publicIP of the client is likely to be non-unique; thus the tunnel's IP has to come from the VPN software, not be chosen by the client.
|Protocol||IPSec (ESP, AH)||Its own||Its own||TLS + its own||PPTP (GRE)|
|Encryption||Excellent||Weak (3)||Weak (3)||Excellent||See (7)|
|Authorization||X.509 (4)||SSH kludge||Static keys||X.509||Windows|
|  (Pre-arranged keys also work for most programs)|
|Ad-hoc users||Yes||Kludge (1)||No||Yes (8)||Yes|
|Resists IP collisions||No||Kludge (1)||No||Yes (8)||Yes|
|Clients for:||L,W,M (2)||L,S||L,W||L,S,W,M-x||L,S,W (6)|
|  (L=Linux, S=Solaris, W=Windows, M=Mac)|
|Works through NAT||Patch (4)||Yes||Yes||Yes||Yes|
|We used how long?||1 year||0.5 year||None||0.1 year||None|
|Blocked by BOL||Works||Works (ssh)||Prob. blocked||Asked for unblock||Probably works|
|Included with SuSE||Yes||Yes||Yes||Yes (8)||No|
|Good features||Has been reliable||Reliable (with 1 user)||Net buzz||Rock solid, easy setup||Microsoft uses it|
|Bad features||Hard to set up. Diarrhea of the log files.||Requires kludge script. TCP meltdown (5). Shell accounts on bastion host.||No ad-hoc mode||None (8)||Microsoft uses it|
TCP meltdown. Special care is needed to resist this, which ssh is not designed for. Presumably kernel-level IP-in-IP tunnels can do better. See this link for more.
finishedmode, and response to the security criticism mentioned above has not been swift. For us, the biggest problem with vtun is the likelihood of remote IP collisions, which it cannot handle natively. It was intended for use with prearranged connections.
betteror more suited to
realsysadmins. It is generally described in the context of prearranged connections.
you really ought to take a look at OpenVPN. They're right, we should, and will. It uses OpenSSL for TLS crypto on the control channel, a block-encrypted main channel via UDP, and TUN/TAP for tunnelling (mainstream in the kernel, originally written for vtun). No other kernel support is required. Performance quote: Pentium-2 266 MHz, TLS/Blowfish/SHA1, large precompressed files, data rate was 1.455 Mby/sec. It can do chroot, and/or not run as root, and can lock key info in memory. Version 1.x is intended for static point-to-point tunnels, and hence is designed so it has to be individually configured for each user. Version 2.0 includes the
road warriormulti-user configuration that we need.