On Tue, Sep 18, 2007 at 03:39:01PM +0200, Ian Brown wrote:
> Hello,
> 
> - Thanks!
> 
> - I agree that OpenVPN is easy to manage, as you say.
> 
> - I am interested in comparing it to IPsec; ignore the management
> issues; I agree they are **very** important, but I am interested to
> compare the essence of these two options: which is better in terms of
> performance? Which is more secure? Which seems to be the one which will
> be the preferred option in the future? Pros and cons?
How long is a piece of string?

What context is this in?

IPsec and OpenVPN (SSL) use similar encryption techniques - AES, Blowfish, ....

> 
> This is a citation from the Openswan book (Packt Publishing):
> (chapter 10, Encrypting the local network)
> 
> "- One popular solution is VPNs based on SSL, but the problem with SSL
> of course is that it uses a TCP connection. An attacker can send a
> single spoofed TCP-RST packet to kill an SSL-based VPN tunnel. Another
> popular solution is OpenVPN, which provides a relatively easy to set up
> and use UDP-based VPN. However, OpenVPN clients are only available for
> a limited number of operating systems. It also needs pre-arrangement;
> you need to know each others' SSL credentials.
This was true with the old PSKs, but 2.x allows for X.509 PKI; send a
certificate out.

> OpenVPN has also been exposed to much less scrutiny from the crypto
> research community. Other alternatives used are stunnel (SSL wrapping)
> or CIPE. The CIPE protocol has turned out to be fundamentally flawed,
> and should not be used at all. Stunnel solutions suffer from the
> TCP-RST flag issue already mentioned".
> 
> What do you have to say about this citation?
I think this was written about the old OpenVPN 1.0 version. There have been a lot
of changes in 2.x.

Some security stuff is addressed on the OpenVPN site
http://openvpn.net/security.html and a FAQ
http://openvpn.net/faq.html#security-issues

I would suggest the next place to go is the Openswan and OpenVPN mailing lists
and pose these questions there - short of looking through the code yourself.


One thing I have found to be a pain though between IPsec (Openswan on 2.6) vs
OpenVPN is that OpenVPN gives you an interface that is easy to write iptables
rules against.

With IPsec, packets are encapsulated as they enter an interface dependent on
your IPsec filtering rules - this used to be a pain for writing iptables rules.

There were also problems with NAT and IPsec: proper routing settings - setting
the right source address to fit your IPsec filters.

> 
> Regards,
> Ian
> 
> On 9/18/07, Alex Samad <[EMAIL PROTECTED]> wrote:
> > On Tue, Sep 18, 2007 at 11:34:10AM +0200, Ian Brown wrote:
> > > Hi,
> > >  - Can anybody recommend a free VPN for Linux?
> > >
> > >   - I know that it can be installed on top of IPsec (with
> > >   userspace tools like Openswan, http://www.openswan.org/).
> > >
> > >  - I know that you can create a VPN using PPTP (Point-to-Point
> > > Tunneling Protocol)
> > >
> > >  - What are the advantages/disadvantages of using a solution like
> > > Openswan IPsec VPN compared to PPTP?
> >
> > I would recommend OpenVPN; it works with Linux and Windows. It works through
> > HTTP proxies and can be authorised and authenticated with X.509 certs.
> >
> > I have found it a lot simpler to install and manage than IPsec.
> >
> > http://openvpn.net/
> >
> >
> > >
> > > rgs,
> > > Ian
> > > --
> > > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> > > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
> > >
> >
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
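The iptables difference Alex describes, as an added example (not code from the thread or from either project): the same "remote site may reach the LAN" policy written once against OpenVPN's tunnel interface and once against IPsec's policy match on a Linux 2.6 NETKEY kernel, with the NAT and source-address gotchas handled. Assumed names: interfaces tun0 and eth0, LAN 10.1.0.0/24, remote site 10.2.0.0/24, gateway LAN address 10.1.0.1, and the xt_policy match module being available.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: tun0/eth0, LAN 10.1.0.0/24,
# remote site 10.2.0.0/24, this gateway's LAN address 10.1.0.1, Linux 2.6
# NETKEY IPsec with the xt_policy match. Set IPT=echo IP=echo to dry-run.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
LAN=10.1.0.0/24
REMOTE=10.2.0.0/24

# OpenVPN: the tunnel is a real interface, so ordinary -i/-o rules work.
openvpn_rules() {
    "$IPT" -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
    "$IPT" -A FORWARD -i tun0 -o eth0 -s "$REMOTE" -d "$LAN" -j ACCEPT
    "$IPT" -A FORWARD -i eth0 -o tun0 -s "$LAN" -d "$REMOTE" -j ACCEPT
}

# IPsec on NETKEY: decrypted packets reappear on eth0, the interface the ESP
# packets arrived on, so there is no tunnel interface to match. Match the
# IPsec policy the packet was (de)encapsulated under instead.
ipsec_rules() {
    "$IPT" -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT    # IKE
    "$IPT" -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT   # NAT-T
    "$IPT" -A INPUT -i eth0 -p esp -j ACCEPT
    "$IPT" -A FORWARD -i eth0 -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE" -d "$LAN" -j ACCEPT
    "$IPT" -A FORWARD -o eth0 -m policy --dir out --pol ipsec --proto esp \
        -s "$LAN" -d "$REMOTE" -j ACCEPT
    # The NAT pain: nat/POSTROUTING runs before encryption, so a plain
    # MASQUERADE rewrites the source of tunnel-bound packets and they no
    # longer match the IPsec selector. Exempt policy-covered traffic first.
    "$IPT" -t nat -A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o eth0 -s "$LAN" -j MASQUERADE
    # The routing pain: traffic the gateway itself sends to the remote site
    # must carry a LAN source address that fits the selector (assumed route).
    "$IP" route replace "$REMOTE" dev eth0 src 10.1.0.1
}

# Apply for real only when explicitly asked (needs root).
if [ "${APPLY_RULES:-}" = openvpn ]; then openvpn_rules; fi
if [ "${APPLY_RULES:-}" = ipsec ]; then ipsec_rules; fi
```

Run with `APPLY_RULES=ipsec` or `APPLY_RULES=openvpn` as root to apply; with `IPT=echo IP=echo` the functions print the commands instead.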