The FreeBSD Corporate Networker's Guide

Frequently Asked Questions


I glanced through the TOC at the publisher's site, and there doesn't seem to be anything present about VPNs (which is one of my primary interests). Is there any meaningful coverage re: VPNs (Virtual Private Networks)?

Not really. I had originally planned on it, but according to the first round of reviewers, it's too advanced a topic for the book. The book is really aimed at the beginning to intermediate FreeBSD administrator. There have been a few requests for a more advanced FreeBSD networking handbook that specifically covers those areas, and I've been doing some preliminary work aimed at putting something like this together for my own use. I may put some of this up on the Web site in the Tech Notes section.

Historically, UNIX/FreeBSD VPNs generally fell into one of these 4 categories:

  • Encrypted tunnels using PPP-over-TCP/IP plus OpenSSH or unencrypted tunnels using just PPP-over-TCP/IP. This works, but the performance is jerky - TCP encapsulated within TCP is a performance killer.
  • Various PPTP stuff. This is unencrypted, client-to-server stuff, primarily for Windows connectivity. There are 2 PPTP programs in the ports that handle this. They are poptop-1.0.0, which is a Windows 9x compatible PPTP (VPN) server, and pptpclient-1.0.2, which is a PPTP client for establishing a VPN link with an NT server. The problem here is that the licensing morass that is Microsoft will never permit this stuff to become integrated in the base FreeBSD distribution. Besides which, this is really only good for dynamic, client-server VPNs, not LAN2LAN VPNs.
  • Sun wrote a VPN program and protocol called SKIP. This worked from FreeBSD 2 up to FreeBSD version 4, then broke. While the code for SKIP is available, it's totally proprietary and was never standardized.
  • There's a program in the Ports called Vtun which originated on Linux but works very well for VPNs constructed with FreeBSD (or Linux) servers on both ends.

The biggest problem with all these methods is interoperability - they are all specialty solutions. As a result, more and more interest has been created in IPSec. A good starting point is a tutorial on getting IPSec running between a Windows 2K system and a FreeBSD system at http://www.daemonnews.org/200101/ipsec-howto.html. IPSec also works with Cisco routers.

With the release of FreeBSD 5.0, there are now 2 additional VPN standards that have been badly needed. The first is GRE. While GRE tunnels are often derided as unencrypted and subject to certain MTU restrictions, they are simple to set up, are not restricted to carrying specific protocols, and work very well in specific situations. Cisco also supports them on its plain, non-encrypting IOS.
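The two GRE caveats above (no encryption, and a reduced tunnel MTU) are easy to see in the encapsulation itself. The following is an added example, not code from the book or its site: it builds a minimal IPv4-in-GRE packet (RFC 2784 base header, no checksum/key/sequence options) with constructed addresses and payload, and shows that the inner payload is carried in the clear and that 24 bytes of headers come off the usable MTU. Header sizes and the experimental inner protocol number 253 are assumptions of this example.

```python
import struct

# Sizes that drive the GRE MTU restriction (assumed, standard values):
IPV4_HEADER_LEN = 20   # outer IPv4 header, no options
GRE_HEADER_LEN = 4     # RFC 2784 base header: flags/version + protocol type, no optional fields
GRE_IP_PROTO = 47      # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800

def ipv4_header(src, dst, proto, total_len, df=False):
    """Minimal IPv4 header (no options). The checksum is left at zero: this is a
    size/visibility illustration, not a packet meant to be put on the wire."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, 0, flags_frag,
                       64, proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def inner_packet(src, dst, payload, df=False):
    """Constructed inner IPv4 packet carrying an arbitrary payload (protocol 253, experimental)."""
    return ipv4_header(src, dst, 253, IPV4_HEADER_LEN + len(payload), df) + payload

def gre_encapsulate(inner, outer_src, outer_dst):
    """Wrap an IPv4 packet in GRE plus an outer IPv4 header, as a tunnel endpoint would."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S bits set, version 0
    total = IPV4_HEADER_LEN + GRE_HEADER_LEN + len(inner)
    return ipv4_header(outer_src, outer_dst, GRE_IP_PROTO, total) + gre + inner

def tunnel_mtu(path_mtu):
    """Largest inner packet that fits without fragmenting the outer packet."""
    return path_mtu - IPV4_HEADER_LEN - GRE_HEADER_LEN

def fits_unfragmented(inner, path_mtu):
    """True if the encapsulated packet fits the path MTU; an inner packet with DF set
    that does not fit would have to be dropped (ICMP 'fragmentation needed')."""
    return len(gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")) <= path_mtu

def payload_visible(encapsulated, payload):
    """GRE adds no confidentiality: the inner payload appears verbatim in the outer packet."""
    return encapsulated.find(payload) != -1

if __name__ == "__main__":
    pkt = inner_packet("10.0.0.5", "10.0.1.9", b"GET /index.html", df=True)
    outer = gre_encapsulate(pkt, "192.0.2.1", "198.51.100.1")
    print("tunnel MTU at path MTU 1500:", tunnel_mtu(1500))
    print("payload visible in tunnel packet:", payload_visible(outer, b"GET /index.html"))
```

On an Ethernet path MTU of 1500 the usable inner MTU drops to 1476, which is why a GRE tunnel interface is normally configured with a smaller MTU or relies on path MTU discovery working end to end.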

The second standard is L2TP. Originally, there was (and still is) some old l2tp code on http://www.marko.net that will compile on FreeBSD 2.X (with some tweaks). With FreeBSD 5.0, L2TP support is implemented in a Netgraph module. L2TP originated with support of remote terminal servers and is also supported in the newest Microsoft Windows operating systems.



© Copyright 2000-2003 Ted Mittelstaedt. All rights reserved.