[CentOS] regarding vpn server for 1500 clients

Robert Moskowitz rgm at htt-consult.com
Tue Dec 23 19:11:50 UTC 2008


Les Mikesell wrote:
> Robert Moskowitz wrote:
>   
>> I have never liked the SSLvpn architecture.  Never really liked the SSL 
>> handshake; just too chatty.  I wear my biases quite plainly on my arm 
>> sleeve (I chaired the IPsec workgroup during the time the RFCs came 
>> out).  You want security, go with IPsec.  Even ESP NULL gives you per 
>> packet authentication and thus proof of server and client.  Just pay the 
>> price for IKE, which I never liked.  Part of the reason I invented HIP....
>>     
>
> But ssl vpns work though just about any firewall/proxy/nat that already 
> permit https.  Traversing those can be painful or impossible for ipsec.

The problem is NATs (so speaks a co-author of RFC 1918!). SSL vpns 
tunnel networking over Transport. Gee I wonder why that works through NATs?

Part of the NAT traversal mess contributed to my drive for HIP which the 
actual developers realized needed a different ESP mode: BEET. Of course 
even HIP needs ICE to find things out there and to be found....




More information about the CentOS mailing list