Re: Why more than 1 hole in FW for IPSec

From: erik (erik_at_geenspam.vanwesten.net)
Date: 08/30/03

  • Next message: Martin Bock: "Re: what free proxy server to choose?"

    Date: Sat, 30 Aug 2003 12:41:36 +0200

    Stephen J. Bevan wrote:

    > jim2002@yonan.net (James Yonan) writes:
    >> > SSL/TLS was designed to run over a reliable transport (e.g. TCP) it
    >> > wasn't designed to run over unreliable ones (any type of datagram).
    >> > Also running TCP over TCP, as would be necessary if you tunnel
    >> > everything via SSL, has various documented drawbacks.
    >>
    >> OpenVPN is designed to multiplex SSL/TLS + actual IP datagrams over a
    >> single UDP port. It does this by: ...
    >
    > With your other followup it is now clear that what you mean by SSL/TLS
    > and what I mean by it are not quite the same thing. When I write
    > SSL/TLS I mean the whole protocol, not just the part that does keying.
    > Taking just the keying part and marrying it with your own format for
    > encrypting IP packets is an interesting approach. However, it
    > isn't entirely clear to me how this is an improvement over using
    > IKE+IPsec. I have the same reaction to a bunch of other VPN solutions
    > :-
    >
    > CIPE http://sites.inka.de/bigred/devel/cipe.html
    > SLAN http://sourceforge.net/projects/slan/
    > TINC http://tinc.nl.linux.org/
    > VPND http://sunsite.dk/vpnd/
    > VTUN http://vtun.sourceforge.net/
    > YAVIPIN http://yavipin.sourceforge.net/
    > ZEBEDEE http://www.winton.org.uk/zebedee/
    >
    > BTW it is not that I think IKE+IPsec is perfect by any means, it is
    > just that it isn't clear to me that any of the alternatives are better.

    It is not so much that they are 'better', but sometimes better suited to
    fit the needs. IKE+IPsec (and in particular some implementations like
    FreeS/WAN) do not really like NAT. This is where one of the others comes
    in.

    EJ

    -- 
    Remove the obvious part (including the dot) for my email address
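As an added illustration, not part of the original thread, of why EJ says IKE+IPsec "do not really like NAT" while a design that multiplexes everything over a single UDP port (the OpenVPN approach quoted above) copes: a toy Python model of a port-translating NAT. The addresses, the UDP port 5000 and the packet shape are constructed, and the model assumes a plain NAPT with no ESP awareness.

```python
from dataclasses import dataclass, replace
from typing import Optional

PROTO_UDP, PROTO_ESP = 17, 50  # IANA IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # UDP only: ESP carries no port numbers
    dport: Optional[int] = None

class PortNat:
    """Classic NAPT: rewrites the source address and allocates a unique
    public source port per inner (host, port, destination) flow."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip, self.next_port = public_ip, 40000
        self.out = {}   # (inner_ip, sport, dst, dport) -> public port
        self.back = {}  # public port -> (inner_ip, sport)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != PROTO_UDP:
            # ESP has no port field, so a plain NAPT has nothing to key a
            # return mapping on and cannot tell two inner hosts apart: drop.
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inner = self.back.get(pkt.dport) if pkt.proto == PROTO_UDP else None
        return None if inner is None else replace(pkt, dst=inner[0], dport=inner[1])

def clients_reaching_gateway(proto: int) -> int:
    """How many of two inner hosts complete a round trip to one VPN gateway
    through the NAT. Addresses and the UDP port 5000 are constructed."""
    nat, gw, reached = PortNat("203.0.113.1"), "198.51.100.5", 0
    for host in ("10.0.0.2", "10.0.0.3"):
        port = 5000 if proto == PROTO_UDP else None
        out = nat.outbound(Packet(proto, host, gw, port, port))
        if out is not None:  # dropped packets never reach the gateway
            # Gateway replies to what it saw; the NAT must map it back inside.
            back = nat.inbound(Packet(proto, gw, out.src, out.dport, out.sport))
            reached += back is not None and back.dst == host
    return reached
```

With UDP both inner hosts get their own public port and their replies come back; with raw ESP neither does, which is why the firewall and NAT need extra, protocol-specific handling for IPsec.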