[Openswan Users] SSL VPN in Linux....

John A. Sullivan III jsullivan at opensourcedevel.com
Fri May 13 13:39:48 CEST 2005


On Fri, 2005-05-13 at 14:51 +0200, Markus Feilner wrote:
> On Friday, 13 May 2005 13:46, Deepak Naidu wrote:
> > Hi,
> >
> >      Does anyone have an idea regarding SSL VPN and the difference
> > or advantage over Ipsec. Is it available for Linux Implementation or
> > does it have a Server-Client model for operating.
> >
> 
> try openvpn, it works like a charm and is easy to configure, and 
> supports SNAT, DNAT and Masquerading.
> Unfortunately all the VPN hardware out there only knows ipsec.
<snip>
> 
This is a pretty big subject.  I'll try to summarize a little in the
time I have.

OpenVPN is a great product.  My greatest reservation is that it is, in a
sense, a "proprietary" open source solution! That's not to insult the
great open source contribution the openvpn folks have made.  What I mean
is that, as far as I know, no one has implemented it to the same widespread
degree as IPSec and SSL based VPNs.  If you do not need to interact with
others, it offers a great deal.

IPSec VPNs have the great advantage of basically creating an extension
of the network.  Any applications can be run across them.  They are
still my first choice for site-to-site VPNs.

IPSec VPNs stumbled a bit for remote access users (although I still
primarily use IPSec for RAS).  It requires some kind of client on the
user's computer and presents some interoperability, configuration,
maintenance and management issues.  SSL VPNs started with the idea that
they could be clientless VPNs which only required a browser.

The initial products worked well in this regard but only with a very
limited set of applications.  Newer implementations have come very close
to the IPSec ideal of allowing any traffic and they can do so with all
sorts of important end user security checks.  However, they sacrifice
the clientless feature in the process.  Even though the client may be
delivered via Java it still has some complexity of needing to hook into
the end user's workstation -- at least as far as I understand the
current state of affairs.

I might also add that the SSL VPN gateways have historically been rather
pricey.

There is an open source SSL VPN project but I do not recall the name or
URL off the top of my head.

Thus, the basic summary subject to your own particular needs is

IPSec for site-to-site
SSL for RAS if you can afford it

Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net


