From owner-freebsd-net@FreeBSD.ORG Tue Mar 19 07:21:31 2013
Message-ID: <514811F1.4060706@norma.perm.ru>
Date: Tue, 19 Mar 2013 13:21:21 +0600
From: "Eugene M. Zheganin" <emz@norma.perm.ru>
To: freebsd-net@freebsd.org
Subject: Re: mpd5 and multiple route to send to clients
References: <9EC8E2D3-A52B-4FF1-B840-3D962DF8D917@gmail.com> <5147EE5D.5070203@norma.perm.ru> <1306548A-C393-44DF-9B8D-9A34D806622E@gmail.com>
In-Reply-To: <1306548A-C393-44DF-9B8D-9A34D806622E@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi.
On 19.03.2013 12:56, Yoann Gini wrote:
> Even if it's not built into the L2TP / PPTP standard, the rest of the world does it, and needs it by the way. Using the VPN gateway as a default one is not acceptable when it's made to secure access to specific resources only (i.e. split tunneling); as a provider, I don't want to handle all network traffic from road-warriors, I don't care about their Facebook traffic, I just want their corporate one.

No questions here, this feature is highly demanded, but still, standard PPTP/L2TP implementations just don't support it by design.

> With VPN also regularly comes VPN on Demand, a setting on the client side allowing the system to automatically start a VPN connection when the user requests a specific domain (like private.example.com). And if the authentication is fully based on certificates, the user doesn't see any authentication request.
>
> This kind of highly demanded feature today can't be addressed if at the beginning we don't have split tunneling...
>
> Well, that's a big big problem for me and forces me to review all my plans about this network and also about my OS X Server replacement project made from a standard FreeBSD...

Of course there are many VPN implementations that support this feature. But most of them are not compatible with each other, or just aren't available on some platforms. There are lots of modern fancy SSL-VPNs, but their ideology is that of a custom VPN client, like Cisco EzVPN, or even OpenVPN (which I personally hate). At the same time, mpd is good where you need interoperability. Unfortunately, there's no silver bullet yet.

Eugene.