Remote User Access VPNs
Virtual Private Networks (VPNs) are used primarily in two situations: bridges between private networks and remote user access. While BSD systems already had most of the features required to fulfil the network-to-network case, remote user access was an area where the existing tools were rather frustrating.
The paper examines the solutions available for building a VPN with the following goals.
The paper gives a quick tour of the available solutions: PPP over SSH, tunnelling over SSL, PPTP, plain IPsec, and L2TP over IPsec. The preliminary conclusion is that no IPsec-based solution seems to meet the goals.
The paper then covers the various IPsec extensions that some vendors developed in order to properly support the remote user access scenario with IPsec VPNs: Xauth, Hybrid auth, NAT-Traversal, Dead Peer Detection, IKE fragmentation, and ESP fragmentation.
The end of the paper describes how these extensions were added to the NetBSD kernel and to its IKE daemon, racoon. Enhancing racoon led NetBSD to switch from the KAME project's racoon to the racoon of the ipsec-tools project, a KAME racoon fork initially created to bring racoon to Linux.
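As an added illustration (not taken from the paper or from the ipsec-tools project), the following racoon.conf fragment shows how the extensions listed above are switched on in an ipsec-tools racoon acting as a remote-access gateway. The certificate paths, the client address pool and the DNS address are assumed values, and racoon must have been built with the hybrid, NAT-T, fragmentation and DPD options for these keywords to be accepted.

```conf
# Constructed racoon.conf fragment for a remote-user access gateway (ipsec-tools racoon).
# Paths and addresses are assumptions; adjust them to the local system.
path pre_shared_key "/etc/racoon/psk.txt";
path certificate    "/etc/racoon/certs";

remote anonymous {
        exchange_mode aggressive, main;   # road warriors commonly start in aggressive mode
        passive on;                       # the gateway only answers, it never initiates
        generate_policy on;               # build SPD entries for clients whose address is unknown in advance
        my_identifier asn1dn;
        certificate_type x509 "gw-cert.pem" "gw-key.pem";
        ca_type x509 "ca.pem";
        verify_cert on;

        nat_traversal on;                 # NAT-Traversal: ESP encapsulated in UDP/4500 when a NAT is detected
        ike_frag on;                      # IKE fragmentation: certificate payloads that exceed the path MTU
        esp_frag 552;                     # ESP fragmentation (NetBSD-only option): pre-fragment before ESP

        dpd_delay   20;                   # Dead Peer Detection: probe an idle peer every 20 s
        dpd_retry   5;
        dpd_maxfail 5;                    # drop the SA after 5 unanswered probes

        mode_cfg on;                      # hand out client address and DNS through ISAKMP mode config

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;  # Hybrid auth: gateway proves itself by certificate,
                dh_group 2;                               # the user by an Xauth login/password
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

mode_cfg {
        auth_source system;               # Xauth credentials checked against the local user database
        network4 10.99.0.0;               # assumed client address pool
        netmask4 255.255.255.0;
        pool_size 200;
        dns4 10.99.0.1;                   # assumed internal resolver pushed to clients
}
```

With passive mode and generate_policy the gateway never needs a static SPD entry per client, which is what makes the unknown-address remote user case workable.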
The paper concludes by discussing possible future developments around racoon.
About the author
Emmanuel Dreyfus is a system and network administrator in Paris, France, and is currently a developer for the NetBSD, ipsec-tools and milter-greylist projects.
Within the NetBSD project, Emmanuel Dreyfus has mostly worked on binary compatibility (LinuxPPC, IRIX and MacOS X compatibility, the latter being the subject of a previous EuroBSDCon paper) and on improving NetBSD's IPsec capabilities.
He is also the author of a French book on Unix system administration with BSD.
Copyright © 2005 by EuroBSDCon 2005. All rights reserved.