[strongSwan] Security Comparison

Christian Salway christian.salway at naimuri.com
Thu Jul 19 09:33:31 CEST 2018

Hi Robert,

Thank you for coming back to me.  I have a client who is pushing for VDI (HTTPS) instead of VPN (IPSEC) and I’m wondering whether there is a security standpoint I can argue or if its just as secure.  I am also limited to the native OSX/Windows VPN clients which currently support a maximum of aes256-sha256-prfsha256-ecp256-modp2048 (Windows does not support ecp)

Apart from IPSEC being Layer 3 and HTTP being Layer 6, meaning that should a VPN client be infected with a worm, it is easier for that worm to infect the network, I’m struggling to see another security argument.

Data encrypted over RSA 4096 SHA-2 on paper seems a secure connection.  Whereas IKE also uses a certificate to do the KeyExchange before logging in and then encrypting the data with ESP, so the ciphers used on ESP I feel is the comparison that needs to be made.

I will have a read of that Cipher suites page, but if I remember correctly, it is not a comparison but a standpoint.


> On 19 Jul 2018, at 05:51, Robert Leonard <rjlcontracting at gmail.com> wrote:
> I don't really know where to start with this article.  It appears to be sponsored by OpenVPN, and is written from the perspective of a home user, not a security standpoint.  I
> I would suggest taking a look at the documentation for the Cipher suites rather than taking this article at face value.
> https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites <https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites>
> Most importantly, what is your use case?  
> On Wed, Jul 18, 2018 at 6:23 PM Christian Salway <christian.salway at naimuri.com <mailto:christian.salway at naimuri.com>> wrote:
> I was just doing some research focusing on the security of the data over a VPN connection - and the chap in the following link has marked OpenVPN, which uses RSA, as being more secure than IKEv2 IPSEC
> https://thebestvpn.com/pptp-l2tp-openvpn-sstp-ikev2-protocols/ <https://thebestvpn.com/pptp-l2tp-openvpn-sstp-ikev2-protocols/>
> So my question is, in your opinion, do you rate IKEv2 IPSEC more secure than an RSA encrypted VPN like OpenVPN
> -- 
> Rob Leonard
> RJL Contracting
> Cell:  (248)  403 4817
> E-Mail:  rjlcontracting at gmail.com <mailto:rjlcontracting at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180719/f0bfc2bf/attachment.html>

More information about the Users mailing list