Site-to-site VPN: IPsec vs SSL?

I'm not sure if I want to go with IPsec or SSL. Can someone give me a side-by-side comparison of the pros and cons of each?


Both IPsec and SSL/TLS can be used to provide good performing, secure VPNs. The real difference depends not on the underlying protocol, but on the implementation.

I participated in the development of the IPsec protocols, shipped the first commercial implementation back in '95 or so, have used it many times, and nearly always use SSL or TLS for site-to-site VPNs today.

Purely from a technology point of view, IPsec does not hold any advantage over SSL/TLS VPNs. SSL and TLS VPNs tend to be easier to set up, do not have the NAT traversal issues that used to plague IPsec users (and occasionally still do), and do not have the denial of service vulnerabilities IPsec does (that are seldom discussed). When we designed IPsec back in the 1990s, these defects were brought out but were swept under the rug by the very political players who were in control of the IPsec working group of the IETF.

The biggest differences will not be with the base technology, though, but with the implementation. Try before you buy!

One warning: Never run any kind of packet tunnel over TCP unless you absolutely have to; you'll end up with retry timers in different layers fighting with each other. Use a datagram-based substrate like UDP or IP.

Karl Fox

IT GURU (another one)
Posted on Dec. 17, 2009

For a site-to-site VPN, this should not be considered two options. I would recommend that you utilize an IPsec VPN in this capacity for the following reasons:
IPsec is considered a framework that operates at the Network Layer of the OSI model. By framework, the idea is that IPsec is extendable and can be expanded to encompass new encryption standards, such as is the case with AES, or other additions to the process, such as DH (handshake). Thus, 20 years from now, while the encryption standards of today will likely be obsolete, IPsec will likely be the framework which encompasses those new standards of tomorrow to deliver end-to-end secure WAN solutions.
As mentioned, IPsec operates at the Network layer, which is where a WAN solution should be implemented. It will provide you with not only the configuration flexibility that is needed, but also flexibility in the capacity of network administration.

SSL VPNs operate at the Transport layer of the OSI model. They are considered newer and thus are still being adopted by equipment vendors into products and software. They utilize SSL to encrypt and transport traffic over port 143/443. SSL VPNs are / should be considered a REMOTE Access VPN and should NOT be used in the capacity of a WAN solution (SITE-to-SITE).
Additional details on SSL VPNs
The SSL VPN comes in two forms:

• Clientless: The purely clientless SSL VPN connection allows you to create a web page listing the resources that the user can access after he or she has successfully authenticated to the VPN. For example, the user would connect, enter his or her username and password, and be redirected to a web page with links to all the common resources the user could access. The clientless VPN does not allow users to use applications on their own PC over the VPN.

• Thin client: The thin-client form of the SSL VPN asks to install an ActiveX- or Java-based plug-in after the user has successfully authenticated to the VPN. This plug-in allows other applications (only TCP-based applications at this time) to run from the user’s PC across the VPN. An example of this connection type in action goes something like this: The user opens the SSL VPN web page in her browser and is prompted for a username and password. After she enters the correct authentication credentials, the web page asks the user if she wants to install the thin client. If she accepts this request, a small program downloads and runs. Depending on how you (as the network administrator) structure the SSL VPN, the web page can then redirect to a “quick link” page with access to many of the common resources inside the network. You could also just have the web page redirect to a “Connection Successful” message. The user can now open TCP-based applications (such as email or web browsing, to name a couple) and access servers located at the corporate office through the VPN.

Hope this information helps. I could go on and on!
Dee Franklin

Anand Chawla
Posted on Dec. 18, 2009

Personally I feel IPsec is much better compared to SSL. Though SSL VPN is clientless and you can use a browser to connect, you need to have a good internet connection as it is slightly unstable.

Whereas IPsec is client based; the disadvantage is that you have to install a client on each and every PC. The advantage is that it is more reliable and the speed is better compared to SSL. When I did a study on IPsec the speed was much better than SSL. Both provide security.

Please make sure that you have enough bandwidth for users to connect and use it.

I would suggest you evaluate Citrix and other competitive products too, which would enable better application delivery. Franklin has already said a lot of things above, so that should help you along with this.

What the purpose of your VPN is, is an important factor in going for the type of product.


It depends on your infrastructure.
If the branch office/partner has xDSL or another broadband connection without a static IP, you should use Dynamic IPsec.
For static site-to-site my choice is IPsec over GRE.
SSL is a good idea for securing client access via HTTP (HTTPS) or RDP over SSL.
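As an added illustration of the two IPsec cases in the post above (it is not configuration posted by anyone in this thread), here is a strongSwan ipsec.conf for the hub side: one connection that accepts a branch whose address changes, and one static connection that carries GRE inside IPsec (what the post calls IPsec over GRE). Every address (taken from the RFC 5737 documentation ranges), subnet, certificate file name and DN is an assumption made up for the example.

```ini
# Hub (head office) side. Assumed values: 203.0.113.1 is the hub,
# 198.51.100.7 the partner with a fixed address (RFC 5737 ranges).
config setup
    uniqueids = yes

conn %default
    keyexchange = ikev2
    ike = aes256-sha256-modp2048!
    esp = aes256gcm16!
    left = 203.0.113.1
    leftcert = hubCert.pem
    leftid = "C=XX, O=Example, CN=hub.example.test"
    dpddelay = 30s

# Case 1: Dynamic IPsec. The branch is on xDSL with a changing address,
# so the hub cannot know it in advance. right=%any accepts the IKE_SA
# from any source address; the peer is authorised by a certificate
# issued by the branch CA (rightca), not by its IP. auto=add means the
# hub only responds: the branch must initiate. IKEv2 narrows
# 10.1.0.0/16 down to the /24 the branch actually proposes.
conn branch-dynamic
    leftsubnet = 10.0.0.0/16
    right = %any
    rightca = "C=XX, O=Example, CN=Example Branch CA"
    rightsubnet = 10.1.0.0/16
    dpdaction = clear
    auto = add

# Case 2: static site-to-site, GRE inside IPsec. Both ends have fixed
# addresses, so the hub can initiate (auto=start). Transport mode with
# leftprotoport/rightprotoport=gre protects only GRE (IP protocol 47)
# between the two endpoints; routed traffic goes through the GRE
# tunnel interface, which is configured outside this file.
conn partner-gre
    leftprotoport = gre
    right = 198.51.100.7
    rightid = "C=XX, O=Partner, CN=vpn.partner.example.test"
    rightprotoport = gre
    type = transport
    dpdaction = restart
    auto = start
```

On the branch the mirror of branch-dynamic uses left=%any, right=203.0.113.1 and auto=start, since only the branch knows its current address. For partner-gre the GRE interface still has to be created (on Linux, ip tunnel add gre1 mode gre local 203.0.113.1 remote 198.51.100.7) and the partner's prefixes routed through it; because the IPsec policy only covers protocol 47 between the two endpoints, any packet that is routed around gre1 leaves the hub unencrypted, so check the routing table rather than assuming the tunnel catches everything.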

Mark Julius Bacordo Replied on Feb. 10, 2012

Hello there, can you post a sample configuration of a Dynamic IPSec? Thanks. :)
