Scalable Public Key Infrastructure for both OpenSWAN and OpenVPN


elsiddik

Nov 25, 2007, 10:44:40 AM
to unix
User management and the related cryptographic authentication
infrastructure is a major hurdle in deploying scalable, manageable
VPNs (Virtual Private Networks). After introducing VPNs and Public Key
Infrastructure (PKI) and discussing some of the benefits and
challenges of two popular VPN implementations, we'll document how to
build a scalable PKI to simplify VPN authentication management.

Two major pieces of FOSS (Free and Open Source Software) for VPNs are
OpenSWAN and OpenVPN. Generally speaking, OpenSWAN is lighter weight,
faster, and largely interoperable with other IPSec (IP Security)
implementations. For example, if you need to connect to a Cisco or a
Linksys, OpenSWAN is recommended. OpenVPN, on the other hand, provides
free client software for Linux, Windows and Mac OS and better server-side
management of the client-side network configuration (e.g., when the users
are non-technical and need some networking tweaks); you can also
change the port to bypass non-standard firewall configurations, and
even change the MTU (Maximum Transmission Unit) easily in case an
intermediate gateway is acting funny.

Frequently it is necessary to support both implementations on a VPN
server because of the advantages that each confers. But then one can
quickly get an unscalable nightmare with a PKI per software and per
client. This article will document a simple, single PKI infrastructure
to manage all your users and their VPN connections with support for
both OpenSWAN and OpenVPN.

Read the full article at: http://www.debian-administration.org/articles/563


zaher el siddik
http://www.unixshells.nl/
http://elsiddik.blogspot.com/