Can't find suitable firewall/VPN software for dynamic IPs


Post by k.. » Tue, 10 Feb 2004 06:28:57



Is there _any_ open source firewall solution that provides VPN endpoints
with dynamic IPs, and supports Microsoft (or free) VPN clients for Windows
XP?

I've been asked to build a software firewall for a small business network.
I can't seem to find anything Linux (or equiv.) based, that meets my needs,
which are:

- it should provide NAT service for outbound connections, although I do NOT
need it to provide DHCP or DNS services.  So far no problem.  Smoothwall,
e.g., handles this nicely.

- must act as a VPN endpoint (i.e., NOT passthrough) for the local network,
providing remote access for remote Windows XP Pro workstations using
Microsoft VPN clients.  

- must support VPN with dynamic IP on both ends.  Most Linux firewalls only
support IPsec, and hence static IPs; I think we're down to PPTP and L2TP.
This blows it for  ITShield, too; for some crazy reason, even though it
supports PPTP, it requires a static IP.  Those things ain't cheap.  

- do NOT want to use pinholes or VPN pass-through; i.e., no direct access
to internal systems by any clients not authenticated to the firewall.  I
can buy a cheap hardware firewall if I'm just going to poke holes in it.

- must be quick and easy to set up.  The client won't pay for a day's worth
of my time to figure out unmaintainable patches, scripts, etc.

What I really want is a 386 ISO image with PoPToP already incorporated, I
think.  Nothing of the sort seems to exist.

Before people rag on me about PPTP security, let's be clear about whether
we're talking about PPTP v1 or v2; it makes a big difference.  With a
firewall endpoint, I control the passwords; they're good, and used nowhere
else.  And if anybody's got a better solution for dynamic IPs, I'm
listening.

BTW, there's one other solution I might possibly use in this situation: an
HTTP/HTTPS inbound proxy server -- since all I _really_ need right now is
to allow secure remote access to a web-based app running on a Win2K server.
Do such beasts really exist, or would I need some sort of stateful
inspection?  Using MS' IIS on that server is not an option I want to think
about.

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535

www.kmsi.net

 
 
 


Post by k.. » Wed, 11 Feb 2004 00:19:03




>says...
>> Is there _any_ open source firewall solution that provides VPN endpoints
>> with dynamic IPs, and supports Microsoft (or free) VPN clients for Windows
>> XP?
>...
>A simple Linksys VPN router will do all of this and more. The VPN routers
>allow IPSec over dynamic IP's using the user name and key method.
>--

Personally, if I were going hardware, I'd use a Netopia -- say, their
3381-ENT.  It's more flexible.

But I wanted an open source software-based solution, and although I see plenty
of mention of dynamic DNS, I see little about dynamic IPs for VPN
endpoints.

For example, the SmoothWall FAQ says:

><   Pre-shared Key (PSK/Shared Secret) authentication and Dynamic IP
><   addresses are not compatible. This is a general VPN issue and is
><   not specific to SmoothWall systems.
and:
><   The SmoothTunnel and SmoothNode VPN Add-On modules for Corporate
><   Server both support dynamic IP addresses.

Admittedly, I wasn't really thinking of IPsec with dynamic IPs, although
it's an intriguing possibility.  But I don't see any simple, open source
solutions for that, either.  

The hardware firewall solution certainly looks better at the moment.

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535

www.kmsi.net

 
 
 


Post by James Knot » Wed, 11 Feb 2004 10:48:56



> Is there any open source firewall solution that provides VPN endpoints
> with dynamic IPs, and supports Microsoft (or free) VPN clients for Windows
> XP?

> I've been asked to build a software firewall for a small business network.
> I can't seem to find anything Linux (or equiv.) based, that meets my needs,
> which are:

I use CIPE, which works well.  I've always used it with dhcp at both ends.  
The fact that it's dhcp is irrelevant, provided you have a known &
consistent host name.

--

Fundamentalism is fundamentally wrong.


james.knott.
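
One way to act on the point in the post above, that a dynamic address is workable when the peer has a known and consistent host name (an added example, not part of the original post and not CIPE's own tooling): a cron-driven POSIX shell script that re-resolves the peer's name and moves an iptables allow rule to the new address. The host name `peer.example.net`, UDP port 9999, the state-file path and the choice of iptables are assumptions; the rule only narrows who can reach the tunnel port, and the tunnel's own key still does the authentication.

```sh
#!/bin/sh
# Added example: keep a firewall allow rule for a VPN peer in step with the
# peer's dynamic-DNS host name. Host name, port and state file are assumptions.
PEER_HOST="${PEER_HOST:-peer.example.net}"    # hypothetical dynamic-DNS name
VPN_PORT="${VPN_PORT:-9999}"                  # hypothetical UDP tunnel port
STATE_FILE="${STATE_FILE:-/var/run/vpn-peer.ip}"

# Succeed only for a plain dotted quad, so a bogus or hostile DNS answer
# never ends up inside a firewall command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# plan_update OLD NEW PORT: print the rule changes that move the allow rule
# from OLD (may be empty) to NEW. Prints nothing when the address is unchanged.
plan_update() {
    valid_ipv4 "$2" || { echo "refusing invalid address: $2" >&2; return 2; }
    [ "$1" = "$2" ] && return 0
    # Add the new rule before dropping the old one, so the peer is never locked out.
    echo "iptables -I INPUT -p udp -s $2 --dport $3 -j ACCEPT"
    if [ -n "$1" ] && valid_ipv4 "$1"; then
        echo "iptables -D INPUT -p udp -s $1 --dport $3 -j ACCEPT"
    fi
}

# First IPv4 address the resolver returns for the peer's host name.
resolve_peer() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Run from cron as root with --apply. A failed lookup leaves the old rule alone.
if [ "${1:-}" = "--apply" ]; then
    old="$(cat "$STATE_FILE" 2>/dev/null)"
    new="$(resolve_peer "$PEER_HOST")"
    plan="$(plan_update "$old" "$new" "$VPN_PORT")" || exit 1
    [ -z "$plan" ] && exit 0
    echo "$plan" | sh && echo "$new" > "$STATE_FILE"
fi
```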

 
 
 


Post by Chri » Sat, 13 Mar 2004 03:00:00





>>says...

>>>Is there _any_ open source firewall solution that provides VPN endpoints
>>>with dynamic IPs, and supports Microsoft (or free) VPN clients for Windows
>>>XP?

>>...
>>A simple Linksys VPN router will do all of this and more. The VPN routers
>>allow IPSec over dynamic IP's using the user name and key method.
>>--

> Personally, if I were going hardware, I'd use a Netopia -- say, their
> 3381-ENT.  It's more flexible.

> But I wanted an open source software-based solution, and although I see plenty
> of mention of dynamic DNS, I see little about dynamic IPs for VPN
> endpoints.

> For example, the SmoothWall FAQ says:

>><   Pre-shared Key (PSK/Shared Secret) authentication and Dynamic IP
>><   addresses are not compatible. This is a general VPN issue and is
>><   not specific to SmoothWall systems.

> and:

>><   The SmoothTunnel and SmoothNode VPN Add-On modules for Corporate
>><   Server both support dynamic IP addresses.

> Admittedly, I wasn't really thinking of IPsec with dynamic IPs, although
> it's an intriguing possibility.  But I don't see any simple, open source
> solutions for that, either.  

> The hardware firewall solution certainly looks better at the moment.

Have you looked at m0n0wall?  It's FreeBSD based, which originally
caused me some skepticism, but I'm using it as my FW appliance now.
EXTREMELY nice.  High-powered for $0.  (Unbelievable)  Comes with an
ISO if you want to run on commodity PC HW (read "junk 486 with two
NICs"), or will run with a nice footprint using Soekris Engineering
boards.  I didn't read all your requirements, but I think you would be
surprised.  Blows Smoothwall out of the water IMO.  OTS fw/routers
(Linksys, Netgear, etc.) don't even compare.

http://m0n0.ch/wall
http://www.soekris.com

-ceo

 
 
 
