[NBLUG/talk] got vpn?

Devin Carraway nblug-talk-list at devin.com
Sat Jun 5 17:18:03 PDT 2004


On Sat, Jun 05, 2004 at 08:45:26AM -0700, Daniel Smith wrote:
> * $100-$200 per unit
> * can handle more than one incoming VPN session at a time
> * emails log files to me, or talks to syslog
> * no artificially small limit on IP addresses (dole out
> enough via DHCP to keep every machine in the house happy, even
> if they are running things like Virtual PC processes with
> their own IP addr)
> * don't need wireless, got enough APs as it is

If the hardware-solution approach is what you're after, I'll relay a
recommendation for Netgear's "FV" routers.  They're fairly cheap and have
an excellent ipsec implementation, for fairly simple vpn-bridging or
roadwarrior uses.  They include a simple IDS which I'm not as crazy
about, but never looked deeply at fixing or disabling.  The ipsec in the
things is (or at least was as of 2002) one of the most nearly
spec-compliant consumer implementations available -- it got several
things right that freeswan (then the only linux ipsec implementation)
got wrong.

Linksys has an ipsec-capable vpn router -- linuxdevices.com had an
article on it a while back
(http://linuxdevices.com/news/NS3238024255.html).  The good part is that
it's based on Linux; the bad part is that, consequently for the period,
it uses freeswan.

Snapgear makes a number of VPN appliances based on Linux; they're out of
your cited price range, but snapgear has been an active contributor to
uclinux, maintains their own distro; they ported freeswan to the SuperH
architecture and managed to smooth over some of the worst parts of
freeswan (their distro is now based on 2.6, but whether they've adopted
its ipsec I don't know.)  A good option if you feel like voting with
your wallet.  My company uses tons of these things.  One feature
snapgear provides that some routers don't is a discrete cryptoprocessor;
most routers that don't have these tend to have fairly low capacity
owing to the computational cost of keying and cipher throughput (even
with modern CPU-tuned ciphers, sustaining multi-megabit streaming cipher
throughput isn't trivial).


> I'm not keen on having a dedicated Linux box with 2 NICs for this,
> unless it was a diskless (noise...) unit with a really small form factor.

If you're into the tinkering factor, I wouldn't write this option off;
you can build a pretty decent ipsec router that either seldom spins up
the disk or runs off flash.  A stripped 2.6 kernel and racoon are small
enough to run off a floppy if you work at it.



-- 
Devin  \ aqua(at)devin.com, 1024D/E9ABFCD2;  http://www.devin.com
Carraway \ IRC: Requiem  GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
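For the "stripped 2.6 kernel plus racoon" option above, here is what the configuration of such a box actually looks like. This is an added example, not code from the message or from any of the vendors it mentions: a POSIX shell script that writes the three files a 2.6-kernel IPsec gateway running racoon (ipsec-tools) needs for a site-to-site ESP tunnel. The two public addresses, the two LANs and the pre-shared key are assumed placeholders from the RFC 5737 documentation ranges; the cipher choices (AES, SHA-1, MODP-1024) are typical of the 2004-era gear the message discusses, and a current deployment should pick a larger DH group and a SHA-2 hash.

```shell
#!/bin/sh
# Added example, not from the original message: generate the setkey policy,
# racoon.conf and PSK file for a site-to-site IPsec tunnel on a Linux 2.6
# router.  Every address and the secret below are assumed placeholders.

LOCAL_GW=198.51.100.1       # this router's public address (assumed)
REMOTE_GW=203.0.113.2       # the peer gateway's public address (assumed)
LOCAL_NET=192.168.1.0/24    # LAN behind this router (assumed)
REMOTE_NET=192.168.2.0/24   # LAN behind the peer (assumed)
PSK='replace-with-a-long-random-secret'   # assumed placeholder secret

# write_ipsec_config DIR: write ipsec-tools.conf, racoon.conf and psk.txt
# into DIR.  On a real box DIR would be /etc/racoon.
write_ipsec_config() {
    dir="$1"
    mkdir -p "$dir"

    # Kernel security policy database (SPD).  The two spdadd lines say that
    # traffic between the LANs must ("require") travel inside an ESP tunnel
    # between the gateways; anything not matching a policy is passed in the
    # clear, so the policy is what keeps the LANs from leaking.
    # Loaded with: setkey -f "$dir/ipsec-tools.conf"
    cat > "$dir/ipsec-tools.conf" <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in  ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF

    # racoon (IKEv1) negotiates the keys the kernel then uses.  "remote" is
    # phase 1 (authenticating the peer), "sainfo" is phase 2 (the ESP SAs
    # for the LAN-to-LAN selector).  Main mode plus PFS are the conservative
    # choices; aes/sha1/modp1024 match 2004-era interoperability.
    cat > "$dir/racoon.conf" <<EOF
path pre_shared_key "$dir/psk.txt";

remote $REMOTE_GW {
        exchange_mode main;
        lifetime time 8 hour;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address $LOCAL_NET any address $REMOTE_NET any {
        pfs_group modp1024;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF

    # PSK file: one "<peer address> <secret>" line, readable by root only.
    # racoon refuses a world-readable psk.txt, so the chmod is not optional.
    printf '%s %s\n' "$REMOTE_GW" "$PSK" > "$dir/psk.txt"
    chmod 600 "$dir/psk.txt"
}

# Stand-alone use: ./mkipsec.sh /etc/racoon
# then:  setkey -f /etc/racoon/ipsec-tools.conf && racoon -F -f /etc/racoon/racoon.conf
if [ -n "${1:-}" ]; then
    write_ipsec_config "$1"
fi
```

The peer runs the mirror image (LOCAL and REMOTE swapped). Once `racoon -F` logs the phase 1 and phase 2 SAs as established, `setkey -D` shows the resulting SAs and `ping` from one LAN to the other exercises the tunnel. To gauge the throughput caveat the message raises for boxes without a cryptoprocessor, `openssl speed -evp aes-128-cbc` on the router's CPU gives a rough upper bound on ESP throughput before the per-packet overhead is even counted.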