
8.5. Virtual Private Networks

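A virtual private network (VPN) is a group of two or more computer systems, typically reaching a private network across a public network, that communicate securely over that public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network's topology.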
Debian provides quite a few packages to set up encrypted virtual private networks:
FIXME: Update the information here since it was written with FreeSWAN in mind. Check Bug #237764 and Message-Id: <200412101215.04040.rmayr@debian.org>.
The OpenSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.
For more information see http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html (covers IPsec and PPTP), http://www.tldp.org/HOWTO/VPN-HOWTO.html (covers PPP over SSH), http://www.tldp.org/HOWTO/mini/Cipe+Masq.html, and http://www.tldp.org/HOWTO/mini/ppp-ssh/index.html.
Also worth checking out is http://yavipin.sourceforge.net/, but no Debian packages seem to be available yet.

8.5.1. Point to Point tunneling

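If you want to provide a tunneling server for a mixed environment (Microsoft operating systems and Linux clients) and IPsec is not an option (since it is only provided for Windows 2000 and Windows XP), you can use PoPToP (Point to Point Tunneling Server), provided in the pptpd package.
If you want to use Microsoft's authentication and encryption with the server provided in the ppp package, note the following from the FAQ: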
It is only necessary to use PPP 2.3.8 if you want Microsoft compatible
MSCHAPv2/MPPE authentication and encryption. The reason for this is that
the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP
2.3.8. If you don't need Microsoft compatible authentication/encryption
any 2.3.x PPP source will be fine.
However, you also have to apply the kernel patch provided by the kernel-patch-mppe package, which provides the pp_mppe module for pppd.
Take into account that the encryption in PPTP forces you to store user passwords in clear text, and that the MS-CHAPv2 protocol has known security issues (see http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/).
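
Because those passwords sit on disk in clear text, the file holding them deserves a regular check. The following is an added example, not part of the original manual: it assumes pppd's usual secrets file /etc/ppp/chap-secrets and its column layout (client, server, secret, allowed addresses), neither of which this page names.

```shell
#!/bin/sh
# Audit a pppd CHAP secrets file: who can read it, and which accounts
# have a cleartext secret stored in it.
# Assumed layout (pppd default): client  server  secret  [allowed addresses]
# Limitation: quoted secrets containing spaces shift the awk field numbers.

audit_chap_secrets() {
    file=${1:-/etc/ppp/chap-secrets}   # assumed default path
    status=0

    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 2
    fi

    # The secrets are not hashed, so group/other must have no access at all.
    mode=$(stat -c '%a' "$file")       # GNU stat, as shipped with Debian
    case $mode in
        *00) ;;
        *) echo "PERMS $file has mode $mode; use 600 so only the owner can read it"
           status=1 ;;
    esac

    # Inventory every account whose password would leak with this file,
    # and flag entries that accept a connection from any client address.
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        { print "CLEARTEXT secret stored for account " $1 " (server " $2 ")" }
        $4 == "*" { print "ANYADDR " $1 " may connect from any address" }
    ' "$file"

    return $status
}

# Run against the file given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_chap_secrets "$1"
fi
```

Every CLEARTEXT line names a password that should be unique to the VPN, since anyone who obtains the file or a backup of it obtains the password itself.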