IPsec Pre-Shared Key for enterprise wireless is worse than PPTP according to https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ . Make sure IPsec is used with certificates instead.

tinc is an educational project sponsored by a university aiming to grow awareness of encryption over the public internet. It does not have a marketing department. Criticism is welcome. Think of Schneier: *"Secrecy and security aren't the same, even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public."* <https://en.wikipedia.org/wiki/Bruce_Schneier#cite_note-20>

tinc, like much security software, can have 'Encryption = none', a setup with no security at all, to have a gaming extranet or just plain EoIP. For mainstream use, security software needs to be secure even when Grandma installs it. Hamachi does that but is not as flexible as tinc.

Peter Gutmann tore apart many different VPNs in his assessment, but still ranked tinc the best of those in his comparison. The only real criticism he had was that it still used Defense Encryption Standard DES keys, just like a Win2003-based Active Directory would use and MSCHAPv2 for WPA2 uses to this day. We are not talking triple DES, just plain DES. However, tinc didn't use MSCHAP; it uses RSA to establish the session keys. tinc has also used one of the other AES contenders, Blowfish, since 2000. Blowfish has not been broken. It was not till Win2003R2 that MS upgraded to slightly better arc4 keys. The fact is there are many MS Active Directory domains out there that still use DES to this day. Why? Not only because of MSCHAPv2 for WPA2, but, much more worrisome, even if all your ADS servers are Win2008R2, they can still run in Win2000 ADS compatibility mode, which would mean DES keys. DES was broken in the 90s and now CloudCracker can break open DES traffic in 24 hours. I have learned much more by using this open source project than other VPNs, open source or not.
On Tue, Nov 13, 2012 at 6:04 PM, Christopher Cashell <topher-olug at zyp.org> wrote:
> On Tue, Nov 13, 2012 at 5:04 PM, Sam Flint <harmonicnm7h at gmail.com> wrote:
> > Does anyone have experience with tinc vpn?
>
> It was not looked on particularly favorably in a comparison some years
> ago by well known cryptographer Peter Gutmann:
> http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
>
> Admittedly, that review was from 2003. However, one of the things
> that post discusses in length, and does a great job of illustrating,
> is that security software like VPNs are difficult to get right, and
> very easy to get wrong.
>
> OpenVPN seems to have emerged as the closest thing to a de facto
> standard for non-IPsec. Personally, I would stick with either IPsec
> or OpenVPN for any VPN needs unless I had a *really* good reason to
> use something else.
>
> Personal experience with IPsec and OpenVPN would leave me leaning
> towards OpenVPN for everything that didn't require compatibility with
> non-OpenVPN connections (appliances, routers/firewalls, other
> third-party situations), in which case I'd use IPsec.
>
> > --
> > Sam Flint
>
> --
> Christopher
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
On Wed, Nov 14, 2012 at 02:16:16PM -0600, Rob Townley wrote:
> tinc is an educational project sponsored by a university aiming to grow
> awareness of encryption over the public internet. It does not have a
> marketing department.

The tinc website is hosted by Tilburg University, but apart from that there are no sponsors (except for donations from individuals). It's not an educational project, although it would be nice if it indeed increased awareness of internet crypto.

> Peter Gutmann tore apart many different VPNs in his assessment, but still
> ranked tinc the best of those in his comparison. The only real criticism
> he had was that it still used Defense Encryption Standard DES keys

Tinc never used DES by default. Except for some very early versions, Blowfish has always been the default.

> > It was not looked on particularly favorably in a comparison some years
> > ago by well known cryptographer Peter Gutmann:
> > http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
> >
> > Admittedly, that review was from 2003. However, one of the things
> > that post discusses in length, and does a great job of illustrating,
> > is that security software like VPNs are difficult to get right, and
> > very easy to get wrong.

That is very true. Tinc 1.1 (not officially released yet) implements a new protocol that, I believe, fixes all the issues found by Peter Gutmann.

> > OpenVPN seems to have emerged as the closest thing to a de facto
> > standard for non-IPsec. Personally, I would stick with either IPsec
> > or OpenVPN for any VPN needs unless I had a *really* good reason to
> > use something else.
> >
> > Personal experience with IPsec and OpenVPN would leave me leaning
> > towards OpenVPN for everything that didn't require compatibility with
> > non-OpenVPN connections (appliances, routers/firewalls, other
> > third-party situations), in which case I'd use IPsec.

I want to remark that if correctly set up, using TLS authentication with strong certificates, CRL checking, and --tls-auth, OpenVPN is very secure. However, it is also possible to just use a static key, in which case I would say that it is much less secure than many other VPN solutions. So be careful.

Tinc's strength is the fact that it automatically creates a full mesh network between an arbitrary number of peers, while only specifying a handful of (initial) connections between peers. This is very difficult to reproduce with OpenVPN or IPsec in tunnel mode.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
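To make Guus's "static key vs. certificates + CRL + --tls-auth" distinction concrete, here is an added example (not from the thread or from the tinc or OpenVPN projects) that audits an OpenVPN config for exactly those settings. The two sample configs are constructed; the directive names (`secret`, `ca`/`cert`/`key`, `tls-auth`, `crl-verify`, `remote-cert-tls`) are real OpenVPN options, and the `audit_openvpn` helper and its finding texts are my own.

```python
"""Audit an OpenVPN config for the weak (static key) versus hardened
(TLS with certificates, CRL checking, tls-auth) profile. Added example."""

# Constructed sample: one shared static key, no PKI at all.
STATIC_KEY_CONF = """\
dev tun
proto udp
remote vpn.example.net 1194   # placeholder host
secret static.key
cipher AES-256-CBC
"""

# Constructed sample: certificate auth, CRL checking and tls-auth HMAC.
TLS_CONF = """\
dev tun
proto udp
remote vpn.example.net 1194   # placeholder host
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
crl-verify crl.pem
remote-cert-tls server
cipher AES-256-CBC
"""


def parse_directives(text):
    """Map each directive name to a list of its argument lists; '#'/';' comments dropped."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_openvpn(text):
    """Return findings; an empty list means the config matches the hardened profile."""
    d = parse_directives(text)
    if "secret" in d:  # static key mode excludes TLS, so nothing else matters
        return ["static key mode: one shared key for all peers, no per-peer "
                "certificates, no revocation, no forward secrecy"]
    findings = []
    if not ({"ca", "cert", "key"} <= set(d) or "pkcs12" in d):
        findings.append("missing certificate material (ca/cert/key or pkcs12)")
    if "tls-auth" not in d:
        findings.append("no tls-auth: control channel packets are not HMAC-gated")
    if "crl-verify" not in d:
        findings.append("no crl-verify: revoked certificates are still accepted")
    if "remote-cert-tls" not in d:
        findings.append("no remote-cert-tls: peer role (server/client) is not checked")
    return findings
```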