On Fri, 2004-05-21 at 17:52, Jason Tackaberry wrote:

> There seem to be two general approaches to VPNs, each with their own
> advantages and disadvantages: kernel space, and user space. I feel the
> only kernel solutions worth considering are those which implement IPsec.
> There exist several packages implementing VPN solutions in userspace,
> such as vtun, tinc, and OpenVPN.

I would stick with industry-standard technologies, like IPSec, as much as possible. I have used IPSec in tunnel mode to set up VPN tunnels between several branch offices.

--- BEGIN ADVICE ---

However, I must say there are some problems with automatic keying and 2.6 kernels regarding the use of ISAKMP/IKE. The problem is that setting an SPD between both tunnel end-points causes the first packet between any of them to start negotiating the Security Association. But the kernel, instead of queueing the packet that triggered the ISAKMP/IKE exchange (in order to set up the SA), discards it and returns an -EAGAIN error to the userspace caller which, in turn, translates into "Resource temporarily unavailable" for user space programs.

This happened to me when using "racoon" to manage an automatically keyed SA, based on X.509 certificates. Doing a ping to force the ISAKMP/IKE exchange, and to set up the SA, caused the first ping packet to fail with "Resource temporarily unavailable". Once the SA had been set up, no more packets were discarded.

--- END ADVICE ---

Don't know if this behavior is applicable to 2.4 kernels, Free/SWAN or Open/SWAN IPSec stacks.
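As an added illustration of the failure mode described in the message above (not code from the poster or from any IPsec project), the following Python sketch shows how a userspace sender can tolerate the first-packet EAGAIN without masking other errors. The `NegotiatingSocket` class is a constructed stand-in that simulates the kernel dropping packets until the SA is up; the address and payload are made-up values.

```python
import errno
import os
import time


def send_with_sa_retry(sock, payload, addr, attempts=5, delay=0.5):
    """Send one datagram, retrying only while the kernel answers EAGAIN.

    Returns (attempt_that_succeeded, eagain_count). Any other OSError is
    re-raised so unrelated failures (no route, a discard policy, ...) are
    not hidden behind the retry loop.
    """
    eagain_count = 0
    for attempt in range(1, attempts + 1):
        try:
            sock.sendto(payload, addr)
            return attempt, eagain_count
        except OSError as exc:
            if exc.errno != errno.EAGAIN:
                raise
            eagain_count += 1  # SA still negotiating: the packet was dropped
            time.sleep(delay)
    raise TimeoutError("SA never came up after %d EAGAIN replies" % eagain_count)


class NegotiatingSocket:
    """Constructed stand-in for a UDP socket behind an auto-keyed SPD.

    Mimics the 2.6 behaviour from the post: sendto() fails with EAGAIN
    until the simulated SA is established, after which sends succeed.
    """

    def __init__(self, drops_before_sa_up):
        self.remaining_drops = drops_before_sa_up
        self.sent = []

    def sendto(self, payload, addr):
        if self.remaining_drops > 0:
            self.remaining_drops -= 1
            raise OSError(errno.EAGAIN, os.strerror(errno.EAGAIN))
        self.sent.append((payload, addr))
        return len(payload)


def demo(drops=1):
    """A ping-like probe is dropped `drops` times, then goes through."""
    sock = NegotiatingSocket(drops)  # constructed; replace with a real socket
    return send_with_sa_retry(sock, b"probe", ("10.0.0.1", 9), delay=0)


if __name__ == "__main__":
    print(demo())  # (2, 1): succeeded on attempt 2 after one EAGAIN
```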