Muenz, Michael wrote: > Am 19.11.2017 um 13:08 schrieb Victor Sudakov: > > Muenz, Michael wrote: > >>> Is there any reason to prefer IPSec over OpenVPN for building VPNs > >>> between FreeBSD hosts and routers (and others compatible with OpenVPN > >>> like pfSense, OpenWRT etc)? > >>> > >>> I can see only advantages of OpenVPN (a single UDP port, a single > >>> userland daemon, no kernel rebuild required, a standard PKI, an easy > >>> way to push settings and routes to remote clients, nice monitoring > >>> feature etc). But maybe there is some huge advantage of IPSec I've > >>> skipped? > >>> > >> Hi, > >> > >> partners/customers with Cisco IOS or ASA wont be able to partner up > >> without IPSEC. > > Sure, that's why I wrote "and others compatible with OpenVPN > > like pfSense, OpenWRT etc" in the first paragraph. > > > > Are you just searching for arguments against IPSec or real life cases?
Actually, I' searching for arguments *for* IPSec. > IMHO when you have both ends under control OpenVPN is just fine. > If you are planning to interconnect with many customers/vendors IPSec > fits best. I have a personal success story of establishing transport mode IPSec between Windows and FreeBSD/racoon. But when other OSes are involved, I have the impression that there is no pure IPSec, it's usually IPSec+L2TP, and that's where the FreeBSD part becomes complicated (interaction between ipsec, mpd5 and racoon is required). > > In the last 15 years I was never asked about a Site2Site VPN with OpenVPN > from any customer or partner of the firewalls I managed. OK, thank you, I have now one argument: IPSec is multi-vendor. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859 _______________________________________________ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
