|
Most of my co-workers hate AnyConnect. I love setting it up, it's so easy... It's always something hurf durf ipsec blah blah old ways. The thing that stinks about it, which I think may be changing, is the licensing. Especially if you want mobile phones to work on AnyConnect, you need the 'for mobile' licence.
|
# ¿ Apr 17, 2015 22:15 |
|
|
# ¿ Apr 25, 2024 10:54 |
|
MrMoo posted:
IKEv1 only permits tunneling of a single VLAN unless you are using a proprietary Cisco extension. IKEv2 permits multiple networks in leftsubnet= and rightsubnet= parameters. The typical workaround for this is to use multiple connections or to add L2TP above IPsec, i.e. a level 2 tunneling protocol above a single IPsec connection. On Linux this adds two additional processes I believe - xl2tpd and pppd. You could use GRE or any other IP-in-IP encapsulation protocol but IPsec + L2TP is the standard combination.

I think you're just used to awful Linux IPSec implementations. Why the hell does strongSwan use 'leftsubnet' / 'rightsubnet'? What is the frame of reference? That is confusing as gently caress.
|
# ¿ May 2, 2015 07:51 |
|
MrMoo posted:
Per RFC 4306 it appears the enhancement in IKEv2 is multiple traffic selectors (and narrowing) within a single child SA.

Ya, but you can have multiple SAs to the same peer as long as you aren't using a terrible IPSec implementation device.
|
# ¿ May 3, 2015 05:55 |
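The difference discussed in the two exchanges above, written out as a strongSwan `ipsec.conf` fragment. This is an added example, not from any poster in the thread; the addresses, subnets and connection names are constructed, and by strongSwan convention `left` is the local side and `right` the remote side.

```conf
# Constructed example in strongSwan's ipsec.conf syntax.
# Peer addresses use documentation ranges; subnets are made-up private ranges.
# The matching pre-shared key would live in ipsec.secrets (not shown).
# The IKEv1 and IKEv2 sections are alternatives: configure one or the other.

conn %default
    authby=secret
    left=192.0.2.1            # local gateway ("left" = local by convention)
    right=198.51.100.1        # remote gateway
    auto=route

# --- IKEv1: one subnet pair per connection ---------------------------------
# Each conn negotiates its own IPsec SA, so reaching two remote networks
# from one local network takes two conn sections to the same peer.
conn v1-net-a
    keyexchange=ikev1
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24

conn v1-net-b
    keyexchange=ikev1
    leftsubnet=10.1.0.0/24
    rightsubnet=10.3.0.0/24

# --- IKEv2: several traffic selectors in a single CHILD_SA -----------------
# The comma-separated list becomes multiple traffic selectors, which the
# responder may narrow to the subset its own policy allows.
conn v2-all
    keyexchange=ikev2
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24,10.3.0.0/24
```

With M local and N remote networks the IKEv1 form needs M×N conn sections, which is why a single IKEv2 connection or an encapsulation such as L2TP or GRE is the usual way to keep the policy reviewable.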
|
Tyren posted:
Side note - MS (and others) plan to deprecate SHA1 very soon (circa 2016). While we don't see SHA2 often, I'm guessing we'll see more alternatives to SHA1 in the near future.

SHA1 has pretty much been deprecated by the popular browsers. Most certs have been re-keyed with SHA256.

Edit: I'm legitimately excited to see software solutions starting to utilize the AES/AES-NI extensions

Prescription Combs fucked around with this message at 01:22 on May 5, 2015
# ¿ May 5, 2015 01:18 |
|
Are those numbers packets per second? If so that's fast as hell.

Edit: Oh I see, OpenSSL 'speed' benchmarks. On my i5-2500K

code:
Prescription Combs fucked around with this message at 04:27 on May 12, 2015 |
# ¿ May 12, 2015 03:57 |