RFC: Ipsec support in main

Jorge Armando Medina jmedina at e-compugraf.com
Mon Jan 11 19:39:03 UTC 2010


Neil Broadley wrote:
> 2010/1/4 Mathias Gug <mathiaz at ubuntu.com>
>
>     On Mon, Jan 4, 2010 at 1:33 PM, Martin Pitt
>     <martin.pitt at ubuntu.com> wrote:
>     > Hello Mathias,
>     >
>     > Mathias Gug [2010-01-04 12:23 -0500]:
>     >> If not the following packages could be demoted to universe:
>     >>  * ipsec-tools (and racoon) given its vulnerability history
>     >
>     > Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
>     > in our university, but nowadays I'm using openvpn; it's simpler to set
>     > up, and is supported with more devices (mobile phones, routers, etc.)
>
>     Agreed. It seems that there are at least two solutions to implement a
>     VPN in main: OpenVPN and IPSEC. I wonder how popular are IPSEC-based
>     VPNs nowadays?
>
>
> Any decent sized corporate will still almost certainly be based on 
> IPSEC.  I haven't encountered a single corporate environment deploying 
> OpenVPN or SSL solutions when you're talking site to site - everything 
> is IPSEC gateway to gateway.
I agree, most corporate environments use ipsec for site-to-site using 
some kind of appliance, or even for roadwarriors. I still have some 
dapper boxes using openswan to connect a remote site to sonicwall 
appliances, cisco, even linksys and others.

I have read that most appliance manufacturers test their boxes against 
openswan because it is more standard in regard to the ipsec suite of 
protocols; another point for ipsec is that it is compliant with most 
security requirements for remote access.

I use and promote openvpn for small business for site-to-site and 
roadwarriors, but I can't connect my nokia phone to the vpn, so I use 
ipsec :)

Best regards
>
> My experience is entirely based within the financial sector however, 
> so may be biased.
>
> Your question "how popular are IPSEC VPNs these days" is probably more 
> "how popular are they with Ubuntu or Linux users?" and is probably 
> answered, "not very".  I can't think of many instances where you would 
> use IPSEC to connect a peer to a gateway.  Checkpoint tried that with 
> their SecureClient product and there's a good reason it's largely 
> discontinued now (although, strangely, still supported).  It's a 
> horror, and you're better off with SSL solutions, such as OpenVPN or 
> Cisco's ASA devices (also SSL based, I believe) or even Citrix access 
> gateway or whatever Xen-based name it's called now (although last I 
> looked a couple of years back, there was no Linux client for that).
>
> But in my experience, if you want to connect site to site, IPSEC is 
> still the only way to go, because you don't need a client.  At all.  
> Which means, yes, it's slightly more difficult to set up, but it means 
> that any equipment can use that VPN, since it's based on the gateway, 
> not on the client.
>
> Neil.
>
>  
>
>     --
>     Mathias Gug
>     Ubuntu Developer  http://www.ubuntu.com
>
>     --
>     ubuntu-devel mailing list
>     ubuntu-devel at lists.ubuntu.com
>     Modify settings or unsubscribe at:
>     https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>
>


-- 
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmedina at e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632





More information about the ubuntu-server mailing list