SSH or IPSec?
shawngiese asks: "I'm looking for some feedback on which is the better way to make VPN connections - using SSHv2 or IPSec. My company apliware.com makes embedded linux firewalls here in Switzerland. Our next firmware will be coming out with SSH added to IPSec but during my tests I have noticed that the throughput of SSH is much faster when using the same ciphers. Are there any opinions on which has the better key exchange and also on whether the performance is better for SSH everywhere or just on our port/CPU? I assume since they both use the same ciphers that the data is as secure in one or the other. Of course IPSec offers full tunneling and encapsulation of more than just TCP but I can SSH through almost any NAT box and with the gain in throughput and many free clients for road warriors (even my Palm Pilot for terminal access) I wonder if SSH might not be the easier VPN than IPSec."
Given the proliferation of NAT on many fronts now, I personally have used, installed and maintained SSH VPNs on many of my clients' networks because I find it a lot more reliable than IPSec.
Here in NZ, ADSL is running via PPPoATM and all network terminators must be running NAT (this is a requirement of the Telco, not of the technology). Because of the much lower costs of DSL vs Frame, this is becoming the default setup for most companies now. IPSec in this kind of environment where NAT is at both ends, or even just one, becomes a real PITA to get running and keep running. SSH just works.
Once the keys are set at both ends, the tunnels just do their thing. Establishing ports is not difficult. For my setup I create Virtual IPs at both ends of the network and then essentially do port forwarding across the tunnel to those ports. Essentially a combination of SSH and (in my case) IPTABLES. Works very well, very sweetly and NAT doesn't cause me any problems.
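The setup the comment above describes, a virtual IP on the gateway plus SSH port forwards and an iptables rule letting the LAN reach it, written out as an added example. This is not the poster's own script: the hostnames, addresses, interface name and service port are assumptions, and DRY_RUN=1 (the default) prints the commands instead of executing them so it can be read and checked offline.

```shell
#!/bin/sh
# Added example, not from the original post. Builds one leg of an SSH "VPN":
# a virtual IP on the local gateway, an SSH -L forward bound to that IP, and
# an iptables rule so LAN hosts can use it. Every address below is constructed.
set -eu

LOCAL_VIP=${LOCAL_VIP:-10.99.0.1}        # assumed: virtual IP published to the local LAN
REMOTE_GW=${REMOTE_GW:-gw.example.com}   # assumed: remote gateway, port 22 reachable through NAT
REMOTE_SVC=${REMOTE_SVC:-192.168.2.10}   # assumed: real server behind the remote gateway
SVC_PORT=${SVC_PORT:-5432}               # assumed: service being tunnelled
LAN_IF=${LAN_IF:-eth1}                   # assumed: LAN-facing interface of the local gateway
DRY_RUN=${DRY_RUN:-1}                    # 1 = print the commands, 0 = execute them

# Print or execute a command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: give the local gateway the virtual IP (a /32 on lo; LAN hosts reach
# it through their default route, which is this gateway).
add_virtual_ip() {
  run ip addr add "$LOCAL_VIP/32" dev lo
}

# Step 2: one SSH forward per service. -N: no remote shell; -f: background.
# The listener is bound to the virtual IP only. BatchMode forces key-only auth,
# ExitOnForwardFailure makes a failed bind fatal instead of silently ignored,
# and the ServerAlive options tear down a tunnel whose NAT state has expired
# so a supervisor (or a cron job) can restart it. Only outbound TCP/22 is
# needed, which is why this survives NAT where IPSec often does not.
open_tunnel() {
  run ssh -N -f \
    -o BatchMode=yes -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -L "$LOCAL_VIP:$SVC_PORT:$REMOTE_SVC:$SVC_PORT" \
    "tunnel@$REMOTE_GW"
}

# Step 3: let LAN hosts reach the forwarded port on the virtual IP. The rest
# of the INPUT chain is assumed to default to DROP, as on a firewall.
allow_lan_to_vip() {
  run iptables -A INPUT -i "$LAN_IF" -d "$LOCAL_VIP" -p tcp --dport "$SVC_PORT" -j ACCEPT
}

# Run all three steps. Repeat on the far gateway with the roles swapped, or use
# an -R forward from this side so only one gateway needs inbound port 22.
add_virtual_ip
open_tunnel
allow_lan_to_vip
```

With DRY_RUN=0 the same functions execute the commands; the `tunnel` account on the remote gateway should be a key-only user with no shell, so a stolen key yields a forward and nothing more.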
FreeS/WAN may not be _The Best_, but it's darn good enough:
I have a system where 12 sizable offices come into a FreeS/WAN router via a 1.5Mbit link, and the VPN moves on average 1Mbit/sec between these offices (sometimes peaks to 1.5Mbit). The VPN router that all 12 networks point to is a Pentium 166 w/ 64MB of RAM, the router's been up for over 6 months (an office move required a shutdown 6 months ago), and the VPN only adds around 5 to 10 ms of latency to the connection. Heck, I get better network performance out of this setup than my old Ciscos did running point-to-point frame-relay.
The FreeS/WAN product can also offload the crypto tasks to hardware devices when really necessary.