Ok, vendor Marketing Aside... is SSL VPN worth it over IP-Sec for client VPN ?

Posted by Cooleb09@reddit | sysadmin | View on Reddit | 11 comments

Just Saying, I know the 'normal' reason why SSL VPN is touted as 'superior' - i.e its on port 443 and can 'punch through' a lot of basic filtering so may work more reliable for traveling users. But for orgs who run only IP-sec (i.e MS AoVPN or similar), how often is that an issue in practice. Lots of SSL VPN Vulns, and while SASE is an option, its also a very expensive one vs rolling basic to good ole Ip-sec - curious what the experince is like these days and if its as bad as the vendor FUD would let you believe.

Reply to Post

11 Comments

[-]

ZAFJB@reddit

I think the real question to ask is why you need a VPN at all.

[-]

RCTID1975@reddit

I'm with you. I think in 2023, the first question shouldn't be "what type of VPN", but rather "is VPN the right solution"

[-]

Ssakaa@reddit

Only time I ever saw a meaningful difference in use has been a couple hotels. Since they tend to *like* businesses coming in for events, they've seemingly cleaned up their side of things a little and I haven't had the issue in years. Even back then, a cell hotspot (this *was* back before I was carrying data on my phone) for the quick jump on to grab an email or someone's presentation took care of it.

[-]

HDClown@reddit

I'm only dealing with users in the US, but the amount of times there's been an issue with someone being able to make an IPSec VPN connection over the past 10+ years can be counted on one hand. I'm actually having a hard time remembering the last instance of it coming up. Most users have no problem tethering to their mobile phone (even if it's personal device) if they have issues with whatever internet is available to them when traveling as hotel WiFi can be awful, and I've never seen issues with IPSec VPN on mobile data.

[-]

OldManandMime@reddit

Yes. Sites that bother to restrict traffic that way tend to also do some inspection to break VPN connections anyway Also IPsec over UDP has gotten incredibly reliable.

[-]

slykens1@reddit

That’s the key - NAT-T with UDP fixes nearly all the problems.

[-]

Cooleb09@reddit (OP)

Thats good to hear, TY. Yeah - I wish there was some real data on how oftne IP-sec being blocked was a 'real' issue.

[-]

TroxX@reddit

Well i think a bit of clarification is needed ... a few vendors exisit that call SSL VPN a Browser Based Portal. Than others who do a client 2 Site Connection on SSL instead of IPsec. Then other venders just call it client 2 Site and use IPsec as default and fallback to SSL when IPsec is blocked ... SASE or SSE would be a always on Client 2 Site connection maybe with local breakout for video or so ... What I personally see most is IPsec and SSL as fallback for Client 2 Site VPN ... I never went personally really to deep into this ... but in general you should be able to edit the ciphers and everything and go for as strong as possible...

[-]

incog473@reddit

Not too well verse in the in depth workings of a vpn but what I've notice for client vpn, ipsec had lower performance compared to Ssl. That's what I observed so far with sonicwall and fortinet client vpn

[-]

user3872465@reddit

I feel like you answered your own question. Its more versatile and punches through a lot of filtering. But like you say its not always needed. For the vulnerabilities, theres always the option to encapsulate on inside the other tho that comes at the expense of compatibility and extra effort.

[-]

AutoModerator@reddit

Much of reddit is currently restricted or otherwise unavailable as part of a large-scale protest to changes being made by reddit regarding API access. /r/sysadmin has made the decision to not close the sub in order to continue to service our members, but you should be aware of what's going on as these changes will have an impact on how you use reddit in the near future. More information can be found [here](https://www.reddit.com/r/Save3rdPartyApps/comments/1476ioa/reddit_blackout_2023_save_3rd_party_apps/). If you're interested in alternative r/sysadmin communities during the protests, you can join our [Discord](https://discord.gg/sysadmin) or IRC (#reddit-sysadmin on libera.chat). *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/sysadmin) if you have any questions or concerns.*