  1. #11
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,371

    I read about a lot of features not implemented in Untangle; the most popular are:
    IPsec
    Proxy
    Reverse proxy
    UPS support
    Cluster
    More features in online reports
    Wi-Fi access point
    And that is only a small list from my Alzheimer's memory.
    All requests are valid, but I suspect the design staff choose with the feasibility criterion.
    In brief, regarding your request:
    If you agree with the other features but need IPSec, put an ASA in front of the Untangle box in bridge mode.
    I don't know another product in the market with these features at this price (from zero in the lite version). It is not perfect and does not fit ALL my needs, but it is the better platform I found to make a security foundation for my customers.
    The world is divided into 10 kinds of people, who know binary and those not

  2. #12
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    3,022

    I would love to see us support IPSEC and HA. That being said, these aren't *easy* to implement nor set up. That's the main reason we haven't implemented them yet.

    Demand / Effort for this feature is a lower number than the other things we've implemented. We and our community have filed over 8000 bugs since we've started this project. We've closed the vast majority of them. We'll keep working on closing them.

    Believe me, I'd love for Untangle to do everything. That isn't possible. We're a small team of folks working very hard to make Untangle as great as we can. Sometimes we screw up, sometimes we hit the ball out of the park.

    Feedback is always welcome, even if it is presented in a less than genteel manner.
    m.
    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.
    It often helps troubleshooting if you have a good network map. Look here (http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html) if you want my advice on how to draw one.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #13
    Untanglit
    Join Date
    Aug 2010
    Posts
    24

    Out of curiosity, is this how OpenVPN implements a site to site on Untangle? It looks like it's implemented as a service node.
    And needs to make a variety of uvm exceptions.


    /*
     * $HeadURL$
     * Copyright (c) 2003-2007 Untangle, Inc.
     *
     * This program is free software; you can redistribute it and/or modify
     * it under the terms of the GNU General Public License, version 2,
     * as published by the Free Software Foundation.
     *
     * This program is distributed in the hope that it will be useful, but
     * AS-IS and WITHOUT ANY WARRANTY; without even the implied warranty of
     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, TITLE, or
     * NONINFRINGEMENT. See the GNU General Public License for more details.
     *
     * You should have received a copy of the GNU General Public License
     * along with this program; if not, write to the Free Software
     * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
     */

    package com.untangle.node.openvpn;

    import javax.persistence.MappedSuperclass;

    import org.hibernate.annotations.Type;

    import com.untangle.uvm.node.IPaddr;
    import com.untangle.uvm.node.Rule;
    import com.untangle.uvm.node.Validatable;
    import com.untangle.uvm.node.ValidateException;

    /**
     * A network that is available at a site.
     *
     * @author <a href="mailto:rbscott@untangle.com">Robert Scott</a>
     * @version 1.0
     */
    @SuppressWarnings("serial")
    @MappedSuperclass
    public abstract class SiteNetwork extends Rule implements Validatable
    {

        private IPaddr network;
        private IPaddr netmask;

        // constructors -----------------------------------------------------------

        public SiteNetwork() { }

        // accessors --------------------------------------------------------------

        /**
         * @return network exported by this client or server.
         */
        @Type(type="com.untangle.uvm.type.IPaddrUserType")
        public IPaddr getNetwork()
        {
            return this.network;
        }

        public void setNetwork( IPaddr network )
        {
            this.network = network;
        }

        /**
         * Get the range of netmask on the client side(null for site->machine).
         *
         * @return This is the network that is reachable when this client connects.
         */
        @Type(type="com.untangle.uvm.type.IPaddrUserType")
        public IPaddr getNetmask()
        {
            return this.netmask;
        }

        public void setNetmask( IPaddr netmask )
        {
            this.netmask = netmask;
        }

        public void validate() throws ValidateException
        {
            /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
        }
    }

  4. #14
    Untanglit
    Join Date
    Aug 2010
    Posts
    24

    Quote: Originally posted by mrunkel
    I would love to see us support IPSEC and HA. That being said, these aren't *easy* to implement nor set up. That's the main reason we haven't implemented them yet.

    Demand / Effort for this feature is a lower number than the other things we've implemented. We and our community have filed over 8000 bugs since we've started this project. We've closed the vast majority of them. We'll keep working on closing them.

    Believe me, I'd love for Untangle to do everything. That isn't possible. We're a small team of folks working very hard to make Untangle as great as we can. Sometimes we screw up, sometimes we hit the ball out of the park.

    Feedback is always welcome, even if it is presented in a less than genteel manner.
    Well, sorry if I'm less than genteel. And I realize that you are working hard. Sorry if I'm beating a dead horse here.

  5. #15
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Quote: Originally posted by dell4242
    Out of curiosity, is this how OpenVPN implements a site to site on Untangle? It looks like it's implemented as a service node.
    And needs to make a variety of uvm exceptions.
    Yes, it is a service node. I'm not sure of your question though...

  6. #16
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,482

    IPSec as far as I understand it is on the front burner soon. So that issue will go away.

    As for HA, if you don't have the SAN investment, and the cluster of blade servers operating VMWare, you don't have an environment that is HA ready. In short, Untangle doesn't need HA because your network doesn't need it.

    If you want redundancy, buy a cold spare. If you want a hot spare... well we're working on that. Jim Martin of Proactive Network solutions and myself are >< close to having active - passive clustering working. What we need is the central management console. Another feature we've been waiting forever for.

    So if you want to make this akin to another "why this sucks" post go for it. But what you aren't understanding is the volumes of work that have already gone into, and will continue to go into to solve these issues.

    Besides, at the end of the day, and as an Untangle reseller and technical support professional, I can honestly say, I have found NO NETWORK I can't successfully deploy Untangle in. So you say you can't recommend it, I say you're missing the point, missing the boat, and passing up money on the table.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #17
    Untanglit
    Join Date
    Aug 2010
    Posts
    24

    Quote: Originally posted by dmorris
    Yes, it is a service node. I'm not sure of your question though...
    Sorry, reading the code I posted, this just finds the IP address of the local server and throws an exception (teach me to post before leaving work).
    I guess my question is what makes IPsec fundamentally different than SSL?
    From my understanding you would still need a no nat statement, routing changes (etc)... would these be the same in both cases?
    IPsec obviously listens on different ports, but if you could get the same no nat statements etc. from the existing code, and change the process... would that work? Obviously the config files are different... But I'm wondering if there is a quick and dirty fix here.
    Thanks

  8. #18
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,482

    Simply tossing strong/openswan on the box and configuring it will allow a connection to another IPSec device. But our testing has yielded odd stability issues on the platform we haven't been able to lock down. Some of it appears to be related to key issues... but the rest makes little sense.

    And, to make matters worse, at the end of it all the traffic didn't appear to be transiting the UVM like it should. So the rack defenses aren't brought to bear on the traffic, removing the potential of firewall control.

    So sure, if you want to think quick and dirty on stuff we've been arguing with for over a year go right ahead.

  9. #19
    Untanglit
    Join Date
    Aug 2010
    Posts
    24

    Quote: Originally posted by sky-knight
    IPSec as far as I understand it is on the front burner soon. So that issue will go away.
    Nice to hear... who's working on it? Is the project already started? How's it going to be implemented?

    As for HA, if you don't have the SAN investment, and the cluster of blade servers operating VMWare, you don't have an environment that is HA ready. In short, Untangle doesn't need HA because your network doesn't need it.

    Not necessarily true; there is still application-level clustering. Also, failure of one server is not a service outage for a site; no internet/email BlackBerrys would be considered one by the hedge funds I support. For a VMware deployment with a SAN, VMware licenses, etc., you're looking at at least 100k (if you're not using Openfiler, Nexenta or similar).


    If you want redundancy, buy a cold spare. If you want a hot spare... well we're working on that. Jim Martin of Proactive Network solutions and myself are >< close to having active - passive clustering working. What we need is the central management console. Another feature we've been waiting forever for.
    I'm happy to hear it's being worked on. How are you accomplishing this? A cold spare is nice assuming you have someone onsite 24 hours.

    So if you want to make this akin to another "why this sucks" post go for it. But what you aren't understanding is the volumes of work that have already gone into, and will continue to go into to solve these issues.
    The question is not why this sucks, but how are you guys making it better. I think these are the features that people have been asking about, and haven't gotten an answer to. The threads die and come up again repeatedly over the years. Apparently it's getting more attention than I thought.
    Last edited by dell4242; 08-05-2010 at 06:38 PM.

  10. #20
    Untanglit
    Join Date
    Aug 2010
    Posts
    24

    Quote: Originally posted by sky-knight
    Simply tossing strong/openswan on the box and configuring it will allow a connection to another IPSec device. But our testing has yielded odd stability issues on the platform we haven't been able to lock down. Some of it appears to be related to key issues... but the rest makes little sense.

    And, to make matters worse, at the end of it all the traffic didn't appear to be transiting the UVM like it should. So the rack defenses aren't brought to bear on the traffic, removing the potential of firewall control.

    So sure, if you want to think quick and dirty on stuff we've been arguing with for over a year go right ahead.
    Were there any specific adjustments on the platform that you had to make for the SSL VPN to work?
    Do SSL connections site to site go through the uvm? Should these connections be treated differently?
    Have you tried connecting to a device with robust debugging like a Cisco?
    I don't think people are concerned about having remote access VPNs over IPsec, just site to site ones.
