On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
> On 04/05/2018 03:51 AM, gevisz wrote:
> > Yes, the Host is running Windows.
> 
> Seeing as how both the "Host" and the "Client" are running Windows, I
> would think seriously about trying to leverage Windows' built in VPN
> capabilities.
> 
> The following things come to mind:
> 
>   - (raw) IPSec - this might be somewhat challenging b/c reasons

I think you mean IKEv2 + IPSec?

IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the 
tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will all 
be encrypted when sent through the IPSec encrypted tunnel.


>   - L2TP+IPSec - probably less challenging b/c of wizards

This is using L2TP for encapsulating the frames + IKEv1 for secure key 
exchange + IPsec for encryption of the L2TP tunnel.


>   - PPTP - just don't unless you have to

Well said:

https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security

It is an obsolete method with poor security.  I would not use it under any 
circumstances, unless security is of no importance.


> I'd encourage your friend to check out the VPN capabilities built into
> Windows.  He may need to install / configure (R)RAS to enable the features.

As I mentioned before, there is also IKEv2+IPSec, which allows the client to 
roam between networks without dropping the connection.

Finally, there is SSTP encrypting PPP frames within TLS.  I don't know why one 
would use this instead of OpenVPN, except that it comes as part of the 
MSWindows package, while OpenVPN has to be installed separately.


> In my experience, using native features that come from the software
> vendor is often simpler to maintain long term.

+1

They are also easier to set up initially, because both MSWindows peers will 
use the same combo of encryption suites, ciphers, etc.  Half of the pain of 
getting MSWindows to work with a Linux VPN gateway is often finding how to 
configure the cipher, hash and X509v3 extensions of a TLS certificate in a way 
that MSWindows will not barf;  e.g. IIRC, last time I looked at a Windows 7 
IKEv2/IPSec VPN, the TLS certificates would only accept AES128 keys and SHA1.  
Anything more onerous would not be accepted by the MSoft TLS key manager.
-- 
Regards,
Mick
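As an added illustration, not taken from Mick's or Grant's messages, of the client-side half of the cipher problem described above: on a Windows client the IKEv2/IPsec proposals can be pinned explicitly instead of relying on the defaults, so that both peers negotiate AES-256/SHA-256 with a 2048-bit DH group rather than whatever the older default picks. The connection name and server address are placeholders.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# Windows client; "Corp-IKEv2" and "vpn.example.invalid" are placeholders.
$Name   = "Corp-IKEv2"
$Server = "vpn.example.invalid"

# Create an IKEv2 connection authenticated with a machine certificate.
# -EncryptionLevel Required refuses to fall back to an unencrypted tunnel.
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -Force

# Pin the IPsec proposal. Without this, the client offers its built-in
# defaults, which on older Windows releases include AES-128 and SHA-1 (the
# combination Mick mentions). ESP integrity SHA256-128, ESP cipher AES-256,
# IKE encryption AES-256, IKE integrity SHA-256, PFS and DH group 14 (2048-bit).
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup PFS2048 `
    -DHGroup Group14 `
    -PassThru -Force

# Verify what the connection will actually offer before handing it to users.
Get-VpnConnection -Name $Name | Select-Object -ExpandProperty IPsecCustomPolicy
```

The gateway (Windows RRAS or a Linux IKE daemon) must accept the same proposal set, otherwise IKE_SA_INIT fails; that is the point at which the cipher and hash settings on both sides have to be reconciled.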
