[AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN

Doug Baggett dbaggett at nsf.gov
Tue Oct 31 10:13:18 CST 2006


Thanks Andrew!

Ethernet tunneling would solve that, but also OpenVPN allows for using TCP
as its transport mechanism instead of UDP (thus doing what you mentioned).

I'll look at openswan to compare it to openvpn.

-Doug


On 10/31/06 9:40 AM, "Andrew A Rowley" <Andrew.Rowley at manchester.ac.uk>
wrote:

> Hi,
>  
> You are restricted to using UDP for AG, whether you are using multicast or
> unicast.  What you need is to get your VPN client/server to tunnel the UDP
> packets through TCP, and therefore you don't need to open any firewalls.
> There is a VPN server called OpenSwan. This is a linux-only server I think,
> but you can use Windows XP as a client (as well as other OSs I would think).
> There are instructions for that here:
> http://www.natecarlson.com/linux/ipsec-x509.php
>  
> What this does is allows your machine to act as if it were on the same VLan as
> your VPN server.  So if your VPN server is on a multicast enabled network
> outside the firewall, your AG machine will appear to be multicast enabled and
> outside the firewall.  If your VPN server is not on a multicast network, you
> will have to set the AG client to use unicast (as I do when I use the
> Manchester VPN).
>  
> Andrew J
> 
> ============================================
> Access Grid Support Centre,
> RSS Group,
> Manchester Computing,
> Kilburn Building,
> University of Manchester,
> Oxford Road,
> Manchester,
> M13 9PL,
> UK
> Tel: +44(0)161-275 0685
> Email: Andrew.Rowley at manchester.ac.uk
> 
> 
> From: Doug Baggett [mailto:dbaggett at nsf.gov]
> Sent: 31 October 2006 12:08
> To: Andrew.Rowley at manchester.ac.uk; Many Ayromlou
> Cc: ag-tech
> Subject: Re: [AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN
>  
> I'm really trying to avoid using bridges if possible. Most bridging(non VPN
> bridges like AG) solutions use UDP and my users are UDP incapable :(
> 
> On OpenVPN, they don't use L2TP or PPTP but use SSL.
> 
> --
> Does OpenVPN support IPSec or PPTP?
> 
> There are three major families of VPN implementations in wide usage today:
> SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with
> IPSec, L2TP, or PPTP.
> 
> The IPSec protocol is designed to be implemented as a modification to the IP
> stack in kernel space, and therefore each operating system requires its own
> independent implementation of IPSec.
> 
> By contrast, OpenVPN's user-space implementation allows portability across
> operating systems and processor architectures, firewall and NAT-friendly
> operation, dynamic address support, and multiple protocol support including
> protocol bridging.
> 
> There are advantages and disadvantages to both approaches. The principal
> advantages of OpenVPN's approach are portability, ease of configuration, and
> compatibility with NAT and dynamic addresses. The learning curve for
> installing and using OpenVPN is on par with that of other security-related
> daemon software such as ssh.
> 
> Historically, one of IPSec's advantages has been multi-vendor support, though
> that is beginning to change as OpenVPN support is beginning to appear on
> dedicated hardware devices.
> 
> While the PPTP protocol has the advantage of a pre-installed client base on
> Windows platforms, analysis by cryptography experts has revealed security
> vulnerabilities.
> ---
> 
> 
> 
> On 10/31/06 5:20 AM, "Andrew A Rowley" <Andrew.Rowley at manchester.ac.uk> wrote:
> 
>> > Hi,
>> > 
>> > I have often used the VPN at Manchester from various locations, mostly in
>> > the UK.  I think this is a hardware VPN solution, so this may explain why it
>> > works well.  It certainly allows you to use the AG bridged (our VPN network is
>> > not multicast enabled) from behind a restrictive firewall, so long as the VPN
>> > outgoing port is enabled.  I have even used this to run AG over wireless,
>> > where our wireless network only allows traffic outgoing over TCP ports 80
>> > and the VPN port.
>> > 
>> > Regarding a software VPN, this should work if it is configured correctly,
>> > but configuring VPNs can be quite hard.  I would think that an L2TP IPSec VPN
>> > with IKE configuration would probably work well.  I am fairly sure that this
>> > sort of set up would be possible with OpenVPN.
>> > 
>> > Andrew :)
>> > 
>> > ============================================
>> > Access Grid Support Centre,
>> > RSS Group,
>> > Manchester Computing,
>> > Kilburn Building,
>> > University of Manchester,
>> > Oxford Road,
>> > Manchester, 
>> > M13 9PL, 
>> > UK
>> > Tel: +44(0)161-275 0685
>> > Email: Andrew.Rowley at manchester.ac.uk
>> > 
>>> >> -----Original Message-----
>>> >> From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On
>>> >> Behalf Of Many Ayromlou
>>> >> Sent: 30 October 2006 21:57
>>> >> To: Doug Baggett
>>> >> Cc: ag-tech
>>> >> Subject: Re: [AG-TECH] Using Access Grid with Ethernet Bridged OpenVPN
>>> >> 
>>> >> Hi Doug,
>>> >> 
>>> >> A while back I tried OpenVPN (mac client @ home behind NAT/Router--->
>>> >> linux server on open network) and although other stuff worked, I
>>> >> could not get AG going (I was not using bridged mode though.....I was
>>> >> using the other mode.....don't remember right now).
>>> >> 
>>> >> I have since tried to run it with an L2TP type VPN (Mac notebook
>>> >> running osx behind NAT/Router --> Mac OSX Server on open network) and
>>> >> AG3 works quite well. I've been able to get somewhere near 14-16
>>> >> videos smoking my 6Mb dsl link. I've also tried this from behind a
>>> >> firewall at work (mac notebook behind a really strict firewall
>>> >> blocking ports 1024+ UDP/TCP ---> same mac OSX server on open
>>> >> network) and AG3 works fine.
>>> >> 
>>> >> So to answer your question OpenVPN did not work for me and I admit it
>>> >> was not the same situation you're describing. L2TP worked fine behind
>>> >> NAT and also behind a pretty strict firewall.
>>> >> 
>>> >> TTYL
>>> >> Many
>>> >> On 30-Oct-06, at 1:35 PM, Doug Baggett wrote:
>>> >> 
>>>> >>> Has anybody tried using Access Grid using bridged Ethernet and
>>>> >>> OpenVPN?
>>>> >>> (www.openvpn.net)
>>>> >>> 
>>>> >>> OpenVPN supports TCP instead of UDP, and I have users behind
>>>> >>> Firewalls that restrict outbound UDP and I have a server that I could
>>>> >>> use as the endpoint that sits
>>>> >>> 
>>>> >>> I know there would be a performance hit using TCP, but on a high
>>>> >>> performance network it would be interesting to know if anybody has
>>>> >>> given it a try.
>>>> >>> 
>>>> >>> -Doug B
>>>> >>> OCI/NSF
>>>> >>> 
>>> >> 
> 


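The setup the thread circles around (OpenVPN in Ethernet-bridged "tap" mode, carried over TCP so that clients whose firewalls block outbound UDP can still join, with the Access Grid UDP/multicast traffic riding inside the tunnel) looks roughly like the following pair of OpenVPN 2.x configuration files. This is an added example written for this page; it is not from any of the posters and not from the OpenVPN or Access Grid projects. The LAN addresses, the port (443), the hostname vpn.example.org, the certificate/key file names and the bridge name are all assumed placeholders.

```conf
# ===== server.conf (assumed file name; runs on the multicast-enabled LAN) =====
# TCP transport: the client only needs one outbound TCP connection, so no
# UDP has to be allowed through the client's firewall. Port 443 is assumed
# because it is commonly permitted outbound; use whatever the client side allows.
proto tcp-server
port 443
# Layer-2 (tap) device: the client appears to be on the server's LAN, so the
# multicast UDP that Access Grid uses reaches it unchanged.
dev tap0
# tap0 must be attached to a bridge together with the server's LAN interface
# BEFORE OpenVPN starts (the bridge is created outside this file, e.g. with the
# OS bridge tools). Assumed LAN 192.168.10.0/24, gateway .1, VPN clients .200-.220.
server-bridge 192.168.10.1 255.255.255.0 192.168.10.200 192.168.10.220
ca   ca.crt        # assumed PKI file names
cert server.crt
key  server.key
dh   dh2048.pem
# HMAC "firewall" on the control channel: packets without the shared HMAC key
# are dropped before any TLS processing, which limits the exposure of a
# listener reachable from the Internet.
tls-auth ta.key 0
keepalive 10 60
persist-key
persist-tun
# Drop root after the tap device and bridge are in place.
user  nobody
group nogroup
verb 3

# ===== client.conf (assumed file name; runs behind the UDP-blocking firewall) =====
client
proto tcp-client
remote vpn.example.org 443   # assumed server hostname
dev tap
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1            # opposite key direction from the server
# Ignore any routes the server might push: only the bridged LAN (and its
# multicast) should travel through the tunnel, not the client's Internet traffic.
route-nopull
persist-key
persist-tun
verb 3
```

Two points worth keeping in mind when running this. First, the "performance hit" Doug mentions is structural: the Access Grid audio/video streams are UDP inside the tunnel, and once they are carried over TCP a single lost segment stalls every stream until it is retransmitted (head-of-line blocking), so a lossy or congested path degrades far worse than it would with OpenVPN's default UDP transport. Second, bridging puts the remote machine logically on the server's LAN, so the bridge should live on a network segment that contains nothing more than the multicast traffic you intend to expose; firewall rules on the server host still apply to what crosses the bridge.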