IPsec Pre Shared Key for enterprise wireless is worse than PPTP according to <a href="https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/">https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/</a> . <br>
Make sure IPsec is used with certificates instead. <br><br>tinc is an educational project sponsored by a university aiming to grow awareness of encryption over the public internet. It does not have a marketing department. Criticism is welcome. Think of Schneier <i>"Secrecy and security aren't the same, even though it may seem that
way. Only bad security relies on secrecy; good security works even if
all the details of it are public."</i><a href="https://en.wikipedia.org/wiki/Bruce_Schneier#cite_note-20"><span></span></a> tinc like much security software can have 'Encryption = 'none', a setup with no security at all to have a gaming extranet or just plain EOIP. For mainstream use, security software needs to be secure even when Grandma installs it. Hamachi does that but is not as flexible as tinc. <br>
<br>Peter Gutman tore apart many different VPNs in his assessment, but still ranked tinc the best of those in his comparison. The only real criticism he had was that it still used Defense Encryption Standard DES keys just like a Win2003 based ActiveDirectory would use and MSCHAPv2 for WPA2 uses till this day. We are not talking triple DES, just plain DES. However tinc didn't use MSCHAP, it uses RSA to establish the session keys. tinc also used one of the other AES contenders BlowFish since 2000. BlowFish has not been broken. It was not till Win2003R2 that MS upgraded to a little better arc4 keys. The fact is there are many MS ActiveDirectory domains out there that still use DES to this day. Why? Not only because of MSCHAPv2 for WPA2 but much more worrisome because even if all your ADS servers are Win2008R2, they can still run in Win2000 ADS compatibility mode which would mean DES keys. DES was broken in the 90's and now the CloudCracker can break open DES traffic in 24hours. <br>
<br>i have learned much more by using this open source project than other VPNs - open source or not. <br><br><br><br><div class="gmail_quote">On Tue, Nov 13, 2012 at 6:04 PM, Christopher Cashell <span dir="ltr"><<a href="mailto:topher-olug@zyp.org" target="_blank">topher-olug@zyp.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Tue, Nov 13, 2012 at 5:04 PM, Sam Flint <<a href="mailto:harmonicnm7h@gmail.com">harmonicnm7h@gmail.com</a>> wrote:<br>
> Does anyone have experience with tinc vpn?<br>
<br>
</div>It was not looked on particularly favorably in a comparison some years<br>
ago by well known cryptographer Peter Gutmann:<br>
<a href="http://www.cs.auckland.ac.nz/%7Epgut001/pubs/linux_vpn.txt" target="_blank">http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt</a><br>
<br>
Admittedly, that review was from 2003. However, one of the things<br>
that post discusses in length, and does a great job of illustrating,<br>
is that security software like VPNs are difficult to get right, and<br>
very easy to get wrong.<br>
<br>
OpenVPN seems to have emerged as the closest thing to a de facto<br>
standard for non-IPsec. Personally, I would stick with either IPsec<br>
or OpenVPN for any VPN needs unless I had a *really* good reason to<br>
use something else.<br>
<br>
Personal experience with IPsec and OpenVPN would leave me leaning<br>
towards OpenVPN for everything that didn't require compatibility with<br>
non-OpenVPN connections (appliances, routers/firewalls, other<br>
third-party situations), in which case I'd use IPsec.<br>
<br>
> --<br>
> Sam Flint<br>
<br>
--<br>
Christopher<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
OLUG mailing list<br>
<a href="mailto:OLUG@olug.org">OLUG@olug.org</a><br>
<a href="https://lists.olug.org/mailman/listinfo/olug" target="_blank">https://lists.olug.org/mailman/listinfo/olug</a><br>
</div></div></blockquote></div><br>