williamwlk

IPSec VPN vs. SSL VPN

Dear Experts,

Need insights quick.

Payload wise, Bandwidth wise, Speed wise, for IPSec VPN vs. SSL VPN, which one is a better choice? Pros and Cons, Please.

Thanks for the advice in advance.

W
SOLUTION
davorin
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
skullnobrains

IPSEC is much harder to set up and more likely to yield incompatibilities between vendors.

SSL does not handle natively the VPN part, so actually, an SSL VPN is usually a point-to-point connection over SSL.

---

IPSEC is more expensive in terms of bandwidth. it is also more expensive in terms of CPU unless you remove most of its security features.

----

if you need to join two LANs in a more or less permanent way, IPSEC is likely to be the better solution. if you just need to give access to remote resources, SSL (and no VPN at all) is likely to be the way to go. if you need to make a LAN accessible from various remote locations, SSL + a tunnel is probably something to be considered.

---

what exactly is your goal ?
what OS/soft/hardware is running on either side ?
what kind of skills are available ?
williamwlk

ASKER

Thanks Buds!

skull,

Thanks for the insights.

In short, we just would like to link an HQ and a branch office over the tunnel just for minimal trunk VOIP Traffic.

Over the tunnel, a branch office Asterisk VOIP Gateway [on CentOS6] will dial out to HQ ASA5505-50-BUN-K9 VPN and connect to the Internet of HQ to the 3rd Party SIP Provider.

HQ will have an extension as well to connect to the branch office Asterisk VOIP Gateway.

The Branch Office is behind a NAT with a slow Internet Connection.

That's about it.

However, I have tried POC on IPSec and it works flawlessly.

And so, I don't bother testing SSL Tunnels based on OpenVPN, which might or might not work.

But, I am very much tempted to know whether the SSL VPN [based on OpenVPN] will work or whether SSL is a better option for the scenario in question.

My main concern is the payload to be reduced to minimal for both Voice Traffic and the underlying tunnel.

We can play around with any technology. Just would like opinions around it.

Due to a firewalled state in the branch office, UDP is the plausible transport against TCP.

Thanks so much for your time.

Regards,
W
SOLUTION
ASKER CERTIFIED SOLUTION
Sorry for my late reply.

davorin,

Thanks for your advice. It is insightful.

Skull,

Secure RTP is an option. But I need to check if the ISP allows the secure RTP Port. I need to check it out. Sounds like a good idea to me if it is allowed.

Why I want a VPN is to allow the branch offices to give the facilities or security policy for that matter that we have at HQ.

Having said that, the bottom line is I want my VoIP infrastructure to work, working around on the slow network/Internet at branch office.

Thank you. Any further advice you would like to give?

:)

W
SOLUTION
skull,

I take note of your comments and I agree.

Simply, I could have also gotten the same effect over ssh tunnels.

Anyway, I will get back to you soon how the project goes.

Thanks again for your time, energy, and insights.

Lovely.

W
Great insights. Thanks Guys!
hope the project goes on fine. feel free to post if needed.

but just for the record, tunneling over SSH is MUCH slower than an SSL connection. SSH makes use of SSL but adds extra encryption which is pretty lightweight and adds a userland processing and NATing of the TCP packets which is nothing next to lightweight. i would not recommend doing VOIP over SSH on a slow network, or on slow machines
Ack'ed. Thanks again. I will keep you all posted.

Have a lovely weekend.

W