On Thu, 13 Mar 2008, Kevin Miller wrote:
> Robert,
> You are right in that VPN has not been our #1 priority. In the last few
> months, we have rolled out the new core network, upgraded the wired
> network in several buildings, announced plans to roll out a next
> generation 802.11n wireless network, planned the network facilities in
> the new enterprise data center, worked towards improved connectivity
> between medical and non-medical research facilities, retired our legacy
> DNS servers, deployed a virtual firewall service, and evaluated several
> vendors for replacement intrusion detection and prevention services.
Dear Kevin,
All good, but as I said this is a very old problem -- years old, not
months old -- and one that only has required a small FTE investment to
"fix" all along at least at the level of maintaining a functional,
tested vpnclient for linux. In fact, volunteers on this list (myself
included) would do -- and have in the past offered to and indeed done on
their own anyway -- the required patching of the existing vpnclient FOR
you, so that all your organization has needed to do is spend a couple of
hours testing it and then dropping a link to a functional one in place
on the OIT website for general use.
However, we REQUIRE at least that much OIT participation, because as I
noted, according to the cisco license in the sources themselves it is
technically illegal for us as end users to redistribute functionally
patched sources (not to mention difficult for us to access current
sources to patch) while as I understand it you guys do have the right to
do so within the organization. I've now twice patched it myself (for FC
6 and FC 7), twice offered to pass it back to OIT, and twice been
largely ignored. Chris Walter has duplicated this effort. I'm guessing
that at least four or five others have as well. Ultimately, working
versions have been passed around through the grapevine, routing around
the barrier, which is not appropriate for the mission critical service
of providing secured remote connectivity and leaves ME taking the risks
associated with violating a license (however annoying it might be that
Cisco doesn't provide a functional product so that I'm more or less
forced to, to connect at all).
I'll offer again: If you will accept a patched vpnclient for Fedora 8
and put it on the website for general distribution to help bridge the
gap between now and when SSL VPN comes on line, I (perhaps with the help
of others on the list) will take the time to build it and test it and
then hand it over. All I'd need is a copy of the latest/greatest Cisco
tarballs for i386 and x86_64 if there is one more recent than the 4.8 or
4.6 sources I have now (and if the differences matter).
You guys in OIT don't have to work all alone on this, in other words. I
>>do<< understand that you're busy and that you have many priorities
(and absolutely, fixing some of the semi-broken WAPs around campus is a
very good one to have). Just realize that you have help -- we can work
together on things to our common benefit.
I'll even apologize for the rant, although to the extent that it has
attracted your attention to the ongoing problem it may have still been a
good thing. As I said before, I don't particularly like having to
publicly complain about things like this to get a constructive
response, but sometimes there is little alternative.
> Alongside all this, though, we have worked methodically to build our
> next-generation SSL VPN service. This is truly a tunneled service, not
> merely a web proxy. It uses a thin client architecture, and we have been
> testing on all 3 major platforms (L, M, W) during the development. A lot
> of the time is spent making sure that we have the redundancy and
> scalability that is needed of this sort of service. The service will be
> virtualized: your VPN may be different from your neighbor's VPN.
>
> The motivations for replacing the VPN service were several, and were
> culled from dozens of conversations with IT staff across campus. Among
> them, the need for good support across the major platforms, the ability
> to virtualize, and a simplified user interface. As well, the current
> platform is more than 4 years old and not redundant.
>
> We have shared these plans with CLAC and ITAC before, during, and after
> the implementation process (though obviously SSL VPN is still in
> progress.) Beyond that, we are more than happy to meet with anyone that
> is interested in discussing the services. (If there are other forums
> where an opportunity to discuss our services and requirements would be
> valued, please let me know.)
Excellent. I'm glad the SSL VPN will indeed be a scalable tunnelling
architecture and hopefully easy for novice-level users to operate from
userspace on the LMW platform base as you describe. From discussions on
this list I'd have to say that there has been something of a
communications problem even to the campus sysadmin base, but perhaps
this particular discussion we're having now is helping to rectify that
which is all to the good. Any technical description of the service you
wanted to post to this list or the A&SiST list -- what it's running on,
how it works, what the clients are and where they come from, its overall
cost, an estimate of when it would start to be available -- would
doubtless be appreciated by me and I'm sure many others.
> While work on the SSL VPN continues, we are preparing to open it to a wider
> circle of testers to start gathering feedback on its usability,
> functionality, interoperability across platforms, and so forth. Based on the
> feedback from this test, we will make changes as necessary to provide a
> useful service to the broadest set of uses.
Again, an excellent, rational plan. Sign me up.
rgb
--
Robert G. Brown Phone(cell): 1-919-280-8443
Duke University Physics Dept, Box 90305
Durham, N.C. 27708-0305
Web: http://www.phy.duke.edu/~rgb
Book of Lilith Website: http://www.phy.duke.edu/~rgb/Lilith/Lilith.php
Lulu Bookstore: http://stores.lulu.com/store.php?fAcctID=877977
_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug