On Tue, 2004-09-14 at 12:07, Nick Drage wrote:
> On Tue, Sep 14, 2004 at 10:42:27AM -0400, John A. Sullivan III wrote:
> > On Tue, 2004-09-14 at 09:46, Peter Marshall wrote:
> > <snip>
> >
> > I would suggest an IPSec VPN using either the native IPSec stack in the
> > latest Linux, StrongSWAN (www.strongswan.org) or OpenSWAN
> > (www.openswan.org), and placing access control and VPN on the same
> > device. That is how we design most devices for use in the ISCS project
> > (http://iscs.sourceforge.net).
>
> Reading "Network Security Hacks" recently I liked the look of VTun. Any
> thoughts on that? How does it interface with IPTables?

Keyword being hack. Always see if ipsec will meet your needs first. Any
encapsulation using TCP for its upper layer may be easier, but can create all
kinds of interesting things with multiple flows and TCP timers expiring. Great
stuff if you want to be an expert at debugging TCP problems; otherwise stick to
something that uses UDP for its upper layer. Although for simple traffic with
minimal flows it is definitely usable.

Interop with Openswan is excellent as well these days. Plus with Novell
sponsoring Openswan it gives many people a warm fuzzy feeling, and the list is
one of the best there is, no spam assaults like the old freeswan list.

Ted
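Added example (not from the thread, and not VTun's or Openswan's code): a small constructed discrete-time model of the TCP-over-TCP effect Ted is warning about. One stop-and-wait TCP sender pushes segments through a tunnel whose carrier is either UDP (the IPsec/ESP case: a dropped frame is simply gone and only the inner TCP retransmits) or TCP (both layers run retransmission timers with exponential backoff). The tick timing, the RTO constants and the loss pattern are invented for the illustration; what the run shows is that over a TCP carrier the inner TCP keeps retransmitting data the outer TCP already holds and will deliver anyway, and those redundant copies queue up in front of fresh data.

```python
from collections import deque

# Constructed toy model (added example, not from the thread).  A stop-and-wait
# TCP sender rides through a tunnel whose carrier is "udp" (a lost frame is
# gone; only the inner TCP retransmits) or "tcp" (the outer TCP retransmits
# lost frames itself, with its own exponential backoff).  Time is in ticks;
# the raw link takes one tick each way.  RTO values are invented.
INNER_RTO0 = 6   # inner TCP's initial retransmission timeout, in ticks
OUTER_RTO0 = 4   # outer TCP's initial retransmission timeout, in ticks


def simulate(carrier, loss_schedule, segments=3, max_ticks=400):
    """Run until `segments` inner segments are acknowledged.

    loss_schedule: one boolean per frame placed on the raw link (True = that
    frame is dropped); once exhausted the link is lossless.  ACKs are assumed
    never lost, to keep the model small.
    """
    losses = iter(loss_schedule)
    link = []                      # (arrival_tick, kind, seq, copy)
    wire_tx = 0                    # frames actually placed on the raw link
    seq, copy, inner_tx = 0, 0, 0  # inner sender: next seq, copy counter, sends
    inner_sent_at, inner_rto = None, INNER_RTO0
    redundant = 0                  # inner retransmissions of data the outer TCP still held
    outer_q = deque()              # copies queued at the outer TCP (tcp carrier only)
    outer_sent_at, outer_rto = None, OUTER_RTO0
    expected = 0                   # receiver's next expected inner seq
    finished_at = None

    def wire(arrival_tick, s, c):
        """Place one frame on the raw link; it arrives unless the schedule drops it."""
        nonlocal wire_tx
        wire_tx += 1
        if not next(losses, False):
            link.append((arrival_tick, "data", s, c))

    for t in range(max_ticks):
        due = [e for e in link if e[0] == t]
        link = [e for e in link if e[0] != t]
        for _, kind, s, c in due:
            if kind == "data":
                if carrier == "tcp":
                    link.append((t + 1, "outer_ack", s, c))
                if s == expected:
                    expected += 1
                link.append((t + 1, "inner_ack", s, c))  # duplicates are acked too
            elif kind == "outer_ack":
                outer_q.popleft()                          # outer delivered its head frame
                outer_sent_at, outer_rto = None, OUTER_RTO0
            elif kind == "inner_ack" and s == seq:
                seq += 1
                inner_sent_at, inner_rto = None, INNER_RTO0
        if seq == segments:
            finished_at = t
            break

        # Inner sender: first transmission, or retransmission on timeout.
        send = inner_sent_at is None
        if not send and t - inner_sent_at >= inner_rto:
            send = True
            inner_rto *= 2                                 # exponential backoff
            # Over a TCP carrier the earlier copy is still queued or in flight and
            # the outer TCP guarantees its delivery, so this retransmission is waste.
            if carrier == "tcp" and any(s == seq for s, _ in outer_q):
                redundant += 1
        if send:
            inner_tx += 1
            inner_sent_at = t
            copy += 1
            if carrier == "udp":
                wire(t + 1, seq, copy)
            else:
                outer_q.append((seq, copy))

        # Outer TCP: (re)transmit the head of its queue with its own backoff.
        if carrier == "tcp" and outer_q:
            timed_out = outer_sent_at is not None and t - outer_sent_at >= outer_rto
            if outer_sent_at is None or timed_out:
                if timed_out:
                    outer_rto *= 2
                outer_sent_at = t
                wire(t + 1, *outer_q[0])

    return {
        "inner_transmissions": inner_tx,
        "wire_frames": wire_tx,
        "redundant_inner_retransmissions": redundant,
        "finished_at": finished_at,
    }


if __name__ == "__main__":
    LOSS = [False, True, True, True, True]   # constructed: a burst of four losses
    for carrier in ("udp", "tcp"):
        print(carrier, simulate(carrier, LOSS))
```

With the constructed burst of four consecutive losses, the UDP carrier puts 7 frames on the wire and none of the inner sender's retransmissions is wasted, while the TCP carrier puts 10 frames on the wire and 4 of the inner retransmissions are redundant; the last of them is triggered purely by the stale copies of segment 1 being drained ahead of segment 2. Finish time in this toy depends entirely on the invented RTO constants, so it says nothing about throughput; the redundant copies and the head-of-line queueing behind them are the point, and they are exactly the "multiple flows and TCP timers" interaction that is painful to debug on a real tunnel.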