LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 11-30-2012, 01:28 PM   #1
Skaperen
Why are VPNs so hard to get set up?


Personally I have done few VPN setups and mostly I've not had too many troubles. But colleagues are often setting them up for various reasons, and troubles seem to always be there. Usually it is getting all the configurations just right so everything works everywhere. Though the first VPN being set up often does have problems, the real nightmares begin once a 2nd or 3rd VPN is configured.

It's not a case of just network configuration woes. VPN troubles tend to be 30 or more times worse. And this seems to be across the board from open VPNs to proprietary VPNs. And that's not even counting all the compatibility problems that exist where some VPN appliance, or router, or software, will just not communicate with some other because there is no common ground on supported protocols or supported authentication.

I'd like to get some input on this. Are there TECHNICAL reasons for these problems to be so extensive? If so, is it more about networking issues themselves, or is it about the security?

Comments about "IWFM ... I set one up and it works" probably don't add info ... I've gotten them to "just work", too. But that seems to generally happen well when using the same thing (appliance, router, software) on both ends. Do you have any "magic" for making a VPN "just work" when dealing with two completely different kinds of things on each end?

Right now, where it can be used, I use "ssh -w" to set up tunnels. It "just works" because I've figured out the template to make it work, and I'm only using it between hosts where ssh exists. But I can't just use ssh everywhere. Sometimes the other end is something else someone else uses, or someone else decided I had to use (I hate when that happens). Maybe I need to communicate with a router I have zero access on instead of another host I have root access on.

Is there anything the world can do to make VPNs work better, easier?
 
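The "ssh -w" tunnel the original poster says he uses, written out as a script. This is an added example, not Skaperen's own template and not part of the thread. It assumes root on both ends (creating a tun device needs CAP_NET_ADMIN), a remote sshd configured with "PermitTunnel point-to-point" (or "yes"), and placeholder values for the peer host name, the tun unit numbers and the point-to-point addresses; all of those are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example: a scripted "ssh -w" point-to-point tunnel of the kind the
# post describes. Not from the original thread. Assumptions (placeholders):
#   - you are root on both ends (tun devices need CAP_NET_ADMIN),
#   - the remote sshd has "PermitTunnel point-to-point" (or "yes"),
#   - REMOTE, the tun unit numbers and the /30 addresses below are examples.
set -eu

REMOTE="${REMOTE:-root@vpn-peer.example}"   # assumed placeholder host
LOCAL_TUN="${LOCAL_TUN:-0}"                 # local unit number  -> tun0
REMOTE_TUN="${REMOTE_TUN:-0}"               # remote unit number -> tun0 there
LOCAL_ADDR="${LOCAL_ADDR:-10.99.0.1}"       # assumed point-to-point pair
REMOTE_ADDR="${REMOTE_ADDR:-10.99.0.2}"
TUN_MTU="${TUN_MTU:-1400}"                  # headroom for ssh + TCP + IP overhead

# Pure argument check (no side effects): tun units must be non-negative
# integers and the two addresses must be distinct dotted quads.
# Returns 0 when acceptable, 1 otherwise.
tunnel_args_ok() {
    case "$1" in ''|*[!0-9]*) return 1;; esac
    case "$2" in ''|*[!0-9]*) return 1;; esac
    case "$3" in *.*.*.*) ;; *) return 1;; esac
    case "$4" in *.*.*.*) ;; *) return 1;; esac
    [ "$3" != "$4" ]
}

# The ssh options, in one place so they can be logged or reviewed before use.
# Tunnel=point-to-point requests a layer-3 tun (not a tap); the keepalives
# make a dead link fail fast instead of leaving a silent, half-dead tunnel.
ssh_tunnel_opts() {
    base='-o Tunnel=point-to-point -o ServerAliveInterval=15 -o ServerAliveCountMax=3'
    printf '%s -w %s:%s -f' "$base" "$1" "$2"
}

# Command run on the remote end: bring up its tun, address it, then keep the
# session open. sshd destroys the tun when the session ends, so the remote
# command must not exit. Args: remote unit, mtu, remote addr, local addr.
remote_side_cmd() {
    printf 'ip link set tun%s up mtu %s && ip addr add %s peer %s dev tun%s && while :; do sleep 3600; done' \
        "$1" "$2" "$3" "$4" "$1"
}

tunnel_up() {
    tunnel_args_ok "$LOCAL_TUN" "$REMOTE_TUN" "$LOCAL_ADDR" "$REMOTE_ADDR" || {
        echo "bad tunnel arguments" >&2; return 1; }
    # ssh -f returns once authenticated and the tun channel is open, so the
    # local tunN exists after this line. If sshd has PermitTunnel no, the
    # tun channel is refused and the remote ip commands never run; rerun
    # with -v to see the refusal.
    # shellcheck disable=SC2046  (no option token contains whitespace)
    ssh $(ssh_tunnel_opts "$LOCAL_TUN" "$REMOTE_TUN") "$REMOTE" \
        "$(remote_side_cmd "$REMOTE_TUN" "$TUN_MTU" "$REMOTE_ADDR" "$LOCAL_ADDR")"
    ip link set "tun${LOCAL_TUN}" up mtu "$TUN_MTU"
    ip addr add "$LOCAL_ADDR" peer "$REMOTE_ADDR" dev "tun${LOCAL_TUN}"
    # Prove the tunnel carries traffic before routing anything over it.
    ping -c 3 -W 2 "$REMOTE_ADDR" >/dev/null
    echo "tunnel up: ${LOCAL_ADDR} <-> ${REMOTE_ADDR} via tun${LOCAL_TUN}"
}

# Only act when explicitly asked (RUN_TUNNEL=1 ./tunnel.sh); sourcing or
# testing the file must not start ssh.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    tunnel_up
fi
```

The two things that usually break this recipe are the remote sshd not permitting tun forwarding and the remote command exiting (which tears the tunnel down), so the script keeps the remote session alive on purpose and checks the link with a ping before declaring success. Routes over the tunnel are deliberately not added here; add them once the ping succeeds.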
Old 12-19-2012, 03:22 AM   #2
solarisguy
Quote: Originally Posted by Skaperen (post #1, quoted in full)

OpenVPN makes life much easier. Certificates can be a bit tricky, but there is lots of information available on how certs work.

VPNs are complex due to the variety of public networks they traverse, a wide variety of hardware vendors, and many different encryption algorithms on top of different protocols. There are three major protocols that I see used (PPTP, L2TP, IPSEC) with a multitude of encryption algorithms running on top of the tunnel. Once you really dig into the network side of things, it becomes quite evident why it is so tricky for the uninitiated. I manage VPNs for thousands of sites in a nationwide network, so I'm quite familiar with VPN technology and the challenges that come with it.

First recommendation: choose one vendor, and standardize on it (as well as platform and firmware revision, if possible). Some vendors are not 100% standards compliant, so interoperability between vendors may be an unnecessary or untenable difficulty.

Second: Decide which tunnel technology you want to use. IPSEC over GRE works well and is a very common implementation for site-to-site VPN. OpenVPN servers also do this very well, both for routing and bridging, using UDP or TCP (I recommend using TCP due to the elusive issues that can occur due to fragmenting encrypted packets over UDP; reassembly is nearly impossible in many scenarios).

Third: Choose an encryption scheme. AES-256 or 512 is quite secure and fast on modern VPN platforms.

Fourth: Develop a template and STICK TO IT, or revise it globally. Managing a single template across multiple sites is much easier than managing multiple one-offs.
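The reply's fourth point (one template, applied everywhere) with OpenVPN, which it recommends, as an added example rather than solarisguy's own configuration: a client config rendered per site from a single template, and a lint that rejects any config that has drifted from it. The server name hq.example.net, the /etc/openvpn/<site>/ key layout, the ports and the AES-256-GCM choice are assumptions for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original reply: one shared OpenVPN client
# template rendered per site, plus a lint that rejects any config that drifts
# from the template. Assumed placeholders: the server name, the
# /etc/openvpn/<site>/ key layout and the ports.
set -eu

# The template's single data cipher and HMAC: AES-256, as the reply suggests,
# in its GCM (AEAD) mode, so there is exactly one choice to keep identical
# on every site.
VPN_CIPHER="AES-256-GCM"
VPN_AUTH="SHA256"

# Render a client config: $1 site name, $2 server host, $3 proto (udp|tcp),
# $4 port. Writes the config to stdout; returns 1 on an unsupported proto.
render_site_config() {
    site=$1; server=$2; proto=$3; port=$4
    case "$proto" in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp, got '$proto'" >&2; return 1;;
    esac
    cat <<EOF
# site: $site  (rendered from the shared template; edit the template, not this file)
client
dev tun
proto $proto
remote $server $port
nobind
persist-key
persist-tun
# assumed per-site material under /etc/openvpn/$site/ (placeholder layout)
ca /etc/openvpn/$site/ca.crt
cert /etc/openvpn/$site/client.crt
key /etc/openvpn/$site/client.key
tls-crypt /etc/openvpn/$site/tc.key
remote-cert-tls server
cipher $VPN_CIPHER
auth $VPN_AUTH
verb 3
EOF
    # Over UDP, clamp the TCP MSS inside the tunnel so the encrypted datagrams
    # stay under the path MTU; that is the fragmentation problem the reply
    # describes. OpenVPN applies mssfix to UDP only, so it is omitted for TCP.
    if [ "$proto" = udp ]; then
        printf 'mssfix 1400\n'
    fi
}

# Lint a config read from stdin: each required directive must appear at the
# start of a line exactly as the template writes it. Prints what is missing
# and returns 1 if anything is; returns 0 for a conforming config.
lint_config() {
    cfg=$(cat)
    rc=0
    for req in "cipher $VPN_CIPHER" "auth $VPN_AUTH" "remote-cert-tls server" \
               "tls-crypt " "dev tun" "persist-tun"; do
        printf '%s\n' "$cfg" | grep -q -- "^$req" || { echo "missing: $req" >&2; rc=1; }
    done
    return "$rc"
}

# Usage: render_site_config branch-17 hq.example.net udp 1194 > branch-17.conf
#        lint_config < branch-17.conf
```

The lint is what makes the template stick: run it over every deployed config (for example from cron or a pre-commit hook) and a site whose cipher, HMAC, tls-crypt key or server-certificate check was hand-edited away shows up as a "missing:" line instead of as a one-off that only fails when the next template revision rolls out.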