Ask / Submit

Revision history [back]

click to hide/show revision 1
initial version

posted 2015-03-14 22:11:00 +0300

PPTP is not the best option since nowdays many mobile providers (and some fixed ones) do block protocols other than the well-known three (TCP, UDP, ICMP). PPTP utilises GRE and thus does not work in this case. I had many complaints from my customers about this, and the only solution was switching to TCP- or UDP-based tunneling.

OpenVPN is great but definitely it needs a GUI client for regular users, which are not networking experts.

IPsec + X.509 + NAT Traversal (that is, AH/ESP-over-UDP) is also highly desirable, but there is a caveat: there are 2 popular implementations for Linux, StrongSWAN and OpenSWAN. They are _said_ to be compatible to standards and to each other, yet never I have seen a working examle of communication between them. Thus, none is perfect, and none will provide 100% compatibility with the other systems. Thus, a perfect system should have an option to select either of the *SWANs to be de/re/installed.

What is even more discouraging is that Jolla shipbuilders cannot even say definitely if IPsec support is complied into the kernel or not. Not to say which of the two...

PPTP is not the best option since nowdays many mobile providers (and some fixed ones) do block protocols other than the well-known three (TCP, UDP, ICMP). PPTP utilises GRE and thus does not work in this case. I had many complaints from my customers about this, and the only solution was switching to TCP- or UDP-based tunneling.

OpenVPN is great but definitely it needs a GUI client for regular users, which are not networking experts.

IPsec + X.509 + NAT Traversal (that is, AH/ESP-over-UDP) is also highly desirable, but there is a caveat: there are 2 popular implementations for Linux, StrongSWAN and OpenSWAN. They are _said_ to be compatible to standards and to each other, yet never I have seen a working examle of communication between them. Nor could I couple them myself. Thus, none is perfect, and none will provide 100% compatibility with the other systems. Thus, a perfect system should have an option to select either of the *SWANs to be de/re/installed.de/re/installed on user's choice.

What is even more discouraging is that Jolla shipbuilders cannot even say definitely if IPsec support is complied into the kernel or not. Not to say which of the two...