Virtual Private Networks, or VPNs, are a way of securely accessing resources on your network from untrusted points on the internet. This page describes several of the open-source VPN solutions available on Linux systems, with the benefits and drawbacks of each. It is not a VPN comparison per se, but I hope it gives you enough information to draw your own conclusions and decide which type of VPN best fits your needs. Feel free to mail me (ipsec@natecarlson.com) with any questions.

NOTE: I occasionally post notes about new VPN options on my blog; see the VPN category at: http://www.natecarlson.com/blog/category/geek-stuff/vpn. Also, if you are interested in consulting services to help you set things up, I am available on a very limited basis - please see my consulting page.

Contents:
Changes made to this document
IPSec VPNs (Openswan, KAME)
SSL-Based VPNs (OpenVPN)
PPTP-Based VPNs (PoPToP)
Commercial VPN software

If you find this page helpful, and would like to help keep me motivated to update this site, feel free to donate with the button below. Any little bit helps!


Changes made to this document
$Id: linux-vpn.php,v 1.8 2005/11/22 18:27:32 natecars Exp $
[03/08/2005] Minor updates; commercial VPN clients.
[03/07/2005] Initial revision.

IPSec VPNs (Openswan, KAME)

IPSec is one of the older VPN standards, and is still very secure and useful when properly configured. There are two major implementations of IPSec under Linux. The first is the project that was originally called FreeS/WAN, which has since forked into Openswan and Strongswan. This implementation provides its own IPSec kernel stack (KLIPS), and it can also use the native stack included in recent 2.6 kernels (NETKEY). The second is a port of KAME from BSD, packaged as ipsec-tools (the setkey policy tool and the racoon IKE daemon); KAME can only use the native kernel stack. The core IPSec specification does not assign the remote host a virtual IP address on the local network, but extensions such as ISAKMP Mode Config do. You can also run L2TP over IPSec, which is well supported by Microsoft's recent operating systems.

Pros: IPSec is an established standard, and is well supported by many commercial routers. Openswan supports the non-standard XAUTH extension, and can act as a client to Cisco, Nortel, and many other VPN concentrators. IPSec's security policies define, at the kernel level, exactly which traffic must go through a tunnel and which traffic must not, so you do not need extra firewall rules just to control what crosses the VPN. Very flexible for subnet<->subnet, host<->subnet, and similar configurations.

Cons: IPSec can be difficult to set up and debug. It also does not work behind some types of NAT gateways: ESP carries no port numbers for a NAT device to track, and AH fails outright because it authenticates the IP header that NAT rewrites. NAT-Traversal support, which wraps ESP in UDP port 4500, has fixed this for most gateways.
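As an added example (not from the original page, and not from the Openswan or KAME projects), here is what "what can and cannot go over a tunnel" looks like as a KAME/ipsec-tools security policy, loaded with `setkey -f`. The gateway addresses 203.0.113.1 and 198.51.100.1 and the subnets 10.1.0.0/16 and 10.2.0.0/16 are made up for the example; racoon, the ipsec-tools IKE daemon, negotiates the actual security associations for these policies.

```conf
#!/usr/sbin/setkey -f
# Site-to-site policy on gateway A (203.0.113.1, LAN 10.1.0.0/16).
# All addresses are example values, not taken from the original page.
spdflush;

# Traffic from our LAN to the remote LAN must leave inside an ESP tunnel
# to the remote gateway. "require" means the kernel will never send it in
# the clear: with no SA in place it asks IKE (racoon) for one and drops
# the packet meanwhile.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec
        esp/tunnel/203.0.113.1-198.51.100.1/require;

# Traffic claiming to come from the remote LAN is only accepted if it
# arrived inside the matching ESP tunnel. A cleartext packet with a
# 10.2.0.0/16 source is discarded by this policy, not by a firewall rule.
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec
        esp/tunnel/198.51.100.1-203.0.113.1/require;
```

Check the loaded policies with `setkey -DP`. An Openswan `conn` with `leftsubnet=10.1.0.0/16` and `rightsubnet=10.2.0.0/16` produces the same pair of kernel policies when it uses the native 2.6 stack; `ip xfrm policy` shows them. One caveat: these policies constrain only traffic between the two subnets. A gateway with nothing else configured still forwards 10.1.0.0/16 traffic to any other destination in the clear, so the policy replaces firewall rules for the tunnel, not for the rest of your routing.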

Links:
Openswan
IPSec-tools, KAME port for Linux
My article on configuring Openswan with X.509 and Windows XP's client
My article on configuring Openswan with L2TP and Windows XP's client
Consulting information, if you need help


SSL-Based VPNs (OpenVPN)

Recently, SSL-based VPNs have been gaining popularity. Their big benefit is that the whole tunnel rides on a single TCP or UDP port, so they pass through most firewalls easily. The best implementation under Linux is OpenVPN. It uses TLS (via OpenSSL) to authenticate the peers and negotiate keys, then encrypts the tunnelled packets with those keys and delivers them through a tun/tap interface. OpenVPN is fairly mature, and very feature-rich.

Pros: Trivial firewall configuration; just needs a single TCP or UDP port (OpenVPN 2.0 defaults to UDP 1194). Uses SSL/TLS, which is a very mature protocol. Available for most operating systems, including Windows. Flexible configuration options.

Cons: Requires more firewall configuration than IPSec to control access to internal resources: OpenVPN hands decrypted packets to a tun/tap interface, and from there anything the kernel will route is allowed unless you filter that interface with iptables. Not supported by most commercial VPN concentrators.
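An added example (not from the original page or from the OpenVPN project) of the extra firewall work, as an iptables-restore fragment for an OpenVPN server whose clients land on `tun0` with addresses from a `server 10.8.0.0 255.255.255.0` pool. The single hole in INPUT is the pro from above; the FORWARD rules are the con, the part IPSec's policies give you without extra rules. The interface name, the pool, the listening port and the internal hosts 10.1.5.10 and 10.1.5.20 are assumptions made for this example.

```conf
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Example values only: tun0, the 10.8.0.0/24 client pool, internal 10.1.5.x hosts.

# The whole VPN needs exactly one opening in INPUT: OpenVPN's UDP port.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT

# Decrypted client packets appear on tun0 and would be routed anywhere the
# kernel has a route. Nothing in OpenVPN itself stops that, so FORWARD has
# to spell out what a VPN client may reach: here only the intranet web
# server and the IMAPS server.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.1.5.10 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.1.5.20 -p tcp --dport 993 -j ACCEPT

# Anything else arriving from the tunnel, including packets with a source
# outside the client pool, is logged and dropped.
-A FORWARD -i tun0 -j LOG --log-prefix "vpn-denied: "
-A FORWARD -i tun0 -j DROP
COMMIT
```

Load it with `iptables-restore < /etc/iptables.openvpn`. If you need different rules for different users, give each client a fixed tunnel address with OpenVPN's `client-config-dir` and `ifconfig-push` options and match on that address in FORWARD; with the default dynamic pool, every client is indistinguishable to the firewall.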

Links:
OpenVPN's home page; very informative.


PPTP-Based VPNs (PoPToP)

PPTP is the VPN protocol Microsoft shipped first, with Windows NT 4.0 and as a Dial-Up Networking add-on for Windows 95. It has been in use for a long time, but its security has been questioned repeatedly: authentication is MS-CHAP (v1 or v2), and the MPPE encryption keys are derived from the user's password hash, so the tunnel is never stronger than that password and the challenge-response exchange (see the analysis linked below). Basically it tunnels a PPP connection over the GRE protocol, with a control connection on TCP port 1723. PoPToP is the main PPTP server for Linux. I highly recommend that if you think you need PPTP you look at L2TP over IPSec instead - L2TP over IPSec is more secure, and offers all the same features.

Pros: Easy configuration under Windows, supported by many commercial routers/firewalls.

Cons: Questionable security. Firewalling problems similar to IPSec: GRE (IP protocol 47) has no port numbers, so NAT devices need a PPTP helper to pass it, and the TCP 1723 control connection must be allowed separately. Requires a kernel patch (the MPPE module) to offer encryption at all.
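An added example (not from the original page or from the PoPToP project) of the minimum a PPTP server should insist on, as pppd options for PoPToP. With these, a client cannot negotiate down to PAP, CHAP or MS-CHAPv1, and the link is refused unless 128-bit MPPE comes up; the tunnel is still only as strong as the user's password. The file path follows the usual PoPToP convention but is an assumption here, as is the `name` value.

```conf
# /etc/ppp/options.pptpd, referenced from pptpd.conf with "option /etc/ppp/options.pptpd"
# (example file; path and name are assumptions, not from the original page)
name pptpd

# Refuse every authentication method except MS-CHAPv2. PAP sends the
# password in the clear, and MS-CHAPv1 is weaker than v2 (see the linked
# analysis). Without these lines a client can offer PAP and pppd accepts it.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2

# Refuse a link that does not bring up 128-bit MPPE. Without this a client
# can talk to the server entirely unencrypted. Needs the MPPE kernel module
# and an MPPE-aware pppd.
require-mppe-128
nomppe-stateful

# No compression fallbacks, and drop dead links instead of leaving them open.
nobsdcomp
nodeflate
lcp-echo-interval 30
lcp-echo-failure 4
```

On the firewall side, the two rules PPTP needs are `-p gre` (IP protocol 47) for the data and `-p tcp --dport 1723` for the control connection; unlike OpenVPN's single UDP port, GRE has no port number for a NAT device to track, which is the firewalling problem mentioned above.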

Links:
PoPToP home page.
Analysis of the MSCHAP-v2 protocol


Commercial VPN software

There are various commercial VPN clients available for Linux, but as far as I am aware there are no commercial servers. If you know of any commercial servers for Linux, please let me know. Below is a list of some of the better-known commercial clients.

Links:
Cisco Client -- link is to reference manual; if you have a CCO login you can download the client.
Nortel VPN Client
Apani VPN client for Nortel