Old 01-04-2010, 04:23 PM
Mathias Gug
 
Default RFC: Ipsec support in main

Hi,

I'd like to request your feedback on whether tools to setup an Ipsec stack
should be available in main.

If not the following packages could be demoted to universe:
* ipsec-tools (and racoon) given its vulnerability history

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 01-04-2010, 05:33 PM
Martin Pitt
 
Default RFC: Ipsec support in main

Hello Mathias,

Mathias Gug [2010-01-04 12:23 -0500]:
> If not the following packages could be demoted to universe:
> * ipsec-tools (and racoon) given its vulnerability history

Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
in our university, but nowadays I'm using openvpn; it's simpler to set
up, and is supported with more devices (mobile phones, routers, etc.)

Martin

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
 
Old 01-04-2010, 09:01 PM
Mathias Gug
 
Default RFC: Ipsec support in main

On Mon, Jan 4, 2010 at 1:33 PM, Martin Pitt <martin.pitt@ubuntu.com> wrote:
> Hello Mathias,
>
> Mathias Gug [2010-01-04 12:23 -0500]:
>> If not the following packages could be demoted to universe:
>> * ipsec-tools (and racoon) given its vulnerability history
>
> Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
> in our university, but nowadays I'm using openvpn; it's simpler to set
> up, and is supported with more devices (mobile phones, routers, etc.)

Agreed. It seems that there are at least two solutions to implement a
VPN in main: OpenVPN and IPSEC. I wonder how popular are IPSEC-based
VPNs nowadays?

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

 
Old 01-04-2010, 09:45 PM
Marc Deslauriers
 
Default RFC: Ipsec support in main

Hi,

On Mon, 2010-01-04 at 17:01 -0500, Mathias Gug wrote:
> On Mon, Jan 4, 2010 at 1:33 PM, Martin Pitt <martin.pitt@ubuntu.com> wrote:
> > Hello Mathias,
> >
> > Mathias Gug [2010-01-04 12:23 -0500]:
> >> If not the following packages could be demoted to universe:
> >> * ipsec-tools (and racoon) given its vulnerability history
> >
> > Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
> > in our university, but nowadays I'm using openvpn; it's simpler to set
> > up, and is supported with more devices (mobile phones, routers, etc.)
>
> Agreed. It seems that there are at least two solutions to implement a
> VPN in main: OpenVPN and IPSEC. I wonder how popular are IPSEC-based
> VPNs nowadays?

IPSEC-based VPNs are used in all enterprise scenarios.

Marc.



 
Old 01-04-2010, 10:15 PM
Neil Broadley
 
Default RFC: Ipsec support in main

2010/1/4 Mathias Gug <mathiaz@ubuntu.com>
> On Mon, Jan 4, 2010 at 1:33 PM, Martin Pitt <martin.pitt@ubuntu.com> wrote:
> > Hello Mathias,
> >
> > Mathias Gug [2010-01-04 12:23 -0500]:
> >> If not the following packages could be demoted to universe:
> >> * ipsec-tools (and racoon) given its vulnerability history
> >
> > Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
> > in our university, but nowadays I'm using openvpn; it's simpler to set
> > up, and is supported with more devices (mobile phones, routers, etc.)
>
> Agreed. It seems that there are at least two solutions to implement a
> VPN in main: OpenVPN and IPSEC. I wonder how popular are IPSEC-based
> VPNs nowadays?

Any decent sized corporate will still almost certainly be based on IPSEC. I haven't
encountered a single corporate environment deploying OpenVPN or SSL
solutions when you're talking site to site - everything is IPSEC gateway to gateway.

My experience is entirely based within the financial sector however, so may be biased.

Your question "how popular are IPSEC VPNs these days" is probably more
"how popular are they with Ubuntu or Linux users?" and is probably
answered, "not very". I can't think of many instances where you would
use IPSEC to connect a peer to a gateway. Checkpoint tried that with
their SecureClient product and there's a good reason it's largely
discontinued now (although, strangely, still supported). It's a
horror, and you're better off with SSL solutions, such as OpenVPN or
Cisco's ASA devices (also SSL based, I believe) or even Citrix access
gateway or whatever Xen-based name it's called now (although last I
looked a couple of years back, there was no Linux client for that).

But in my experience, if you want to connect site to site, IPSEC is
still the only way to go, because you don't need a client. At all.
Which means, yes, it's slightly more difficult to set up, but it means
that any equipment can use that VPN, since it's based on the gateway,
not on the client.



Neil.

> --
> Mathias Gug
> Ubuntu Developer http://www.ubuntu.com
>
> --
> ubuntu-devel mailing list
> ubuntu-devel@lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

 
Old 01-05-2010, 07:15 AM
Ruben Laban
 
Default RFC: Ipsec support in main

On Monday 04 January 2010 at 23:01 (CET), Mathias Gug wrote:
> I wonder how popular are IPSEC-based
> VPNs nowadays?

Very. It's one of the very few VPN protocols that has a lot of
interoperability going for it. Linux, Cisco, Juniper, Windows, etc, all can
speak IPsec. Also, IPsec implementation is mandatory for any IPv6 stack
implementation. We currently use OpenVPN's SSL based VPNs for roadwarriors
due to the ease of installation and the ability to run it over any TCP or UDP
port. For our site-to-site VPNs (both within our own infrastructure and to
customers) we use Openswan's IPsec based VPNs. These are more robust and the
interoperability is rather important here. IPsec is IPsec, whereas SSL based
implementations are all non-interoperable.
That being said, I don't care much about ipsec-tools or racoon. I wouldn't
mind Openswan getting some more Debian/Ubuntu love.

--
Regards,

Ruben Laban
Systems and Network Administrator
ISM eCompany

 
Old 01-11-2010, 06:39 PM
Jorge Armando Medina
 
Default RFC: Ipsec support in main

Neil Broadley wrote:
> 2010/1/4 Mathias Gug <mathiaz@ubuntu.com>
>
> On Mon, Jan 4, 2010 at 1:33 PM, Martin Pitt <martin.pitt@ubuntu.com> wrote:
> > Hello Mathias,
> >
> > Mathias Gug [2010-01-04 12:23 -0500]:
> >> If not the following packages could be demoted to universe:
> >> * ipsec-tools (and racoon) given its vulnerability history
> >
> > Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
> > in our university, but nowadays I'm using openvpn; it's simpler to set
> > up, and is supported with more devices (mobile phones, routers, etc.)
>
> Agreed. It seems that there are at least two solutions to implement a
> VPN in main: OpenVPN and IPSEC. I wonder how popular are IPSEC-based
> VPNs nowadays?
>
>
> Any decent sized corporate will still almost certainly be based on
> IPSEC. I haven't encountered a single corporate environment deploying
> OpenVPN or SSL solutions when you're talking site to site - everything
> is IPSEC gateway to gateway.
I agree, most corporate environments use ipsec for site-to-site using
some kind of appliance, or even for roadwarriors, I still have some
dapper boxes using openswan to connect a remote site to sonicwalls
appliances, cisco, even linksys and others.

I have read most appliance manufacturers test their boxes against openswan
because it is more standard in regard to ipsec suite protocols, another
point for ipsec is that it is compliant with most security requirements
for remote access.

I use and promote openvpn for small business for site-to-site and
roadwarriors but, I can't connect my nokia phone to the vpn so I use
ipsec.

Best regards
>
> My experience is entirely based within the financial sector however,
> so may be biased.
>
> Your question "how popular are IPSEC VPNs these days" is probably more
> "how popular are they with Ubuntu or Linux users?" and is probably
> answered, "not very". I can't think of many instances where you would
> use IPSEC to connect a peer to a gateway. Checkpoint tried that with
> their SecureClient product and there's a good reason it's largely
> discontinued now (although, strangely, still supported). It's a
> horror, and you're better off with SSL solutions, such as OpenVPN or
> Cisco's ASA devices (also SSL based, I believe) or even Citrix access
> gateway or whatever Xen-based name it's called now (although last I
> looked a couple of years back, there was no Linux client for that).
>
> But in my experience, if you want to connect site to site, IPSEC is
> still the only way to go, because you don't need a client. At all.
> Which means, yes, it's slightly more difficult to set up, but it means
> that any equipment can use that VPN, since it's based on the gateway,
> not on the client.
>
> Neil.


--
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmedina@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632


 

All times are GMT.