
Re: VPN: SSH or IPSec???



Vineet Kumar <debian-security@virtual.doorstop.net> writes:

> * Anne Carasik (gator@cacr.caltech.edu) [030416 10:58]:
> > A true VPN is something like IPSec. SSH and SSL only tunnel TCP-based
> > traffic (at least that's what they are supposed to do). If you want a
> > true VPN, do not use SSH or SSL.
> 
> Well, PPP can be used over an SSH tunnel.  This way, you can send all IP
> through the encrypted tunnel.  It is still a VPN, just with a different
> tunneling method.
> 
> Personally, I've never used the PPP/SSH method.  I can see that it would
> be good for ease of setup for simple applications, like accessing a home
> DSL machine.  For ease of interoperability, ipsec may be a better way to
> go.

 I've used the ssh+ppp setup for some years, and I've also used
freeswan. In my experience, there is only one setup where the
ssh+ppp model is justified, and that is if you need to tunnel
your vpn through a http proxy which you don't have control
over. Besides that it is really no good. I have had weird
problems with the tunnels going down under high traffic loads,
and when forwarding large packets, such as when I was doing
backups, and taking too long to resync the tunnel so the backup
failed. Took me quite some time to deduce this was the problem,
but also discovered this was a known issue with the setup,
(google for more info) and a lot of people were having similar
problems.

Regards
Tobbe
-- 
######################################################################
Torbjörn Pettersson               #  Email   tobbe@strul.nu
Vattugatan 5                      #  Web     www.strul.nu/~tobbe
S-111 52  Stockholm, Sweden       #
######################################################################


