kmiller01 said:
> I'm looking for opinions on VPN's. We're planning to set up a VPN between
> a couple of our offices, they won't have to interoperate with any Windows
> machines or any other clients, just the 2 machines talking to each other
> to link 2 networks.
>
> Do any of you guys have an opinion about the best VPN scheme to use?
I personally love vtun. It uses a single port, you can use either TCP or UDP, you can have virtually unlimited numbers of users connected (and all connected to the same PID), it's pretty easy to set up & understand, it's VERY reliable (I've been using it in production for more than a year without the slightest problem), and it runs on multiple OSs, Linux, *BSD, and Solaris among them. Not sure if it's included with redhat or not. It requires a kernel module for best performance (this module has been included with the 2.4.x kernel for a long time, with 2.2.x you need to compile it separately). Because it uses TCP/UDP it works great with NAT and firewalls. You can use any port you want to establish the connections.

I have also used vpnd, but while it works OK for a limited number of connections (5 or less), any more and I encountered serious scalability issues, such as running out of PPP devices (each vpn device used a PPP interface); trying to increase this failed. I also had problems running out of entropy, so connections would slow down considerably. vtun on the other hand was always very fast and never needed ppp devices (it uses 'tun' devices which are part of the kernel driver). The kernel driver is by no means required but it is recommended for best performance.

There is IPSec as well, but most IPSec implementations are not friendly with NAT or firewalls because they primarily do not use TCP/UDP for their communications (their design is intentional). Some see this as a benefit; I personally don't like it. Fortunately some vendors have begun to implement IPSec-over-UDP which works around this problem. It's been a bit over a year since I played with FreeSWAN but at the time they didn't have this supported, not sure if that's still the case or not. Native IPSEC is also difficult to monitor due to the same fact that it uses IP protocol #50 (I think) rather than TCP (#6)/UDP (#17), so tools like netstat and the like don't register that data (perhaps patched versions are available).
In any case, I recommend you check out vtun; it's available I believe at http://vtun.sourceforge.net

IPSec, because in its native form it doesn't use TCP/UDP, may not always work (not all providers route that traffic). It's not common to find a carrier that doesn't route it, but it's far from impossible. At my former company I had 2 employees that had to use vtun over TCP because their ISPs were somehow preventing UDP communications from working (all other users on the other ISPs were unaffected). By nature, UDP is better for VPNs than TCP. But in a "clean" network environment there will probably not be a noticeable difference between the 2.

nate
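The monitoring point above (native IPSec rides on IP protocol 50, so socket-level tools that only see TCP #6 and UDP #17 miss it, while vtun and IPSec-over-UDP show up as ordinary TCP/UDP flows) can be checked at the packet level. The following is an added example, not code from the post or from the vtun project: it parses raw IPv4 packets and classifies each by VPN transport. It assumes vtund is listening on port 5000 and uses a constructed sample capture; the NAT-T port 4500 and AH protocol 51 are standard values not mentioned in the post.

```python
import struct
from collections import Counter

# IP protocol numbers from the post: TCP 6, UDP 17, ESP 50. AH (51) is the
# other native IPsec protocol; IPsec-over-UDP (NAT-T) uses UDP port 4500.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
NAT_T_PORT = 4500
VTUN_PORT = 5000   # assumed vtund port; vtun lets you pick any port

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet by the VPN transport it is carrying."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "non-ipv4"
    ihl = (packet[0] & 0x0F) * 4      # header length in bytes (options included)
    proto = packet[9]                 # IP protocol field
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        return "ipsec-esp (proto 50, invisible to socket tools)"
    if proto == IPPROTO_AH:
        return "ipsec-ah (proto 51, invisible to socket tools)"
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])   # both headers start with ports
        name = "tcp" if proto == IPPROTO_TCP else "udp"
        if proto == IPPROTO_UDP and NAT_T_PORT in (sport, dport):
            return "ipsec-nat-t (udp/4500)"
        if VTUN_PORT in (sport, dport):
            return f"vtun ({name}/{VTUN_PORT})"
        return f"other {name}"
    return f"other ip proto {proto}"

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options, zero checksum) for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def summarize(packets) -> Counter:
    """Count packets per transport class, the view netstat cannot give for ESP."""
    return Counter(classify(p) for p in packets)

SAMPLE = [  # constructed sample traffic: ESP, NAT-T, vtun over UDP and TCP, plain ssh
    build_ipv4(IPPROTO_ESP, b"\x00\x00\x12\x34" + b"\x00" * 16),
    build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 4500, 4500, 24, 0) + b"\x00" * 16),
    build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 40000, 5000, 16, 0) + b"\x00" * 8),
    build_ipv4(IPPROTO_TCP, struct.pack("!HH", 40001, 5000) + b"\x00" * 16),
    build_ipv4(IPPROTO_TCP, struct.pack("!HH", 40002, 22) + b"\x00" * 16),
]

if __name__ == "__main__":
    for kind, n in summarize(SAMPLE).items():
        print(f"{n:3d}  {kind}")
```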