DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Most Secure VPN method

  • ukcolin002
  • Topic Author
  • Offline
  • New Member
  • New Member
More
03 Apr 2010 18:58 #61522 by ukcolin002
Most Secure VPN method was created by ukcolin002
What is the most secure way of setting up a VPN connection?
Ipsec/Des, SSL, one time password.

I require total security, encription, login etc.

Any advice, thanks.

Please Log in or Create an account to join the conversation.

More
03 Apr 2010 19:46 #61527 by njh
Replied by njh on topic Most Secure VPN method
There is no such thing as total security.

Go for IPSec with Perfect Forward Secrecy (PFS), ESP Security Method with AES and Authentication. If your router supports it (e.g. the 2950) use certificates rather than a pre-shared key (PSK). If you use a PSK use a strong one (long, random, mixed case with numbers and special characters).

Keep a mile clear of DES (apparently it can be cracked within a couple of days). 3DES is OK, AES is probably better.

I don't know much about SSL, but I would expect it to be fine with certificates.

Ultimately even stronger non-Draytek solutions are available. You can build your own Linux box and use Openswan for stronger encryption algorithms and there are a number of proprietary boxes which can also do the trick. TBH, you should be OK with the settings I gave you above on a Draytek.

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

  • ukcolin002
  • Topic Author
  • Offline
  • New Member
  • New Member
More
04 Apr 2010 17:06 #61530 by ukcolin002
Replied by ukcolin002 on topic VPN Security
Thanks.
Looked at SSL but the password side seemed thin compared to ipsec/aes, and you can not see the file structure unless you use Sambra.

The one time password works, but removes the ipsec during set up? Going to contact Draytek as to why?

Looked at certs but could not the 2955 to work with imported cert. Draytek are unsure why?

Please Log in or Create an account to join the conversation.

More
05 Apr 2010 22:12 #61550 by mars mug
Replied by mars mug on topic Most Secure VPN method

NJH wrote: Keep a mile clear of DES (apparently it can be cracked within a couple of days).



Wouldn’t the repeated failed attempts be noticed?

Please Log in or Create an account to join the conversation.

More
05 Apr 2010 22:28 #61551 by njh
Replied by njh on topic Most Secure VPN method
Noticed by what? Unless you are specifically monitoring for it in syslog? The Draytek will not raise the alarm in any other way. Also I don't know the crack mechanism. If it is sniffing passing traffic and then analysing it off line to work out the PSK, the first connection attempt it makes will be with the correct PSK.

Also keep clear of aggressive mode. This can be cracked, but again I've no idea how.

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

More
06 Apr 2010 09:41 #61556 by peter-h
Replied by peter-h on topic Most Secure VPN method
The best published attacks on DES still involve of the order of 2 ^ 40 keys to be tested.

This makes sense only with a known-plaintext attack, and even then only purpose built hardware will do it on any kind of meaningful timescale. With a PC - no way.

Also, most DES implementations use a session key, so the key is different anyway next time around...

Please Log in or Create an account to join the conversation.

Moderators: Sami