From: Archie Cobbs
Subject: Re: Reply Hazy (Encrypted VPN across FBSD, W2k, RHL, etc...)
To: Gary Jackson
Cc: freebsd-net@FreeBSD.ORG
Date: Tue, 30 Oct 2001 12:56:56 -0800 (PST)
Message-Id: <200110302056.f9UKuuv08305@arch20m.dellroad.org>
In-Reply-To: <200110271449.KAA11184@leviathan.umiacs.umd.edu> "from Gary Jackson at Oct 27, 2001 10:49:01 am"

Gary Jackson writes:
> I have a suspicion that the limiting factor here is going to be the
> Microsoft product. It appears as if it will do encrypted VPNs two
> ways:
>
> 1. PPTP with proprietary MPPE encryption/compression
> 2. IPSec/l2tp proprietary hybrid
>
> I looked into option (1). It seems to be the easiest, with the
> exception that apparently I need some proprietary code (as per the
> following quote from the ng_mppc(4) manual page):
>
>     The MPPC protocol requires proprietary compression code available from
>     Hi/Fn (formerly STAC). These files must be obtained elsewhere and added
>     to the kernel sources before this node type will compile with the
>     NETGRAPH_MPPC_COMPRESSION option.
That's only required if you want to do compression, which is optional.
So the net/mpd-netgraph port will do PPTP with encryption but not
compression.

> Option (2) looks even less likely. I've only been able to find one
> implementation of l2tp, and it looks like it's still a pretty flaky
> piece of software that hasn't been integrated with IPSec.

You can configure Win2k to do pure IPSec without the L2TP part, and
this works with FreeBSD/IPSec/racoon. Search the MSoft knowledge base
for how to configure it this way (it's non-trivial).

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
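The FreeBSD side of the "pure IPSec, no L2TP" setup Archie describes, as an added illustration that is not part of the original thread and not configuration from the FreeBSD project or from Packet Design: a KAME racoon.conf for an IKE main-mode exchange with a pre-shared key plus the matching setkey(8) policy, written so the proposal matches what a Windows 2000 IPsec policy of the era typically offers (3DES, SHA1, DH group 2, pre-shared key). The addresses 192.0.2.1 (FreeBSD) and 192.0.2.10 (Win2k), the file paths, and the key-file name are assumptions chosen for the example.

```conf
# --- /usr/local/etc/racoon/racoon.conf (constructed example) ---
# Assumed addresses: 192.0.2.1 = FreeBSD host, 192.0.2.10 = Windows 2000 host.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # "192.0.2.10 <long random secret>", mode 0600

remote 192.0.2.10 {
    exchange_mode main;                # main mode; Win2k does not do aggressive mode with PSK
    proposal {
        encryption_algorithm 3des;     # phase 1 cipher offered by Win2k's default policy
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;                    # 1024-bit MODP, the Win2k "medium" DH group
    }
}

sainfo anonymous {
    pfs_group 2;                       # perfect forward secrecy on phase 2 rekeys
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;     # harmless if the peer never proposes IPComp
}

# --- /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf (constructed example) ---
# Security policy: ESP in transport mode is *required* in both directions,
# so unencrypted traffic to or from the Windows host is dropped rather than
# silently sent in the clear if IKE has not completed.
flush;
spdflush;
spdadd 192.0.2.1 192.0.2.10 any -P out ipsec esp/transport//require;
spdadd 192.0.2.10 192.0.2.1 any -P in  ipsec esp/transport//require;
```

The `require` level is the part worth checking: with `use` instead, traffic falls back to plaintext when no SA exists, which defeats the purpose of the tunnel. After racoon starts, `setkey -D` lists the negotiated SAs and `setkey -DP` the installed policies; a kernel built with `options IPSEC` and `options IPSEC_ESP` is assumed.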