While I agree that IPSec should be favoured over PPTP, I have to make a few comments about this last post.
The simpler it is, the better I like it (both from a maintenance as well as a security point of view).
That is an important point, I think! IPSec is straightforward, but of course you need to read half a page about IPSec to understand it. Well, there are multiple "modes" of IPSec operation and so on; at least here there is potential for misconfigurations or the like.
I don't think that's specific to IPSec, but to all VPN solutions. There isn't a lot to get wrong configuration-wise that's IPSec-specific and that'll get the connection sort of running. It's more that it either works or doesn't at all. However, IPSec isn't that straightforward... CIPE is definitely a lot simpler by pure design. Hmm, thinking about that, it probably would be possible to use IPSec pretty much the same way and keep it almost as simple (still using ESP instead of UDP, though). FreeS/WAN is also not as clean a package as many would like. It's good enough, though, to prefer it to PPTP, IMHO.
Complex -> much code -> many bugs.
This rule is definitely wrong. The number (and kind) of bugs depends on the quality, which itself depends on the software creation processes. And many small "hacked-in" things are horrible :)
I disagree; the general rule is quite right. Of course there are ways to reduce the number of bugs even in complex projects, but it is the rule that more lines of code mean more bugs. Theoretically, of course, the number of lines per bug can be extended to infinity, which means that there'll be no bug at all in the associated code, but I think we all agree that this is a truly entirely theoretical and unrealistic proposition.
Also have a look at cipe. [snip] - It runs on most Microsoft platforms.
Well, for Win it may be OK, an insecure VPN for insecure systems :) SCNR.
He's talking about CIPE, not PPTP.
- It uses UDP for transport (never use TCP for serious tunnelling).
Hmm, why UDP? IPSec uses protocols 50 and 51, IIRC.
Why not use UDP? What is the advantage of dedicated IP protocols in this context? Note that I'm not against either one; which you choose to use depends on design considerations. It is definitely easier and less hassle to make use of an existing protocol that's in widespread use, such as UDP, instead of applying for another IP protocol.
Well, tunneling UDP packets in a TCP tunnel would dramatically increase the reliability :)
Not that much, really. If UDP packets get lost between two nodes, TCP packets will almost certainly share their fate. The difference between TCP and UDP is that TCP will notice that packets have been lost and keep trying to retransmit them, while UDP alone won't. If the connection really is bad, though, TCP doesn't have any higher chances of success than UDP. And quite frequently, the application using UDP will take care of TCP's job. This is true for most, if not all, of the applications that use UDP in a connection-oriented manner. Having said all that, I don't know if I'd agree that you shouldn't use TCP to build tunnels. No reasons are given, unfortunately.
- It's got one small config file (and even that causes enough problems to those who don't know their networking basics).
Without knowledge no one should start :)
Amen!

Cheers,
Tobias
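As an added example (not part of this thread or of the CIPE/FreeS/WAN projects), a small parser that shows the on-the-wire difference the UDP-versus-protocol-50/51 exchange above is about: IPsec ESP and AH arrive as IP protocols 50 and 51 carrying an SPI and sequence number but no port numbers, so a firewall must pass them by protocol, while a UDP-based tunnel like CIPE is an ordinary UDP datagram that is filtered by port. Addresses, ports and SPIs below are constructed sample values, not CIPE defaults.

```python
import struct

# IP protocol numbers mentioned in the thread: ESP = 50, AH = 51; UDP is 17.
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


def classify_tunnel_packet(pkt: bytes) -> dict:
    """Parse an IPv4 packet far enough to tell an IPsec ESP/AH packet (own IP
    protocol, no ports) from a UDP-carried tunnel (ports present), and return
    the fields a firewall rule would key on."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    payload = pkt[ihl:]
    info = {"proto": proto, "src": src, "dst": dst}
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(kind="udp-tunnel", sport=sport, dport=dport,
                    rule=f"allow udp dport {dport}")
    elif proto == PROTO_ESP:              # RFC 4303: SPI, sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(kind="ipsec-esp", spi=spi, seq=seq, rule="allow ip proto 50")
    elif proto == PROTO_AH:               # RFC 4302: next hdr, len, reserved, SPI, seq
        next_hdr = payload[0]
        spi, seq = struct.unpack("!II", payload[4:12])
        info.update(kind="ipsec-ah", spi=spi, seq=seq, next_header=next_hdr,
                    rule="allow ip proto 51")
    else:
        info.update(kind="other", rule=None)
    return info


def build_ipv4(proto: int, payload: bytes,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


# Constructed samples: a UDP tunnel datagram (port 10000 chosen arbitrarily),
# an ESP packet with SPI 0x12345678, and an AH packet protecting an inner IPv4 packet.
SAMPLES = {
    "udp": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 40000, 10000, 12, 0) + b"data"),
    "esp": build_ipv4(PROTO_ESP, struct.pack("!II", 0x12345678, 1) + b"\x00" * 16),
    "ah": build_ipv4(PROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0xABCDEF01, 7) + b"\x00" * 12),
}
```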