On Fri, Apr 6, 2018 at 12:58 PM, Mick <michaelkintz...@gmail.com> wrote:
> On Friday, 6 April 2018 00:10:00 BST Grant Taylor wrote:
>> On 04/05/2018 03:51 AM, gevisz wrote:
>> > Yes, the Host is running Windows.
>>
>> Seeing as how both the "Host" and the "Client" are running Windows, I
>> would think seriously about trying to leverage Windows' built-in VPN
>> capabilities.
>>
>> The following things come to mind:
>>
>> - (raw) IPSec - this might be somewhat challenging b/c reasons
>
> I think you mean IKEv2 + IPSec?
>
> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will all
> be encrypted when sent through the IPSec encrypted tunnel.
>
>
>> - L2TP+IPSec - probably less challenging b/c of wizards
>
> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.
>
>
>> - PPTP - just don't unless you have to
>
> Well said:
>
> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security. I would not use it under any
> circumstances, unless security is of no importance.
>
>
>> I'd encourage your friend to check out the VPN capabilities built into
>> Windows. He may need to install / configure (R)RAS to enable the features.
>
> As I mentioned before, there is also IKEv2+IPSec, which allows the client to
> roam between networks without dropping the connection.
>
> Finally, there is SSTP encrypting PPP frames within TLS. I don't know why one
> would use this instead of OpenVPN, except that it comes as part of the
> MSWindows package, while OpenVPN has to be installed separately.
>
>
>> In my experience, using native features that come from the software
>> vendor is often simpler to maintain long term.
>
> +1
>
> They are also easier to set up initially, because both MSWindows peers will
> use the same combo of encryption suites, ciphers, etc.
You mean the same horribly insecure ciphers? The built-in options are so weak that I am not aware of anyone seriously using them; most setups tunnel Windows technologies like RDP (which may sometimes insist on being set up with encryption) over Linux-based technologies.
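The cipher dispute above is checkable. Whatever the stock proposals are, the built-in Windows IKEv2 client will tell you what it is configured to offer, and the proposal can be pinned with the VpnClient cmdlets. The following is an added example, not code from anyone in this thread: it creates an IKEv2 connection, shows that no custom IPsec policy is set (so the client falls back to its stock proposals, which have historically included 3DES, SHA-1 and 1024-bit DH group 2), then pins a modern AES-GCM / SHA-384 / ECP-384 proposal and reads it back. The connection name and server address are placeholders; run it in an elevated PowerShell on a Windows 10/11 client.

```powershell
# Added example: inspect and harden the IPsec proposal of a Windows built-in
# IKEv2 VPN connection (VpnClient module). Not from the original thread.
$Name   = 'ExampleIKEv2'      # assumption: hypothetical connection name
$Server = 'vpn.example.com'   # assumption: hypothetical VPN server FQDN

# 1. Create the connection as IKEv2 (not PPTP or L2TP) with machine-certificate
#    authentication and mandatory encryption.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required -Force

# 2. Before any custom policy is applied, IPsecCustomPolicy is empty: the client
#    negotiates from its stock proposals rather than anything you chose.
'--- IPsecCustomPolicy before hardening (expected: empty) ---'
(Get-VpnConnection -Name $Name).IPsecCustomPolicy

# 3. Pin a modern proposal. With GCM, the cipher and authentication transforms
#    must be the same GCM suite; ECP384 is used for both the IKE DH exchange and
#    ESP perfect forward secrecy.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants         GCMAES256 `
    -EncryptionMethod                 AES256 `
    -IntegrityCheckMethod             SHA384 `
    -DHGroup                          ECP384 `
    -PfsGroup                         ECP384 `
    -Force

# 4. Read back what the client will now offer.
'--- IPsecCustomPolicy after hardening ---'
(Get-VpnConnection -Name $Name).IPsecCustomPolicy |
    Format-List AuthenticationTransformConstants, CipherTransformConstants,
                EncryptionMethod, IntegrityCheckMethod, DHGroup, PfsGroup
```

The pinned policy only restricts what the client proposes; the peer (RRAS or whatever terminates the tunnel) must be configured to accept the same suite or IKE negotiation will simply fail, which is the intended failure mode when the alternative is silently agreeing on 3DES and DH group 2.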