
Re: [tlug] VPN?

On 23 June 2018 at 00:21, Attila Kinali wrote:
> Quite honestly, I think that IPsec ist the worst protocol to be used
> for VPNs. It's so overly complex that just trying to understand how
> all the bits and pieces work together takes days at least.

If you are setting up an IPsec tunnel between your laptop and your router/server back home, where you are in control of all the settings on both ends and probably use the same software on both ends, IPsec is rather simple to set up. It can get tricky when you only control one end and the configuration at the other end isn't well documented or the administrator there is not willing to cooperate. But that doesn't seem to be the case here.


> And because IPsec
> grew out of the idea of authenticating and encrypting IP packets (ie not
> being tunnels but doing it on a connection by connection basis),

You are probably thinking of a long abandoned feature of OpenSWAN called opportunistic encryption, where the idea was that any connection that goes out would first try to talk to the other end, asking if it also supports opportunistic encryption, and if both sides agreed on that, then they would start an IPsec tunnel ad hoc and run that specific connection through it. This was actually a nice idea, and if it had spread, we would have a much more secure internet by now since just about all traffic would be encrypted. Unfortunately though, this was only ever supported by OpenSWAN, and not many OpenSWAN boxen appeared to have enabled it, so it eventually disappeared.

The typical IPsec setup is just a tunnel between two ends and then all traffic between those two ends goes through that tunnel. In fact it is things like https and other such s-suffixed protocols where there is an encrypted connection on a per protocol basis at a higher layer. IPsec is designed to encrypt all traffic regardless of protocol at a lower layer.

> it behaves quite weirdly in the normal network stack. As for configuration,
> it's still very difficult and brittle and, depending on the solution you
> are using, hard to debug.

I have set up an uncountable number of IPsec tunnels using pfSense at both ends, or using pfSense as a server and some IPsec client on laptops, and I have never found that to be difficult. It always worked at the first attempt, unless I mistyped something, and it always worked reliably, like a charm.

Earlier, I had used a Linux-based firewall called Wolverine which supported IPsec through OpenSWAN, and that was also straightforward.

