RFC: Ipsec support in main
Neil Broadley
scaine at scaine.net
Mon Jan 4 23:15:00 GMT 2010
2010/1/4 Mathias Gug <mathiaz at ubuntu.com>
> On Mon, Jan 4, 2010 at 1:33 PM, Martin Pitt <martin.pitt at ubuntu.com>
> wrote:
> > Hello Mathias,
> >
> > Mathias Gug [2010-01-04 12:23 -0500]:
> >> If not the following packages could be demoted to universe:
> >> * ipsec-tools (and racoon) given its vulnerability history
> >
> > Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
> > in our university, but nowadays I'm using openvpn; it's simpler to set
> > up, and is supported with more devices (mobile phones, routers, etc.)
>
> Agreed. It seems that there are at least two solutions to implement a
> VPN in main: OpenVPN and IPSEC. I wonder how popular are IPSEC-based
> VPNs nowadays?
>
Any decent-sized corporate will still almost certainly be based on IPSEC. I
haven't encountered a single corporate environment deploying OpenVPN or SSL
solutions when you're talking site to site - everything is IPSEC gateway to
gateway.
My experience is entirely based within the financial sector however, so may
be biased.
Your question "how popular are IPSEC VPNs these days" is probably more "how
popular are they with Ubuntu or Linux users?" and is probably answered, "not
very". I can't think of many instances where you would use IPSEC to connect
a peer to a gateway. Checkpoint tried that with their SecureClient product
and there's a good reason it's largely discontinued now (although,
strangely, still supported). It's a horror, and you're better off with SSL
solutions, such as OpenVPN or Cisco's ASA devices (also SSL based, I
believe) or even Citrix access gateway or whatever Xen-based name it's
called now (although last I looked a couple of years back, there was no
Linux client for that).
But in my experience, if you want to connect site to site, IPSEC is still
the only way to go, because you don't need a client. At all. Which means,
yes, it's slightly more difficult to set up, but it means that any equipment
can use that VPN, since it's based on the gateway, not on the client.
Neil.
> --
> Mathias Gug
> Ubuntu Developer http://www.ubuntu.com
>
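As an illustration of the gateway-to-gateway setup described above (an added example, not part of the original mail or of the ipsec-tools project documentation), here is the minimal configuration for one side of a site-to-site tunnel using the two tools the thread is discussing: setkey, which installs the kernel security policies, and racoon, which negotiates the keys via IKE. The addresses (203.0.113.1 as the local gateway, 198.51.100.1 as the remote gateway, 10.1.0.0/16 and 10.2.0.0/16 as the networks behind them) are documentation-range assumptions chosen for the example; the pre-shared-key path is racoon's conventional location.

```conf
# --- /etc/ipsec-tools.conf (loaded with: setkey -f /etc/ipsec-tools.conf) ---
# Site A gateway: 203.0.113.1, protecting 10.1.0.0/16   (assumed addresses)
# Site B gateway: 198.51.100.1, protecting 10.2.0.0/16  (assumed addresses)
flush;
spdflush;

# Policy only, no manual keys: "require" means traffic matching the selector
# is dropped unless an ESP tunnel SA exists, and the kernel asks racoon
# (via PF_KEY ACQUIRE) to negotiate one on demand.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;

# --- /etc/racoon/racoon.conf -------------------------------------------------
# Phase 1 (IKE SA) with the remote gateway; main mode, PSK from a root-only
# file whose lines are "<peer-address> <secret>".
path pre_shared_key "/etc/racoon/psk.txt";

remote 198.51.100.1 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp2048;
    }
}

# Phase 2 (IPsec SA) selectors must mirror the spdadd lines above, and the
# peer's configuration must mirror both with the sides swapped.
sainfo address 10.1.0.0/16 any address 10.2.0.0/16 any {
    pfs_group modp2048;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
```

The point the mail makes is visible in what is absent: nothing is installed on the hosts in 10.1.0.0/16 or 10.2.0.0/16. Their traffic to the other site is selected by the SPD entries on the gateway and encapsulated there, so printers, phones or appliances that could never run a VPN client are covered. Two checks worth doing after bringing it up: `setkey -DP` should show the two policies, and `setkey -D` should show a pair of ESP SAs between the gateway addresses once the first packet triggers negotiation. A pre-shared key in main mode is acceptable for a fixed gateway pair but ties the secret to the peer address; certificate authentication (racoon's `authentication_method rsasig`) removes that dependency. Given the vulnerability history raised earlier in the thread, the racoon daemon is the component to keep patched, since it is the part exposed on UDP 500 to the Internet.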