[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Equivalent to "Transport Mode" (AH)

  • Subject: Re: [Openvpn-users] Equivalent to "Transport Mode" (AH)
  • From: "Dick St.Peters" <stpeters@xxxxxxxxxxxxx>
  • Date: Wed, 8 Sep 2004 17:46:42 -0400

One point I haven't seen anyone mention yet in this thread is that
OpenVPN is for creating and encrypting a *virtual* network, meaning a
new network with new IP addresses.  IPSec does not create a new
network with new IP addresses, it encrypts traffic on a network while
using the network's existing IP addresses.

This is a pretty fundamental difference.  In particular, IPSec lets
the network administrator maintain control over (and keep track of)
who can connect to whom while preventing him/her from monitoring
what's being said.  An OpenVPN-style VPN, once established, hides not
only what is being said but to whom it's being sent.

In a corporate environment, especially within a large corporation,
there may be policies the network administration is supposed to
enforce about who can talk to whom.  IPSec lets the network
administration enforce them while not being privy to the communication
itself - that is, network admins can enforce company policy without
having access to company secrets, personnel records, bank and credit
card records, etc.

OpenVPN is designed to hide everything, which is of course what even a
large corporation wants for communication across a public network.  On
a private LAN, this can become a way for circumventing policy, giving
people a way to access things they should not have accces to without
their access being detected.

Dick St.Peters, stpeters@xxxxxxxxxxxxx 

Openvpn-users mailing list