From: Dave Warren on 3 Jan 2010 15:54
In message <jwv1vi85jff.fsf-monnier+comp.os.linux.networking(a)gnu.org> Stefan Monnier <monnier(a)iro.umontreal.ca> was claimed to have wrote:

>> OpenVPN is proprietary and will not work with a Draytek router.
>
>In which sense is OpenVPN proprietary?

In the sense that OpenVPN built their own protocol rather than relying on one of the existing standards.

There is a lot I like about OpenVPN, but the client side stuff is just downright nasty to configure, maintain, or even use. It's great for techies, but I couldn't imagine putting it in front of an end user.

From: David Brown on 4 Jan 2010 03:24
Dave Warren wrote:
> In message <jwv1vi85jff.fsf-monnier+comp.os.linux.networking(a)gnu.org>
> Stefan Monnier <monnier(a)iro.umontreal.ca> was claimed to have wrote:
>
>>> OpenVPN is proprietary and will not work with a Draytek router.
>> In which sense is OpenVPN proprietary?
>
> In the sense that OpenVPN built their own protocol rather than relying
> on one of the existing standards.
>
> There is a lot I like about OpenVPN, but the client side stuff is just
> downright nasty to configure, maintain, or even use. It's great for
> techies, but I couldn't imagine putting it in front of an end user.

I would say the same thing about any VPN solution other than OpenVPN.

For the most part, we have Windows clients and Linux servers. When someone needs OpenVPN access, I just give them a copy of the Windows installer, and generate a key and a configuration file (which is simply a sample config file with the remote address modified appropriately). The setup is vastly easier than other ways to handle VPNs, especially if the client is behind a router or needs to connect to multiple VPNs.

In other cases, we've provided routers with OpenWRT installed and the client configured. The user plugs in the router, and has VPN access via one of the network ports. It couldn't be easier.

From: David Brown on 4 Jan 2010 03:32
Stefan Monnier wrote:
>> IPSEC is very widely used for infrastructure VPNs and is not
>> proprietary. Cisco interoperates with Checkpoint interoperates with
>> Draytek interoperates with OpenVPN ....... Never found a problem in
>> dozens of cases.
>
> In which sense do they "interoperate"?
>
>> OpenVPN is proprietary and will not work with a Draytek router.
>
> In which sense is OpenVPN proprietary?
>

I think the poster means that the protocol is not an official standard held by an independent body. That's true, even though it is built around existing standards and is freely available.

>> If you do not, setting up and maintaining this simply to support a few
>> dialup VPN clients is a big ask. Making a few changes to your firewall for
>> GRE is pretty minor by comparison.
>
> I went to the trouble of setting up a personal OpenVPN server (and
> corresponding clients) specifically because of the endless problems
> I had with firewalls when using PPTP (and I don't know about other
> people, but I can't make any change to most of the firewalls to which
> I'm exposed; and even when I could I still had problems when several
> machines within the same NAT subnet tried to use the same VPN).
>

I have no doubt that OpenVPN is much easier to configure and work with both for the server and clients. Most of the servers I have configured have been on small, cheap LinkSys routers using OpenWRT, with multiple OpenVPN configurations - an independent OpenVPN network for each network port on the device. Different clients have OpenVPN connections to different servers, and can easily connect to or disconnect from the networks as they require. Each server can have multiple clients for the different VPN networks as needed. Each client can be connected to multiple servers. And both the servers and clients are typically behind a NAT router.

This kind of flexibility is simply impossible with other VPN solutions.