From: Grant Taylor
Organization: TNet Consulting
Subject: Re: [gentoo-user] [OT] What is the best open-source VPN server for Linux?
To: gentoo-user@lists.gentoo.org
Date: Fri, 6 Apr 2018 12:20:09 -0600
In-Reply-To: <1992980.6RBP82CMcb@dell_xps>

On 04/06/2018 11:58 AM, Mick wrote:
> I think you mean IKEv2 + IPSec?

I don't remember IKE involved the last time I had to manually set up an IPSec connection between two Windows systems (or Windows and a Netgear router). I think it was /completely/ manual and PSK.

> IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will
> all be encrypted when sent through the IPSec encrypted tunnel.

I remember doing a little bit with IKE 10+ years ago back when it was OpenSWAN / FreeSWAN.

> This is using L2TP for encapsulating the frames + IKEv1 for secure key
> exchange + IPsec for encryption of the L2TP tunnel.

ACK

> Well said:

*chuckle*

> https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
>
> It is an obsolete method with poor security. I would not use it under
> any circumstances, unless security is of no importance.

Agreed.

> As I mentioned before, there is also IKEv2+IPSec, which allows the client
> to roam between networks without dropping the connection.

Intriguing.

I've never considered IPSec with a road warrior, much less an established connection with a changing IP address. I would have been much more likely to look at OpenVPN or Wireguard or OpenSSH.

> Finally, there is SSTP encrypting PPP frames within TLS. I don't know
> why one would use this instead of OpenVPN, except that it comes as part
> of the MSWindows package, while OpenVPN has to be installed separately.

SSTP is a new one on me.

> +1
>
> They are also easier to set up initially, because both MSWindows peers
> will use the same combo of encryption suites, ciphers, etc. Half of
> the pain of getting MSWindows to work with a Linux VPN gateway is often
> finding how to configure the cipher, hash and X509v3 extensions of a
> TLS certificate in a way that MSWindows will not barf; e.g. IIRC, last
> time I looked at a Windows 7 IKEv2/IPSec VPN, the TLS certificates would
> only accept AES128 keys and SHA1. Anything more onerous would not be
> accepted by the MSoft TLS key manager.

Agreed.

-- 
Grant. . . .
unix || die
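Mick's point about getting the X509v3 extensions of a gateway certificate into a shape a Windows IKEv2 client will accept is something a gateway admin can check mechanically before touching the Windows side. The script below is an added example, not code from either poster or from any project named in the thread. It assumes openssl is on PATH, uses the placeholder hostname vpn.example.test, and assumes the two extensions Windows IKEv2 clients are known to check on the gateway certificate: a serverAuth extended key usage and a subjectAltName that matches the name the client dials. The IKE intermediate OID 1.3.6.1.5.5.8.2.2 is included as a commonly added extra; the script also signs with SHA-256 and verifies that in the output rather than assuming it.

```shell
#!/bin/sh
# Added example: build a throwaway CA plus an IKEv2 gateway certificate with
# the X509v3 extensions Windows IKEv2 clients expect, then check the result.
# VPN_HOST and OUT_DIR are placeholders, not values from the thread.
set -eu

VPN_HOST="${VPN_HOST:-vpn.example.test}"   # placeholder FQDN the client dials
OUT_DIR="${OUT_DIR:-./ikev2-pki}"           # placeholder output directory

# Emit the OpenSSL extension section for the gateway certificate.
# serverAuth EKU + matching SAN are what the Windows client checks;
# 1.3.6.1.5.5.8.2.2 (IKE intermediate) is a commonly added extra EKU.
gateway_extensions() {
  cat <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$1
EOF
}

# Create CA key/cert, gateway key/CSR, and sign the CSR with the extensions.
build_pki() {
  mkdir -p "$OUT_DIR"
  gateway_extensions "$VPN_HOST" > "$OUT_DIR/gateway.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$OUT_DIR/ca.key" -out "$OUT_DIR/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$VPN_HOST" \
    -keyout "$OUT_DIR/gateway.key" -out "$OUT_DIR/gateway.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 \
    -in "$OUT_DIR/gateway.csr" -CA "$OUT_DIR/ca.crt" -CAkey "$OUT_DIR/ca.key" \
    -CAcreateserial -extfile "$OUT_DIR/gateway.ext" \
    -out "$OUT_DIR/gateway.crt" 2>/dev/null
}

# Inspect an issued certificate: fail (return 1) if any expected property is
# missing, so a misconfigured cert is caught before a client is pointed at it.
check_gateway_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "missing serverAuth EKU" >&2; return 1; }
  echo "$text" | grep -q "DNS:$2" \
    || { echo "missing SAN DNS:$2" >&2; return 1; }
  echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "certificate is not SHA-256 signed" >&2; return 1; }
  echo "gateway certificate ok for $2"
}

if command -v openssl >/dev/null 2>&1; then
  build_pki
  check_gateway_cert "$OUT_DIR/gateway.crt" "$VPN_HOST"
  # Confirm the chain validates against the CA the client would be given.
  openssl verify -CAfile "$OUT_DIR/ca.crt" "$OUT_DIR/gateway.crt"
else
  echo "openssl not found; printing the extension section only" >&2
  gateway_extensions "$VPN_HOST"
fi
```

Run it once, hand ca.crt to the Windows client's machine certificate store and gateway.crt/gateway.key to the IKEv2 daemon; if check_gateway_cert ever reports a missing extension after you edit the extension section, that is the mismatch to fix before looking at cipher or hash settings.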