From: James Y. <ji...@nt...> - 2002-03-31 21:53:55
> > Actually, that wasn't my question - whether OpenVPN will be ported to
> > Windows or not. The question was, is OpenVPN able to communicate and
> > establish a VPN connection with other VPN products (such as Windows VPN
> > clients, Cisco routers, etc.) or ONLY other OpenVPN's.

Well, the compatibility question is an interesting one.

OpenVPN uses TLS (the latest generation of SSL) for session authentication and key exchange. It's the same protocol used by all the secure web browsers out there in the world. That means that you have full access to the public key infrastructure that currently exists with respect to the secure web. You can use SSL certificates, certificate authorities, use the openssl tool to create your own certificates, keys, etc.

The problem is that to my knowledge, OpenVPN is the first open source VPN to actually use the TLS protocol. Up until now, TLS has mostly been used by secure web browsers such as Apache/ModSSL. Why TLS hasn't been more widely used in VPNs is a mystery to me. It is solid, it is secure, it has withstood the test of time.

Perhaps the reason is IPSec. A great deal of effort has been expended over the last few years in making IPSec the standard security solution for IP in the same way that SSL has been the security solution for the web. The IPSec effort looks promising, but some of the results have been mixed. To use IPSec under Linux, for example, you must patch your kernel. IPSec is also very complex and is just starting to see more widespread usage, but it is hampered by its complexity. Because of this, it will probably be some time before IPSec is as mature or stable as SSL/TLS.

For some criticisms of IPSec security, see:

http://alternic.net/drafts/drafts-s-t/draft-simpson-danger-isakmp-01.html
http://www.off.net/~jme/ietf/

So to answer your question, right now OpenVPN is the only VPN to use the TLS protocol (OpenVPN uses the TLS protocol for session authentication and key exchange, but it uses the OpenSSL EVP cipher library to actually encrypt the tunnel data packets using the key it negotiated over TLS), and therefore if you want to use OpenVPN, you must run it on both peers. If you want a VPN that is more standardized, check out IPSec. But I will maintain that OpenVPN accomplishes a lot of what IPSec sets out to do, but with a dramatically lighter footprint.

Now of course, once you set up an OpenVPN link between two peers, you can route any IP over it, regardless of where that IP originates (Windows, Unix, Cisco, etc.). For example, I use Windows NT extensively for my work, and my NT laptop routes packets over the OpenVPN link without even knowing it's there.

Hope that helps.

James Yonan
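The control-channel design the message describes, two peers that each hold a certificate from the same CA, authenticate each other over TLS and then key the tunnel from the negotiated session, as an added example in Go. This is not OpenVPN's code and is not from the thread: Go's standard library generates the CA and peer certificates in place of the openssl tool, TLS 1.3 and the RFC 5705 keying-material exporter stand in for what the 2002 code base did, the handshake runs over an in-memory pipe rather than UDP, and every name (Example VPN CA, vpn-gateway.example, nt-laptop, the exporter label) is an assumption. The last step tries a self-signed certificate that only claims the gateway's name, which the laptop must refuse.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts on setup errors so the protocol logic below stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type identity struct {
	cert *x509.Certificate
	der  []byte
	key  *ecdsa.PrivateKey
}

// newIdentity makes a P-256 key and a certificate for it: a self-signed CA when parent is
// nil, otherwise a leaf issued by parent. eku limits what a leaf may be used for.
func newIdentity(cn string, parent *identity, eku ...x509.ExtKeyUsage) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		BasicConstraintsValid: true, IsCA: parent == nil,
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent.cert, parent.key
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return &identity{cert: must(x509.ParseCertificate(der)), der: der, key: key}
}

// handshake runs a mutually authenticated TLS 1.3 handshake over an in-memory pipe, each side
// verifying the other against ca, and returns the 32-byte data-channel key each side derived
// from the session (RFC 5705 exporter) plus the peer CN it verified; index 0 is the server.
func handshake(ca, server, client *identity) (keys [2][]byte, saw [2]string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	sRaw, cRaw := net.Pipe()
	defer func() { sRaw.Close(); cRaw.Close() }()
	cRaw.SetDeadline(time.Now().Add(5 * time.Second)) // a failed handshake must not hang
	sc := tls.Server(sRaw, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.der}, PrivateKey: server.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS13,
		SessionTicketsDisabled: true, // no post-handshake writes, which a synchronous pipe cannot absorb
	})
	cc := tls.Client(cRaw, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{client.der}, PrivateKey: client.key}},
		RootCAs:      pool, ServerName: server.cert.Subject.CommonName, MinVersion: tls.VersionTLS13,
	})
	errc := make(chan error, 1)
	go func() { errc <- sc.Handshake() }()
	if err = cc.Handshake(); err != nil {
		return
	}
	if err = <-errc; err != nil {
		return
	}
	for i, c := range []*tls.Conn{sc, cc} {
		st := c.ConnectionState()
		keys[i] = must(st.ExportKeyingMaterial("EXPERIMENTAL tunnel data key", nil, 32))
		saw[i] = st.PeerCertificates[0].Subject.CommonName
	}
	return keys, saw, nil
}

// demoAuth builds a CA, a gateway and a laptop certificate, runs the handshake, then runs
// it again against a self-signed certificate that merely claims the gateway's name.
func demoAuth() (keysMatch bool, serverSaw, clientSaw string, rogueRefused bool) {
	ca := newIdentity("Example VPN CA", nil)
	gw := newIdentity("vpn-gateway.example", ca, x509.ExtKeyUsageServerAuth)
	laptop := newIdentity("nt-laptop", ca, x509.ExtKeyUsageClientAuth)
	keys, saw, err := handshake(ca, gw, laptop)
	if err != nil {
		panic(err)
	}
	_, _, rogueErr := handshake(ca, newIdentity("vpn-gateway.example", nil, x509.ExtKeyUsageServerAuth), laptop) // not issued by ca
	return string(keys[0]) == string(keys[1]), saw[0], saw[1], rogueErr != nil
}

func main() { fmt.Println(demoAuth()) }
```

Each peer ends up with the other's verified CN and an identical 32-byte key that never crossed the wire; a tunnel cipher keyed from it runs outside the TLS record layer, which is the split the message describes between TLS and the EVP cipher.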
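The data-channel half, the tunnel packets encrypted with a symmetric cipher under the key negotiated over TLS, as an added example in Go that is likewise not OpenVPN's implementation: AES-256-GCM stands in for the OpenSSL EVP cipher, the key is generated locally here (marked as constructed) rather than taken from a TLS session, and the packet payloads are made up. The packet format (an 8-byte counter serving as header, nonce and associated data) and the strict-ordering replay check are this example's own choices, not OpenVPN's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// dataChannel seals tunnel packets with AES-256-GCM under a key that was already
// negotiated over the control channel. An 8-byte packet counter travels in the clear
// as the header, doubles as the GCM nonce and is authenticated as associated data, so
// an altered, replayed or reordered packet fails to open.
type dataChannel struct {
	aead     cipher.AEAD
	sent, rx uint64 // last counter sent, last counter accepted
}

func newDataChannel(key []byte) (*dataChannel, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &dataChannel{aead: aead}, nil
}

// nonce is the 12-byte GCM nonce: four zero bytes then the counter, so it never
// repeats under one key as long as the counter does not wrap (rekey long before 2^64).
func (d *dataChannel) nonce(hdr []byte) []byte {
	n := make([]byte, d.aead.NonceSize())
	copy(n[4:], hdr)
	return n
}

// seal returns header || ciphertext || tag for one outbound packet.
func (d *dataChannel) seal(payload []byte) []byte {
	d.sent++
	hdr := binary.BigEndian.AppendUint64(nil, d.sent)
	return d.aead.Seal(hdr, d.nonce(hdr), payload, hdr)
}

// open authenticates and decrypts one inbound packet. Strict counter ordering
// stands in for the sliding replay window a UDP tunnel would keep.
func (d *dataChannel) open(pkt []byte) ([]byte, error) {
	if len(pkt) < 8 {
		return nil, errors.New("short packet")
	}
	hdr, seq := pkt[:8], binary.BigEndian.Uint64(pkt)
	if seq <= d.rx {
		return nil, errors.New("replayed or out-of-order packet")
	}
	pt, err := d.aead.Open(nil, d.nonce(hdr), pkt[8:], hdr)
	if err != nil {
		return nil, err // tag mismatch: ciphertext or header was altered in transit
	}
	d.rx = seq
	return pt, nil
}

// demoData keys a sender and a receiver with one shared key (standing in for the key
// both peers derived over TLS), passes a packet, replays it, presents a bit-flipped
// copy of a second packet, and checks that a later packet still gets through.
func demoData() (delivered string, replayRefused, tamperRefused, laterAccepted bool) {
	key := make([]byte, 32) // constructed here; a real tunnel takes it from the TLS session
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tx, err := newDataChannel(key)
	if err != nil {
		panic(err)
	}
	rx, err := newDataChannel(key)
	if err != nil {
		panic(err)
	}
	pkt := tx.seal([]byte("IP datagram from the NT laptop")) // constructed payload
	pt, err := rx.open(pkt)
	if err != nil {
		panic(err)
	}
	_, replayErr := rx.open(pkt) // the same packet a second time
	bad := tx.seal([]byte("second datagram"))
	bad[len(bad)-1] ^= 1 // flip one bit of the GCM tag
	_, tamperErr := rx.open(bad)
	_, laterErr := rx.open(tx.seal([]byte("third datagram"))) // counter 3 > 1, still accepted
	return string(pt), replayErr != nil, tamperErr != nil, laterErr == nil
}

func main() { fmt.Println(demoData()) }
```

A real deployment would use separate keys per direction and a replay window rather than strict ordering, since UDP reorders packets; the point here is that the data channel needs its own authenticated encryption and anti-replay state, independent of the TLS session that produced the key.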