Peter Clay wrote:
> On Thu, 9 Oct 2003, Peter Gutmann wrote:
>
>> I would add to this the observation that rather than writing yet another SSL
>> library to join the eight hundred or so already out there, it might be more
>> useful to create a user-friendly management interface to IPsec implementations
>> to join the zero or so already out there. The difficulty in setting up any
>> IPsec tunnel is what's been motivating the creation of (often insecure)
>> non-IPsec VPN software, so what'd be a lot more helpful than (no offense, but)
>> yet another SSL implementation is some means of making IPsec easier to use
>> (although that may not be possible... OK, let's say "less painful to use" :-).
>
> Having spent much of the past few weeks trying to sort out a workable VPN
> solution, I think this is a good but doomed idea. http://vpn.ebootis.de/
> has the best free Windows IPsec configuration tool I've found, but that
> doesn't help. Why? Because IPsec traffic is not TCP traffic and therefore
> gets dropped by random networks.
>
> If you want a VPN that road warriors can use, you have to do it with
> IP-over-TCP. Nothing else survives NAT and aggressive firewalling, not even
> Microsoft PPTP.
PPTP uses GRE, so aggressive firewalls are likely to kill it; however, it
isn't hard to stop them :-) However, I've seen UDP survive some fairly
aggressive firewalling, and that's what you really want for a VPN.

> If someone out there wants to write VPN software that becomes widely used,
> then they should make a free IP-over-TCP solution that works on Windows
> and Linux which uses password authentication.

Doesn't OpenVPN have that option?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]