[clug] IPSec / L2TP as dial-in access for remote netbook

Daniel Pittman daniel at rimspace.net
Wed Aug 19 08:00:13 MDT 2009


Ian McLeod <ianmcleod75 at gmail.com> writes:

> Has anyone figured out the rocket science behind configuring a IPSec / L2TP
> capable router as a 'dial-in' server (remote access - not LAN2LAN) for a
> netbook or laptop (with Ubuntu)?
>
> I hear PPTP is easy to set up - but insecure.
>
> Basically I have a Billion 7404-VGO-M VPN capable modem with PPTP, IPSec and
> L2TP, and a small netbook running Ubuntu - and not a clue how to get VPN
> working.

Well, I have not done this in the last few (ahem.  nine, I think) months, so
I may be a bit rusty, but a general guide...

First, get IPSec working between your client and your server.  Tunnel mode is
probably easiest, but whatever.  Get that providing secure IP between your
client and your server.

This also involves selecting an IPSec implementation.  I used pipsecd[1]
myself, but you probably want the in-kernel IPSec stuff.  Anyway, that will
require an ISAKMP daemon; IIRC, the OpenBSD option is reasonably sane, and
I /still/ hate the OpenSWAN daemon for being baroque and awful to work with.

Any option should work, though.  Um, and getting that talking to the Billion:
just give them the same configuration and you should be good to go.


I would advise you pick an ISAKMP daemon, set the Billion to tunnel mode, and
then work to get the two talking together.


Finally, once that is done you have an IP link between the two systems, and
you get to decide you actually give a damn about putting L2TP in place or not.
(This gives you a "bridged" connection, rather than just routed IP.  I never
 really saw the point of this for !Windows clients.)

> I have searched over the Net and found instructions resembling Ikea manuals
> for how to construct a kit nuclear reactor - nothing straightforward - if
> this is possible.

Yeah.  If you can, I advise you to just use OpenVPN.  It sucks a lot less, and
seems to be reasonably secure to date.[2]

Regards,
        Daniel

Footnotes: 
[1]  Not packaged any more, sorry.  They hate it now, even though it was one
     of the few simple and easy to use implementations.  Oh, well.

[2]  As in, not seriously validated or investigated by an expert (boo), but
     having been looked at by a number of them who concluded that it was a
     reasonable implementation.  The actual crypto parts are absolutely boring
     and uncreative, which is *exactly* what you want.

-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
   Looking for work?  Love Perl?  In Melbourne, Australia?  We are hiring.
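A concrete client-side configuration for the steps in the reply above (IPsec first, then L2TP on top of it), added here as an illustration; it is not from the thread and does not describe the Billion's own settings. It assumes strongSwan as the IKE/ISAKMP daemon and xl2tpd on the Ubuntu netbook, pre-shared-key authentication, and 203.0.113.1 as a placeholder for the router's public address; it uses transport mode rather than the tunnel mode suggested above, because that is how L2TP/IPsec (RFC 3193) protects the UDP 1701 L2TP traffic, and the cipher proposals must match whatever the router offers.

```ini
# /etc/ipsec.conf -- strongSwan side of the L2TP/IPsec client (assumed example)
config setup

conn billion-l2tp
    keyexchange=ikev1            # assumed: the router speaks IKEv1 only
    type=transport               # L2TP/IPsec protects the L2TP UDP packets in transport mode
    authby=secret                # pre-shared key; the same key is configured on the router
    ike=aes256-sha256-modp2048!  # proposals must match the router; '!' means strict
    esp=aes256-sha256!
    left=%defaultroute           # the netbook, whatever address it has today
    leftprotoport=17/1701        # only UDP 1701 (L2TP) is covered by this SA
    right=203.0.113.1            # placeholder for the router's public address
    rightprotoport=17/1701
    auto=add                     # load on start, bring up manually with 'ipsec up'

# /etc/ipsec.secrets -- keep mode 0600; placeholder key, generate your own
203.0.113.1 %any : PSK "replace-with-a-long-random-secret"

# /etc/xl2tpd/xl2tpd.conf -- L2TP access concentrator pointing at the router
[lac billion]
lns = 203.0.113.1                ; placeholder router address, same as 'right' above
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes                 ; many routers require the L2TP length field
ppp debug = yes                  ; noisy, but useful while getting it working

# /etc/ppp/options.l2tpd.client -- PPP inside the L2TP tunnel
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2                ; refuse PAP/CHAP so credentials are not sent in the clear
noccp
noauth                           ; the router does not authenticate itself to the client here
mtu 1280
mru 1280
name myuser                      ; placeholder PPP username
password replace-me              ; placeholder; readable only by root
```

Bring it up in the same order as the reply describes: `ipsec up billion-l2tp`, confirm with `ip xfrm state` that ESP SAs exist, and only then start the L2TP call with `echo "c billion" > /var/run/xl2tpd/l2tp-control`. If the L2TP call is started without the SAs in place, the PPP exchange (including the MS-CHAPv2 handshake) travels unprotected, which is the PPTP-class weakness the original question wanted to avoid.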

