How about L2TP and IPSec?

Feature                   Description                               PPTP/   L2TP/   L2TP/   IPSec   IPSec
                                                                    PPP     PPP     IPSec   Xport   Tunnel
------------------------  ----------------------------------------  ------  ------  ------  ------  ------
User Authentication       Can authenticate the user that is         Yes     Yes     Yes     WIP     WIP
                          initiating the communications.
Machine Authentication    Authenticates the machines involved in    Yes     Yes     Yes     Yes     Yes
                          the communications.
NAT Capable               Can pass through Network Address          Yes     Yes     No      No      No
                          Translators to hide one or both
                          end-points of the communications.
Multiprotocol Support     Defines a standard method for carrying    Yes     Yes     Yes     No      WIP
                          IP and non-IP traffic.
Dynamic Tunnel IP         Defines a standard way to negotiate an    Yes     Yes     Yes     N/A     WIP
Address Assignment        IP address for the tunneled part of the
                          communications. Important so that
                          returned packets are routed back through
                          the same session rather than through a
                          non-tunneled and unsecured path, and to
                          eliminate static, manual end-system
                          configuration.
Encryption                Can encrypt traffic it carries.           Yes     Yes     Yes     Yes     Yes
Uses PKI                  Can use PKI to implement encryption       Yes     Yes     Yes     Yes     Yes
                          and/or authentication.
Packet Authenticity       Provides an authenticity method to        No      No      Yes     Yes     Yes
                          ensure packet content is not changed
                          in transit.
Multicast support         Can carry IP multicast traffic in         Yes     Yes     Yes     No      Yes
                          addition to IP unicast traffic.


-----Original Message-----
From: michael [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 05, 2001 5:47 AM
To: openssl-users
Cc: michael
Subject: Re: Open VPN - Anybody interested / suggestions


Peter Stamfest wrote:
> 
> On Fri, 5 Jan 2001, Michael Ströder wrote:
> 
> > SSL sits on top of a connection-oriented protocol like e.g. TCP or
> > PPP. Some VPN products use SSL over PPP over UDP. Did you mean that?
> 
> What I have in mind is not SSL over UDP.

Of course, since UDP is not a connection-oriented protocol.

> It shares the same ideas,
> though. The problem with SSL for encapsulation of PPP traffic is the
> retransmit problem.

I don't understand you. I meant:

+-------+
|TCP/SPX|
+-------+
| IP/IPX|
+-------+
|  LLC  |
+-------+
|  SSL  |
+-------+
|  PPP  |
+-------+
|  UDP  |
+-------+
|  IP   |
+-------+

Are we talking about the same thing?

> The most important things I want:
> * Freely available
> * No extra hardware on the client side (this is why it needs a windows
>   part).
> 
> > But what's wrong with IPSec, S/WAN and http://www.freeswan.org ? Ok,
> > there's no direct IPX support but this gets more and more
> > unimportant...
> 
> IP/Sec is a possibility, but what I think of is more of what MicroSoft did
> with its VPN (aka PPTP) solution, but based on certificates. (and with
> only one channel for control and data [to ease the setup of firewalls]).

Did you ever have a closer look at FreeS/WAN? You have to add three
firewall rules. That's it. Not a big deal but well-defined.

For interoperability with Windows clients check
http://www.freeswan.org/freeswan_trees/freeswan-1.8/doc/interop.html

> The PPP inside of the tunnel is good for routing data in and out of an
> office lan, something one would have to do with an IPsec tunnel as
> well.

Make sure you describe the protocol stacks exactly...

> So do you think it is a waste of time to start such a project?

Somewhat...

It's non-trivial to design and implement a really secure encryption
protocol. I would not claim to be able myself to start such a
project.

IMHO it would be more promising to add X.509 support to Free S/WAN.
There was a patch available some months ago but the Free S/WAN folks
were not willing to add it to their distribution.

Well, it's getting off-topic here...

Ciao, Michael.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]