[CentOS] regarding vpn server for 1500 clients

Les Mikesell lesmikesell at gmail.com
Tue Dec 23 19:33:18 UTC 2008


Robert Moskowitz wrote:
> 
>>> I have never liked the SSLvpn architecture.  Never really liked the SSL 
>>> handshake; just too chatty.  I wear my biases quite plainly on my arm 
>>> sleeve (I chaired the IPsec workgroup during the time the RFCs came 
>>> out).  You want security, go with IPsec.  Even ESP NULL gives you per 
>>> packet authentication and thus proof of server and client.  Just pay the 
>>> price for IKE, which I never liked.  Part of the reason I invented HIP....
>>>     
>> But ssl vpns work though just about any firewall/proxy/nat that already 
>> permit https.  Traversing those can be painful or impossible for ipsec.
> 
> The problem is NATs (so speaks a co-author of RFC 1918!). SSL vpns 
> tunnel networking over Transport. Gee I wonder why that works through NATs?

Or, given the near-universal use of NATs, you have to wonder about the 
viability of anything that doesn't traverse them gracefully.

> Part of the NAT traversal mess contributed to my drive for HIP which the 
> actual developers realized needed a different ESP mode: BEET. Of course 
> even HIP needs ICE to find things out there and to be found....

I'm not sure what any of those acronyms means, but the other problem 
with IPsec is that the usual tools don't provide an interface for 
routing and they need some other mechanism to decide what goes through 
them.  On Ciscos I've always set up GRE tunnels to get something the 
routing protocols can see, then crypto-mapped the GRE packets.  Is there 
a common computer implementation that would mesh with this?

-- 
   Les Mikesell
    lesmikesell at gmail.com



More information about the CentOS mailing list