Re: Setting up VPN's

To: Raphael SurcouF <surcouf@nocternity.net>
Cc: debian-security@lists.debian.org
Subject: Re: Setting up VPN's
From: Marcel Weber <mmweber@ncpro.com>
Date: Sun, 18 May 2003 02:59:24 +0200
Message-id: <3EC6DAEC.4010304@ncpro.com>
In-reply-to: <pan.2003.05.17.19.27.42.546203@nocternity.net>
References: <EKEFJFPGECILAOEPADMKCEGBDBAA.craigsc@zdata.co.za> <3EC3583B.4030503@thing.dyndns.org> <20030515184538.69604ba4.listscc@terra.com.br> <3EC42108.5070409@ncpro.com> <pan.2003.05.17.19.27.42.546203@nocternity.net>

Raphael SurcouF wrote:

On Fri, 16 May 2003 01:21:44 +0200, Marcel Weber wrote:
I do this with vpnd. The server has a dyndns domain name. On the clientside, you can put in the fully qualified domain name of the serverinstead of the ip address. Works quite reliable. Of course from time totime the link goes down: Each time the isp cuts the server's connectionto set a new IP adress for it, you will get an interruption until theclient is able to resolve the new IP.
This is not secure...
You must use DNSSEC if possible to ensure than FQDN is coming from the
right DNS server.

Yes, but the other side that does the dns spoofing would need theencryption key, as the data is encrypted using blowfish. You would havethe same problem, if someone could manage to do an ip spoofing, wouldn'tyou? Of course this kind of vpn is quite vulnerable to a DoS.

Using ipsec is better, of course, as not only the payload is secured butalso the ip header.


Regards

Marcel

Reply to:

References:
- Setting up VPN's
  - From: "Craig" <craigsc@zdata.co.za>
- Re: Setting up VPN's
  - From: thing <thing@katrina.thing.dyndns.org>
- Re: Setting up VPN's
  - From: Philipe Gaspar <listscc@terra.com.br>
- Re: Setting up VPN's
  - From: Marcel Weber <mmweber@ncpro.com>
- Re: Setting up VPN's
  - From: "Raphael SurcouF" <surcouf@nocternity.net>

Prev by Date: Re: Setting up VPN's
Next by Date: Re: Spam
Previous by thread: Re: Setting up VPN's
Next by thread: Re: Setting up VPN's
Index(es):
- Date
- Thread