[CentOS] regarding vpn server for 1500 clients
Robert Moskowitz
rgm at htt-consult.com
Tue Dec 23 19:11:50 UTC 2008
Les Mikesell wrote:
> Robert Moskowitz wrote:
>
>> I have never liked the SSL VPN architecture. Never really liked the SSL
>> handshake; just too chatty. I wear my biases quite plainly on my arm
>> sleeve (I chaired the IPsec workgroup during the time the RFCs came
>> out). You want security, go with IPsec. Even ESP NULL gives you per
>> packet authentication and thus proof of server and client. Just pay the
>> price for IKE, which I never liked. Part of the reason I invented HIP....
>>
>
> But SSL VPNs work through just about any firewall/proxy/NAT that already
> permits https. Traversing those can be painful or impossible for IPsec.
The problem is NATs (so speaks a co-author of RFC 1918!). SSL VPNs
tunnel networking over Transport. Gee, I wonder why that works through NATs?
Part of the NAT traversal mess contributed to my drive for HIP, which the
actual developers realized needed a different ESP mode: BEET. Of course
even HIP needs ICE to find things out there and to be found....
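The two points made above, that ESP with a NULL cipher still authenticates every packet, and that a NAT has nothing to work with in raw ESP but plenty once the same bytes ride inside a transport header, can be seen in a few dozen lines. The example below is added here; it is not code from the message, from CentOS, or from any IPsec implementation. It builds an ESP packet in the RFC 4303 layout with NULL encryption and an HMAC-SHA-256-128 ICV (RFC 4868), then shows a toy port-rewriting NAT failing to find ports in raw ESP, succeeding once the packet is UDP-encapsulated as NAT-T does (RFC 3948, port 4500), and the inner ESP still verifying after the NAT rewrites the source port. The key, SPI, sequence number and payload are constructed for the example; a real SA would get the first three from IKE.

```python
import hashlib
import hmac
import struct

# Constructed values for this example; a real SA gets key and SPI from IKE.
INTEGRITY_KEY = bytes(range(32))
ICV_LEN = 16          # HMAC-SHA-256-128 (RFC 4868): ICV truncated to 128 bits
ESP_HDR_LEN = 8       # SPI (4) + sequence number (4)
UDP_HDR_LEN = 8
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500     # UDP port used for NAT-T (RFC 3948)


def esp_null_encapsulate(spi, seq, payload, next_header, key=INTEGRITY_KEY):
    """Build an ESP packet with NULL encryption in the RFC 4303 layout."""
    # Pad so payload + padding + the two trailer bytes is a multiple of 4.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))        # default 1,2,3,... pad pattern
    header = struct.pack("!II", spi, seq)
    trailer = padding + bytes([pad_len, next_header])
    authenticated = header + payload + trailer    # everything the ICV covers
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def esp_null_verify(packet, key=INTEGRITY_KEY):
    """Check the ICV; return (spi, seq, payload, next_header) or raise ValueError."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        raise ValueError("packet too short to be ESP with this ICV length")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: modified in transit or wrong SA")
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    pad_len, next_header = body[-2], body[-1]
    payload = body[ESP_HDR_LEN:len(body) - 2 - pad_len]
    return spi, seq, payload, next_header


def nat_flow_ports(protocol, ip_payload):
    """What a port-rewriting NAT can use to tell flows apart.

    For TCP and UDP the first four bytes after the IP header are the ports.
    For raw ESP that offset holds the SPI: there are no ports, so the NAT has
    nothing to rewrite and cannot separate several IPsec peers behind it.
    """
    if protocol in (IPPROTO_TCP, IPPROTO_UDP):
        return struct.unpack("!HH", ip_payload[:4])
    return None


def udp_encapsulate(esp_packet, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """NAT-T style encapsulation: a UDP header in front of the ESP packet."""
    # UDP checksum left as zero, which RFC 3948 permits for encapsulated ESP.
    udp_len = UDP_HDR_LEN + len(esp_packet)
    return struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + esp_packet


def nat_rewrite_src_port(udp_packet, new_src_port):
    """Simulate a NAT mapping the source port of a UDP datagram."""
    return struct.pack("!H", new_src_port) + udp_packet[2:]


def demo():
    """Run the scenario and return the observations as a dict."""
    payload = b"GET / HTTP/1.0\r\n"                # constructed inner data
    pkt = esp_null_encapsulate(0x1000, 1, payload, IPPROTO_TCP)
    results = {"raw_esp_ports": nat_flow_ports(IPPROTO_ESP, pkt)}
    # NAT-T: wrap in UDP, let the NAT rewrite the source port, then unwrap.
    natted = nat_rewrite_src_port(udp_encapsulate(pkt), 40001)
    results["natted_udp_ports"] = nat_flow_ports(IPPROTO_UDP, natted)
    inner = esp_null_verify(natted[UDP_HDR_LEN:])  # UDP header is outside the ICV
    results["inner_esp_still_valid"] = inner[2] == payload
    # Flip one payload bit in a raw ESP packet: the ICV check must fail.
    tampered = bytearray(pkt)
    tampered[ESP_HDR_LEN] ^= 0x01
    try:
        esp_null_verify(bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The UDP header the NAT rewrites sits outside what the ESP ICV covers, so the mapping is harmless to the tunnel; that is the same reason an SSL VPN over TCP survives a NAT, with the added convenience that TCP/443 is already open on most firewalls. The ICV still catches any change to the ESP header or payload, which is the per-packet authentication the message refers to even with no encryption at all.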