[ale] SSL-based VPNs (OpenVPN) vs IPSec
Michael H. Warfield
mhw at wittsend.com
Thu Feb 24 19:03:50 EST 2005
On Tue, 2005-02-22 at 15:06 -0500, M Raju wrote:
> I have been thinking of playing with OpenVPN and converting my existing
> setup at home, which consists mainly of an IPSec VPN for WiFi/External
> access - OpenBSD Firewall/Access Point running (ISAkmpd), Racoon on OS
> X and OpenSWAN for Linux.
> Anyone prefer SSL over IPSec? Found an interesting paper on OpenVPN Security ->
> http://www.sans.org/rr/papers/20/1459.pdf
Personally, I would avoid an SSL-based VPN like the plague. There is
no "perfect forward secrecy" or rekeying and the session keys can be
determined from the PKI authentication keys (in other words, if you
compromise the key from either end, you can decrypt the traffic, which
is not the case with IPSec w/ PFS and Diffie-Hellman).
> _Raju
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
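
The distinction the reply draws, as an added example that is not part of the original message: with key transport, a recorded handshake yields the session key once the long-term private key is known, while an ephemeral Diffie-Hellman exchange gives that key nothing to decrypt. All parameters and function names are constructed toy values, not taken from OpenVPN or any IPSec implementation.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1            # two Mersenne primes
N, E = P * Q, 65537                     # long-term public key
D = pow(E, -1, (P - 1) * (Q - 1))       # long-term private key
DH_P, DH_G = 2**255 - 19, 2             # toy Diffie-Hellman group


def kdf(secret: int) -> bytes:
    """Derive a 256-bit session key from a shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def key_transport_session():
    """Client picks the secret and sends it encrypted to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = pow(premaster, E, N)         # all an eavesdropper can record
    return wire, kdf(premaster)


def recover_from_recording(wire: int, long_term_private: int) -> bytes:
    """Later compromise of the long-term key decrypts the old recording."""
    return kdf(pow(wire, long_term_private, N))


def ephemeral_dh_session():
    """Both sides use throwaway exponents; the long-term key would only
    sign the public values (signing omitted here), never encrypt a secret."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    pub_a, pub_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    key = kdf(pow(pub_b, a, DH_P))
    assert key == kdf(pow(pub_a, b, DH_P))   # both ends agree
    return (pub_a, pub_b), key          # a and b go out of scope here


if __name__ == "__main__":
    wire, key = key_transport_session()
    print("key transport recovered:", recover_from_recording(wire, D) == key)
    (pub_a, pub_b), dh_key = ephemeral_dh_session()
    # The recording holds only g^a and g^b; D is not an input to the key.
    print("DH key from long-term key:", kdf(pow(pub_a, D, DH_P)) == dh_key)
```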