 From:  Sven Brill <madde at gmx dot net>
 To:  "Donovan R. Palmer" <donovan at dmpnet dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP versus IPsec
 Date:  Sun, 07 Jan 2007 16:43:20 -0500
Sounds like from the m0n0wall standpoint, you could go either way, since 
you have a whole /28 network to play with; that leaves security, ease of 
use, and feasibility. Security could be strong enough with PPTP, 
depends on your own risk assessment. For a fun read, try this:

http://www.schneier.com/paper-pptp.html

Again, it's a personal risk assessment. If somebody actually takes the 
time to get into your LAN this way, do they deserve what they find? :) 
Are you trying to protect the inner workings of the New York 
Clearinghouse or a machine with pictures from grandma's last birthday 
bash? Meaning, would anybody go through that much trouble at all, rather 
than poking at less secured targets? Your decision. I had some other 
troubles with PPTP a long time ago, can't even remember what, and 
scratched it off my list, just personal preference.

For ease of use, imho, OpenVPN beats an IPsec implementation, especially 
if you are just starting out. The examples and HOWTOs on openvpn.org are 
extensive, and the community is quite active. IPsec is probably the 
better choice for point-to-point connections between two networks where 
you have control over both ISP connections.

As for feasibility, again it depends on your road warriors. A lot of places 
give you "free wireless", and as you know, you are NATed and possibly 
firewalled. IPsec relies not only on certain TCP/UDP ports, but on a 
specific IP protocol (beyond TCP and UDP), which many places might 
filter (don't know about coffee shops, but I know that I work at a lot 
of clients where nothing besides ports 80 and 443 is open, so my 
employer's corporate VPN runs on a proprietary system through a single 
TCP connection). With OpenVPN, you can, since you have more than one 
static IP, make it listen on TCP port 80 on a static IP, as this will 
get you through 99% of all firewalls your road warriors will encounter.

> I'll google around on this... sounds interesting.  Are there some 
> instructions on OpenVPN with m0n0wall posted somewhere?  What is the 
> client that I would use from the laptop running XP?
Someone wrote a really nice GUI for Windows; check openvpn.org if you 
want to go that route. The site also features some basics, worth a read. 
Once you read the docs, the m0n0wall setup is self-explanatory, but I am 
sure someone besides Peter can answer specific questions.

I am finding myself an advocate of OpenVPN now, and am not even sure 
why; never contributed to the project, I just started using it one day 
after the PPTP oddness (which I cannot recall) and the Win2k <-> FreeS/WAN 
nightmare. :)

Peter already posted the download link to his images, remember that they 
are not really supported due to some weirdness with the virtual NICs or 
something, but it definitely works, and I am hoping he will bring out an 
image once 1.3 is final (*nudge* *nudge*, *wink* *wink*).

Sven
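The setup Sven describes (OpenVPN bound to one of the spare static IPs and listening on TCP port 80 so road warriors behind "only 80 and 443" egress filters can still reach it), written out as an added example that is not part of this thread and not m0n0wall's or OpenVPN's own sample configuration. The address 192.0.2.10, the 10.8.0.0/24 tunnel pool and the certificate/key file names are assumed placeholders; every directive used is a standard OpenVPN 2.x option.

```conf
# server.conf  (added example; addresses and file names are placeholders)

# Bind only to the dedicated static IP from the /28, so port 80 on the
# firewall's other addresses stays free for a real web server.
local 192.0.2.10
port 80
# TCP so the session looks like an ordinary web connection to a filter that
# only passes 80/443.  UDP is the better transport whenever it is allowed.
proto tcp-server
dev tun

# Certificate material issued by your own CA.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Pre-shared HMAC key: packets without a valid HMAC are dropped before the
# TLS handshake, so port scans and unauthenticated probes never reach TLS.
tls-auth ta.key 0

# Tunnel address pool handed out to clients (placeholder range).
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
verb 3

# ---- client.ovpn (for the XP laptop with the Windows GUI) ----
client
dev tun
proto tcp-client
remote 192.0.2.10 80
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
# Second parameter is 1 on the client side, 0 on the server side.
tls-auth ta.key 1
# Refuse to talk to a peer whose certificate is not marked as a server
# certificate (stops a stolen client cert from impersonating the server).
remote-cert-tls server
persist-key
persist-tun
verb 3
```

Two caveats a practitioner would want: tunnelling TCP inside TCP degrades badly on lossy links (each layer retransmits independently), so keep a UDP instance on the same host for networks that allow it and fall back to the TCP port only when needed; and some captive portals and transparent proxies intercept port 80 specifically because they expect HTTP, so 443 on the dedicated IP tends to pass more places than 80 does.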