On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
> On 04/05/2018 03:51 AM, gevisz wrote:
> > Yes, the Host is running Windows.
>
> Seeing as how both the "Host" and the "Client" are running Windows, I
> would think seriously about trying to leverage Windows' built in VPN
> capabilities.
>
> The following things come to mind:
>
> - (raw) IPSec - this might be somewhat challenging b/c reasons

I think you mean IKEv2 + IPSec? IKEv2 is used to exchange keys and IPSec is
used to set up and encrypt the tunnel itself. The tunnel is operating at
layer 2, so TCP/UDP/ICMP will all be encrypted when sent through the IPSec
encrypted tunnel.

> - L2TP+IPSec - probably less challenging b/c of wizards

This is using L2TP for encapsulating the frames + IKEv1 for secure key
exchange + IPsec for encryption of the L2TP tunnel.

> - PPTP - just don't unless you have to

Well said: https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security

It is an obsolete method with poor security. I would not use it under any
circumstances, unless security is of no importance.

> I'd encourage your friend to check out the VPN capabilities built into
> Windows. He may need to install / configure (R)RAS to enable the features.

As I mentioned before, there is also IKEv2+IPSec, which allows the client to
roam between networks without dropping the connection.

Finally, there is SSTP, encrypting PPP frames within TLS. I don't know why one
would use this instead of OpenVPN, except that it comes as part of the
MSWindows package, while OpenVPN has to be installed separately.

> In my experience, using native features that come from the software
> vendor is often simpler to maintain long term.

+1

They are also easier to set up initially, because both MSWindows peers will
use the same combo of encryption suites, ciphers, etc. Half of the pain of
getting MSWindows to work with a Linux VPN gateway is often finding how to
configure the cipher, hash and X509v3 extensions of a TLS certificate in a
way that MSWindows will not barf; e.g. IIRC, last time I looked at a Windows 7
IKEv2/IPSec VPN, the TLS certificates would only accept AES128 keys and SHA1.
Anything more onerous would not be accepted by the MSoft TLS key manager.

-- 
Regards,
Mick
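As an added example (not code from the thread or from any of its posters), the Windows-side IKEv2/IPsec client configuration discussed above, done with the built-in VpnClient PowerShell cmdlets: a baseline that leaves the IPsec proposal to the negotiated defaults, beside a version pinned to a modern proposal that a Linux gateway can be configured to match, plus a check for the legacy settings the thread warns about (PPTP, SHA1/3DES). The gateway name is a placeholder, and the IPsecCustomPolicy property layout is assumed from the VpnClient module on Windows 8.1 and later.

```powershell
# Added example, not from the mailing-list thread. Assumes a modern Windows
# client with the VpnClient module, machine-certificate authentication, and a
# gateway (placeholder name below) offering AES-256-GCM / SHA-256 / ECP384.
$name = 'Office-IKEv2'

# Baseline: only the tunnel type is given, so the IPsec proposal is left to the
# built-in defaults, which on older Windows releases include SHA1/3DES/DH group 2.
Add-VpnConnection -Name $name -ServerAddress 'vpn.example.net' `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -Force

# Hardened: pin a custom IPsec policy so both peers negotiate the same modern
# proposal instead of falling back to whatever the defaults allow.
Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup ECP384 `
    -PfsGroup ECP384 `
    -PassThru -Force

# Audit helper: report legacy tunnel types or weak algorithms on a stored
# connection. Returns an empty array when nothing is flagged.
function Test-VpnHardening {
    param([Parameter(Mandatory)][string]$ConnectionName)
    $c = Get-VpnConnection -Name $ConnectionName
    $p = $c.IPsecCustomPolicy   # assumed property name from the VpnClient module
    $issues = @()
    if ($c.TunnelType -eq 'Pptp') {
        $issues += 'PPTP tunnel type (obsolete, weak security)'
    }
    if (-not $p) {
        $issues += 'no custom IPsec policy; platform defaults will be negotiated'
    } else {
        if ($p.IntegrityCheckMethod -in 'MD5', 'SHA1') {
            $issues += "weak integrity algorithm: $($p.IntegrityCheckMethod)"
        }
        if ($p.EncryptionMethod -in 'DES', 'DES3') {
            $issues += "weak cipher: $($p.EncryptionMethod)"
        }
    }
    return $issues
}

Test-VpnHardening -ConnectionName $name
```

Run the audit function against existing connections with `Get-VpnConnection | ForEach-Object { Test-VpnHardening $_.Name }` to find profiles still relying on PPTP or the default proposal.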