Open Source (was Simple SSL/TLS - Some Questions)

Ben Laurie ben at algroup.co.uk
Fri Oct 10 07:35:40 EDT 2003


Peter Clay wrote:

> On Thu, 9 Oct 2003, Peter Gutmann wrote:
> 
> 
>>I would add to this the observation that rather than writing yet another SSL
>>library to join the eight hundred or so already out there, it might be more
>>useful to create a user-friendly management interface to IPsec implementations
>>to join the zero or so already out there.  The difficulty in setting up any
>>IPsec tunnel is what's been motivating the creation of (often insecure) non-
>>IPsec VPN software, so what'd be a lot more helpful than (no offense, but) yet
>>another SSL implementation is some means of making IPsec easier to use
>>(although that may not be possible... OK, let's say "less painful to use" :-).
> 
> 
> Having spent much of the past few weeks trying to sort out a workable VPN
> solution, I think this is a good but doomed idea. http://vpn.ebootis.de/
> has the best free windows IPsec configuration tool I've found, but that
> doesn't help. Why? Because IPsec traffic is not TCP traffic and therefore
> gets dropped by random networks.
> 
> If you want a VPN that road warriors can use, you have to do it with
> IP-over-TCP. Nothing else survives NAT and aggressive firewalling, not even
> Microsoft PPTP.

PPTP uses GRE, so aggressive firewalls are likely to kill it, however,
it isn't hard to stop them :-)

However, I've seen UDP survive some fairly aggressive firewalling, and
that's what you really want for a VPN.

> If someone out there wants to write VPN software that becomes widely used,
> then they should make a free IP-over-TCP solution that works on Windows
> and Linux which uses password authentication.

Doesn't OpenVPN have that option?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
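To show the combination the thread circles around (IP-over-TCP so the tunnel passes NAT and egress filters that drop ESP or GRE, plus password authentication, on both Windows and Linux), here is an added pair of OpenVPN configuration files. They are not from the thread or the OpenVPN project; the hostname, file paths and the PAM plugin location are assumptions, and the syntax is OpenVPN 2.4 or later.

```conf
# --- server.conf (runs on the Linux gateway; paths are placeholders) ---
# Listen on TCP/443 so the tunnel looks like ordinary HTTPS to NAT boxes
# and egress filters that drop ESP, GRE and sometimes UDP.
proto tcp-server
port 443
dev tun
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# Password authentication: check the username/password the client sends
# against the host's PAM "login" service (plugin path varies by distro).
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
# Accept clients that present no certificate. Client authentication then
# rests entirely on the password, so the client MUST verify the server
# certificate (see client side) or the password can be captured by an
# impostor server.
verify-client-cert none
username-as-common-name
keepalive 10 60
persist-key
persist-tun

# --- client.ovpn (the same file works on Windows and Linux) ---
client
dev tun
proto tcp-client
remote vpn.example.com 443
# Only the CA is needed on the client; it is what authenticates the server.
ca ca.crt
# Prompt for username/password at connect time.
auth-user-pass
# Refuse the connection unless the peer's certificate is a server
# certificate signed by our CA; prevents a client cert being reused
# to impersonate the server.
remote-cert-tls server
persist-key
persist-tun
```

TCP-in-TCP costs throughput under loss (the two retransmission timers fight), which is why Ben's preference for UDP wherever it gets through still stands; switching both sides to `proto udp` on the same port is the only change needed.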


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
