Some good information for evaluating potential Linux VPN setups, but if you're looking for a HOWTO, this isn't it.
Title: Building Linux Virtual Private Networks (VPNs)
Authors: Oleg Kolesnikov and Bri Hatch
As an enthusiastic Linux newbie trapped in the body of a Windows/Netware
IT consultant, I gladly welcomed another opportunity to push Linux to my
clients. When I heard about the publication of this book, I was eager to
get my hands on a copy to see if I could feasibly begin using Linux VPN
gateway/firewalls with some of my smaller clients as a low-cost replacement
for some of the Intel and Cisco VPN gateway products.
Despite the fact that virtual private networking is one of the hottest
terms in today's computing world, there still seems to be no definitive
book for Linux-based VPNs. I hoped this book would help me get a foothold
on what could be a new niche for Linux in the small business market.
The first few chapters are on the administrative basics of VPNs. There
are some helpful introductory concepts like topology, cost comparisons,
leased lines and methods of remote key exchange. Aside from a few
reminders about password security, the opening section can be skipped
entirely by anyone with any prior WAN experience.
The meat of this book is the second section. In part two, there are
three detailed chapters on the main players in the Linux VPN world:
SSH, FreeS/WAN and PPTP. The authors do a thorough job of explaining
the basic setups for each one and highlighting the pros and cons of the
different technologies. The level of instruction here assumes very little
Linux knowledge and even includes step-by-step walkthroughs for kernel
recompilation. Unfortunately, when I hit an IPSec security authorization
rule hurdle, there was little included in the way of troubleshooting
help. After a lengthy session on the Web and thanks to some Usenet friends,
I was able to solve my problem. I spent quite a bit of time reading over
the IPSec and FreeS/WAN chapters and found the simple definitions of
the different hashing algorithms easy to digest. Encryption can be tough
to grasp, and the authors explain enough to allow you to understand the
basic configuration fully, yet not so much as to bog the reader down in
The final section of the book deals with "nonstandard" VPN protocols
with a chapter each on Tinc, cIPe and VTun. I found these sections
concise and intriguing, but not nearly enough to support the design
and implementation of a production-level VPN. As with all the other
chapters, there are samples of the three basic configurations: host to
host, network to host and network to network. If an administrator were
to decide to use one of these lesser-known protocols for their setup,
they surely would have to do a great deal of additional research because
what is provided in the book is understandably superficial.
Perhaps I'm going to be crucified for saying this, but my main complaint
about this book is that it just didn't have enough Windows material
in it. The simplistic diagrams and streamlined config files Hatch and
Kolesnikov provide make it easy for any intermediate or advanced user to
get a basic VPN up and running but do little to help you deal with the
complexities of a cross-platform VPN. When confronted with the task of
getting my Windows 2000 laptop up and running with the base FreeS/WAN
setup on my Linux gateway, I was unable to get it working. The authors
omit the "Windows Road Warrior" configuration, stating that Windows
remote-client connectivity is still fairly unreliable and thus out of
the scope of the text. This proved a major hurdle for me given that
the majority of the VPN environments I work in are those with remote
salespeople on the road with Windows laptops.
As much as I would like to voice my frustrations with this book,
saying that the one configuration of the one piece of software that I
wanted to use (Windows/Linux via FreeS/WAN) was not available,
I cannot overlook the fact that for a first delve into the Linux-VPN
sector, this text is adequate.
I would recommend this book to intermediate and advanced administrators
who are evaluating potential Linux VPN solutions. For those looking for
a step-by-step HOWTO to support a corporate solution, you may have to
get on-line with me and wait for something from our friends at O'Reilly.