Peter Stamfest wrote:
> 
> On Fri, 5 Jan 2001, Michael Ströder wrote:
> 
> > SSL sits on top of a connection-oriented protocol like e.g. TCP or
> > PPP. Some VPN products use SSL over PPP over UDP. Did you mean that?
> 
> What I have in mind is not SSL over UDP.

Of course, since UDP is not a connection-oriented protocol.

> It shares the same ideas,
> though. The problem with SSL for encapsulation of PPP traffic is the
> retransmit problem.

I don't understand you. I meant:

+-------+
|TCP/SPX|
+-------+
| IP/IPX|
+-------+
|  LLC  |
+-------+
|  SSL  |
+-------+
|  PPP  |
+-------+
|  UDP  |
+-------+
|  IP   |
+-------+

Are we talking about the same thing?

> The most important things I want:
> * Freely available
> * No extra hardware on the client side (this is why it needs a Windows
>   part).
> 
> > But what's wrong with IPSec, S/WAN and http://www.freeswan.org ? Ok,
> > there's no direct IPX support but this gets more and more
> > unimportant...
> 
> IPsec is a possibility, but what I think of is more of what Microsoft did
> with its VPN (aka PPTP) solution, but based on certificates. (and with
> only one channel for control and data [to ease the setup of firewalls]).

Did you ever have a closer look at FreeS/WAN? You have to add three
firewall rules. That's it. Not a big deal but well-defined.

For interoperability with Windows clients check
http://www.freeswan.org/freeswan_trees/freeswan-1.8/doc/interop.html

> The PPP inside of the tunnel is good for routing data in and out of an
> office lan, something one would have to do with an IPsec tunnel as
> well.

Make sure you describe the protocol stacks exactly...

> So do you think it is a waste of time to start such a project?

Somewhat...

It's non-trivial to design and implement a really secure encryption
protocol. I would not claim to be able myself to start such a
project.

IMHO it would be more promising to add X.509 support to Free S/WAN.
There was a patch available some months ago but the Free S/WAN folks
were not willing to add it to their distribution.

Well, it's getting off-topic here...

Ciao, Michael.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
