[svlug] PPTP?

Will Lowe harpo at thebackrow.net
Sat Jul 21 10:34:02 PDT 2001


> You know, the position of Global Village Idiot has a long waiting list.

Heh.  So is the line for Global Village asshole; keep trying.  And
given that your suggested Google string was nearly a complete bust,
I'm tempted to ask if your name is ahead of mine on the Global Village
Idiot list, too.

> Out of idle curiosity:  Have you stumbled across the LDP's VPN HOWTO,
> yet, or is that going to take you a few more days of research?

Sure.  I take it that you haven't stumbled across this yet:
http://sites.inka.de/bigred/devel/tcp-tcp.html

Let's start over here;  I concede that my initial query wasn't
well-formatted.  You stated that there were "plenty of available
alternatives" for Linux VPNs,  presumably in a corporate environment,
because that's what the discussion was about.

Here's what I should've said:

1) PPTP : insecure.  Linux support (for encrypted pptp tunnels that
interoperate well with other vendors,  such as Cisco and M$) is ...
immature,  at best.

2) CIPE: it's awesome.  I've had some CIPE tunnels up linking remote
sites and data centers to our office now since November,  and I've had
NO trouble with them. There's even a Windows implementation.  BUT I'm
not sure I want to try to configure it for the 100+ Windows-using
non-geeks in the office,  including having each one have to connect to
a different IP address or Port.  They'll be immensely confused. Yes,
one or two of these people might belong in the line of Global Idiots, but
for the most part they're just secretaries and marketing guys who
want to do their jobs without also doing mine.

* At this point,  let's acknowledge that VERY few people have the
ability to disregard Windows at work.  I hate it, you hate it,
sometimes I think even Mr. Gates must hate it,  but it's a reality, and
I'm unlikely to convince my CEO that he has to learn to use Linux just
to read his email from home and grab a .ppt he left on his desktop at
work (which he'll then be unable to open anyway).  Attitudes like the
one you fed me last night don't help get rid of the corporate fear of
anything non-M$, and therefore don't help you collect your consulting
fees. 

3) PPP-over-SSH:  suffers from the backoff (and MTU?) problems
associated with TCP-in-TCP.  Non-Windows only.  Otherwise, 
generally workable,  but many users are stuck at home behind lossy 
or congested lines,  where the aforementioned problems are worst.

4) FreeS/WAN: seems like long-term this might be the best solution,
but when I last tried it (nearly 6 months ago now) there were serious
interoperation problems.  It looks like some of those may have been
resolved in more recent releases:

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/interop.html

5) vtun and vpnd: again, Unixish things only.  Also suffer from
the config problems of CIPE,  IIRC.  I haven't played with them
myself,  but the reports I've had from friends are that they work
pretty well.

This leaves us with ONE reliable, multiplatform (required by the
"corporate environment" postulate above) interoperable (maybe?),
relatively-mainstream VPN solution involving Linux.  What I MEANT to be
asking last night was "what else can you think of,  and do you have any
experience with it that makes you want to recommend it?"

-- 
					sheesh,
		
					Will

----- End forwarded message -----

-- 
					thanks,
		
					Will



