From: Grant Taylor <gtaylor@gentoo.tnetconsulting.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
Date: Fri, 6 Apr 2018 12:20:09 -0600
Message-ID: <fea5575e-727b-16a2-77fa-711e7fd48b9d@spamtrap.tnetconsulting.net>
In-Reply-To: <1992980.6RBP82CMcb@dell_xps>
On 04/06/2018 11:58 AM, Mick wrote:
> I think you mean IKEv2 + IPSec?
I don't remember IKE<anything> involved the last time I had to manually
set up an IPSec connection between two Windows systems (or Windows and a
Netgear router). I think it was /completely/ manual and PSK.
> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will
> all be encrypted when sent through the IPSec encrypted tunnel.
I remember doing a little bit with IKE 10+ years ago back when it was
OpenSWAN / FreeSWAN.
> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.
ACK
> Well said:
*chuckle*
> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security. I would not use it under
> any circumstances, unless security is of no importance.
Agreed.
> As I mentioned before, there is also IKEv2+IPSec, which allows the client
> to roam between networks without dropping the connection.
Intriguing. I've never considered IPSec with a road warrior, much less
an established connection with a changing IP address. I would have been
much more likely to look at OpenVPN or Wireguard or OpenSSH.
> Finally, there is SSTP encrypting PPP frames within TLS. I don't know
> why one would use this instead of OpenVPN, except that it comes as part
> of the MSWindows package, while OpenVPN has to be installed separately.
SSTP is a new one on me.
> +1
>
> They are also easier to set up initially, because both MSWindows peers
> will use the same combo of encryption suites, ciphers, etc. Half of
> the pain of getting MSWindows to work with a Linux VPN gateway is often
> finding how to configure the cipher, hash and X509v3 extensions of a
> TLS certificate in a way that MSWindows will not barf; e.g. IIRC, last
> time I looked at a Windows 7 IKEv2/IPSec VPN, the TLS certificates would
> only accept AES128 keys and SHA1. Anything more onerous would not be
> accepted by the MSoft TLS key manager.
Agreed.
--
Grant. . . .
unix || die