DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Most Secure VPN method
- ukcolin002
- Topic Author
- Offline
- New Member
Less
More
- Posts: 5
- Thank you received: 0
03 Apr 2010 18:58 #61522
by ukcolin002
Most Secure VPN method was created by ukcolin002
What is the most secure way of setting up a VPN connection?
Ipsec/Des, SSL, one time password.
I require total security, encription, login etc.
Any advice, thanks.
Ipsec/Des, SSL, one time password.
I require total security, encription, login etc.
Any advice, thanks.
Please Log in or Create an account to join the conversation.
- njh
- Offline
- Member
Less
More
- Posts: 306
- Thank you received: 0
03 Apr 2010 19:46 #61527
by njh
2900Gi/v2.5.6; 2900/v2.5.6
Replied by njh on topic Most Secure VPN method
There is no such thing as total security.
Go for IPSec with Perfect Forward Secrecy (PFS), ESP Security Method with AES and Authentication. If your router supports it (e.g. the 2950) use certificates rather than a pre-shared key (PSK). If you use a PSK use a strong one (long, random, mixed case with numbers and special characters).
Keep a mile clear of DES (apparently it can be cracked within a couple of days). 3DES is OK, AES is probably better.
I don't know much about SSL, but I would expect it to be fine with certificates.
Ultimately even stronger non-Draytek solutions are available. You can build your own Linux box and use Openswan for stronger encryption algorithms and there are a number of proprietary boxes which can also do the trick. TBH, you should be OK with the settings I gave you above on a Draytek.
Go for IPSec with Perfect Forward Secrecy (PFS), ESP Security Method with AES and Authentication. If your router supports it (e.g. the 2950) use certificates rather than a pre-shared key (PSK). If you use a PSK use a strong one (long, random, mixed case with numbers and special characters).
Keep a mile clear of DES (apparently it can be cracked within a couple of days). 3DES is OK, AES is probably better.
I don't know much about SSL, but I would expect it to be fine with certificates.
Ultimately even stronger non-Draytek solutions are available. You can build your own Linux box and use Openswan for stronger encryption algorithms and there are a number of proprietary boxes which can also do the trick. TBH, you should be OK with the settings I gave you above on a Draytek.
2900Gi/v2.5.6; 2900/v2.5.6
Please Log in or Create an account to join the conversation.
- ukcolin002
- Topic Author
- Offline
- New Member
Less
More
- Posts: 5
- Thank you received: 0
04 Apr 2010 17:06 #61530
by ukcolin002
Replied by ukcolin002 on topic VPN Security
Thanks.
Looked at SSL but the password side seemed thin compared to ipsec/aes, and you can not see the file structure unless you use Sambra.
The one time password works, but removes the ipsec during set up? Going to contact Draytek as to why?
Looked at certs but could not the 2955 to work with imported cert. Draytek are unsure why?
Looked at SSL but the password side seemed thin compared to ipsec/aes, and you can not see the file structure unless you use Sambra.
The one time password works, but removes the ipsec during set up? Going to contact Draytek as to why?
Looked at certs but could not the 2955 to work with imported cert. Draytek are unsure why?
Please Log in or Create an account to join the conversation.
- mars mug
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
05 Apr 2010 22:12 #61550
by mars mug
Wouldn’t the repeated failed attempts be noticed?
Replied by mars mug on topic Most Secure VPN method
Keep a mile clear of DES (apparently it can be cracked within a couple of days).NJH wrote:
Wouldn’t the repeated failed attempts be noticed?
Please Log in or Create an account to join the conversation.
- njh
- Offline
- Member
Less
More
- Posts: 306
- Thank you received: 0
05 Apr 2010 22:28 #61551
by njh
2900Gi/v2.5.6; 2900/v2.5.6
Replied by njh on topic Most Secure VPN method
Noticed by what? Unless you are specifically monitoring for it in syslog? The Draytek will not raise the alarm in any other way. Also I don't know the crack mechanism. If it is sniffing passing traffic and then analysing it off line to work out the PSK, the first connection attempt it makes will be with the correct PSK.
Also keep clear of aggressive mode. This can be cracked, but again I've no idea how.
Also keep clear of aggressive mode. This can be cracked, but again I've no idea how.
2900Gi/v2.5.6; 2900/v2.5.6
Please Log in or Create an account to join the conversation.
- peter-h
- Offline
- Junior Member
Less
More
- Posts: 60
- Thank you received: 0
06 Apr 2010 09:41 #61556
by peter-h
Replied by peter-h on topic Most Secure VPN method
The best published attacks on DES still involve of the order of 2 ^ 40 keys to be tested.
This makes sense only with a known-plaintext attack, and even then only purpose built hardware will do it on any kind of meaningful timescale. With a PC - no way.
Also, most DES implementations use a session key, so the key is different anyway next time around...
This makes sense only with a known-plaintext attack, and even then only purpose built hardware will do it on any kind of meaningful timescale. With a PC - no way.
Also, most DES implementations use a session key, so the key is different anyway next time around...
Please Log in or Create an account to join the conversation.
Moderators: Sami
Copyright © 2024 DrayTek