[AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN
dbaggett at nsf.gov
Tue Oct 31 06:08:09 CST 2006
I'm really trying to avoid using bridges if possible. Most bridging (non-VPN
bridges like AG) solutions use UDP and my users are UDP incapable :(
On OpenVPN, they don't use L2TP or PPTP but use SSL.
> Does OpenVPN support IPSec or PPTP?
> There are three major families of VPN implementations in wide usage today:
> SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with
> IPSec, L2TP, or PPTP.
> The IPSec protocol is designed to be implemented as a modification to the IP
> stack in kernel space, and therefore each operating system requires its own
> independent implementation of IPSec.
> By contrast, OpenVPN's user-space implementation allows portability across
> operating systems and processor architectures, firewall and NAT-friendly
> operation, dynamic address support, and multiple protocol support including
> protocol bridging.
> There are advantages and disadvantages to both approaches. The principal
> advantages of OpenVPN's approach are portability, ease of configuration, and
> compatibility with NAT and dynamic addresses. The learning curve for
> installing and using OpenVPN is on par with that of other security-related
> daemon software such as ssh.
> Historically, one of IPSec's advantages has been multi-vendor support, though
> that is beginning to change as OpenVPN support is beginning to appear on
> dedicated hardware devices.
> While the PPTP protocol has the advantage of a pre-installed client base on
> Windows platforms, analysis by cryptography experts has revealed security
On 10/31/06 5:20 AM, "Andrew A Rowley" <Andrew.Rowley at manchester.ac.uk>
> I have often used the VPN at Manchester from various locations, mostly in the
> UK. I think this is a hardware VPN solution, so this may explain why it works
> well. It certainly allows you to use the AG bridged (our VPN network is not
> multicast enabled) from behind a restrictive firewall, so long as the VPN
> outgoing port is enabled. I have even used this to run AG over wireless,
> where our wireless network only allows traffic outgoing over TCP ports 80 and
> the VPN port.
> Regarding a software VPN, this should work if it is configured correctly, but
> configuring VPNs can be quite hard. I would think that an L2TP IPSec VPN with
> IKE configuration would probably work well. I am fairly sure that this sort
> of set up would be possible with OpenVPN.
> Andrew :)
> Access Grid Support Centre,
> RSS Group,
> Manchester Computing,
> Kilburn Building,
> University of Manchester,
> Oxford Road,
> M13 9PL,
> Tel: +44(0)161-275 0685
> Email: Andrew.Rowley at manchester.ac.uk
>> -----Original Message-----
>> From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On
>> Behalf Of Many Ayromlou
>> Sent: 30 October 2006 21:57
>> To: Doug Baggett
>> Cc: ag-tech
>> Subject: Re: [AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN
>> Hi Doug,
>> A while back I tried OpenVPN (mac client @ home behind NAT/Router --->
>> linux server on open network) and although other stuff worked, I
>> could not get AG going (I was not using bridged mode though.....I was
>> using the other mode.....don't remember right now).
>> I have since tried to run it with an L2TP type VPN (Mac notebook
>> running osx behind NAT/Router --> Mac OSX Server on open network) and
>> AG3 works quite well. I've been able to get somewhere near 14-16
>> videos smoking my 6Mb dsl link. I've also tried this from behind a
>> firewall at work (mac notebook behind a really strict firewall
>> blocking ports 1024+ UDP/TCP ---> same mac OSX server on open
>> network) and AG3 works fine.
>> So to answer your question OpenVPN did not work for me and I admit it
>> was not the same situation you're describing. L2TP worked fine behind
>> NAT and also behind a pretty strict firewall.
>> On 30-Oct-06, at 1:35 PM, Doug Baggett wrote:
>>> Has anybody tried using Access Grid using bridged Ethernet and
>>> OpenVPN supports TCP instead of UDP, and I have users behind
>>> Firewalls that
>>> restrict outbound UDP and I have a server that I could use as the
>>> that sits
>>> I know there would be a performance hit using TCP, but on a high
>>> network it would be interesting to know if anybody has given it a try.
>>> -Doug B