On Tue, Dec 07, 2004 at 06:48:30PM +0800, [EMAIL PROTECTED] wrote:
> All right. I prefer sticking with the standard so I'd rather choose
> OpenSWAN.

Frankly, I would not recommend using OpenSWAN if you wanted to build a road warrior setup where you have mobile users that want to be able to access a private office network from wherever they are. IPsec suffers from the unfortunate inability to work with network address translation, and more often than not a road warrior will have Internet access only via a NAT. Yes, yes, I know all about the NAT traversal patches, but in my experiments with them they don't work. For some fairly common NAT configurations these NAT traversal patches wind up failing because of path MTU discovery issues, and fortunately for us, we were given a routable IP address during the conference where we used it to phone home (both literally and figuratively). OpenVPN does not suffer from this disadvantage, making it more suitable for road warrior configurations.

IPsec, on the other hand, despite Bruce Schneier's misgivings that it's much too complicated, has undergone a fair bit of analysis and no one has found any security flaws in it. OpenVPN also uses a well-analyzed protocol for its key exchange (SSL/TLS), but it has not undergone nearly as much analysis.

I would recommend that you make use of OpenVPN if you want to handle road warriors. My engineer instinct says that in spite of its lack of analysis it's probably secure enough for that application. For bridging two separate networks over a more permanent VPN connection, I would recommend OpenS/WAN IPsec instead.

-- 
dido
The foundation of all mental illness is the avoidance of legitimate suffering.
http://stormwyrm.blogspot.com/
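The mail's claim that IPsec "does not work with NAT" comes down to two protocol facts: ESP (IP protocol 50) carries no port numbers for a port-translating NAT to multiplex on, and AH authenticates the outer source address that the NAT rewrites. The following Python simulation is an added illustration of both points and of how UDP encapsulation of ESP (NAT-T, UDP port 4500) fixes the first one; it is not code from the mail or from Openswan/OpenVPN, and every address, key and packet in it is constructed for the demonstration. The toy NAT deliberately has no IPsec "passthrough" helper, so it behaves like the simple port-based NATs a road warrior tends to meet.

```python
"""
Constructed simulation (added illustration, not part of the original mail) of
two reasons IPsec and a port-translating NAT (NAPT) do not get along, and of
how UDP encapsulation of ESP (NAT-T, UDP/4500) addresses the first one:

  1. ESP (IP protocol 50) carries no port numbers, so a NAPT with one public
     address has nothing to key return traffic on when several inside hosts
     talk to the same gateway.
  2. AH authenticates the outer IP source address, so a rewrite by the NAT
     invalidates the integrity check.

All addresses, keys and packets below are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "ESP", "AH" or "UDP"
    src: str
    dst: str
    sport: Optional[int] = None   # only meaningful for UDP
    dport: Optional[int] = None
    payload: bytes = b""


class PortNAT:
    """Toy NAPT with a single public address and no IPsec helper."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 40000
        self._out: Dict[Tuple[str, str, int], int] = {}        # (proto, inside, sport) -> public port
        self._in: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, public port) -> (inside, sport)
        self._portless: Dict[Tuple[str, str], str] = {}       # (proto, remote) -> last inside host seen

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:                 # ESP/AH: nothing but the address to translate
            # Only one inside host per (proto, remote) can be remembered;
            # a second one silently takes over the mapping.
            self._portless[(pkt.proto, pkt.dst)] = pkt.src
            return Packet(pkt.proto, self.public_ip, pkt.dst, payload=pkt.payload)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[(pkt.proto, self._next_port)] = (pkt.src, pkt.sport)
            self._next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, self._out[key], pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None:                 # portless protocol: best guess is the last host seen
            inside = self._portless.get((pkt.proto, pkt.src))
            return None if inside is None else Packet(pkt.proto, pkt.src, inside, payload=pkt.payload)
        mapping = self._in.get((pkt.proto, pkt.dport))
        if mapping is None:
            return None
        inside, sport = mapping
        return Packet(pkt.proto, pkt.src, inside, pkt.sport, sport, pkt.payload)


GATEWAY = "203.0.113.1"      # constructed office VPN gateway address
NAT_IP = "198.51.100.7"      # constructed public address of the hotel NAT
ALICE, BOB = "10.0.0.11", "10.0.0.12"   # two road warriors behind that NAT


def plain_esp_delivery() -> Dict[str, str]:
    """Both clients use plain ESP to the same gateway. Returns which inside
    host each of the gateway's replies actually reaches."""
    nat = PortNAT(NAT_IP)
    nat.outbound(Packet("ESP", ALICE, GATEWAY, payload=b"alice-ike-done"))
    nat.outbound(Packet("ESP", BOB, GATEWAY, payload=b"bob-ike-done"))
    # The gateway answers both; to the NAT the two replies look identical.
    reply_for_alice = nat.inbound(Packet("ESP", GATEWAY, NAT_IP, payload=b"to-alice"))
    reply_for_bob = nat.inbound(Packet("ESP", GATEWAY, NAT_IP, payload=b"to-bob"))
    return {"to-alice": reply_for_alice.dst, "to-bob": reply_for_bob.dst}


def nat_t_delivery() -> Dict[str, str]:
    """Same scenario with ESP wrapped in UDP/4500 (NAT-T): the NAT now has
    ports to key on, and each reply reaches the right host."""
    nat = PortNAT(NAT_IP)
    a = nat.outbound(Packet("UDP", ALICE, GATEWAY, 4500, 4500, b"alice"))
    b = nat.outbound(Packet("UDP", BOB, GATEWAY, 4500, 4500, b"bob"))
    reply_for_alice = nat.inbound(Packet("UDP", GATEWAY, NAT_IP, 4500, a.sport, b"to-alice"))
    reply_for_bob = nat.inbound(Packet("UDP", GATEWAY, NAT_IP, 4500, b.sport, b"to-bob"))
    return {"to-alice": reply_for_alice.dst, "to-bob": reply_for_bob.dst}


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """AH's integrity value covers the immutable IP header fields, including
    the source address (simplified here to src, dst and payload)."""
    return hmac.new(key, f"{src}>{dst}|".encode() + payload, hashlib.sha256).digest()


def ah_survives_nat() -> bool:
    """Compute an AH ICV at the client, pass the packet through the NAT and
    verify at the gateway. True only if the check still passes."""
    key = b"constructed-shared-key"
    pkt = Packet("AH", ALICE, GATEWAY, payload=b"hello")
    icv = ah_icv(key, pkt.src, pkt.dst, pkt.payload)
    on_wire = PortNAT(NAT_IP).outbound(pkt)   # source address rewritten to NAT_IP
    return hmac.compare_digest(icv, ah_icv(key, on_wire.src, on_wire.dst, on_wire.payload))


if __name__ == "__main__":
    print("plain ESP :", plain_esp_delivery())   # both replies land on Bob
    print("NAT-T     :", nat_t_delivery())       # each reply reaches its owner
    print("AH via NAT:", ah_survives_nat())      # False: the NAT broke the ICV
```

With plain ESP the second client's session overwrites the first one's mapping, so both gateway replies are delivered to Bob; with UDP encapsulation each client gets its own public port and delivery is correct; and the AH check fails as soon as the NAT rewrites the source address. Real NAT devices vary (some track ESP by SPI, and the path MTU problems the mail mentions are a separate issue of the extra encapsulation overhead), but this is the core reason NAT-T exists.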
