[geeks] VPN/Tunneling

Jonathan C. Patschke jp at celestrion.net
Mon Jun 26 14:33:15 CDT 2006


On Mon, 26 Jun 2006, Sridhar Ayengar wrote:

> I'm not really looking for a VPN management application.  I am looking
> to see if someone can compare the upsides/downsides of the various
> *protocols*.  (PPTP, IPIP, GRE, etc.)

Forget about PPTP; it's your typical horribly-designed Microsoft crap.

Neither IPIP nor GRE offer any sort of encryption.

IPsec is a good idea.  On paper, any two implementations can interact
and negotiate some sort of common-denominator connection.  In the real
world, you want the same stuff on both ends.  I think the NetBSD
implementation of this is called "kame" and is fairly decent.  OpenBSD's
IPsec implementation DTRTs with very little hassle.  Linux has[0]
FreeSWaN (or however they capitalize it) which is unequivocally a
flaming ball of shit.  It's really, really, really, REALLY abominably
bad.  It's so amazingly bad that the developers need to be congratulated
in getting just about every possible thing wrong.

OpenVPN is an SSL-based VPN thing.  It's rather hackish, but I know some
folks who've gotten good use out of it.

If the other end -must- terminate at the Cisco, your options are
limited.  GRE is good stuff.  We used it extensively at
$agency.state.tx.us with 20 or so tunnels terminating at a 7503.  IPIP
is largely the same, except that GRE can tunnel protocols other than IP
(and, therefore has a little more overhead for the necessary
encapsulation).  I seem to recall having strange MTU problems with IPIP
tunnels at some jobsite a -long- time ago, but those are likely easy to
fix.

Any IPsec support in IOS is going to be pretty bad, so if you need
encryption, you'll need to terminate one end at a box that can see all
the networks you want on the side with the Cisco.


[0] Or had, now that the project has been canned because their political
     motivations of opportunistic encryption everywhere[1] never gained
     traction.
[1] They didn't ever quite understand that encryption is rather
     pointless without authentication if you're trying to protect against
     $govt or $telco (or anyone else with the means to man-in-the-middle
     you) listening to the conversation.
-- 
Jonathan Patschke    )   "A man who never dreams goes slowly mad."
Elgin, TX           (      --Thomas Dolby, "Valley of the Mind's Eye"
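To make the IPIP-versus-GRE points above concrete (GRE's extra header, the resulting tunnel MTU, and the fact that neither hides the inner packet), here is an added example in Python that builds and strips both encapsulations from the RFC 2784/2890 layouts. It is not code from the post or the list; the addresses and payload are constructed sample values.

```python
import ipaddress
import struct

IPV4_HDR = 20                       # outer IPv4 header added by both IPIP and GRE
IPPROTO_IPIP, IPPROTO_GRE = 4, 47   # outer "protocol" field values
ETHERTYPE_IPV4 = 0x0800             # GRE protocol type for an IPv4 payload

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64, DF clear)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def gre_header(proto: int = ETHERTYPE_IPV4, key=None, seq=None) -> bytes:
    """RFC 2784 fixed 4 bytes (flags/version, protocol type) + RFC 2890 key/sequence."""
    flags = (0x2000 if key is not None else 0) | (0x1000 if seq is not None else 0)
    opts = b"".join(struct.pack("!I", v) for v in (key, seq) if v is not None)
    return struct.pack("!HH", flags, proto) + opts

def encapsulate(mode: str, inner: bytes, src: str, dst: str, key=None, seq=None) -> bytes:
    """Wrap an inner IPv4 packet the way an IPIP or GRE tunnel endpoint would."""
    if mode == "ipip":              # inner packet follows the outer header directly
        return ipv4_header(src, dst, IPPROTO_IPIP, len(inner)) + inner
    gre = gre_header(ETHERTYPE_IPV4, key, seq)
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def decapsulate(pkt: bytes):
    """Recover the inner packet from a captured tunnel packet: nothing is encrypted."""
    body = pkt[IPV4_HDR:]
    if pkt[9] == IPPROTO_IPIP:
        return "ipip", body
    flags = struct.unpack("!H", body[:2])[0]
    skip = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))  # C, K, S
    return "gre", body[skip:]

def tunnel_mtu(mode: str, key: bool = False, seq: bool = False, link_mtu: int = 1500) -> int:
    """Largest inner packet that fits in one outer packet without fragmentation."""
    overhead = IPV4_HDR + (0 if mode == "ipip" else 4 + 4 * key + 4 * seq)
    return link_mtu - overhead
```

On a 1500-byte link this gives 1480 for IPIP, 1476 for plain GRE and 1468 for GRE with key and sequence, which is why a tunnel interface needs its MTU lowered (or TCP MSS clamped) to avoid the fragmentation problems mentioned above.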
