Hi

Just wanted to chime in on my experience with PKI... like you guys said,
initially I found it to be a PITA, especially combining it with site-to-site
tunneling (using ISAKMPD). But after getting the configs down and, on the
client side, using the Shrew VPN client (if there is something else out there
better and free, please let me know!) with a detailed document, none of my
users seem to have issues doing the initial connection.

So my experience has been a pleasure so far. I do have some routing issues
where I have trouble getting the VPN user to connect to the endpoints on
the site-to-site, but I hope to solve those soon.

Regards,

*Marc Epstein*
Senior IT Manager
Mobile: (415) 994-4625
Email: [email protected]

On Tue, Nov 12, 2013 at 2:42 PM, Kapetanakis Giannis <
[email protected]> wrote:

> On 12/11/13 19:29, Daniel Polak wrote:
>
>> ==== Original message from Kapetanakis Giannis at 8-11-2013 13:38
>>
>>> I would like to discuss some suggestions about VPN to multiple road
>>> warriors.
>>>
>>> So far we're using OpenVPN, but I want to change that or maybe
>>> offer L2TP/IPsec in addition to OpenVPN.
>>>
>> Have you considered using isakmpd?
>>
>
> Yes my test implementation was with isakmpd and npppd. The problem is the
> authentication on the ipsec path.
> I don't want to use the same PSK for everyone.
>
>
>>> Playing around with npppd was straightforward and I was quite
>>> impressed with it. Good job.
>>> EAP-TLS would also be a very nice feature to have.
>>>
>>> What I'm wondering is what you guys do to set up the IPsec path of the
>>> tunnel.
>>>
>>> One option is to use a unique pre-shared key for all clients. But this
>>> is probably insecure since it opens MITM attacks. Isn't it?
>>>
>>> The best option would be to use a PKI infrastructure for your clients.
>>> Isn't that a pain in the ass for users (user registration, key
>>> deliveries etc.)?
>>> How do you guys manage this for best user experience and compatibility
>>> with most OSes?
>>>
>> PKI is a bit of a PITA but it is doable. You could use a PKCS#12 package
>> to deliver the certificates to the client.
>>
>> Daniel
>>
>>
> Agree with you that PKI is a PITA especially for the users.
>
> I'm thinking a solution with either OpenCA or Dogtag where user would
> ideally
> login, generate and download their certificate...
>
> However the whole process is much more difficult for the end user than
> New Connection -> Define Connection type -> Enter username/password ->
> done.
>
> IKEv2 looks promising but I don't know if it's supported in anything else
> except Windows 8.
> I want to cover Windows XP, 7, Vista, 8, Mac OS X (xxx) and various flavors of
> Linux + smart phones.
>
> The only type that works in all these is PPTP but this suxxx a lot in
> terms of security...
>
> G
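The PKCS#12 delivery Daniel suggests above, as an added example that is not code from anyone in this thread: a private CA signs one certificate per road-warrior user and the key, certificate and CA certificate are bundled into a single password-protected .p12 file, with a check that the bundle chains back to the CA before it is handed out. It assumes openssl(1) is installed; the CA name and the user "alice" are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: issue one road-warrior client
# certificate from a private CA and deliver it as a single password-protected
# PKCS#12 bundle. Assumes openssl(1); CA name and user "alice" are made up.
set -eu

WORK=${WORK:-$(mktemp -d)}

# One-time: the private CA that the gateway (isakmpd) will trust for clients.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Per user: key and CSR, signed by the CA, then bundled into user.p12.
# The bundle carries client key, client cert and CA cert, so the VPN client
# needs only this one file plus its password; the loose key is removed.
make_client_p12() {
  user=$1; pass=$2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -days 365 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -in "$WORK/$user.csr" -out "$WORK/$user.crt" 2>/dev/null
  openssl pkcs12 -export -name "$user" -inkey "$WORK/$user.key" \
    -in "$WORK/$user.crt" -certfile "$WORK/ca.crt" \
    -passout "pass:$pass" -out "$WORK/$user.p12"
  rm -f "$WORK/$user.key" "$WORK/$user.csr"
  echo "$WORK/$user.p12"
}

# Check before hand-over: the bundle opens with the password, its certificate
# chains to our CA and names the expected user.
verify_p12() {
  p12=$1; pass=$2; user=$3
  rm -f "$WORK/check.crt"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
    -out "$WORK/check.crt" 2>/dev/null || return 1
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/check.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/check.crt" -noout -subject | grep -q "CN *= *$user"
}
```

The user receives only the .p12 file and its password out of band; the CA key never leaves the server.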
