Title: RE: [plug] Open VPN, OpenSWAN or FreeSWAN

All right. Now I know the reason why OpenVPN deviates from the IPsec standard, and that is to resolve the issue of NPAT breaking IPsec tunnels.

My applications right now are geared towards bridging private networks via permanent tunnels. OpenSWAN is definitely the way to go. However, I will try OpenVPN as well for future "road warrior" applications.

Thanks man.

-----Original Message-----
Frankly, I would not recommend using OpenSWAN if you wanted to build a
road warrior setup where you have mobile users that want to be able to
access a private office network from wherever they are.  IPsec suffers
from the unfortunate inability to work with network address translation,
and more often than not a road warrior will have Internet access only
via a NAT.  Yes, yes, I know all about the NAT traversal patches, but in
my experiments with them they don't work.  For some fairly common NAT
configurations these NAT traversal patches wind up failing because of
path MTU discovery issues, and fortunately for us, we were given a
routable IP address during the conference where we used it to phone home
(both literally and figuratively).

OpenVPN does not suffer from this disadvantage, making it more suitable
for road warrior configurations.  IPsec, on the other hand, despite
Bruce Schneier's misgivings that it's much too complicated, has
undergone a fair bit of analysis and no one has found any security flaws
in it.  OpenVPN also uses a well-analyzed protocol for its key exchange
(SSL/TLS), but it has not undergone nearly as much analysis.

I would recommend that you make use of OpenVPN if you want to handle
road warriors.  My engineer instinct says that in spite of its lack of
analysis it's probably secure enough for that application.  For bridging
two separate networks over a more permanent VPN connection, I would
recommend OpenS/WAN IPsec instead.

--
dido


From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]
Sent:   Tuesday, December 07, 2004 6:49 PM
To:     [EMAIL PROTECTED]
Subject:        RE: [plug] Open VPN, OpenSWAN or FreeSWAN

All right. I prefer sticking with the standard so I'd rather choose OpenSWAN.

thanks man.

More suggestions are welcome.

-----Original Message-----
From:   Paolo Alexis Falcone [SMTP:[EMAIL PROTECTED]
Sent:   Tuesday, December 07, 2004 6:29 PM
To:     Philippine Linux Users Group Mailing List
Subject:        Re: [plug] Open VPN, OpenSWAN or FreeSWAN

On Tue, 7 Dec 2004 18:02:24 +0800, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
>
> Hi guys,
>
> I'm trying to implement VPN tunnels via broadband in order to eliminate the
> need for leased lines. Based on your experiences, which of the three is the
> best to utilize with reliability as the main factor? I'm planning to create
> IPSec tunnels with Windows and SOHO routers (say Zyxel P-334) as clients.
>

The only standards-compliant VPN solutions out of the two are OpenSWAN
and FreeSWAN (as they can implement IPSec, while OpenVPN implements
its own mechanism using SSL certificates). Among those two there's
the issue of active maintenance - as FreeSWAN's already a dead
project.

Your best option would be the only option left standing if you're
looking for a standards-compliant VPN solution. However, if you don't
mind using a non-standard tunnelling solution then OpenVPN or even
tinc would do.

--
Paolo Alexis Falcone
[EMAIL PROTECTED]
--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: <http://plug.linux.org.ph>
Searchable Archives: <http://marc.free.net.ph>
.
To leave, go to <http://lists.q-linux.com/mailman/listinfo/plug>
.
Are you a Linux newbie? To join the newbie list, go to
<http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie>

