  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1426

IPSec VPN vs. SSL VPN

Dear Experts,

Need insights quick.

Payload wise, Bandwidth wise, Speed wise, for IPSec VPN vs. SSL VPN, which one is a better choice? Pros and Cons, Please.

Thanks for the advice in advance.

Asked by williamwlk

4 Solutions
 
davorin commented:
Please take a look at this document:
www.cadincweb.com/wordpress/wp-content/uploads/2010/11/Juniper-IPSec-vs-SSL-VPN.pdf

The selection mostly depends on usage needs.
0
 
skullnobrains commented:
IPSEC is much harder to set up and more likely to yield incompatibilities between vendors.

SSL does not natively handle the VPN part, so actually, an SSL VPN is usually a point-to-point connection over SSL.

---

IPSEC is more expensive in terms of bandwidth. It is also more expensive in terms of CPU unless you remove most of its security features.

----

If you need to join two LANs in a more or less permanent way, IPSEC is likely to be the better solution. If you just need to give access to remote resources, SSL (and no VPN at all) is likely to be the way to go. If you need to make a LAN accessible from various remote locations, SSL + a tunnel is probably something to be considered.

---

What exactly is your goal?
What OS/software/hardware is running on either side?
What kind of skills are available?
0
 
williamwlk (Author) commented:
Thanks Buds!

skull,

Thanks for the insights.

In short, we just would like to link an HQ and a branch office over the tunnel, just for minimal trunk VoIP traffic.

Over the tunnel, a branch office Asterisk VoIP gateway [on CentOS 6] will dial out to the HQ ASA5505-50-BUN-K9 VPN and connect through HQ's Internet to the 3rd-party SIP provider.

HQ will have an extension as well to connect to the branch office Asterisk VoIP gateway.

The branch office is behind a NAT with a slow Internet connection.

That's about it.

However, I have tried a POC on IPSec and it works flawlessly.

And so, I didn't bother testing SSL tunnels based on OpenVPN, which might or might not work.

But I am very much tempted to know whether an SSL VPN [based on OpenVPN] will work, or whether SSL is a better option for the scenario in question.

My main concern is that the payload be reduced to a minimum, for both the voice traffic and the underlying tunnel.

We can play around with any technology. Just would like opinions around it.

Due to the firewalled state of the branch office, UDP is the plausible transport rather than TCP.

Thanks so much for your time.

Regards,
W
0

 
davorin commented:
Running SSL over slow/bad connections can make VoIP calls worse because of retransmissions, while if you have good and fast connections the retransmissions could help to get better sound.
IPsec uses UDP datagrams as VoIP does, with no retransmissions, so I guess it should work better on slow lines.
Plus, SSL does not support data compression, but I don't think this really matters because VoIP consists of a big number of small packets. High bandwidth doesn't really matter, but low delay does.
0
 
skullnobrains commented:
I do not think my knowledge of SIP is good enough to give definitive advice.

Basically, given your situation, I believe setting up a true VPN with communication in both directions would be simpler

...but I'm concerned about what you really are trying to achieve, since SIP should work pretty well over the Internet and secure RTP can be used for the data connection. It is likely that no VPN at all would do the trick pretty neatly, and you probably can use the firewall if you want to forbid data connections from third parties. Why do you need a VPN? Security policy?
0
 
williamwlk (Author) commented:
Sorry for my late reply.

davorin,

Thanks for your advice. It is insightful.

Skull,

Secure RTP is an option. But I need to check if the ISP allows the secure RTP port. I need to check it out. Sounds like a good idea to me if it is allowed.

The reason I want a VPN is to give the branch offices the facilities, or the security policy for that matter, that we have at HQ.

Having said that, the bottom line is that I want my VoIP infrastructure to work, working around the slow network/Internet at the branch office.

Thank you. Any further advice you would like to give?

:)

W
0
 
skullnobrains commented:
I'm definitely not a SIP expert, by far, but still a few more hints:

It does not seem likely your ISP would block the RTP port or the secure port or any port at all, except perhaps 25.

Anything that adds processing and toying with packet sizes and encapsulations will add latency, and anything that adds encryption will make the payload higher for an equivalent service.

BTW, secure RTP is more or less what you may call an SSL applicative tunnel.
0
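To put numbers on the points made by davorin (UDP versus TCP transport) and skullnobrains (every encapsulation and encryption layer enlarges each packet), here is an added example that is not code from any poster in this thread. It models the on-the-wire size of one RTP voice packet as it leaves the branch office bare, inside an IPsec ESP tunnel (with and without NAT-T, which applies here because the branch is behind NAT), and inside OpenVPN over UDP or TCP. The IPv4/UDP/TCP/RTP header sizes are the standard ones; the ESP and OpenVPN data-channel layouts are assumptions for one common suite (AES-128-CBC with HMAC-SHA1) and are approximations only, as are the codec figures. The codec names, `Codec` class and helper functions are constructed for this illustration.

```python
"""Per-packet size of an RTP voice stream: bare, IPsec ESP tunnel, OpenVPN.

Added example for the thread above, not code from any poster. Header sizes
for IPv4/UDP/TCP/RTP are the standard ones; the ESP and OpenVPN data-channel
layouts assume AES-128-CBC with HMAC-SHA1 and are approximations for that one
suite (other suites, e.g. AES-GCM, change the per-packet bytes).
"""
from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8
TCP_HDR = 20
RTP_HDR = 12
AES_BLOCK = 16


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bytes: int    # voice payload carried in one RTP packet
    packets_per_sec: int  # 20 ms packetisation -> 50 packets/s


# Constructed sample codecs: typical 20 ms packetisation figures.
G711 = Codec("G.711 20ms", 160, 50)
G729 = Codec("G.729 20ms", 20, 50)


def round_up(n: int, block: int) -> int:
    """Smallest multiple of `block` that is >= n."""
    return -(-n // block) * block


def rtp_packet_len(codec: Codec) -> int:
    """Inner IPv4 packet as the PBX emits it: IP + UDP + RTP + voice payload."""
    return IPV4_HDR + UDP_HDR + RTP_HDR + codec.payload_bytes


def esp_tunnel_len(inner: int, nat_t: bool) -> int:
    """IPsec ESP in tunnel mode (assumed AES-CBC + HMAC-SHA1-96).

    outer IPv4 | [UDP 4500 if NAT-T] | SPI(4)+seq(4) | IV(16) |
    AES-CBC( inner + pad + pad_len(1) + next_hdr(1) ) | ICV(12)
    ESP pads only as far as needed to reach a cipher-block boundary.
    """
    encrypted = round_up(inner + 2, AES_BLOCK)
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + 8 + 16 + encrypted + 12


def openvpn_len(inner: int, transport: str) -> int:
    """OpenVPN tun-mode data channel (assumed AES-CBC + HMAC-SHA1).

    outer IPv4 | UDP, or TCP plus a 2-byte length prefix | opcode(1) |
    HMAC(20) | IV(16) | AES-CBC( packet-id(4) + inner + PKCS#7 pad )
    PKCS#7 always adds 1..16 bytes, so a block-aligned inner costs a full block.
    """
    plaintext = 4 + inner
    encrypted = plaintext + (AES_BLOCK - plaintext % AES_BLOCK)
    if transport == "udp":
        outer = UDP_HDR
    elif transport == "tcp":
        outer = TCP_HDR + 2
    else:
        raise ValueError(f"unknown transport {transport!r}")
    return IPV4_HDR + outer + 1 + 20 + 16 + encrypted


MODES = ("none", "ipsec-esp", "ipsec-esp-natt", "openvpn-udp", "openvpn-tcp")


def bytes_on_wire(codec: Codec, mode: str) -> int:
    """IP-layer bytes per voice packet for the given encapsulation mode."""
    inner = rtp_packet_len(codec)
    table = {
        "none": inner,
        "ipsec-esp": esp_tunnel_len(inner, nat_t=False),
        "ipsec-esp-natt": esp_tunnel_len(inner, nat_t=True),
        "openvpn-udp": openvpn_len(inner, "udp"),
        "openvpn-tcp": openvpn_len(inner, "tcp"),
    }
    return table[mode]


def kbps(codec: Codec, mode: str) -> float:
    """One-way IP-layer bit rate of a single call (layer-2 framing excluded)."""
    return bytes_on_wire(codec, mode) * 8 * codec.packets_per_sec / 1000


def overhead_ratio(codec: Codec, mode: str) -> float:
    """Bytes sent on the wire per byte of actual voice payload."""
    return bytes_on_wire(codec, mode) / codec.payload_bytes


if __name__ == "__main__":
    for codec in (G711, G729):
        print(codec.name)
        for mode in MODES:
            print(f"  {mode:15s} {bytes_on_wire(codec, mode):4d} B/pkt "
                  f"{kbps(codec, mode):6.1f} kbit/s  "
                  f"x{overhead_ratio(codec, mode):.1f} of payload")
```

For a G.729 call, 20 bytes of voice become 60 bytes bare, 128 bytes inside ESP with NAT-T and 145 bytes inside OpenVPN over UDP, so on a slow branch link the tunnel headers, not the codec, dominate the bit rate. The TCP column counts only the forward-direction header bytes; the reverse-direction ACKs and any retransmissions that davorin mentions come on top of that, which is why a UDP-based tunnel is the usual choice for real-time media.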
 
williamwlk (Author) commented:
skull,

I take note of your comments and I agree.

Simply put, I could have also gotten the same effect over SSH tunnels.

Anyway, I will get back to you soon how the project goes.

Thanks again for your time, energy, and insights.

Lovely.

W
0
 
williamwlk (Author) commented:
Great insights. Thanks Guys!
0
 
skullnobrains commented:
Hope the project goes fine. Feel free to post if needed.

But just for the record, tunneling over SSH is MUCH slower than an SSL connection. SSH makes use of SSL but adds extra encryption, which is pretty lightweight, and adds userland processing and NATing of the TCP packets, which is nothing next to lightweight. I would not recommend doing VoIP over SSH on a slow network, or on slow machines.
0
 
williamwlk (Author) commented:
Ack'ed. Thanks again. I will keep you all posted.

Have a lovely weekend.

W
0
