[Openswan Users] Ideal VPN for this wireless deployment?
Ryan Verner
xfesty at computeraddictions.com.au
Sat May 22 19:03:54 CEST 2004
Howdy,
I'm currently investigating several VPN solutions for particular
wireless deployments. IPSec is probably suited, although confirmation
from others is something I'd really appreciate.
(I'm assuming this project is the logical continuation of FreeS/WAN, now
that the project has ceased? Is this the best IPSec solution to be
running on Linux 2.4?)
Currently, I'm using pptpd (poptop) + pptp-linux for most of these
links. I toyed with FreeS/WAN back in 2002, and it didn't seem to deal
with packet loss very well, whereas pptpd did.
These deployments are usually point to point, and have a Linux box
either side running a 2.4 kernel. My requirements are:
* Needs to be able to deal with small amounts of packet loss (1%) - that
is, tunnels remain robust for large periods of time, and don't die
randomly
* Not hugely CPU intensive; i.e. can run tunnels on older Pentium
machines without having resources fly out the window.
* Crypto doesn't eat up a lot of bandwidth overhead; that is, I don't
want a 600kb/sec link to turn into a 200kb/sec one :-(
* Linux client/server
* Crypto is strong enough not to allow trivial cracking.
Things I'd like, but aren't essential:
* Can handle many (i.e. 50-100) connections
* In the case of point->point, can tunnel broadcast stuff directed at
the subnet
* Plays with ospfd nicely
* Has Windows / OSX clients - sometimes, clients will want to jump on
the VPN directly.
* Encrypts everything within the tunnel, not just the content of
packets.
Right now, I'm on a ~10km wireless link which is doing around
600kb/sec. There's a Pentium 100 at one end; with a pptp connection
doing mppe-128, I'm finding I can get around 450kb/sec, although the
pptp daemon does eat up 85% CPU :-)
Obviously though, PPTP itself is flawed, and the pptpd daemon does do
weird things and connections have to be restarted manually often. It's
the best solution I've tried so far, though.
I realise (I think?) that some IPSec implementations can be tuned for
higher/lower crypto levels. Is it possible to run at a lower crypto
level (so bandwidth is maximised), but 'cycle' the keys or whatever is
used at particular periods without dropouts?
Thanks,
R
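On the key-cycling question in the last paragraph: in IPsec the cipher choice affects CPU load, not link bandwidth (the per-packet ESP header and trailer cost is the same whichever cipher is used), and key rotation is handled by SA lifetimes, which the initiator renegotiates before expiry so traffic is not interrupted. The following ipsec.conf connection is an added illustration of that rekey-before-expiry setup, not from this post or the Openswan project; the connection name, hostnames and addresses are made up.

```conf
# Added example: point-to-point tunnel between two Linux gateways,
# tuned so keys rotate regularly without the tunnel dropping.
conn site-a-to-site-b
        type=tunnel
        authby=secret              # PSK from /etc/ipsec.secrets (constructed example)
        left=192.0.2.1             # gateway A, documentation address
        leftsubnet=10.1.0.0/24     # LAN behind A (made up)
        right=198.51.100.2         # gateway B, documentation address
        rightsubnet=10.2.0.0/24    # LAN behind B (made up)
        ike=aes128-sha1-modp1024   # phase 1: AES-128 is cheap on old CPUs, unlike 3DES
        esp=aes128-sha1            # phase 2: same cipher for the data path
        pfs=yes                    # fresh DH exchange on every rekey
        ikelifetime=4h             # phase 1 (ISAKMP SA) lifetime
        keylife=1h                 # phase 2 (IPsec SA) lifetime: keys rotate hourly
        rekey=yes                  # renegotiate instead of letting the SA expire
        rekeymargin=9m             # start rekeying 9 minutes before keylife runs out
        rekeyfuzz=100%             # randomise the margin so both ends do not collide
        dpddelay=30                # dead peer detection keeps a lossy link honest:
        dpdtimeout=120             # declare the peer dead after 120 s of silence
        dpdaction=restart          # ...and bring the tunnel back up automatically
        auto=start
```

Because the new SA is negotiated while the old one is still valid, the rekey itself causes no packet loss; dropouts on a lossy link come from a peer that silently dies, which is what the DPD settings catch.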