Home page logo

basics logo Security Basics mailing list archives

Re: Deploying SSL-based VPNs
From: Miguel Dilaj <miguel.dilaj () oissg org>
Date: Thu, 30 Mar 2006 16:30:33 +0100

Hi there!

We didn't had any issues other than the need to install it on all laptops (that surely can be scripted somehow...). After the mandatory Windows reboot, the user simply got the CA cert, the user cert, the user private key, and the config files (as mentioned before, we have 2, one that puts the default route through the VPN, and other that simply adds routes to our servers). Starting the VPN is right clicking on the icon and selecting which config you want to use, then enter your private key's password, and start sailing ;-)

In theory you can go completely clientless by using an IPSec VPN, and the IKE/IPSec functionality of Windows XP. In practice I attempted that, and didn't like it for several reasons, one of which being that we want to be able from many places, including customers, sometimes over proxies, etc., and all this is impossible with IPSec.

For the records, before moving to OpenVPN we used FreeSWAN. It worked, with the limitations mentioned in the paragraph above.



Joe wrote:
Hello Miguel

Thanks for sharing your experience. I'm not wondering that OpenVPN works fine. You pointetd out that the deployment of the certificates was a pain. How about deploying the software? Here I see the advantage of clientless remote access solutions. They usually just download a java or active-x client which uses the web-browser as the VPN-endpoint. The advantages of clientless VPN's are of course the deployment. However cost and application support of a solution like OpenVPN are much better.


The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]