lack of security when e-mailing us. Viruses: Although we have taken steps to ensure that this e-mail and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free.</tt></pre> </div> </body> </html>