On Fri, Apr 6, 2018 at 12:58 PM, Mick <michaelkintz...@gmail.com> wrote:
> On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
>> On 04/05/2018 03:51 AM, gevisz wrote:
>> > Yes, the Host is running Windows.
>>
>> Seeing as how both the "Host" and the "Client" are running Windows, I
>> would think seriously about trying to leverage Windows' built in VPN
>> capabilities.
>>
>> The following things come to mind:
>>
>>   - (raw) IPSec - this might be somewhat challenging b/c reasons
>
> I think you mean IKEv2 + IPSec?
>
> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
> be encrypted when sent through the IPSec encrypted tunnel.
>
>
>>   - L2TP+IPSec - probably less challenging b/c of wizards
>
> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.
>
>
>>   - PPTP - just don't unless you have to
>
> Well said:
>
> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security.  I would not use it under any
> circumstances, unless security is of no importance.
>
>
>> I'd encourage your friend to check out the VPN capabilities built into
>> Windows.  He may need to install / configure (R)RAS to enable the features.
>
> As I mentioned before, there is also IKEv2+IPSec, which allows the client to
> roam between networks without dropping the connection.
>
> Finally, there is SSTP encrypting PPP frames within TLS.  I don't know why one
> would use this instead of OpenVPN, except that it comes as part of the
> MSWindows package, while OpenVPN has to be installed separately.
>
>
>> In my experience, using native features that come from the software
>> vendor is often simpler to maintain long term.
>
> +1
>
> They are also easier to set up initially, because both MSWindows peers will
> use the same combo of encryption suites, ciphers, etc.

You mean the same horribly insecure ciphers? The built-in options are
so weak that I am not aware of anyone seriously using them; most
setups tunnel Windows technologies like RDP (which may sometimes
insist on being set up with encryption) over Linux-based technologies.
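As an added example that is not part of this thread: the Windows built-in VPN client does not have to run with its default IPsec proposal, and the VpnClient cmdlets let an administrator pin IKEv2 plus a stronger cipher set before the first connection. The connection name, server hostname and the machine-certificate setup are assumptions.

```powershell
# Added example (not from the thread): create a Windows built-in IKEv2 VPN
# connection and replace the default IPsec proposal with a stronger one.
# 'Corp-IKEv2' and vpn.example.test are placeholders; machine-certificate
# authentication assumes the client already holds a certificate issued by
# a CA that the (R)RAS server trusts.
$name   = 'Corp-IKEv2'
$server = 'vpn.example.test'   # placeholder hostname

# IKEv2 rather than PPTP or L2TP/IPsec-with-IKEv1 (both discussed above),
# and certificate authentication instead of a pre-shared key.
Add-VpnConnection -Name $name -ServerAddress $server `
    -TunnelType IKEv2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -Force

# Override the weak defaults the last reply complains about: AES-256-GCM for
# the ESP tunnel, AES-256 with SHA-384 for the IKE SA, and ECP-384 for both
# the initial DH exchange and perfect forward secrecy.
Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 `
    -DHGroup ECP384 -PfsGroup ECP384 -Force

# Verify what the client will actually propose before connecting.
Get-VpnConnection -Name $name |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, IPsecCustomPolicy
```

The RRAS server must offer a compatible proposal; if it only accepts the legacy defaults, the IKE negotiation simply fails, which is the desired outcome rather than a silent downgrade.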
