[ale] Why I Chose IPsec over OpenVPN (Was: Re: How to test your public internet connection for open ports)
Michael H. Warfield
mhw at WittsEnd.com
Fri Feb 11 13:48:20 EST 2011
On Fri, 2011-02-11 at 13:32 -0500, Michael B. Trausch wrote:
> On Fri, 2011-02-11 at 13:14 -0500, Michael H. Warfield wrote:
<-- quick snip -->
> > IPsec:
> > - Cannot do over TCP (Cisco is about the only one I know that does)
> Maybe I'm missing something, but why would you want to do that? I mean,
> you can do IP by sneakernet or carrier pigeon, too, but I wouldn't want
> to... ;-)
Because OpenVPN has it and the Cisco's have it and some people have
asked for it for sites where they block all outbound UDP. Yeah, we do
actually run into that from time to time. It's used as an excuse to
foist TCP based SSL tunnels on some of us and I just can't drive a stake
through the heart of that argument. If you're going to use SSL (real
SSL) for a VPN then DTLS (Datagram TLS - aka SSL over UDP) is good. The
Cisco AnyConnect open-source OpenConnect is an example of an SSL VPN
that supports both SSL over TCP and DTLS UDP.
OpenVPN, OTOH, claims to use ESP-in-UDP encapsulation, which is IPsec
NAT-T encapsulation, but it's not really IPsec compatible and their key
exchange negotiation is definitely not IKE compatible. So they're not
really SSL over UDP (DTLS) but they're also not IPsec but something sort
of in-betwixt.
> > - Can be blocked at some sites (proto 50/51 and/or udp 500/4500)
>
> Indeed. Though I was very happy to see that RFC 6092 explicitly
> recommends that IPsec be left untouched and permitted to pass.
> Hopefully, vendors will take the recommendations from that as a default
> configuration.
> I for one would like to see (native) IPsec used much more than it is.
Wouldn't we all. Been fighting that fight for a long time.
> --- Mike
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
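The message above contrasts IPsec NAT-T (ESP-in-UDP on 4500, IKE on 500/4500) with what OpenVPN actually puts on the wire. The classifier below is an added example, not code from the original post or from any of the projects it names: it decodes UDP datagrams on ports 500 and 4500 the way RFC 3948 and RFC 7296 define them (the four-zero-byte non-ESP marker, the one-byte NAT keepalive, the ESP SPI/sequence header, the 28-byte IKE header) and flags ESP whose SPI matches no negotiated SA. The sample datagrams and the `KNOWN` SPI table are constructed for the example; none of it is captured traffic.

```python
"""Classify UDP/500 and UDP/4500 datagrams per RFC 3948 (NAT-T) and RFC 7296 (IKE header).

Added example for the thread above; not the post author's code. Samples are
constructed by hand, and the SPI table is a stand-in for a real SAD lookup.
"""
import struct

# RFC 3948 s2.2: IKE carried on UDP/4500 is prefixed with four zero bytes
# (the Non-ESP Marker) so a receiver can tell it from ESP, whose first four
# bytes are an SPI that is never zero.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 s2.3: NAT-keepalive is a single 0xFF byte.
NAT_KEEPALIVE = b"\xff"
# RFC 7296 s3.1 fixed header: I-SPI, R-SPI, next payload, version, exchange,
# flags, message ID, length (28 bytes). Same layout as IKEv1 (RFC 2408).
IKE_HDR = struct.Struct("!QQBBBBII")

IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20   # bits I and R of the Flags octet


def parse_ike(data: bytes) -> dict:
    """Decode the fixed IKE header only; payloads are not parsed."""
    if len(data) < IKE_HDR.size:
        return {"kind": "malformed", "reason": "IKE header truncated"}
    i_spi, r_spi, nxt, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(data)
    if length != len(data):
        return {"kind": "malformed",
                "reason": "IKE length %d != datagram %d" % (length, len(data))}
    return {
        "kind": "ike",
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "exchange": IKEV2_EXCHANGES.get(exch, "type-%d" % exch),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "i_spi": i_spi, "r_spi": r_spi, "msg_id": msg_id, "next_payload": nxt,
    }


def classify_udp(dport: int, payload: bytes, known_spis=frozenset()) -> dict:
    """Classify one UDP datagram addressed to an IPsec port.

    known_spis stands in for the inbound SAD: ESP whose SPI was never
    negotiated by IKE is reported with known_sa=False.
    """
    if dport == 500:
        return parse_ike(payload)              # plain IKE; no marker on 500
    if dport != 4500:
        return {"kind": "not-ipsec-port"}
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return parse_ike(payload[4:])          # IKE behind the non-ESP marker
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "too short for ESP"}
    spi, seq = struct.unpack_from("!II", payload)   # ESP: SPI, sequence number
    return {"kind": "esp-in-udp", "spi": spi, "seq": seq,
            "known_sa": spi in known_spis, "ct_len": len(payload) - 8}


def build_ike(exch, flags, i_spi, r_spi, msg_id, body=b"", version=0x20, nxt=33):
    """Construct an IKE datagram with a correct length field (sample builder)."""
    return IKE_HDR.pack(i_spi, r_spi, nxt, version, exch, flags, msg_id,
                        IKE_HDR.size + len(body)) + body


# Constructed samples, not captures. SPI 0xC0FFEE01 is the one "negotiated" SA.
KNOWN = frozenset({0xC0FFEE01})
SAMPLES = [
    (4500, NAT_KEEPALIVE),
    (4500, NON_ESP_MARKER + build_ike(34, FLAG_INITIATOR,
                                      0x1122334455667788, 0, 0, b"\x00" * 8)),
    (500, build_ike(34, FLAG_RESPONSE, 0x1122334455667788, 0x8877665544332211, 0)),
    (4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 40),   # ESP for the known SA
    (4500, b"\x38" + b"\x13" * 30),   # non-zero lead bytes, no matching SA
]


def classify_samples():
    return [classify_udp(port, data, KNOWN) for port, data in SAMPLES]


if __name__ == "__main__":
    for (port, data), result in zip(SAMPLES, classify_samples()):
        print("udp/%d %3d bytes -> %s" % (port, len(data), result))
```

The last sample is the point of the thread: anything on 4500 whose first four bytes are non-zero is ESP as far as RFC 3948 framing goes, so a sensor can only call it IPsec if the SPI exists in a state it learned from IKE. A tunnel that borrows the encapsulation but not IKE never gets that far. Proto 50/51 blocking mentioned in the message is outside this classifier; it only sees what already reached UDP.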