Peter Clay <[EMAIL PROTECTED]> writes:
> Having spent much of the past few weeks trying to sort out a workable VPN
> solution, I think this is a good but doomed idea. http://vpn.ebootis.de/
> has the best free windows IPsec configuration tool I've found, but that
> doesn't help. Why? Because IPsec traffic is not TCP traffic and therefore
> gets dropped by random networks.
> 
> If you want a VPN that road warriors can use, you have to do it with
> IP-over-TCP. Nothing else survives NAT and aggressive firewalling, not even
> Microsoft PPTP.

Unfortunately, IP over TCP has very bad properties. TCP stacks figure
out what the maximum bandwidth they can send is by increasing the
transmission rate until they get drops, and then backing off. However,
the underlying TCP carrying the IP packets is a reliable,
retransmitting service, so there will never be any drops seen by the
overlaid TCP sessions. You end up with really ugly problems, in
short.

Port-forwarded TCP sessions, a la ssh, work a lot better.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
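A toy round-by-round model of the behaviour Perry describes, added here as an illustration; it is not code from the list post or from any VPN tool. The same additive-increase/multiplicative-decrease sender is run twice: once straight over a bottleneck that drops what it cannot buffer, and once inside a reliable outer TCP that retransmits whatever the router drops. The link rate, the router buffer size and the per-round-trip AIMD stepping are assumed values chosen for illustration; receiver windows and retransmission timers are left out.

```python
"""Toy round-by-round model of TCP carried over a reliable TCP tunnel.

Two runs of the same AIMD sender:
  * native:   packets cross the bottleneck directly; overflow is dropped,
              the sender sees the drop and halves its window.
  * tunneled: packets ride inside an outer TCP.  The outer TCP does the
              AIMD against the real link and retransmits what the router
              drops, so the inner sender never sees a loss and never backs
              off; the excess piles up in the tunnel's send buffer instead.
LINK_RATE and LINK_BUFFER are assumed values, not measurements.
"""

from dataclasses import dataclass

LINK_RATE = 10     # packets the bottleneck link forwards per round trip (assumed)
LINK_BUFFER = 20   # packets the bottleneck router can hold before dropping (assumed)
ROUNDS = 60        # round trips to simulate


@dataclass
class Aimd:
    """Minimal AIMD congestion window, counted in packets per round trip."""
    cwnd: float = 1.0

    def on_round(self, saw_loss: bool) -> None:
        # Multiplicative decrease on loss, additive increase otherwise.
        self.cwnd = max(1.0, self.cwnd / 2) if saw_loss else self.cwnd + 1.0


def run_native(rounds: int = ROUNDS):
    """Inner TCP straight over the bottleneck.
    Returns (cwnd per round, router queue per round)."""
    tcp = Aimd()
    queue = 0.0
    cwnd_trace, queue_trace = [], []
    for _ in range(rounds):
        # Offer cwnd packets, let the link drain LINK_RATE, queue the remainder.
        queue = max(queue + tcp.cwnd - LINK_RATE, 0.0)
        dropped = queue > LINK_BUFFER
        if dropped:
            queue = float(LINK_BUFFER)   # the router discards the excess
        tcp.on_round(dropped)            # the sender notices the drop and backs off
        cwnd_trace.append(tcp.cwnd)
        queue_trace.append(queue)
    return cwnd_trace, queue_trace


def run_tunneled(rounds: int = ROUNDS):
    """Inner TCP inside a reliable outer TCP.
    Returns (inner cwnd per round, tunnel backlog per round)."""
    inner, outer = Aimd(), Aimd()
    backlog = 0.0   # inner packets waiting in the outer TCP's send buffer
    queue = 0.0     # router queue, as in run_native
    inner_trace, backlog_trace = [], []
    for _ in range(rounds):
        backlog += inner.cwnd                 # inner hands its window to the tunnel
        sent = min(backlog, outer.cwnd)       # outer's window limits what leaves
        backlog -= sent
        queue = max(queue + sent - LINK_RATE, 0.0)
        dropped = queue > LINK_BUFFER
        if dropped:
            lost = queue - LINK_BUFFER
            queue = float(LINK_BUFFER)
            backlog += lost                   # outer TCP retransmits the dropped packets
        outer.on_round(dropped)               # only the outer TCP ever sees the loss
        inner.on_round(False)                 # inner sees a lossless path and keeps growing
        inner_trace.append(inner.cwnd)
        backlog_trace.append(backlog)
    return inner_trace, backlog_trace


def queueing_delay_rtts(backlog: float) -> float:
    """Extra delay, in round trips, an inner packet waits behind the tunnel backlog."""
    return backlog / LINK_RATE


if __name__ == "__main__":
    cwnd, queue = run_native()
    print(f"native:   peak cwnd {max(cwnd):.0f} pkts, "
          f"peak router queue {max(queue):.0f} pkts")
    icwnd, backlog = run_tunneled()
    print(f"tunneled: inner cwnd {icwnd[-1]:.0f} pkts, tunnel backlog "
          f"{backlog[-1]:.0f} pkts (~{queueing_delay_rtts(backlog[-1]):.0f} RTTs of delay)")
```

Running it shows the contrast in the post: the native sender settles into a bounded sawtooth with the router queue never exceeding its buffer, while the tunneled inner sender's window grows every round trip and the unsent packets accumulate in the tunnel's buffer. The drops that TCP's congestion control relies on are converted into ever-growing delay.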