[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
- <!--x-content-type: text/plain -->
- <!--x-date: Thu Feb 24 22:47:56 2005 -->
- <!--x-from-r13: psbjyre ng bhgcbfgfragvary.pbz (Quevfgbcure Tbjyre) -->
- <!--x-message-id: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] --> "http://www.w3.org/TR/html4/loose.dtd">
- <!--x-subject: [ale] SSL-based VPNs (OpenVPN) vs IPSec -->
- <li><em>date</em>: Thu Feb 24 22:47:56 2005</li>
- <li><em>from</em>: cfowler at outpostsentinel.com (Christopher Fowler)</li>
- <li><em>in-reply-to</em>: <[email protected]></li>
- <li><em>references</em>: <<a href="msg00859.html">[email protected]</a>> <[email protected]> <<a href="msg00928.html">[email protected]</a>> <[email protected]></li>
- <li><em>subject</em>: [ale] SSL-based VPNs (OpenVPN) vs IPSec</li>
On Thu, 2005-02-24 at 21:31, Michael H. Warfield wrote:
> On Thu, 2005-02-24 at 20:48 -0500, Christopher Fowler wrote:
> > My #1 problem with IPSec is how it has to be used. I have two devices
> > that needs a tunnel between them. Both devices are behind a NAT
> > Firewall. They do not have a public interface. This is where IPSec is
> > useless. IPSec requires that these devices have public interfaces. In
> > my case I can only use a SSL based VPN like Vtun. There are not any
> > other options.
>
> > Maybe I'm wrong about IPSec but based on what I've read it can't be
> > natted. It has to be on a public interface.
>
> IPSec can be NAT'ed under a variety of circumstances. Some devices
> actually attempt to NAT protocols 50 and 51 but this is highly
> unreliable. A better option is IPSec NAT-T, which is IPSec over UDP,
> which is now supported by a released RFC. What happens there is that
> BOTH IKE and IPSec AH/ESP get encapsulated in UDP on port 4500. That
> fixes the single NAT case. FreeSwan / Openswan / Stronswan all support
> IPSec NAT-T, as does L2TP on Windows XP. If you have a double NAT case,
> I'm not sure how you would manage the "meet in the middle" negotiation
> issue. How does OpenVPN handle it? In the IPv6 world, we have critters
> such as Teredo which operate between two NAT'ed clients but it requires
> the mediation of a Teredo server on a public address. I can see
> establishing a VPN tunnel (IPSec or SSL or IPv6) across clients that are
> each NAT'ed as long as you have a public "touch stone" where they can
> negotiate across a server. But, one way or the other, the two NAT'ed
> clients have to establish their endpoints from behind those NAT devices.
>
> > On Thu, 2005-02-24 at 18:54, Michael H. Warfield wrote:
> > > On Tue, 2005-02-22 at 15:06 -0500, M Raju wrote:
> > > > I have been thinking of playing with OpenVPN and convert my existing
> > > > setup at home which comprises of mainly an IPSec VPN for WiFi/External
> > > > access - OpenBSD Firewall/Access Point running (ISAkmpd), Racoon on OS
> > > > X and OpenSWAN for Linux.
> > >
> > > > Anyone prefer SSL over IPSec? Found an interesting paper on OpenVPN Security ->
> > >
> > > > <a rel="nofollow" href="http://www.sans.org/rr/papers/20/1459.pdf";>http://www.sans.org/rr/papers/20/1459.pdf</a>
> > >
> > > Personally, I would avoid an ssl based VPN like the plague. There is
> > > no "perfect forward secrecy" or rekeying and the session keys can be
> > > determined from the PKI authentication keys (in other words, if you
> > > compromise the key from either end, you can decrypt the traffic, which
> > > is not the case with IPSec w/ PFS and Diffie-Hellman).
>
>
> > > > _Raju
>
> Mike
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00935" href="msg00935.html">[ale] SSL-based VPNs (OpenVPN) vs IPSec</a></strong>
<ul><li><em>From:</em> mhw at wittsend.com (Michael H. Warfield)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00859" href="msg00859.html">[ale] SSL-based VPNs (OpenVPN) vs IPSec</a></strong>
<ul><li><em>From:</em> protocoljunkie at gmail.com (M Raju)</li></ul></li>
<li><strong><a name="00927" href="msg00927.html">[ale] SSL-based VPNs (OpenVPN) vs IPSec</a></strong>
<ul><li><em>From:</em> mhw at wittsend.com (Michael H. Warfield)</li></ul></li>
<li><strong><a name="00928" href="msg00928.html">[ale] SSL-based VPNs (OpenVPN) vs IPSec</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
<li><strong><a name="00930" href="msg00930.html">[ale] SSL-based VPNs (OpenVPN) vs IPSec</a></strong>
<ul><li><em>From:</em> mhw at wittsend.com (Michael H. Warfield)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00931.html">[ale] SSL-based VPNs (OpenVPN) vs IPSec</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00933.html">[ale] Hosting in Atlanta</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00930.html">[ale] SSL-based VPNs (OpenVPN) vs IPSec</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00935.html">[ale] SSL-based VPNs (OpenVPN) vs IPSec</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00932"><strong>Date</strong></a></li>
<li><a href="threads.html#00932"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>