Building Linux Virtual Private Networks (VPNs): A Book Review
Title: Building Linux Virtual Private Networks (VPNs)
Authors: Oleg Kolesnikov and Brian Hatch
Publisher: New Riders Publishing
ISBN: 1578702666
As an enthusiastic Linux newbie trapped in the body of a Windows/Netware IT consultant, I gladly welcomed another opportunity to push Linux to my clients. When I heard about the publication of this book, I was eager to get my hands on a copy to see if I could feasibly begin using Linux VPN gateway/firewalls with some of my smaller clients as a low-cost replacement for some of the Intel and Cisco VPN gateway products.
Despite the fact that virtual private networking is one of the hottest terms in today's computing world, there still seems to be no definitive book for Linux-based VPNs. I hoped this book would help me get a foothold on what could be a new niche for Linux in the small business market.
The first few chapters are on the administrative basics of VPNs. There are some helpful introductory concepts like topology, cost comparisons, leased lines and methods of remote key exchange. Aside from a few reminders about password security, the opening section can be skipped entirely by anyone with any prior WAN experience.
The meat of this book is the second section. In part two, there are three detailed chapters on the main players in the Linux VPN world: SSH, FreeS/WAN and PPTP. The authors do a thorough job of explaining the basic setups for each one and highlighting the pros and cons of the different technologies. The level of instruction here assumes very little Linux knowledge and even includes step-by-step walkthroughs for kernel recompilation. Unfortunately, when I hit an IPSec security authorization rule hurdle, there was little included in the way of troubleshooting help. After a lengthy session on the Web, and thanks to some Usenet friends, I was able to solve my problem. I spent quite a bit of time reading over the IPSec and FreeS/WAN chapters and found the simple definitions of the different hashing algorithms easy to digest. Encryption can be tough to grasp, and the authors explain enough to allow you to understand the basic configuration fully, yet not so much as to bog the reader down in numeric details.
The final section of the book deals with "nonstandard" VPN protocols, with a chapter each on Tinc, CIPE and VTun. I found these sections concise and intriguing, but not nearly enough to support the design and implementation of a production-level VPN. As with all the other chapters, there are samples of the three basic configurations: host to host, network to host and network to network. If an administrator were to decide to use one of these lesser-known protocols for their setup, they surely would have to do a great deal of additional research, because what is provided in the book is understandably superficial.
Perhaps I'm going to be crucified for saying this, but my main complaint about this book is that it just didn't have enough Windows material in it. The simplistic diagrams and streamlined config files Hatch and Kolesnikov provide make it easy for any intermediate or advanced user to get a basic VPN up and running, but do little to help you deal with the complexities of a cross-platform VPN. When confronted with the task of getting my Windows 2000 laptop up and running with the base FreeS/WAN setup on my Linux gateway, I was unable to get it working. The author omits the "Windows Road Warrior" configuration, stating that Windows remote-client connectivity is still fairly unreliable and thus out of the scope of the text. This proved a major hurdle for me, given that the majority of the VPN environments I work in are those with remote salespeople on the road with Windows laptops.
As much as I would like to voice my frustrations with this book, saying that the one configuration of the one piece of software that I wanted to use (Windows/Linux via FreeS/WAN) was not available, I cannot overlook the fact that for a first delve into the Linux-VPN sector, this text is adequate.
I would recommend this book to intermediate and advanced administrators who are evaluating potential Linux VPN solutions. For those looking for a step-by-step HOWTO to support a corporate solution, you may have to get on-line with me and wait for something from our friends at O'Reilly.