<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<title></title>
<meta http-equiv="content-type" content="text/html;charset=utf-8"/>
<meta http-equiv="Content-Style-Type" content="text/css"/>
</head>
<body>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Hi,</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">We want something that is off the shelf (in the router/access concentrator), that works.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">My initial recommendation was and still is pptp.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">While its security is somewhat broken it is VERY widely supported,</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">and given we intend running it without encryption...</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">My main objection with l2tp is that in windows, to disable ipsec for l2tp, you have</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">to do it in the registry, and it applies to all l2tp connections.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">You can disable pptp encryption on a per connection basis.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">The routerboard will do both pptp and l2tp, so you could (should) enable both...</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Regards</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Roger</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">From:                         <b>Tyson Clugg <tyson@clugg.net></b></span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Date sent:                  <b>Thu, 18 Mar 2010 00:27:52 +1100</b></span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Subject:                     <b>Re: [MLB-WIRELESS] Server Virtualisation - (was RE: possible vpn</b></span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">To:                            <b>"Tony Langdon, VK3JED" <vk3jed@vkradio.com></b></span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Copies to:                  <b>Roger Plant <rplant@melbpc.org.au>,</b></span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">                                  <b>Melbourne Wireless <melbwireless@melbournewireless.org.au></b></span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
<br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">On 17 March 2010 19:08, Tony Langdon, VK3JED <</span></font><a href="mailto:vk3jed@vkradio.com"><font face="Arial" color="#0000ff" size="2"><span style=" font-size:10pt"><u>vk3jed@vkradio.com</u></span></font></a><font face="Arial" size="2"><span style=" font-size:10pt">>
wrote:</span></font></div>
<div align="left" style="margin-left:9mm; margin-right:0mm; text-indent:0mm; margin-top:4.75mm; margin-bottom:4.75mm;"><font face="Arial" size="2"><span style=" font-size:10pt">At 05:16 PM 3/17/2010, Roger Plant wrote:<br />
>A couple of minor issues with the openvpn option.<br />
>(Feel free to correct me if I'm wrong)<br />
><br />
>1. The routerboard will only use a TCP openvpn connection, (I have<br />
>read in the past that tcp<br />
>inside tcp can have reliability issues)<br />
<br />
</span></font></div>
<div align="left" style="margin-left:9mm; margin-right:0mm; text-indent:0mm; margin-top:4.75mm; margin-bottom:4.75mm;"><font face="Arial" size="2"><span style=" font-size:10pt">That's a pain, UDP is by far the preferred transport for OpenVPN. :-/</span></font></div>
<div align="left" style="margin-left:0mm; margin-right:0mm; text-indent:0mm; margin-top:4.75mm; margin-bottom:4.75mm;"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
I'm against people selecting products over protocols (eg: Microsoft Office vs Open Document
Format).  With that in mind, please forget about OpenVPN for the moment and concentrate
on which protocol we should be using.<br />
<br />
What we need from a VPN solution:<br />
 * Wide support across a range of platforms<br />
 * Not reliant on TCP - UDP is far better.<br />
 * Authentication?  Stops every man and his dog from using our Internet feed as an "open
proxy" of sorts...<br />
 * Low overheads - the majority of hardware on our network would struggle with crypto, and
we're running an open network anyway.<br />
<br />
So far, the only protocol that I've found that meets the above requirements is L2TP, which is
PPP over UDP port 1701.  Encryption is optional (ie: we can disable it), as is authentication
using a variety of methods (including using PKI infrastructure if so desired).<br />
<br />
I'd prefer something more akin to GRE which does away with wrapping IP in PPP, but GRE
authentication is supposedly near worthless.<br />
<br />
Anyone know of another protocol that would fit the bill?<br />
<br />
Regards,<br />
Tyson.</span></font></div>
<div align="left" style="margin-left:0mm; margin-right:0mm; text-indent:0mm; margin-top:4.75mm; margin-bottom:4.75mm;"><font face="Arial" size="2"><span style=" font-size:10pt">----------------------------</span></font></div>
<div align="left" style="margin-left:0mm; margin-right:0mm; text-indent:0mm; margin-top:4.75mm; margin-bottom:4.75mm;"><font face="Arial" size="2"><span style=" font-size:10pt">Roger Plant</span></font></div>
<div align="left" style="margin-left:0mm; margin-right:0mm; text-indent:0mm; margin-top:4.75mm; margin-bottom:4.75mm;"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left" style="margin-left:0mm; margin-right:0mm; text-indent:0mm; margin-top:4.75mm; margin-bottom:4.75mm;"> </div>
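<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">A configuration audit for the Windows behaviour Roger describes above (the L2TP/IPsec switch is machine-wide, while PPTP encryption is a per-connection setting), added here as an example and not code from any of the thread's authors. It assumes a current Windows client with the VpnClient PowerShell module (Get-VpnConnection), and uses the documented ProhibitIpSec value under RasMan\Parameters as the registry switch for running L2TP without IPsec.</span></font></div>

```powershell
# Added audit example (not from the thread): report the machine-wide L2TP/IPsec
# switch and the encryption each saved VPN connection is configured to use.
# Assumes Windows 8 / Server 2012 or later for the VpnClient cmdlets.

$rasmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'

function Get-L2tpIpsecState {
    # ProhibitIpSec=1 turns IPsec off for every L2TP connection on the machine;
    # an absent value (the default) means IPsec is required for L2TP.
    $prop = Get-ItemProperty -Path $rasmanKey -Name 'ProhibitIpSec' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'IPsec required for L2TP (default: value absent)' }
    if ($prop.ProhibitIpSec -eq 1) { return 'IPsec DISABLED for ALL L2TP connections (machine-wide)' }
    return "ProhibitIpSec=$($prop.ProhibitIpSec): IPsec required for L2TP"
}

Write-Host "L2TP/IPsec policy: $(Get-L2tpIpsecState)"
Write-Host ''

# Per-connection view: PPTP (MPPE) encryption is chosen per connection,
# the L2TP/IPsec switch above is not.
$connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
               @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

foreach ($c in $connections) {
    $note = switch ($c.TunnelType) {
        'Pptp' {
            if ($c.EncryptionLevel -eq 'NoEncryption') { 'cleartext PPP (MPPE off for this connection only)' }
            else { "MPPE $($c.EncryptionLevel)" }
        }
        'L2tp' {
            if ((Get-L2tpIpsecState) -like '*DISABLED*') { 'no IPsec: global ProhibitIpSec=1 applies to every L2TP connection' }
            else { "IPsec, EncryptionLevel=$($c.EncryptionLevel)" }
        }
        default { "EncryptionLevel=$($c.EncryptionLevel)" }
    }
    '{0,-25} {1,-8} {2}' -f $c.Name, $c.TunnelType, $note
}
```

<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Run it in an elevated PowerShell session; the table makes it visible which tunnels would carry PPP in the clear, and that the L2TP result cannot be changed per connection.</span></font></div>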
</body>
</html>