[VPN] Universal VPN client

Jean-Francois Dive jef at linuxbe.org
Thu Jul 22 07:58:30 EDT 2004


Well..

What is the problem with 'legacy' ipsec implementations? No vendor could
agree on the way to deal with vpn clients. Result? All the
modeconfig/xauth implementations started when the drafts were quite new,
plus the fact that each vendor does not really want to be interop on
those, so... each vendor has its own vpn client, none of them interop
with each other and, most of the time, they effectively work on ms windows only.

So here comes ssl vpn, the 'no client' configuration. But aside
from the classical web application, where it of course fits nicely, all
the other protocols that must go through the ssl pipe in fact use a client.
The fact that the client is a
java application in your browser does not make me feel that I will have
fewer problems than with another vpn client. And at the end of the day,
I bet those great clients will only work on ms windows / internet
explorer.

Another thing: let's take an application called X which uses TCP,
port Y and goes through the SSL/VPN connection. You can't expect good
throughput there (tcp in tcp timer problems).

So, if you position your product as an ssl accelerator engine to put in
front of web services, I say bravo because it solves a problem (load on
http servers simply due to crypto processing), but getting classical applications
through those is just a repeat of the same mistakes that have been made
with ipsec.

I believe the track that should be followed is IKEv2 which is a standard
and does include the vpn client capabilities.

Of course, all of the above are only my opinions, not the ones from my
past, actual (and potentially future :) ) employers.

Please answer this if I am totally missing the picture, but looking
at multiple vendors' ssl/vpn solutions, this is what I can get out of it.

J.

On Fri, Jul 16, 2004 at 01:32:07AM -0700, Doug Dooley wrote:
> Just curious - why would you want to deal with the headaches of full client software configuration + management, all the various NAT traversal problems, and Proxy conflict issues associated with legacy Layer 3 tunneling clients (L2TP, PPTP, IPSec)?
> 
>  
> 
> SSL VPN devices provide "anytime anywhere" access in three forms:
> 
> -          Pure clientless (web-based) - Internet café, kiosk, PDA, cell phone, anything with a first-class SSL enabled browser
> 
> -          Semi clientless (client/server app support) via Java Applet or ActiveX/Win32
> 
> -          Full Layer 3 access (windows network adapter over SSL)
> 
>  
> 
> No client software installation/configuration/management, No NAT traversal problems, No proxy conflicts.
> 
> Sorry for the pitch but just thinking - right tool for the right job?
> 
>  
> 
> Maybe I'm missing something?
> 
>  
> 
> If cap-ex cost of the appliance is the issue, there are cost-effective choices out there.
> 
> Just wait a couple of weeks when Juniper announces an extremely cost effective SSL VPN appliance that will resonate with those price-sensitive folks.
> 
>  
> 
> Your thoughts...
> 
>  
> 
> Doug Dooley
> Security Products Group
> Technical Marketing, Manager
>  
> 
> ________________________________
> 
> From: vpn-bounces+ddooley=juniper.net at lists.shmoo.com [mailto:vpn-bounces+ddooley=juniper.net at lists.shmoo.com] On Behalf Of Jas Chase
> Sent: Thursday, July 08, 2004 10:16 AM
> To: vpn at lists.shmoo.com
> Subject: [VPN] Universal VPN client
> 
>  
> 
> Hi All, 
> 
> Just wanted to know whether there is a universal VPN client for Windows that supports IPSEC, PPTP, L2TP. My reason for asking this is because I do not want to install proprietary Netscreen Client software on my laptop but instead a universal client. Any help would be greatly appreciated. Thanks.
> 
> Sincerely, 
> Jas Chase 
> K-Swiss MIS 
> 




-- 
--

-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde


