IPsec is highly recommended

I have always discussed in this forum why I prefer using IPsec over any other VPN protocol. Although IPsec is not supported in the GL web interface, it should not be that difficult to configure it from SSH or LuCI.

Here is an article that I want to share issued by Norway’s cyber security center:

2 Likes

SSL VPN is totally fine. The problem is called Cisco.
So as long as you don't use Cisco all is fine.

2 Likes

It’s not about Cisco, CVEs or SSL libraries!

If you read the article carefully, it is about following stringent standards: “Unlike IPsec, which is an open standard that most companies follow, SSLVPN does not have a standard, causing network device manufacturers to create their own implementation of the protocol.”

I don't agree.

They call it "SSL VPN" but in 90% of all cases it's simply OpenVPN - which is highly secure and no problem at all. The problem is that FortiGate and Cisco and the other weird American manufacturers always write “SSL VPN” on it and then create some crap.

OpenVPN itself is a de facto standard.

So if your "SSL VPN" utilizes 1194/UDP/TCP - it's already a standard → OpenVPN.

Incorrect! SSL VPN is not OpenVPN!!

SSL VPN gateways do not use OpenVPN; instead they use the standard port 443 (SSL libraries, for example OpenSSL) and some other customized layers (implemented differently by each manufacturer) for authentication and routing.

IPsec is not so secure. Here is a good document from SANS that describes all the problems

Nope, isn't true. I don't know how many firewalls you have already seen, but mostly it's just OpenVPN.
SSL is not about 443/TCP - it's about the encryption itself. And therefore it should be called TLS VPN anyway. :laughing:

See:

Sophos Connect client - Sophos Firewall

No, it is not OVPN! It is SSL VPN, which you may refer to as TLS! But in the world of networking, when we say SSL VPN, it means TLS.

Since the IETF took over the development of SSL, the terms SSL and TLS are often used interchangeably.

With this quote, I can assure you that I have worked with network devices and security for as long as you have lived :smile:

Of course I know that it is not about a port! I can run any protocol over any port I choose to! I was trying to correct your incorrect knowledge when you said:

So if your "SSL VPN" utilizes 1194/UDP/TCP - it's already a standard → OpenVPN.

You can choose whatever you like, but try to learn and avoid sharing hasty and incorrect knowledge on the forum!

Back to your Sophos: when I started to work on networking this business was not even there! Even today, professionals don’t consider it a technology giant like Check Point, Cisco, Juniper, etc. Thus you can expect many issues with their technical documents!

The following quote is from someone who was asking on the OpenVPN forum whether he could connect to an SSL VPN using the OpenVPN client.

No, Cisco SSL VPN and OpenVPN are two different VPN protocols. You cannot connect in such a way.

Reference: Connect to Cisco vpn concentrator - OpenVPN Support Forum

I really advise you, admon, to split your time between the forum and reading RFCs to improve your knowledge 😉

We are talking about completely different things!

The NCSC is talking about clientless VPN.
Which isn't SSL VPN in the meaning of having a real client.

For a long time, NCSC has observed and reported critical vulnerabilities in VPN solutions that use Secure Socket Layer/Transport Layer Security (SSL/TLS), often known as SSLVPN, WebVPN or clientless VPN. (Source)

Those VPNs are deprecated mostly.
This does not affect the GL routers in any way.

I remember a creepy VPN solution from the early 2000s. A Java applet was then started, which established a VPN tunnel.

This has absolutely nothing to do with modern VPN.

GL devices are not SSLVPN gateways/concentrators and they don’t support this technology! So for sure I was not talking about GL in this post. I was just trying to make the point that I highly recommend using IPsec over other VPN protocols from a client perspective. That’s it.

@admon, my only advice to you is that being a contributor does not mean you need to comment on every post blindly! Sometimes you need to patiently learn from others!

But that's a totally wrong conclusion.

Thank you for caring - but I will continue to comment on anything I think is worth commenting on. Even if I might be wrong sometimes; perfectly fine for me. This is a forum, not a PhD thesis.

And yes, I like to learn from others - but you are drawing fundamentally wrong conclusions here; I can't leave that uncommented.

From an inexperienced guy like yourself, yeah, it could be :wink:. But I would rather not trust your statement, as you are still mistaking an SSL VPN concentrator for OpenVPN :smiley:

Well, then good luck! But many forum users have advised you not to, as it may put you in embarrassing :flushed: situations :smiley:

It is indeed, but it requires someone to spread good knowledge, not just firing spears everywhere to show off!

Again, I would expect that from an inexperienced guy :wink:. Fine … you will learn as you progress in the field :slightly_smiling_face:. Read RFCs in your spare time - don’t stay in the forum all the time drawing diagrams :grinning:

You are welcome to link the CVE you are always talking about.

Or Fortinet - that is even worse than Cisco lol.

1 Like