[ale] SSL-based VPNs (OpenVPN) vs IPSec

Christopher Fowler cfowler at outpostsentinel.com
Thu Feb 24 20:54:42 EST 2005


My #1 problem with IPSec is how it has to be used.  I have two devices
that need a tunnel between them.  Both devices are behind a NAT
firewall.  They do not have a public interface.  This is where IPSec is
useless.  IPSec requires that these devices have public interfaces.  In
my case I can only use an SSL-based VPN like Vtun.  There are no
other options.

Maybe I'm wrong about IPSec, but based on what I've read it can't be
NATed.  It has to be on a public interface.

On Thu, 2005-02-24 at 18:54, Michael H. Warfield wrote:
> On Tue, 2005-02-22 at 15:06 -0500, M Raju wrote:
> > I have been thinking of playing with OpenVPN and converting my existing
> > setup at home, which comprises mainly an IPSec VPN for WiFi/external
> > access: an OpenBSD firewall/access point running isakmpd, Racoon on OS
> > X and OpenSWAN for Linux.
> 
> > Anyone prefer SSL over IPSec? Found an interesting paper on OpenVPN Security -> 
> 
> > http://www.sans.org/rr/papers/20/1459.pdf
> 
> 	Personally, I would avoid an SSL-based VPN like the plague.  There is
> no "perfect forward secrecy" or rekeying, and the session keys can be
> determined from the PKI authentication keys (in other words, if you
> compromise the key from either end, you can decrypt the traffic, which
> is not the case with IPSec w/ PFS and Diffie-Hellman).
> 
> 
> > _Raju
> 
> 	Mike
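The thread turns on two configuration-dependent properties of an OpenVPN
deployment: whether the TLS control channel negotiates ephemeral (DH/ECDH)
keys, and whether the data-channel key is periodically renegotiated
(OpenVPN's reneg-sec, default 3600 seconds, 0 disables it).  The checker
below is an added example for this page, not code from the thread or from
the OpenVPN project.  It assumes OpenVPN 2.x directive names (dh, reneg-sec,
tls-auth, tls-crypt, cipher, auth, tls-version-min); the two sample server
configs are constructed for the example and do not describe any real server.

```python
"""Check an OpenVPN 2.x server config for forward-secrecy, rekeying and
control-channel settings.  Added example for this mailing-list page; not
code from the original post or from the OpenVPN project.  Directive names
are OpenVPN 2.x options; the sample configs below are constructed."""
import shlex

# Constructed sample: old-style server with rekeying disabled, no DH
# parameters, no control-channel HMAC and weak algorithms.
WEAK_SERVER_CONF = """
# constructed example, not a real server
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
cipher BF-CBC
auth MD5
reneg-sec 0
"""

# Constructed sample: the same server with DH parameters, tls-auth on the
# control channel, periodic rekeying and modern algorithms.
HARDENED_SERVER_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
reneg-sec 3600
"""

# "none" disables encryption; the rest are 64-bit-block ciphers (BF-CBC was
# OpenVPN's historical default and is subject to SWEET32-style attacks).
WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
WEAK_AUTH = {"NONE", "MD5"}


def parse_config(text):
    """Map each directive to the list of argument lists it appears with.

    Lines starting with '#' or ';' are comments and repeated directives are
    kept in order.  Inline comments and <ca>...</ca> inline blocks are not
    handled (a simplification for this example).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def _last_arg(conf, name):
    """First argument of the last occurrence of a directive, or None."""
    occurrences = conf.get(name)
    if not occurrences or not occurrences[-1]:
        return None
    return occurrences[-1][0]


def check_config(text):
    """Return a list of (code, message) findings; an empty list means clean."""
    conf = parse_config(text)
    findings = []

    # Forward secrecy: DHE cipher suites need DH parameters.  Without a dh
    # directive only ECDHE (OpenVPN 2.4+) can provide an ephemeral exchange.
    if "dh" not in conf:
        findings.append(("no-dh", "no dh directive: DHE suites have no parameters; "
                         "add dh <file> (or rely on ECDHE with dh none on 2.4+)"))

    # Rekeying: reneg-sec 0 turns off periodic data-channel renegotiation;
    # an absent directive means the 3600 s default, which is fine.
    if _last_arg(conf, "reneg-sec") == "0":
        findings.append(("rekey-disabled", "reneg-sec 0 disables periodic rekeying"))

    # Control channel: without tls-auth/tls-crypt, anyone who can reach the
    # UDP port talks to the TLS stack before any authentication happens.
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append(("no-control-hmac",
                         "no tls-auth or tls-crypt: control channel not HMAC-gated"))

    cipher = _last_arg(conf, "cipher")
    if cipher and cipher.upper() in WEAK_CIPHERS:
        findings.append(("weak-cipher", f"cipher {cipher} is weak or disabled"))

    auth = _last_arg(conf, "auth")
    if auth and auth.upper() in WEAK_AUTH:
        findings.append(("weak-auth", f"auth {auth} is weak or disabled"))

    if "tls-version-min" not in conf:
        findings.append(("no-tls-min", "no tls-version-min: set 1.2 to refuse old TLS"))

    return findings


def finding_codes(text):
    """Set of finding codes, convenient for comparing two configs."""
    return {code for code, _ in check_config(text)}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(name, check_config(conf) or "OK")
```

Run it against a real server.conf by passing the file contents to
check_config(); the findings are only as good as the directive list above,
so treat a clean result as "nothing obvious", not as a full audit.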