Linux:2, Cisco:1
Larry Schmid
larry-schmid@home.net
Fri, 10 Mar 2000 15:52:55 GMT
Hi,
I've got FreeS/WAN running a multi-leg VPN out of my office. I can
recommend it for a fast and stable Linux--Linux VPN solution. All our
nodes are running either DSL or cable modems. The freeswan tunnel
generally adds 10 ms to the ping times. I haven't done raw throughput
testing yet, but it has been in use for almost two months, and the
only times I get complaints about speed are when the DSLs are crapping
out (a different subject, don't get me started).
A gotcha: Freeswan uses ipfwadm/ipchains in its startup scripts to
establish its own routing through the box. The freeswan startup must
happen before your firewall script runs. If your firewalling and
masquerading rules get put into place first, your tunnels will still
come up and look like they are functioning perfectly, but no traffic
will get through. This piece isn't well documented and
troubleshooting that took the majority of the configuration and
testing time. The latest release (1.3) addresses this with hooks for
running your firewall script at the right time, but I haven't tried it
out yet.
For Cisco, there is mention of getting it to work in the Compatibility
FAQ, but it is offered on a YMMV basis.
http://www.freeswan.org/freeswan_trees/freeswan-1.3/doc/compatibility.html
It lists a sample configuration for both freeswan and cisco sides.
The VPN mini-HOWTO and other implementations like VPNstarter use ssh
in a packet-forwarding scheme, so those resources wouldn't address
your Cisco issues.
Do you have to have Cisco on the far end? A Linux router over there
would be one more for our side. :)
Larry
On Thu, 9 Mar 2000 23:51:44 -0700, you wrote:
>Hi for Linux you can try FreeS/WAN (www.freeswan.org). Or here is a
>miniHOWTO (http://www.linuxdoc.org/HOWTO/mini/VPN.html). Or ... will I
>get crucified for mentioning it ... you can take a look at OpenBSD
>(www.openbsd.org). I've found it to be an excellent server/gateway OS
>although I haven't used IPSec/VPN functionality.
>
>Austin
>godber@asu.edu
>
>
>On Thu, Mar 09, 2000 at 11:23:30PM -0700, Digital Wokan wrote:
>> Well, in a mixed blessing kind of way, the Cisco router my employer
>> bought for future use in a VPN crapped out on us the other day. An
>> upgraded IOS introduced me to an interesting ISDN bug they have. And
>> their last attempt involved installing an IOS still in beta testing. So
>> I dragged a 5x86-133 into work last night and put us back on the
>> Internet with good ol' Linux while the Cisco gets troubleshot.
>> Looks like this box, which was the predecessor to the Cisco, got its
>> day in the sun again. Maybe I can keep it in place. Anyone out there
>> experienced with setting up VPNs between Linux boxes and Cisco
>> routers? (Running 12.0.x IOS.)
>> Care to share the howtos and what to expect to deviate from said howtos?
>> (Oh, and Linux scores 2 because it was the first system to impress the
>> boss with sharing a single IP across a LAN instead of individual
>> dialups. So 1 point for each time it's been in place.)
>> --
>> Digital Wokan
>> Tribal mage of the electronics age
>> Guerilla Linux Warrior
>>
>> _______________________________________________
>> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
--
Provoke not your SA to anger, for he is a jealous SA, vengeful,
keeper of root, and quick to wrath.
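The start-order gotcha Larry describes (FreeS/WAN's ipsec script must run
before the firewall script, or the tunnels come up but pass no traffic) is
easy to catch before it costs a day of troubleshooting. The script below is
an added example, not something from the post or from the FreeS/WAN project:
it checks that, in a SysV rc directory, the S-link for the ipsec script sorts
before the S-link for the firewall script. The script names "ipsec" and
"firewall" and the demo directory contents are assumptions; adjust them to
whatever your box actually uses.

```shell
#!/bin/sh
# Added example: verify SysV start order of FreeS/WAN's ipsec script versus
# the firewall script. Names "ipsec" and "firewall" are assumed; the demo
# directory is constructed in a temp dir and never touches /etc/rc.d.

# Print the two-digit sequence number of the S-link in directory $1 whose
# name contains $2. Returns 1 (prints nothing) if no such link exists.
rc_seq() {
    dir=$1
    name=$2
    for link in "$dir"/S[0-9][0-9]*"$name"*; do
        # An unmatched glob stays literal, so check the entry really exists.
        [ -e "$link" ] || [ -L "$link" ] || continue
        base=$(basename "$link")
        echo "$base" | sed 's/^S\([0-9][0-9]\).*/\1/'
        return 0
    done
    return 1
}

# Return 0 only if ipsec starts strictly before the firewall script.
# Equal sequence numbers fall back to alphabetical order, which puts
# "firewall" ahead of "ipsec", so "less than" is the condition we need.
# A missing link of either kind counts as a failure.
rc_order_ok() {
    dir=$1
    ipsec_seq=$(rc_seq "$dir" ipsec) || return 1
    fw_seq=$(rc_seq "$dir" firewall) || return 1
    [ "$ipsec_seq" -lt "$fw_seq" ]
}

# Build a constructed rc directory holding a network link plus the two
# link names given as arguments; prints the directory path.
make_demo_rcdir() {
    d=$(mktemp -d)
    touch "$d/S10network" "$d/$1" "$d/$2"
    echo "$d"
}

# Demonstration on a constructed directory (safe to run anywhere).
# On a real system you would run: rc_order_ok /etc/rc.d/rc3.d
demo=$(make_demo_rcdir S45ipsec S50firewall)
if rc_order_ok "$demo"; then
    echo "ipsec starts before firewall: ok"
else
    echo "firewall starts first: tunnels will come up but pass no traffic"
fi
rm -rf "$demo"
```

Point `rc_order_ok` at the rc directory for the runlevel the box boots into;
a non-zero exit means the firewall and masquerading rules are being installed
before FreeS/WAN has set up its own routing, which is exactly the silent
failure mode described above.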