Date:      Wed, 07 May 2003 22:04:32 -0600
From:      Brett Glass <brett@lariat.org>
To:        Michael Collette <metrol@metrol.net>, FreeBSD Security <freebsd-security@freebsd.org>
Subject:   Re: VPN through BSD for Win2k, totally baffled
Message-ID:  <4.3.2.7.2.20030507220032.00bcec10@localhost>
In-Reply-To: <200305071921.33596.metrol@metrol.net>

I've been using PPTP for this purpose. Microsoft's PPTP implementation
is pretty brain dead, but if you're willing to bend the configuration
of your network a little to accommodate it and configure your clients
carefully, you can set up a VPN that's accessible from most versions 
of Windows. Not super-secure, but secure enough for most purposes.

I have been interested in trying L2TP, but am not sure about the
stability of the server software for FreeBSD. And I can't find
a FreeBSD client. (There's an L2TP netgraph node, but there are
no docs on how to use it with mpd and likewise nothing on how to 
use it with userland PPP.)

--Brett

At 08:21 PM 5/7/2003, Michael Collette wrote:
  
>Scenario:
>FreeBSD box running IPFW acting as a gateway to private network.  The private 
>network is made up of entirely routeable IP addresses.  External users 
>running Win2k and XP on DSL connections with dynamic IPs.
>
>Goal:
>To have the FreeBSD gateway securely authenticate and encrypt the traffic 
>between the outside users and the internal network.
>
>
>I've spent the last 3 days running up and down Google and reading any books 
>that approach the subject of setting up a VPN.  The further down this road 
>I've travelled the more confused I am.
>
>I assume the following:
> * Need to have a certificate setup with OpenSSL.
> * Racoon needs to deal with a key exchange.
> * Some kind of tunneling gets put into play.
> * Setkey needs appropriate policies.
>
>I happened across the Google cache of a tutorial that seems to cover this 
>subject.  There seem to be a couple of key points missing, as well as some 
>apparently out of date syntax.  I did manage to create a CA and client cert 
>from a mix of this tutorial and the AbsoluteBSD book.
>
>http://216.239.37.104/search?q=cache:mFG0kB-ghLoC:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-2.html+FreeBSD-WIN2K-IPSEC-HOWTO-2.html&hl=en&lr=lang_en&ie=UTF-8
>
>Managed to get a certificate generated from that process installed on a test 
>XP box per the following...
>
>http://216.239.33.104/search?q=cache:FFxjH0VQGD0C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-4.html+FreeBSD-WIN2K-IPSEC-HOWTO-4.html&hl=en&lr=lang_en&ie=UTF-8
>
>Where I totally lost it was on the FreeBSD setup.  The author is referring to 
>certificates that he never described how they should be created.  I didn't 
>know what in the heck to do here.
>
>http://216.239.33.104/search?q=cache:oNMJe4EHOu4C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-3.html+FreeBSD-WIN2K-IPSEC-HOWTO-3.html&hl=en&lr=lang_en&ie=UTF-8
>
>Am I even on the right path?  Aside from this one tutorial I've been through 
>several others, as well as looking at a variety of IPSec related pages.  
>There's obviously a number of different approaches out there to take, but I'm 
>simply looking for one that works.  Just to know that I'm heading in the 
>correct direction or not would be an incredible help.
>
>Thanks,
>-- 
>"Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark 
>to read."
> - Groucho Marx
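
The quoted post lists four pieces (an OpenSSL certificate, racoon for the key exchange, a tunnel, and setkey policies) without showing how they fit together on the gateway. The script below is an added illustration, not code from either poster or from the linked HOWTO, of the gateway side of that design: an IPFW gateway with a fixed external address, road-warrior Win2k/XP clients on dynamic addresses, X.509 authentication. All addresses (203.0.113.1, 192.0.2.0/24, 198.51.100.7), file names and the rule numbers are assumptions. The point it makes that the thread does not: with clients on dynamic IPs, the gateway cannot hold a static setkey policy per client, so racoon's `remote anonymous` block with `generate_policy on` installs the policy after the client's certificate has been verified.

```shell
#!/bin/sh
# Added example (not from the thread): gateway-side IPsec configuration for a
# FreeBSD/IPFW gateway serving Win2k/XP road warriors on dynamic addresses,
# authenticated with X.509 certificates. Addresses and file names are assumed.

# Print a racoon.conf for a gateway whose external address is $1.
# One "remote anonymous" block answers every client (passive on), and
# "generate_policy on" makes racoon install the SPD entry for a client once
# its certificate chains to our CA, so no per-client spdadd line is needed.
racoon_conf() {
    gw="$1"
    cat <<EOF
path certificate "/usr/local/etc/racoon/certs";   # CA cert lives here, hashed (c_rehash)
log notify;

listen {
    isakmp ${gw} [500];
}

remote anonymous {
    exchange_mode main;          # Win2k/XP IKE uses main mode
    certificate_type x509 "gateway.crt" "gateway.key";
    verify_cert on;              # refuse clients whose cert does not chain to our CA
    my_identifier asn1dn;
    peers_identifier asn1dn;
    generate_policy on;          # build the SPD entry from the negotiated selectors
    passive on;                  # the gateway never initiates to a dynamic client
    lifetime time 8 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# setkey(8) input for the gateway: with generate_policy on, the only static
# step is to start from an empty SA and policy database.
setkey_conf() {
    printf 'flush;\nspdflush;\n'
}

# What the gateway SPD would have to hold for ONE client with a known address
# ($2) reaching the internal network ($3) through tunnel mode to the gateway
# ($1). Shown for comparison: this is exactly what cannot be written in advance
# for a DSL client whose address changes.
static_policy() {
    gw="$1"; client="$2"; net="$3"
    printf 'spdadd %s %s/32 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$net" "$client" "$gw" "$client"
    printf 'spdadd %s/32 %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$client" "$net" "$client" "$gw"
}

# IPFW rules so IKE (UDP/500) reaches racoon and ESP (IP proto 50) reaches the
# kernel; $1 is the gateway's external address, $2 the first rule number.
ipfw_rules() {
    gw="$1"; n="$2"
    printf 'ipfw add %d allow udp from any to %s 500 in\n'  "$n"          "$gw"
    printf 'ipfw add %d allow udp from %s 500 to any out\n' "$((n+1))"    "$gw"
    printf 'ipfw add %d allow esp from any to %s in\n'      "$((n+2))"    "$gw"
    printf 'ipfw add %d allow esp from %s to any out\n'     "$((n+3))"    "$gw"
}

# Write all three pieces into directory $1 for gateway $2 (assumed paths).
write_configs() {
    dir="$1"; gw="$2"
    mkdir -p "$dir"
    racoon_conf "$gw"   > "$dir/racoon.conf"
    setkey_conf         > "$dir/ipsec.conf"
    ipfw_rules "$gw" 1000 > "$dir/ipfw-ipsec.sh"
}

# Usage: sh gateway-ipsec.sh /tmp/ipsec-out 203.0.113.1
[ $# -eq 2 ] && write_configs "$1" "$2"
```

The client side (certificate import and the Windows IPsec policy) stays as in the tutorial the poster found; the gateway's own certificate and key are the ones named in `certificate_type`, and the CA certificate that signed the client certificates must sit in the `path certificate` directory under its hash name, or `verify_cert on` rejects every client.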