> Should I use SSH or IPSec to set up my VPN?
> Which are the drawbacks and advantages of both?

Read this: http://www.tldp.org/HOWTO/mini/ppp-ssh/ contains very nice drawbacks/benefits.
ssh vpn seems to be the easiest to set up. You just run ppp on one side, it runs ssh to another and runs ppp there. Voilà. You've got a tunnel set UP. You'll notice many problems though:

- you need to monitor your link; if it dies, you need to rerun your ppp. apt-get install secvpn 'll help you with that part. It's not that easy to tell if your link died, and how you should bring it up (is ppp on another side running? maybe it died? maybe it's just lag)
- latency is high, data is going from kernel to userland, and from ppp to ssh...
- it's also not very wise to run tcp inside tcp .. look: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
- also ran into some strange problems trying to ssh via ssh based vpn with key based authentication
- not quite clear how to set it up securely. You need to run ppp on another end of link as root. You can do this with sudo, with suid ppp or something like that. You need to be careful.

With IPsec you won't have those problems: you have a very nice daemon for bringing your link up ON DEMAND, latency is way lower, no problems with retransmission coming from tcp over tcp, and no running ppp as root. But you'll have to compile your own kernel; you may use kernel-patch-freeswan. But anyhoo, freeswan is still evolving, and it's playing catch up on bsd's racoon. Actually there are some port-style activities in 2.5.x trying to run racoon on linux. FreeSWAN seems like it's not a very stable piece of soft; not many people understand this well. For example I'm having problems with routing on wolk kernels; it's not freeswan's problem, but it triggers it. With ppp/ssh all parts of soft are known and tested well. On another hand, IPSec is a widely known standard, used by largish enterprises; you can even buy hardware routers using ipsec, and ppp/ssh is more of a toy/temporary solution.

regards,
-- 
Dariush Pietrzak, She swore and she cursed, that she never would deceive me
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
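The two pain points the reply raises, monitoring the ppp-over-ssh link and running pppd as root on the far end safely, can be handled together. The script below is an added example, not code from the post or from the ppp-ssh HOWTO: it starts pppd with its `pty` option wrapping ssh, probes the tunnel, and restarts the link after repeated failures, while the comments show how the remote side can confine the ssh key to a single sudo-permitted pppd command. The host name, account name, key path and 10.9.0.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: pppd-over-ssh tunnel with a least-privilege remote side
# and a watchdog that restarts the link. All names/addresses are placeholders.

PEER_HOST=${PEER_HOST:-vpn.example.invalid}   # constructed placeholder
PEER_USER=${PEER_USER:-vpnuser}               # unprivileged account on the peer
SSH_KEY=${SSH_KEY:-/etc/ppp/vpn_key}          # key used only for this tunnel
LOCAL_IP=${LOCAL_IP:-10.9.0.1}
REMOTE_IP=${REMOTE_IP:-10.9.0.2}
PROBE_CMD=${PROBE_CMD:-"ping -c 1 -W 2 $REMOTE_IP"}
PROBE_INTERVAL=${PROBE_INTERVAL:-10}
MAX_FAILURES=${MAX_FAILURES:-3}

# Remote side, one-time setup (shown as comments, not executed here):
#  1. /etc/sudoers.d/pppvpn allows the unprivileged account exactly one root command:
#       vpnuser ALL=(root) NOPASSWD: /usr/sbin/pppd nodetach notty noauth passive
#  2. ~vpnuser/.ssh/authorized_keys pins the key to that command and nothing else:
#       command="sudo /usr/sbin/pppd nodetach notty noauth passive",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...
#     With a forced command the client-supplied command is ignored, so the key
#     cannot open a shell or forward ports even if the private key leaks.

# ssh invocation that pppd's "pty" option will use as the serial line.
# BatchMode prevents password prompts; ServerAliveInterval makes a dead TCP
# session fail instead of hanging, which helps the watchdog notice it.
ssh_command() {
    printf 'ssh -i %s -o BatchMode=yes -o ServerAliveInterval=15 -o ServerAliveCountMax=3 %s@%s' \
        "$SSH_KEY" "$PEER_USER" "$PEER_HOST"
}

# Local pppd: stay in the foreground so the watchdog can track its PID.
run_pppd() {
    pppd nodetach noauth passive "${LOCAL_IP}:${REMOTE_IP}" pty "$(ssh_command)"
}

# Returns 0 if the probe (default: one ping across the tunnel) succeeds.
probe_link() {
    ${1:-$PROBE_CMD} >/dev/null 2>&1
}

# Returns 0 when the failure count has reached the restart threshold.
needs_restart() {
    [ "$1" -ge "$MAX_FAILURES" ]
}

start_link() {
    run_pppd &
    PPPD_PID=$!
}

stop_link() {
    if [ -n "${PPPD_PID:-}" ]; then
        kill "$PPPD_PID" 2>/dev/null || true
    fi
    PPPD_PID=
}

# Watchdog: restart when pppd exits or when MAX_FAILURES probes fail in a row.
watchdog() {
    failures=0
    start_link
    while :; do
        sleep "$PROBE_INTERVAL"
        if ! kill -0 "$PPPD_PID" 2>/dev/null; then
            echo "pppd exited, restarting link" >&2
            start_link; failures=0; continue
        fi
        if probe_link; then
            failures=0
        else
            failures=$((failures + 1))
        fi
        if needs_restart "$failures"; then
            echo "$failures consecutive probes failed, restarting link" >&2
            stop_link; start_link; failures=0
        fi
    done
}

# Run the watchdog only when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Run it as root on the local side (pppd needs to create the interface there too); the remote account stays unprivileged apart from the single sudo rule. The probe command is overridable so the liveness check can be swapped for something stricter than ping.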