RFC: Ipsec support in main


Mathias Gug-2
Hi,

I'd like to request your feedback on whether tools to set up an Ipsec stack
should be available in main.

If not the following packages could be demoted to universe:
 * ipsec-tools (and racoon) given its vulnerability history

--
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com

--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: RFC: Ipsec support in main

Martin Pitt-4
Hello Mathias,

Mathias Gug [2010-01-04 12:23 -0500]:
> If not the following packages could be demoted to universe:
>  * ipsec-tools (and racoon) given its vulnerability history

Some years ago I actually used ipsec-tools (not racoon) to set up a VPN
in our university, but nowadays I'm using openvpn; it's simpler to set
up, and is supported with more devices (mobile phones, routers, etc.)

Martin

--
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)


Re: RFC: Ipsec support in main

Mathias Gug-2
On Mon, Jan 4, 2010 at 1:33 PM, Martin Pitt <[hidden email]> wrote:
> Hello Mathias,
>
> Mathias Gug [2010-01-04 12:23 -0500]:
>> If not the following packages could be demoted to universe:
>>  * ipsec-tools (and racoon) given its vulnerability history
>
> Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
> in our university, but nowadays I'm using openvpn; it's simpler to set
> up, and is supported with more devices (mobile phones, routers, etc.)

Agreed. It seems that there are at least two solutions to implement a
VPN in main: OpenVPN and IPSEC. I wonder how popular are IPSEC-based
VPNs nowadays?

--
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com


Re: RFC: Ipsec support in main

Marc Deslauriers-3
Hi,

On Mon, 2010-01-04 at 17:01 -0500, Mathias Gug wrote:

> On Mon, Jan 4, 2010 at 1:33 PM, Martin Pitt <[hidden email]> wrote:
> > Hello Mathias,
> >
> > Mathias Gug [2010-01-04 12:23 -0500]:
> >> If not the following packages could be demoted to universe:
> >>  * ipsec-tools (and racoon) given its vulnerability history
> >
> > Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
> > in our university, but nowadays I'm using openvpn; it's simpler to set
> > up, and is supported with more devices (mobile phones, routers, etc.)
>
> Agreed. It seems that there are at least two solutions to implement a
> VPN in main: OpenVPN and IPSEC. I wonder how popular are IPSEC-based
> VPNs nowadays?

IPSEC-based VPNs are used in all enterprise scenarios.

Marc.




Re: RFC: Ipsec support in main

Neil Broadley
In reply to this post by Mathias Gug-2
2010/1/4 Mathias Gug <[hidden email]>
> On Mon, Jan 4, 2010 at 1:33 PM, Martin Pitt <[hidden email]> wrote:
> > Hello Mathias,
> >
> > Mathias Gug [2010-01-04 12:23 -0500]:
> >> If not the following packages could be demoted to universe:
> >>  * ipsec-tools (and racoon) given its vulnerability history
> >
> > Some years ago I actually used ipsec-tools (not racoon) to setup a VPN
> > in our university, but nowadays I'm using openvpn; it's simpler to set
> > up, and is supported with more devices (mobile phones, routers, etc.)
>
> Agreed. It seems that there are at least two solutions to implement a
> VPN in main: OpenVPN and IPSEC. I wonder how popular are IPSEC-based
> VPNs nowadays?

Any decent sized corporate will still almost certainly be based on IPSEC.  I haven't encountered a single corporate environment deploying OpenVPN or SSL solutions when you're talking site to site - everything is IPSEC gateway to gateway.

My experience is entirely based within the financial sector however, so may be biased.

Your question "how popular are IPSEC VPNs these days" is probably more "how popular are they with Ubuntu or Linux users?" and is probably answered, "not very".  I can't think of many instances where you would use IPSEC to connect a peer to a gateway.  Checkpoint tried that with their SecureClient product and there's a good reason it's largely discontinued now (although, strangely, still supported).  It's a horror, and you're better off with SSL solutions, such as OpenVPN or Cisco's ASA devices (also SSL based, I believe) or even Citrix access gateway or whatever Xen-based name it's called now (although last I looked a couple of years back, there was no Linux client for that).

But in my experience, if you want to connect site to site, IPSEC is still the only way to go, because you don't need a client.  At all.  Which means, yes, it's slightly more difficult to set up, but it means that any equipment can use that VPN, since it's based on the gateway, not on the client.

Neil.

 

Re: RFC: Ipsec support in main

Dennis Kaarsemaker
In reply to this post by Mathias Gug-2
On Mon, 2010-01-04 at 17:01 -0500, Mathias Gug wrote:

> I wonder how popular are IPSEC-based VPNs nowadays?

From popcon:

1959  openvpn                        65320  3781 60003  1513    23 (Alberto Gonzalez Iniesta)      
4218  racoon                          1864   262  1579    22     1 (Ganesan Rajagopal)            

Quite a difference. I use both of them daily, linking 4 sites with IPSEC
and using openvpn for access from 'abroad'. They both have their
strengths and weaknesses.

--
Dennis K.

The universe tends towards maximum irony. Don't push it.



Re: RFC: Ipsec support in main

Bugzilla from mail@aitorpazos.es
In reply to this post by Mathias Gug-2
My point of view is that IPSec will become much more popular in IPv6
deployments where NAT is not used, as IPSec is mandatory in IPv6
compliant devices. OpenVPN is a good solution for road warriors because
it deals fine in NAT environments and it's independent from
infrastructure's capabilities. But I think IPSec is more convenient if
NAT doesn't play and device's support is guaranteed.


