<HTML>
<HEAD>
<TITLE>Re: [AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN</TITLE>
</HEAD>
<BODY>
<FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'>Thanks Andrew!<BR>
<BR>
Ethernet tunneling would solve that, but also OpenVPN allows for using TCP as it’s transport mechanism instead of UDP (thus doing what you mentioned).<BR>
<BR>
I’ll look at openswan to compare it to openvpn<BR>
<BR>
-Doug<BR>
<BR>
<BR>
On 10/31/06 9:40 AM, "Andrew A Rowley" <Andrew.Rowley@manchester.ac.uk> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT COLOR="#000080"><FONT SIZE="4"><FONT FACE="Arial"><SPAN STYLE='font-size:13.0px'>Hi,<BR>
<BR>
You are restricted to using UDP for AG, whether you are using multicast or unicast. What you need is to get your VPN client/server to tunnel the UDP packets through TCP, and therefore you don’t need to open any firewalls. There is a VPN server called OpenSwan. This is a linux-only server I think, but you can use Windows XP as a client (as well as other OSs I would think). There are instructions for that here: <a href="http://www.natecarlson.com/linux/ipsec-x509.php">http://www.natecarlson.com/linux/ipsec-x509.php</a><BR>
<BR>
What this does is allows your machine to act as if it were on the same VLan as your VPN server. So if your VPN server is on a multicast enabled network outside the firewall, your AG machine will appear to be multicast enabled and outside the firewall. If your VPN server is not on a multicast network, you will have to set the AG client to use unicast (as I do when I use the Manchester VPN).<BR>
<BR>
Andrew </SPAN></FONT><SPAN STYLE='font-size:13.0px'><FONT FACE="Verdana, Helvetica, Arial">J<BR>
</FONT></SPAN></FONT></FONT><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'><BR>
</SPAN></FONT><FONT COLOR="#000080"><FONT SIZE="4"><FONT FACE="Times New Roman"><SPAN STYLE='font-size:13.0px'>============================================<BR>
Access Grid Support Centre,<BR>
RSS Group,<BR>
Manchester Computing,<BR>
Kilburn Building,<BR>
University of Manchester,<BR>
Oxford Road,<BR>
Manchester,<BR>
M13 9PL,<BR>
UK<BR>
Tel: +44(0)161-275 0685<BR>
Email: Andrew.Rowley@manchester.ac.uk<BR>
</SPAN></FONT></FONT></FONT><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'>
</SPAN></FONT>
<P ALIGN=CENTER>
<FONT SIZE="5"><FONT FACE="Times New Roman"><SPAN STYLE='font-size:16.0px'><HR ALIGN=CENTER SIZE="2" WIDTH="100%"></SPAN></FONT></FONT>
<P>
<FONT SIZE="4"><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:13.0px'><B>From:</B> Doug Baggett [<a href="mailto:dbaggett@nsf.gov]">mailto:dbaggett@nsf.gov]</a> <BR>
<B>Sent:</B> 31 October 2006 12:08<BR>
<B>To:</B> Andrew.Rowley@manchester.ac.uk; Many Ayromlou<BR>
<B>Cc:</B> ag-tech<BR>
<B>Subject:</B> Re: [AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN<BR>
</SPAN></FONT></FONT><FONT SIZE="5"><FONT FACE="Times New Roman"><SPAN STYLE='font-size:16.0px'> <BR>
</SPAN></FONT></FONT><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'>I'm really trying to avoid using bridges if possible. Most bridging(non VPN bridges like AG) solutions use UDP and my users are UDP incapable :(<BR>
<BR>
On OpenVPN, they don't use L2TP or PPTP but use SSL.<BR>
<BR>
--<BR>
Does OpenVPN support IPSec or PPTP?<BR>
<BR>
There are three major families of VPN implementations in wide usage today: SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with IPSec, L2TP, or PPTP.<BR>
<BR>
The IPSec protocol is designed to be implemented as a modification to the IP stack in kernel space, and therefore each operating system requires its own independent implementation of IPSec.<BR>
<BR>
By contrast, OpenVPN's user-space implementation allows portability across operating systems and processor architectures, firewall and NAT-friendly operation, dynamic address support, and multiple protocol support including protocol bridging.<BR>
<BR>
There are advantages and disadvantages to both approaches. The principal advantages of OpenVPN's approach are portability, ease of configuration, and compatibility with NAT and dynamic addresses. The learning curve for installing and using OpenVPN is on par with that of other security-related daemon software such as ssh.<BR>
<BR>
Historically, one of IPSec's advantages has been multi-vendor support, though that is beginning to change as OpenVPN support is beginning to appear on dedicated hardware devices.<BR>
<BR>
While the PPTP protocol has the advantage of a pre-installed client base on Windows platforms, analysis by cryptography experts has revealed security vulnerabilities.<BR>
---<BR>
<BR>
<BR>
<BR>
On 10/31/06 5:20 AM, "Andrew A Rowley" <Andrew.Rowley@manchester.ac.uk> wrote:<BR>
<BR>
<FONT COLOR="#0000FF">> Hi,<BR>
> <BR>
> I have often used the VPN at Manchester from various locations, mostly in the <BR>
> UK. I think this is a hardware VPN solution, so this may explain why it works <BR>
> well. It certainly allows you to use the AG bridged (our VPN network is not <BR>
> multicast enabled) from behind a restrictive firewall, so long as the VPN <BR>
> outgoing port is enabled. I have even used this to run AG over wireless, <BR>
> where our wireless network only allows traffic outgoing over TCP ports 80 and <BR>
> the VPN port.<BR>
> <BR>
> Regarding a software VPN, this should work if it is configured correctly, but <BR>
> configuring VPNs can be quite hard. I would think that an L2TP IPSec VPN with <BR>
> IKE configuration would probably work well. I am fairly sure that this sort <BR>
> of set up would be possible with OpenVPN.<BR>
> <BR>
> Andrew :)<BR>
> <BR>
> ============================================<BR>
> Access Grid Support Centre,<BR>
> RSS Group,<BR>
> Manchester Computing,<BR>
> Kilburn Building,<BR>
> University of Manchester,<BR>
> Oxford Road,<BR>
> Manchester, <BR>
> M13 9PL, <BR>
> UK<BR>
> Tel: +44(0)161-275 0685<BR>
> Email: Andrew.Rowley@manchester.ac.uk <BR>
> <BR>
</FONT><FONT COLOR="#008000">>> -----Original Message-----<BR>
>> From: owner-ag-tech@mcs.anl.gov [<a href="mailto:owner-ag-tech@mcs.anl.gov]">mailto:owner-ag-tech@mcs.anl.gov]</a> <a href="mailto:owner-ag-tech@mcs.anl.gov%5d"><mailto:owner-ag-tech@mcs.anl.gov%5d></a> On<BR>
>> Behalf Of Many Ayromlou<BR>
>> Sent: 30 October 2006 21:57<BR>
>> To: Doug Baggett<BR>
>> Cc: ag-tech<BR>
>> Subject: Re: [AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN<BR>
>> <BR>
>> Hi Doug,<BR>
>> <BR>
>> A while back I tried OpenVPN (mac client @ home behind NAT/Router---<BR>
</FONT><FONT COLOR="#FF0000">>>> linux server on open network) and although other stuff worked, I<BR>
</FONT><FONT COLOR="#008000">>> could not get AG going (I was not using bridged mode though.....I was<BR>
>> using the other mode.....don't remember right now).<BR>
>> <BR>
>> I have since tried to run it with an L2TP type VPN (Mac notebook<BR>
>> running osx behind NAT/Router --> Mac OSX Server on open network) and<BR>
>> AG3 works quite well. I've been able to get somewhere near 14-16<BR>
>> videos smoking my 6Mb dsl link. I've also tried this from behind a<BR>
>> firewall at work (mac notebook behind a really strict firewall<BR>
>> blocking ports 1024+ UDP/TCP ---> same mac OSX server on open<BR>
>> network) and AG3 works fine.<BR>
>> <BR>
>> So to answer your question OpenVPN did not work for me and I admit it<BR>
>> was not the same situation you're describing. L2TP worked fine behind<BR>
>> NAT and also behind a pretty strict firewall.<BR>
>> <BR>
>> TTYL<BR>
>> Many<BR>
>> On 30-Oct-06, at 1:35 PM, Doug Baggett wrote:<BR>
>> <BR>
</FONT><FONT COLOR="#FF0000">>>> Has anybody tried using Access Grid using bridged Ethernet and<BR>
>>> OpenVPN?<BR>
>>> (www.openvpn.net)<BR>
>>> <BR>
>>> OpenVPN supports TCP instead of UDP, and I have users behind<BR>
>>> Firewalls that<BR>
>>> restrict outbound UDP and I have a server that I could use as the<BR>
>>> endpoint<BR>
>>> that sits<BR>
>>> <BR>
>>> I know there would be a performance hit using TCP, but on a high<BR>
>>> performance<BR>
>>> network it would be interesting to know if anybody has given it a try.<BR>
>>> <BR>
>>> -Doug B<BR>
>>> OCI/NSF<BR>
>>> <BR>
</FONT><FONT COLOR="#008000">>> <BR>
</FONT><BR>
</SPAN></FONT></BLOCKQUOTE><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:12.0px'><BR>
</SPAN></FONT>
</BODY>
</HTML>