Eugene Grosbein wrote:

> > Is there any reason to prefer IPSec over OpenVPN for building VPNs
> > between FreeBSD hosts and routers (and others compatible with OpenVPN
> > like pfSense, OpenWRT etc)?
> >
> > I can see only advantages of OpenVPN (a single UDP port, a single
> > userland daemon, no kernel rebuild required, a standard PKI, an easy
> > way to push settings and routes to remote clients, nice monitoring
> > feature etc). But maybe there is some huge advantage of IPSec I've
> > skipped?
>
> OpenVPN may be fine for very simple setups.

I have noticed that it works very fine for me in hub-and-spoke and road warrior configurations.

> It is unusable for demanding cases like parallel site-to-site VPN tunnels
> with dynamic routing for same network prefix between such primary/backup
> tunnel;

> for other setups that need distinct full-blown network interface for each
> tunnel

IPSec per se does not use or require interfaces, unless you first configure gif/gre tunnels and then encrypt traffic between tunnel endpoints in IPSec transport mode. I wonder if the same approach will not work with OpenVPN's tap/tun interfaces (I have not tried, so maybe not).

> to process with SNMP agent/routing daemon/packet filters etc. because
> distinct OpenVPN instances cannot share routing correctly in between.

IPSec is oblivious to routing too. It just encrypts/decrypts packets according to the SPD.

> In short, OpenVPN just is not designed to play nice and standard-compliant
> way
> with other parts of the system and sometimes that's unacceptable.

And sometimes that's irrelevant. When I had to set up a VPN with a Macintosh user (road warrior), I found out that an IPSec VPN would be beyond my mental abilities as I could not wrap my head around the correct racoon and mpd5 authentication setup between FreeBSD and Mac. That's for all the talk about being standard-compliant. OpenVPN saved me.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
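The gif-tunnel-plus-transport-mode arrangement mentioned above, written out as an added example (not code from the thread or from FreeBSD): a shell script that emits the ifconfig(8) commands for the gif interface and the setkey(8) SPD entries that force ESP on the encapsulated traffic. The addresses are constructed documentation addresses, and an IKE daemon (racoon or strongSwan) is assumed to negotiate the SAs; it is not configured here.

```shell
#!/bin/sh
# Added example: encrypt a FreeBSD gif(4) tunnel with IPsec in transport mode.
# All addresses below are constructed; SAs are assumed to come from IKE.
set -eu

LOCAL_OUTER=203.0.113.1     # our public endpoint (constructed)
REMOTE_OUTER=198.51.100.1   # peer public endpoint (constructed)
LOCAL_INNER=10.9.0.1        # gif0 inner point-to-point addresses (constructed)
REMOTE_INNER=10.9.0.2

# ifconfig(8) commands that build the (still cleartext) gif tunnel:
# $1 local outer, $2 remote outer, $3 local inner, $4 remote inner.
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$3" "$4"
    printf 'ifconfig gif0 up\n'
}

# setkey(8) SPD entries: every IPv4-in-IPv4 packet (protocol 4, "ipencap",
# which is what gif produces) between the outer endpoints must be carried
# in ESP transport mode. The "require" level makes the kernel drop the
# packet when no SA exists instead of sending the tunnel in cleartext.
spd_policy() {
    cat <<EOF
spdflush;
spdadd $1/32 $2/32 ipencap -P out ipsec esp/transport//require;
spdadd $2/32 $1/32 ipencap -P in ipsec esp/transport//require;
EOF
}

# Sanity check for a policy text: a "use" level would silently allow
# cleartext fallback, so refuse any policy that contains one.
policy_is_strict() {
    ! printf '%s\n' "$1" | grep -q '//use'
}

# Usage: print the commands and the policy that would go into /etc/ipsec.conf.
gif_commands "$LOCAL_OUTER" "$REMOTE_OUTER" "$LOCAL_INNER" "$REMOTE_INNER"
policy="$(spd_policy "$LOCAL_OUTER" "$REMOTE_OUTER")"
printf '%s\n' "$policy"
policy_is_strict "$policy" && echo "# policy is strict (no cleartext fallback)"
```

Load the generated policy with `setkey -f` and check it with `setkey -DP`; until IKE has installed SAs, ping across gif0 is expected to fail, which is the point of `require`.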