<HTML>
<HEAD>
<TITLE>Re: [AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN</TITLE>
</HEAD>
<BODY>
<FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'>I'm really trying to avoid using bridges if possible. Most bridging(non VPN bridges like AG) solutions use UDP and my users are UDP incapable :(<BR>
<BR>
On OpenVPN, they don't use L2TP or PPTP but use SSL.<BR>
<BR>
--<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'>Does OpenVPN support IPSec or PPTP?<BR>
<BR>
There are three major families of VPN implementations in wide usage today: SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with IPSec, L2TP, or PPTP.<BR>
<BR>
The IPSec protocol is designed to be implemented as a modification to the IP stack in kernel space, and therefore each operating system requires its own independent implementation of IPSec.<BR>
<BR>
By contrast, OpenVPN's user-space implementation allows portability across operating systems and processor architectures, firewall and NAT-friendly operation, dynamic address support, and multiple protocol support including protocol bridging.<BR>
<BR>
There are advantages and disadvantages to both approaches. The principal advantages of OpenVPN's approach are portability, ease of configuration, and compatibility with NAT and dynamic addresses. The learning curve for installing and using OpenVPN is on par with that of other security-related daemon software such as ssh.<BR>
<BR>
Historically, one of IPSec's advantages has been multi-vendor support, though that is beginning to change as OpenVPN support is beginning to appear on dedicated hardware devices.<BR>
<BR>
While the PPTP protocol has the advantage of a pre-installed client base on Windows platforms, analysis by cryptography experts has revealed security vulnerabilities.<BR>
</SPAN></FONT></BLOCKQUOTE><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'>---<BR>
<BR>
<BR>
<BR>
On 10/31/06 5:20 AM, "Andrew A Rowley" <Andrew.Rowley@manchester.ac.uk> wrote:<BR>
<BR>
<FONT COLOR="#0000FF">> Hi,<BR>
> <BR>
> I have often used the VPN at Manchester from various locations, mostly in the <BR>
> UK. I think this is a hardware VPN solution, so this may explain why it works <BR>
> well. It certainly allows you to use the AG bridged (our VPN network is not <BR>
> multicast enabled) from behind a restrictive firewall, so long as the VPN <BR>
> outgoing port is enabled. I have even used this to run AG over wireless, <BR>
> where our wireless network only allows traffic outgoing over TCP ports 80 and <BR>
> the VPN port.<BR>
> <BR>
> Regarding a software VPN, this should work if it is configured correctly, but <BR>
> configuring VPNs can be quite hard. I would think that an L2TP IPSec VPN with <BR>
> IKE configuration would probably work well. I am fairly sure that this sort <BR>
> of set up would be possible with OpenVPN.<BR>
> <BR>
> Andrew :)<BR>
> <BR>
> ============================================<BR>
> Access Grid Support Centre,<BR>
> RSS Group,<BR>
> Manchester Computing,<BR>
> Kilburn Building,<BR>
> University of Manchester,<BR>
> Oxford Road,<BR>
> Manchester, <BR>
> M13 9PL, <BR>
> UK<BR>
> Tel: +44(0)161-275 0685<BR>
> Email: Andrew.Rowley@manchester.ac.uk <BR>
> <BR>
</FONT><FONT COLOR="#008000">>> -----Original Message-----<BR>
>> From: owner-ag-tech@mcs.anl.gov [<a href="mailto:owner-ag-tech@mcs.anl.gov]">mailto:owner-ag-tech@mcs.anl.gov]</a> On<BR>
>> Behalf Of Many Ayromlou<BR>
>> Sent: 30 October 2006 21:57<BR>
>> To: Doug Baggett<BR>
>> Cc: ag-tech<BR>
>> Subject: Re: [AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN<BR>
>> <BR>
>> Hi Doug,<BR>
>> <BR>
>> A while back I tried OpenVPN (mac client @ home behind NAT/Router---<BR>
</FONT><FONT COLOR="#FF0000">>>> linux server on open network) and although other stuff worked, I<BR>
</FONT><FONT COLOR="#008000">>> could not get AG going (I was not using bridged mode though.....I was<BR>
>> using the other mode.....don't remember right now).<BR>
>> <BR>
>> I have since tried to run it with an L2TP type VPN (Mac notebook<BR>
>> running osx behind NAT/Router --> Mac OSX Server on open network) and<BR>
>> AG3 works quite well. I've been able to get somewhere near 14-16<BR>
>> videos smoking my 6Mb dsl link. I've also tried this from behind a<BR>
>> firewall at work (mac notebook behind a really strict firewall<BR>
>> blocking ports 1024+ UDP/TCP ---> same mac OSX server on open<BR>
>> network) and AG3 works fine.<BR>
>> <BR>
>> So to answer your question OpenVPN did not work for me and I admit it<BR>
>> was not the same situation you're describing. L2TP worked fine behind<BR>
>> NAT and also behind a pretty strict firewall.<BR>
>> <BR>
>> TTYL<BR>
>> Many<BR>
>> On 30-Oct-06, at 1:35 PM, Doug Baggett wrote:<BR>
>> <BR>
</FONT><FONT COLOR="#FF0000">>>> Has anybody tried using Access Grid using bridged Ethernet and<BR>
>>> OpenVPN?<BR>
>>> (www.openvpn.net)<BR>
>>> <BR>
>>> OpenVPN supports TCP instead of UDP, and I have users behind<BR>
>>> Firewalls that<BR>
>>> restrict outbound UDP and I have a server that I could use as the<BR>
>>> endpoint<BR>
>>> that sits<BR>
>>> <BR>
>>> I know there would be a performance hit using TCP, but on a high<BR>
>>> performance<BR>
>>> network it would be interesting to know if anybody has given it a try.<BR>
>>> <BR>
>>> -Doug B<BR>
>>> OCI/NSF<BR>
>>> <BR>
</FONT><FONT COLOR="#008000">>> <BR>
</FONT></SPAN></FONT>
</BODY>
</HTML>