{"id":20100,"date":"2022-03-29T11:27:00","date_gmt":"2022-03-29T09:27:00","guid":{"rendered":"http:\/\/www.firewallhardware.it\/pfsense-e-vpn-differenze-e-approfondimenti-sulla-sicurezza-di-ipsec-e-openvpn\/"},"modified":"2022-03-29T13:02:48","modified_gmt":"2022-03-29T11:02:48","slug":"openvpn-vs-ipsec","status":"publish","type":"post","link":"https:\/\/blog.miniserver.it\/en\/pfsense\/openvpn-vs-ipsec\/","title":{"rendered":"pfSense: OpenVPN vs IPsec (Security and functionality)"},"content":{"rendered":"\n<p>More and more in recent years, and never as much as in these days, we speak of <strong>Remote Working<\/strong>.<\/p>\n\n\n\n<p>One of the technologies necessary to allow this type of activity is undoubtedly the VPN, which together with <strong><a href=\"https:\/\/blog.miniserver.it\/en\/pfsense\/\" target=\"_blank\" rel=\"noreferrer noopener\">pfSense <\/a><\/strong>constitutes an effective solution to the problem.<\/p>\n\n\n\n<p>This guide aims to describe and investigate the differences between<strong> <strong>OpenVPN<\/strong><\/strong> vs <strong>IPSec<\/strong> implemented through pfSense.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">OpenVPN vs IPsec (Security and functionality)<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"#intro\">Introduction<\/a><\/li><li><a href=\"#tunnel-ipsec\">Secure tunnel with IPSec<\/a><\/li><li><a href=\"#tunnel-vpn\">Secure tunnel with SSL VPN<\/a><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Used Hardware:<\/h3>\n\n\n\n<p>This guide can be applied to all the hardware of the firewall line certified by us, which you can find here: <a title=\"Firewall\" href=\"https:\/\/www.miniserver.it\/firewall\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.miniserver.it\/firewall<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Software environment:<\/h3>\n\n\n\n<p><strong>pfSense\u00ae 2.4.x<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"intro\">First some theory<\/h3>\n\n\n\n<p>A VPN (Virtual Private Network) is a 
&#8220;virtual connection&#8221; that allows you to create a private network between two or more workstations, which are not located on the same LAN.<\/p>\n\n\n\n<p>This virtual <strong>link is called a tunnel.<\/strong><\/p>\n\n\n\n<p>But what exactly is meant by security in a smart working environment?<\/p>\n\n\n\n<p>It means the security of the communication channel, that is, of the tunnel.<\/p>\n\n\n\n<p>The tunnel is in fact created through the public network (Internet) and therefore potential attackers could &#8220;sniff&#8221; our traffic, see the IP addresses of our internal networks, modify our data traffic, etc &#8230;<\/p>\n\n\n\n<p>It is clear therefore that we cannot allow all this.<\/p>\n\n\n\n<p>The solution is therefore to use secure VPNs, which allow you to create tunnels that guarantee:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong> Client authentication (remote user)<\/strong><\/li><li><strong> Confidentiality of communication<\/strong><\/li><li><strong> Integrity of the transmitted data: <\/strong>an attacker cannot modify the data without my being<strong> aware of it.<\/strong><\/li><li><strong> Replay and Filtering protection:<\/strong> the data must be received exactly in the order in which<strong> it is sent.<\/strong><\/li><\/ul>\n\n\n\n<p>Let&#8217;s now see the most used techniques for &#8220;Tunneling&#8221;: OpenVPN vs IPsec.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Secure tunnel with IPSec<\/li><li>Secure tunnel with SSL<\/li><\/ul>\n\n\n\n<p><strong>pfSense and OPNsense <\/strong>implement both solutions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"tunnel-ipsec\">Secure tunnel with IPSec<\/h3>\n\n\n\n<p>IPSec is an architecture that contains multiple protocols to ensure the security of <strong>transmission at the IP level (Layer 3 of the OSI model).<\/strong><br>It allows in particular to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>create secure VPNs on untrusted networks (public networks)<\/li><li>make <strong>end-to-end 
security<\/strong><\/li><\/ul>\n\n\n\n<p>We can define IPSec as a tool with a more complex configuration than other tools for creating secure VPNs.<br>This complexity derives from the fact that IPSec must be configured so that it manages two fundamental parts of communication:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The protocols which implement the exchange of symmetric keys in order to encrypt \/ decrypt the transmitted \/ received data.<\/li><li>The <strong>algorithms and modes <\/strong>which allow the actual <strong>encryption <\/strong>of the data.<\/li><\/ul>\n\n\n\n<p><u>Exchange of keys<\/u><br>Before defining how keys are exchanged, it is important to define the Security Association (SA) concept that underlies the functioning of IPsec.<br>We can define an SA as a &#8220;contract&#8221; between the two interlocutors, in which the mechanisms and keys to be used for communication with IPsec are established. The protocol for establishing SAs is called <strong>IKE (Internet Key Exchange)<\/strong>.<br>IKE is made up of two phases:<\/p>\n\n\n\n<p><em>First phase<\/em><\/p>\n\n\n\n<p>Creation of a first bidirectional SA <strong>(ISAKMP SA)<\/strong>, which serves to protect the subsequent SAs dedicated to the actual IPsec communication.<br>This first phase can be done in two different ways:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>main mode<\/strong>: heavier processing, but safer.<\/li><li><strong>aggressive mode: <\/strong>less heavy, but less secure.<\/li><\/ul>\n\n\n\n<p>The image below (fig. 1) shows a part of the pfSense interface for configuring the first phase of IPSec. 
We note the Negotiation mode field, in which the mode used to carry out this phase is specified.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"255\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN1.jpg\" alt=\" OpenVPN vs IPsec\" class=\"wp-image-20028\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN1-300x96.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN1-768x245.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN1.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>In this first phase, the two interlocutors are authenticated.<br><strong>The authentication<\/strong> can be done in two ways:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Pre-shared Key (PSK)<\/strong>: a symmetric key shared between the two parties is used. This method could be rather insecure, as it is not possible to distinguish &#8220;who did what&#8221;, that is, I cannot distinguish the two counterparts. 
Furthermore, the fact of having a &#8220;shared secret&#8221; between the two counterparts could lead to security problems.<\/li><li><strong>Digital signature (RSA)<\/strong>: The digital signature is based on asymmetric encryption, therefore without the use of a shared key, eliminating all the disadvantages of the &#8220;shared secret&#8221; as in the case of the PSK.<\/li><li>With the digital signature we can also perfectly distinguish the two counterparts.<\/li><\/ul>\n\n\n\n<p>Also in the previous image we note the <em>Authentication Method<\/em> field of the <strong>pfSense<\/strong> interface, which specifies how authentication will be performed.<\/p>\n\n\n\n<p><strong>Symmetric data encryption<\/strong> within this first phase can be done with different algorithms; try to prefer &#8220;strong&#8221; algorithms, such as those of the AES family. Avoid DES or 3DES in a production environment as they are now obsolete and therefore vulnerable.<br>By defining encryption, you also need to define:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>the <strong>Hash Algorithm<\/strong> for calculating the data digest: MD5 is not recommended<\/li><li>the <strong>Diffie-Hellman (DH) <\/strong>group: DH is the protocol that allows the exchange of symmetric keys. The group is the number that identifies the &#8220;strength&#8221; of the key used in the key exchange process. Groups range from 1 to 30, going from a minimum (1) to a maximum (30) level of safety. The more secure the key, the more onerous the calculation that generates it, and therefore the more computationally expensive. A good compromise between security and channel creation speed could be 14.<\/li><\/ul>\n\n\n\n<p>In the following image (fig. 2) we see how it is possible to specify these encryption characteristics in this first phase for <strong>pfSense<\/strong>.<br>The symmetric <strong>encryption algorithm<\/strong> is specified with the Encryption Algorithm field. 
In our case, AES256-GCM was chosen, where GCM defines the block algorithm and the Key length field is the length of the block of data that will be encrypted at each cycle. The Hash algorithm is specified with the Hash field, while the Diffie-Hellman group is specified by the <em>DH Group field<\/em>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"131\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN2.jpg\" alt=\"pfSense: OpenVPN vs IPsec (Security and functionality)\" class=\"wp-image-20032\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN2-300x49.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN2-768x126.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN2.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p><em>Second phase:<\/em><\/p>\n\n\n\n<p>In this phase the real <strong>IPsec SAs<\/strong> are negotiated.<br>These SAs are much faster to establish than the previous ISAKMP SA, as they no longer have to worry about all the preliminary negotiation already carried out by the ISAKMP SA.<\/p>\n\n\n\n<p><u>Algorithms and modes<\/u><br>Let&#8217;s move on to defining how data is encrypted in transmission and how it is &#8220;wrapped&#8221; in the IP packet.<br>IPsec provides two protocols, namely <strong>AH<\/strong> and <strong>ESP<\/strong>, each of which guarantees different levels of security, in particular:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>AH<\/strong> (Authentication Header), guarantees\n<ul>\n<li><strong>Data integrity<\/strong><\/li>\n<li><strong>Sender authentication<\/strong><\/li>\n<li><strong>no Replay<\/strong><\/li>\n<\/ul>\n<\/li><li><strong>ESP<\/strong> (Encapsulating Security Payload), guarantees\n<ul>\n<li><strong>Data integrity<\/strong><\/li>\n<li><strong>authentication<\/strong><\/li>\n<li><strong>no 
Replay<\/strong><\/li>\n<li><strong>Data confidentiality<\/strong><\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<p>Without going into too much detail, we see that <strong>AH does not guarantee data confidentiality<\/strong>.<br>This means that the data will not be encrypted and therefore a potential attacker could perform &#8220;<strong>sniffing<\/strong>&#8221; of the data inside the tunnel.<br>There are two different ways to implement security in IPsec:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Transport Mode<\/li><li>Tunnel Mode<\/li><\/ul>\n\n\n\n<p><strong>Transport Mode<\/strong><br>This mode requires that IPsec is implemented on the end hosts of the communication, that is, <strong>end-to-end<\/strong> security.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>benefits\n<ul>\n<li>computationally light<\/li>\n<\/ul>\n<\/li><li>disadvantages\n<ul>\n<li>IP headers that specify source and destination are always <strong>in the clear<\/strong><\/li>\n<li>does not protect variable fields in packets<\/li>\n<li>configuration of IPsec directly on the end hosts (PC, tablet etc &#8230;)<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<p><strong>Tunnel Mode<\/strong><br>Unlike Transport Mode, in this mode IPsec terminates on the gateways of the network.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>benefits\n<ul>\n<li>protection also of variable fields in packets<\/li>\n<li>a tunnel is established<\/li>\n<\/ul>\n<\/li><li>disadvantages\n<ul>\n<li>computationally heavy<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<p>However, it makes little sense to talk about Tunnel Mode or Transport Mode without the <strong>AH<\/strong> or <strong>ESP<\/strong> protocol being associated.<\/p>\n\n\n\n<p><strong>To configure these pfSense settings<\/strong>, add the second phase of the IPsec protocol by clicking <strong><em>on + Add P2<\/em><\/strong>.<\/p>\n\n\n\n<p>In the following figure (fig. 
3) we see that through the <em>Mode<\/em> field we can define the IPsec mode, choosing between Transport Mode and Tunnel Mode.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"333\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN3.jpg\" alt=\"IPsec e OpenVPN\" class=\"wp-image-20037\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN3-300x125.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN3-768x320.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN3.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>Continuing in the configuration (fig. 4), we come to the choice between AH and ESP.<br>We note that the graphical interface changes based on the choice between AH and ESP: if you choose AH, you only have to define the Hash algorithm, through the <em>Hash Algorithms<\/em> entry.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"233\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN4.jpg\" alt=\"pfSense: OpenVPN vs IPsec (Security and functionality)\" class=\"wp-image-20039\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN4-300x87.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN4-768x224.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN4.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>If ESP is chosen, in addition to the hash algorithm, an encryption algorithm must also be indicated, to be used to guarantee the confidentiality of the transmitted data (fig. 
5).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"465\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN5.jpg\" alt=\"OpenVPN vs IPsec \" class=\"wp-image-20041\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN5-300x174.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN5-768x446.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN5.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>Let&#8217;s now look at two example scenarios.<br>The first scenario will show an implementation of IPsec in Transport Mode, highlighting what an attacker can or cannot see on the public network, based on the protocol used for security (AH or ESP).<\/p>\n\n\n\n<p>The second scenario will be similar, but for an implementation of <strong>IPsec in Tunnel Mode<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"367\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN6.jpg\" alt=\"IPsec e OpenVPN\" class=\"wp-image-20043\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN6-300x138.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN6-768x352.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/firewallhardwareIPsecOpenVPN6.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>We see in the image (fig. 6) that if the <strong>AH<\/strong> protocol is used, the traffic is not encrypted and therefore an attacker can sniff the traffic at any point of the communication. 
Instead, integrity, <strong>authentication of the parties and no replay are guaranteed<\/strong>.<\/p>\n\n\n\n<p>With <strong>ESP<\/strong>, on the other hand, only the IPs of the end hosts (PC1 and PC2) are shown in the clear, while all the rest of the sensitive data is encrypted. <strong>Like AH<\/strong>, <strong>integrity<\/strong>, authentication of the parties and <strong>no replay<\/strong> are guaranteed.<\/p>\n\n\n\n<p><strong>IPsec Tunnel Mode<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"347\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality.jpg\" alt=\"Psec Tunnel Mode\" class=\"wp-image-24571\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-200x87.jpg 200w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-300x130.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-400x174.jpg 400w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-600x260.jpg 600w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-768x333.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>In this scenario we see (fig. 7) that the <strong>complete encryption of the original packet<\/strong> takes place within the IPsec TUNNEL, using the ESP protocol. In fact, using ESP, only the tunnel IPs are not encrypted, while the IPs of the respective hosts (PC1 and PC2) are protected by encryption, together with the sensitive data. 
An attacker sniffing on the TUNNEL would only see the Tunnel IPs in the clear.<\/p>\n\n\n\n<p>If we use AH, the traffic would be all in the clear, as in the case of Transport Mode.<\/p>\n\n\n\n<p>Note that Tunnel Mode concentrates all the computational encryption load on the gateways and not on the end hosts.<br>This is a consideration that should not be underestimated in the business environment, as end hosts do not always have enough computing power to implement IPsec safely.<\/p>\n\n\n\n<p>In <strong>smart working<\/strong>, the mode used is certainly Tunnel Mode, in which the tunnel is between the remote PC and the corporate gateway. The most common name for this type of VPN is <strong>road-warrior<\/strong>, but in academic terms it is called the <strong>Secure Gateway<\/strong>.<br>We see a representation in the image below (fig. 8).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"369\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-1.jpg\" alt=\"IPsec Secure Gateway.\" class=\"wp-image-24573\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-1-200x92.jpg 200w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-1-300x138.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-1-400x185.jpg 400w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-1-600x277.jpg 600w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-1-768x354.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-1.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>In recent years, the concept of <strong>BYOD<\/strong>, or &#8220;<em>Bring your own device<\/em>&#8221;, has 
spread widely within companies.<br>In fact, more and more companies allow their collaborators to access the corporate network remotely, through their personal devices (Laptop, Smartphone etc &#8230;).<br>The cost to pay is a non-trivial configuration of IPsec and the need to have sufficient computing power on the remote host and gateway.<\/p>\n\n\n\n<p>However, it is possible to implement a <strong>VPN concentrator<\/strong> as a gateway. This device implements IPsec with hardware dedicated to encryption, thus avoiding slowing down communication.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"tunnel-vpn\">Secure tunnel with SSL VPN<\/h3>\n\n\n\n<p>In the smart working area, it is essential that a remote user be able to access their company network in a short time and therefore be productive.<br>Without a doubt, the use of an <strong>SSL VPN<\/strong> that is easy to configure is the right choice for us, allowing access to the office network in just a few minutes.<\/p>\n\n\n\n<p>An SSL VPN does nothing but take advantage of a <strong>secure SSL<\/strong> connection, creating a real tunnel between the parties.<\/p>\n\n\n\n<p>More specifically, what is done is a TUNNEL at the TCP \/ UDP level (Layer 4), unlike IPsec which creates a TUNNEL (in Tunnel Mode) at the IP level (Layer 3).<\/p>\n\n\n\n<p>An SSL VPN guarantees:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Initial authentication of the parties<\/strong>\n<ul>\n<li>Server authentication<\/li>\n<li>Client authentication (remote user)<\/li>\n<\/ul>\n<\/li><li><strong>Confidentiality of messages<\/strong><\/li><li><strong>Authentication and integrity of messages<\/strong><\/li><li><strong>Replay protection<\/strong><\/li><\/ul>\n\n\n\n<p>There are 4 different approaches for SSL VPN.<\/p>\n\n\n\n<p>1. <strong>Clientless:<\/strong> the remote user authenticates for the VPN directly from a browser web page. Once the connection is established, the VPN is created on the SSL secure channel. 
Note that authentication of the remote user is a simple login, which could be potentially dangerous. The advantage is that it is totally independent of the remote user&#8217;s Operating System (fig. 9).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"311\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-2.jpg\" alt=\"Clientless VPN\" class=\"wp-image-24575\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-2-200x78.jpg 200w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-2-300x117.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-2-400x156.jpg 400w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-2-600x233.jpg 600w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-2-768x299.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-2.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>2. <strong>Browser plug-in<\/strong>: the VPN vendor provides a plug-in to be loaded on the browser. Authentication will no longer be performed on a web page but managed by the plugin. Also in this case it is totally independent of the Operating System (fig. 
10).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"311\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-3.jpg\" alt=\"SSL VPN Plugin\" class=\"wp-image-24577\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-3-200x78.jpg 200w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-3-300x117.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-3-400x156.jpg 400w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-3-600x233.jpg 600w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-3-768x299.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-3.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>3. <strong>Stand alone executable:<\/strong> with this approach it is essential to install a tool made available by the vendor of the VPN service (<strong>for example OpenVPN<\/strong>). In this case, the application installed on the user&#8217;s workstation will authenticate.<br>However, this mode requires that you use a certificate (<strong>personal for each remote user<\/strong>) issued by the VPN manager. The certificate will then be used by the application to authenticate the user, all &#8220;strengthened&#8221; by the user login.<br>It is therefore clear that in this mode, a certificate must be provided by the company that makes the VPN available. This greatly improves the security levels for remote user authentication, to the detriment of the management and distribution of certificates for each user (fig. 
11).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"307\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-4.jpg\" alt=\"OpenVPN Standalone\" class=\"wp-image-24579\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-4-200x77.jpg 200w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-4-300x115.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-4-400x154.jpg 400w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-4-600x230.jpg 600w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-4-768x295.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-4.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>4. <strong>Mobile app<\/strong>: there are smartphone apps that perform the same function as an SSL VPN application installed on the PC. <strong>OpenVPN provides this technology<\/strong>. In this article we show how to install it: <a title=\"pfSense OpenVPN configuration\" href=\"https:\/\/blog.miniserver.it\/en\/pfsense-configurazione-openvpn-su-apple-iphone-tablet-e-ios\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/blog.miniserver.it\/en\/pfsense-configurazione-openvpn-su-apple-iphone-tablet-e-ios\/<\/a><\/p>\n\n\n\n<p>This also allows a smartphone to connect via SSL VPN. Again, a <strong>certificate<\/strong> is required for each remote user (fig. 
12).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"313\" src=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-5.jpg\" alt=\"OpenVPN Certificate\" class=\"wp-image-24581\" srcset=\"https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-5-200x78.jpg 200w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-5-300x117.jpg 300w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-5-400x157.jpg 400w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-5-600x235.jpg 600w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-5-768x300.jpg 768w, https:\/\/blog.miniserver.it\/wp-content\/uploads\/OpenVPN-vs-IPsec-Security-and-functionality-5.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>Let&#8217;s compare these four modes by providing useful ideas for configuration.<\/p>\n\n\n\n<p>In particular, the first two methods (Clientless and Plug-in Browser) do not require authentication of the remote user through a certificate. 
It is therefore only necessary to decide which encryption algorithms to set on the gateway that implements the SSL VPN.<br>We avoid using weak encryption algorithms such as DES or 3DES and all associated block algorithms (CBC, CFB etc &#8230;).<br>To go into more detail on the encryption algorithms, I refer you to the following article: <a title=\"pfSense OPNsense encryption optimization\" href=\"https:\/\/blog.miniserver.it\/en\/openvpn-and-pfsense-opnsense-optimization-of-encryption-and-traffic-compression-to-optimize-hardware-and-improve-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/blog.miniserver.it\/en\/openvpn-and-pfsense-opnsense-optimization-of-encryption-and-traffic-compression-to-optimize-hardware-and-improve-security\/<\/a> which analyzes the connection speed based on the chosen algorithm.<br>Commonly used algorithms for encryption are BF-CBC or AES-CBC, which offer a good compromise between security and speed.<\/p>\n\n\n\n<p>The last two types (Stand alone executable and Mobile app) may <strong>require the installation<\/strong> of a certificate on the device used by the remote user, in addition to the usual login with username and password. 
This greatly increases VPN security.<br>Note that the certificate can be re-used on multiple devices by the same user; this is a big benefit for the scalability of the service (I don&#8217;t have to worry about creating a certificate for each device), at the expense of security (I could pass the certificate and access credentials to an unknown user, or a malicious user could take possession of them).<\/p>\n\n\n\n<p><strong>OpenVPN<\/strong> is one of the most used SSL VPN technologies, as it offers high performance and security, accompanied by ease of implementation (both for the remote user and for the network administrator).<\/p>\n\n\n\n<p><strong>Which one to choose?<\/strong><br>One difference that could determine the choice of one VPN over another is the granularity with which I can manage access to the network.<br>Since the IPsec protocol operates at the <strong>IP<\/strong> level (Layer 3 OSI), an IPsec VPN would give full access to the corporate network regardless of the application that the remote user uses.<br>With an SSL VPN, which operates at the <strong>TCP\/UDP<\/strong> level (Layer 4 OSI), it is instead possible to introduce limitations.<\/p>\n\n\n\n<p>This article explains how to limit access: <a title=\"timed on for OpenVPN\" href=\"https:\/\/blog.miniserver.it\/en\/pfsense-and-openvpn-timed-access-for-openvpn-and-limitations-on-the-lan\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/blog.miniserver.it\/en\/pfsense-and-openvpn-timed-access-for-openvpn-and-limitations-on-the-lan\/<\/a><br>In general, there is a tendency to prefer IPsec for site-to-site VPNs, while for access VPNs (road warrior), SSL VPN is preferred for its greater ease of implementation compared to IPsec.<\/p>\n\n\n\n<p>In conclusion, therefore, both the SSL VPN and IPsec solutions perform very well from the point of view of transmission speed on the same hardware.<br>It is up to the network administrator to decide which is the best compromise that the two 
technologies can offer based on the information and needs of their network infrastructure.<\/p>\n\n\n\n<p>In the <strong>smart working<\/strong> scenario it is essential to have a VPN system that allows easy access to the corporate network, without wasting time in complicated user configurations, always guaranteeing security.<br>Statistically, <a href=\"https:\/\/openvpn.net\" target=\"_blank\" rel=\"noreferrer noopener\">OpenVPN <\/a>is the solution that represents the best compromise.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This guide aims to describe and investigate the differences between IPSec and OpenVPN implemented through pfSense<\/p>\n","protected":false},"author":11,"featured_media":24566,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[124],"tags":[270,138],"class_list":["post-20100","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pfsense","tag-openvpn-e-pfsense-en","tag-pfsense-en"],"_links":{"self":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/20100","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/comments?post=20100"}],"version-history":[{"count":9,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/20100\/revisions"}],"predecessor-version":[{"id":24585,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/20100\/revisions\/24585"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/media\/24566"}],"wp:attachment":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-j
son\/wp\/v2\/media?parent=20100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/categories?post=20100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/tags?post=20100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}