On Thu, Dec 13, 2012 at 1:45 PM, Brian Wood <woodbrian77 at gmail.com> wrote:
> From reading more about this I agree that using SSH tunneling has
> some weaknesses in this context. But IPSec looks difficult to learn
> and administer. I'm not sure why Github uses SSH tunneling rather
> than an alternative. Maybe using SSH tunneling doesn't hurt them
> that much yet.

IPSec is certainly more complex, but not ridiculously so. There are guides and howtos aplenty on how to get IPSec configured in any of its various modes. IPSec in transport mode is quite easy to set up, and doesn't require any routing changes on either end of the connection.

As I see it, Github uses SSH tunneling for a couple reasons:

- git over ssh is the de-facto method of granting write access to a repository. There are other means, but using ssh (along with the well-understood key authentication) was, even before github was founded, the most prevalent.
- ssh is significantly more simple to get going, especially when (as I mentioned before) multiple operating systems are involved and you don't have control over both ends of the tunnel.

So, to reiterate - SSH tunneling is perfect for short-lived, one-off use cases, but for anything more long term, it's usually worth it to bring up an IPSec tunnel.

-Erik