This is a discussion on Can't find suitable firewall/VPN software for dynamic IPs within the Linux Networking forums, part of the Linux Forums category.

Is there _any_ open source firewall solution that provides VPN endpoints
with dynamic IPs, and supports Microsoft (or free) VPN clients for Windows XP?

I've been asked to build a software firewall for a small business network. I can't seem to find anything Linux (or equiv.) based that meets my needs, which are:

- it should provide NAT service for outbound connections, although I do NOT need it to provide DHCP or DNS services. So far no problem. Smoothwall, e.g., handles this nicely.
- must act as a VPN endpoint (i.e., NOT passthrough) for the local network, providing remote access for remote Windows XP Pro workstations using Microsoft VPN clients.
- must support VPN with dynamic IP on both ends. Most Linux firewalls only support IPsec, and hence static IPs; I think we're down to PPTP and L2TP. This blows it for ITShield, too; for some crazy reason, even though it supports PPTP, it requires a static IP. Those things ain't cheap.
- do NOT want to use pinholes or VPN pass-through; i.e., no direct access to internal systems by any clients not authenticated to the firewall. I can buy a cheap hardware firewall if I'm just going to poke holes in it.
- must be quick and easy to set up. The client won't pay for a day's worth of my time to figure out unmaintainable patches, scripts, etc.

What I really want is an 386 ISO image with PoPToP already incorporated, I think. Nothing of the sort seems to exist.

Before people rag on me about PPTP security, let's be clear about whether we're talking about PPTP v1 or v2; it makes a big difference. With a firewall endpoint, I control the passwords; they're good, and used nowhere else. And if anybody's got a better solution for dynamic IPs, I'm listening.

BTW, there's one other solution I might possibly use in this situation: an HTTP/HTTPS inbound proxy server -- since all I _really_ need right now is to allow secure remote access to a web-based app running on a Win2K server. Do such beasts really exist, or would I need some sort of stateful inspection?

Using MS' IIS on that server is not an option I want to think about.

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net

Leythos <void@nowhere.com> wrote:

>In article <fe9d20l0ddemoq23mj3kuaa414qg8bm4b3@4ax.com>, kenw@kmsi.net
>says...
>> Is there _any_ open source firewall solution that provides VPN endpoints
>> with dynamic IPs, and supports Microsoft (or free) VPN clients for Windows
>> XP?
>...
>A simple Linksys VPN router will do all of this and more. The VPN routers
>allow IPSec over dynamic IPs using the user name and key method.
>--

Personally, if I were going hardware, I'd use a Netopia -- say, their 3381-ENT. It's more flexible.

But I wanted an open source software-based solution, and although I see plenty of mention of dynamic DNS, I see little about dynamic IPs for VPN endpoints. For example, the SmoothWall FAQ says:

>< Pre-shared Key (PSK/Shared Secret) authentication and Dynamic IP
>< addresses are not compatible. This is a general VPN issue and is
>< not specific to SmoothWall systems.

and:

>< The SmoothTunnel and SmoothNode VPN Add-On modules for Corporate
>< Server both support dynamic IP addresses.

Admittedly, I wasn't really thinking of IPsec with dynamic IPs, although it's an intriguing possibility. But I don't see any simple, open source solutions for that, either. The hardware firewall solution certainly looks better at the moment.

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net

kenw@kmsi.net wrote:

> Is there any open source firewall solution that provides VPN endpoints
> with dynamic IPs, and supports Microsoft (or free) VPN clients for Windows
> XP?
>
> I've been asked to build a software firewall for a small business network.
> I can't seem to find anything Linux (or equiv.) based, that meets my needs,
> which are:
>

I use CIPE, which works well. I've always used it with dhcp at both ends. The fact that it's dhcp is irrelevant, provided you have a known & consistent host name.

--
Fundamentalism is fundamentally wrong.
To reply to this message, replace everything to the left of "@" with james.knott.