[Asterisk-Users] Asterisk VIA SSH Tunnels

Tom Ivar Helbekkmo tih at eunetnorge.no
Thu Oct 14 22:35:25 MST 2004


Benjamin on Asterisk Mailing Lists <benjk.on.asterisk.ml at gmail.com> writes:

> And how many routers and firewalls out there do support OpenVPN? Do
> Cisco routers support it?

Neither I, nor anyone else here, seems to be saying that OpenVPN is a
replacement for IPsec.  There's overlap, but there are applications
that are more suited to one than to the other.  As implementations of
IPsec mature, its share should increase.  (Today, you can still not
take for granted that two IPsec VPN products will work seamlessly
together.)

I believe (but am more than ready to be proven wrong) that
implementing the type of VPN that I'm using would be a real bitch with
IPsec.  I've got a portable computer that sends and receives quite a
bit of sensitive data over insecure protocols, such as remote file
system access -- and SIP, of course.  :-)  I carry this computer with
me, and want to be able to use it wherever I can get hold of some sort
of Internet connection.  This might be by borrowing a real IP address
somewhere, getting a DHCP-allocated RFC-1918 address behind some NAT
gateway, or whatever.  I have to expect there to be a firewall as well.

An important requirement is that all sessions should survive when I
suspend the computer, and then resume it somewhere else, where it gets
a completely new access method to the Internet.  For instance, while
I'm directly connected by UTP cable at work, I open ssh sessions to
various computers, I start a SIP-based soft phone, and, of course, I
am connected to my remote file system server.  I suspend the computer
without logging out of anything, and later resume it in a place where
there's a wireless hot spot that I'm allowed to access.  I expect to
be able to continue typing commands in those ssh sessions, receive
telephone calls, and use the file system, immediately upon resuming.
I need this to work completely NAT proof, and with no requirements for
holes in firewalls other than being able to send a UDP packet out, and
getting a responding packet back to the same port.  It must also work
without the suspend/resume: I need to be able to unplug my laptop's
UTP cable to carry it into a meeting, and expect everything to keep
working through a completely seamless transition to wireless mode.  Of
course, my laptop needs to have a fixed DNS name and IP address that
never change, so it can be reached from the outside when needed.

With OpenVPN running on my laptop, and on a VPN gateway system back
home, this Just Works.  OpenVPN handles the whole thing, it's well
secured, all traffic is encrypted, and it automatically ensures that
no traffic is sent or received by my laptop outside the VPN tunnel.

I actually started looking into how to get comparable functionality
based on IPsec, but my mind boggled, and now I do it the easy way.

-tih
-- 
Tom Ivar Helbekkmo, Senior System Administrator, EUnet Norway Hosting
www.eunet.no  T +47-22092958 M +47-93013940 F +47-22092901 FWD 484145
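The roaming setup Tom describes (UDP only, NAT-proof, fixed tunnel address, sessions surviving a change of network) maps onto a small set of OpenVPN directives. The configuration below is an added illustration, not Tom's own configuration and not taken from the original post; it assumes a modern OpenVPN 2.x server-mode deployment (Tom was writing in 2004, when OpenVPN 1.x point-to-point setups were the norm), a hypothetical gateway host `vpn.example.org`, a hypothetical client certificate common name `laptop`, and the private range 10.8.0.0/24 for the tunnel. All file paths and names are placeholders.

```conf
# --- /etc/openvpn/server.conf  (hypothetical VPN gateway "back home") ---
port 1194
proto udp            # UDP keeps NAT traversal simple: one packet out, one reply back
dev tun
topology subnet
server 10.8.0.0 255.255.255.0

ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem
remote-cert-tls client  # only accept peers whose certificate is a client cert

# Allow an authenticated peer to keep its session when its source
# address/port changes (laptop moves from wired to wireless, new NAT, etc.).
float

# Liveness probes: ping every 10 s, restart the link after 60 s of silence.
# These values are also pushed to clients.
keepalive 10 60

# Keep keys in memory and keep the tun device (and its address) up across
# restarts, so TCP sessions through the tunnel are not torn down.
persist-key
persist-tun

# Per-client static tunnel addresses live in ccd/<common-name>.
client-config-dir ccd

# Send all client traffic through the tunnel; the client keeps a host route
# to the gateway itself so the UDP encapsulation still gets out.
push "redirect-gateway def1"

cipher AES-256-GCM
user  nobody
group nogroup

# --- /etc/openvpn/ccd/laptop  (fixed address for the roaming laptop) ---
# With "topology subnet": <tunnel address> <netmask>
ifconfig-push 10.8.0.10 255.255.255.0

# --- /etc/openvpn/client.conf  (the laptop) ---
client
dev tun
proto udp
remote vpn.example.org 1194   # placeholder hostname
nobind                        # ephemeral local port; any NAT will map it
resolv-retry infinite         # keep retrying DNS when resuming without connectivity
persist-key
persist-tun

ca   ca.crt
cert laptop.crt
key  laptop.key
remote-cert-tls server        # refuse to talk to anything but a real server cert

cipher AES-256-GCM
verb 3
```

What makes the "suspend here, resume there" behaviour work is the combination of `persist-tun` on the client and `float` on the server: after resuming, the client's `ping-restart` timer (pushed from `keepalive 10 60`) expires, OpenVPN renegotiates over the new path, and because the tun interface and its 10.8.0.10 address never went away, the ssh, SIP and file-system sessions bound to that address simply continue once packets flow again. `redirect-gateway def1` routes everything into the tunnel, but it does not by itself prevent leakage while the tunnel is down; a host firewall rule that only permits outbound UDP/1194 to the gateway on the physical interface, with everything else forced onto the tun device, is what actually enforces "no traffic outside the VPN".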