From: Brian (blanda_at_mnsi.net)
Date: Wed Sep 11 2002 - 06:14:49 CEST
I am running FreeS/Wan and it's working great here...
-----Original Message-----
From: users-admin_at_lists.freeswan.org
[mailto:users-admin_at_lists.freeswan.org]On Behalf Of Ken Price
Sent: Tuesday, September 10, 2002 7:28 PM
To: users_at_lists.freeswan.org
Subject: RE: [Users] Is a VPN appliance better than FreeS/WAN for an
ADSL at home?
I want to thank everyone for your responses and opinions on the Linksys
router ... Ken, your site is invaluable. Joe, you are exactly right. I've
been playing with a few FreeS/WAN tunnels today and noticed that ALL had the
same timeout problem - and only one is ADSL. Then I realized that it *WAS*
in fact a stateful packet filtering issue. While I allow related and
established packets into the INPUT chain, I wasn't allowing *NEW*
connections (for obvious reasons). Once I allowed connections explicitly
from the other FreeS/WAN gateway(s), all was well in the world once more
:-)
I'll continue to test over the next week before I push into production, but
it's a beauty right now.
With the speed issue, I'll just have to play around a bit more with the
486/66. It's held in there for so long that I just don't have the heart to
mothball it!
Ken Price
AgentWare, Inc.
kprice_at_agentware.net
-----Original Message-----
From: Joe Patterson [mailto:jpatterson_at_asgardgroup.com]
Sent: Tuesday, September 10, 2002 7:16 PM
To: Ken Price; users_at_lists.freeswan.org
Subject: RE: [Users] Is a VPN appliance better than FreeS/WAN for an
ADSL at home?
I run a lot of freeswan tunnels, and I have very few lockups like you're
talking about.
My first suspicion, and what I would look at before giving up on Freeswan,
is that you have a netfilter/iptables stateful firewalling problem.
I've written about this before, first at
http://lists.freeswan.org/pipermail/users/2001-October/004493.html.
It may not apply to you, but take a look at your firewall config anyway.
Make sure you have udp 500 and ip proto 50 specifically allowed inbound and
outbound on both sides. In general, I've found freeswan tunnels (after
getting my firewalling right) to be extremely stable and maintenance-free.
As for speed, with the limited hardware you have, you're only going to be
able to do one or two Mbit/sec with 3des. AES could speed that up a bit.
Then again, I'm not sure what the performance of the linksys vpn will be.
Probably fairly good, since I believe they're doing their 3des in asic
hardware, but I don't know.
-Joe
> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Ken Price
> Sent: Tuesday, September 10, 2002 12:08 PM
> To: users_at_lists.freeswan.org
> Subject: [Users] Is a VPN appliance better than FreeS/WAN for an ADSL at
> home?
>
>
>
> I'm in the planning stage of setting up several VPNs for my company. One of
> which being from the Office to my home LAN. I've been testing FreeS/WAN
> over the last 2 weeks and am quite frustrated by how often the link dies if
> idle (ADSL with static IP). The only way to get it working again is to ping
> hosts from both sides, which kinda defeats the purpose. On top of that, my
> home firewall (486/66 with 24Mb RAM, RedHat 7.3) that FreeS/WAN is running
> on is starting to feel the strain of IPSEC plus PPPoE and can't utilize all
> available DSL bandwidth through the VPN tunnel. So, as far as the annoying
> ADSL disconnects go, will a VPN Firewall appliance such as the Linksys
> BEFVP41 help eliminate those? Or at least handle them more eloquently?
>
> FYI- I'm running RedHat7.3 with Ken's RPMS from freeswan.ca on both
> gateways: Freeswan-1.98b plus x509 for Kernel 2.4.18-5
>
> Thank you, everyone, for your replies.
>
>
> Ken Price
> AgentWare, Inc.
> kprice_at_agentware.net
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>
>
This archive was generated by hypermail 2.1.4 : Thu Sep 12 2002 - 05:20:02 CEST
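
The firewall change discussed in this thread, as an added example that is not part of the original messages: an INPUT chain that accepts only ESTABLISHED,RELATED traffic, next to explicit rules for udp 500 and ip proto 50 to and from the other gateway. The function names, the `IPT` dry-run variable and the peer address 203.0.113.10 (a documentation address) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry run by default: the iptables
# commands are printed. Set IPT=iptables and run as root to apply them.
IPT="${IPT:-echo iptables}"

# Baseline like the one Ken describes: only replies to existing flows get in.
# Once conntrack has forgotten an idle tunnel, the peer's next IKE or ESP
# packet is classified as NEW and this rule no longer matches it.
stateful_baseline() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Explicitly allow IKE (udp 500) and ESP (ip proto 50) to and from one peer
# gateway, whatever the connection state, inbound and outbound.
allow_ipsec_peer() {
    peer="$1"
    # Refuse empty input or anything containing characters other than
    # digits and dots, so a bad argument never reaches iptables.
    case "$peer" in
        ''|*[!0-9.]*) echo "bad peer address: $peer" >&2; return 1 ;;
    esac
    $IPT -A INPUT  -p udp -s "$peer" --sport 500 --dport 500 -j ACCEPT
    $IPT -A OUTPUT -p udp -d "$peer" --sport 500 --dport 500 -j ACCEPT
    $IPT -A INPUT  -p 50  -s "$peer" -j ACCEPT
    $IPT -A OUTPUT -p 50  -d "$peer" -j ACCEPT
}

# Full rule set: per-peer IPsec rules first, then the stateful rule.
# Run the same thing on the other gateway with the addresses swapped.
build_rules() {
    for gw in "$@"; do
        allow_ipsec_peer "$gw" || return 1
    done
    stateful_baseline
}

# Constructed peer address (RFC 5737 documentation range).
build_rules 203.0.113.10
```

The rules are scoped to the peer's source address, so the chain still refuses NEW connections from everyone else.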