On Nov 19, 2017, at 6:08 AM, Victor Sudakov wrote:
> Muenz, Michael wrote:
>>>
>>> Is there any reason to prefer IPSec over OpenVPN for building VPNs
>>> between FreeBSD hosts and routers (and others compatible with OpenVPN
>>> like pfSense, OpenWRT etc)?
>>>
>>> I can see only advantages of O
20.11.2017 1:39, Muenz, Michael wrote:
> Victor, perhaps I misunderstood you. I was talking about Site2Site, and only
> this.
> I'm fully at your side that IPSec for Remote Access is horrible and I also
> don't use it.
In fact, FreeBSD 11.1 + mpd5 + ipsec-tools (racoon) works just fine (out-of
19.11.2017 22:15, Eugene Grosbein wrote:
> 19.11.2017 21:57, Victor Sudakov wrote:
>
>>> I was able to successfully connect Windows 8.1 client to FreeBSD 11.1 server
>>> in the L2TP/IPSEC mode using ipsec-tools (racoon) plus mpd5.
>>
>> Could you please share the setup here or in LiveJournal? I'm
On 19.11.2017 at 15:30 Victor Sudakov wrote:
Muenz, Michael wrote:
On 19.11.2017 at 13:08 Victor Sudakov wrote:
Muenz, Michael wrote:
Is there any reason to prefer IPSec over OpenVPN for building VPNs
between FreeBSD hosts and routers (and others compatible with OpenVPN
like pfSense, OpenW
Eugene Grosbein writes:
Hi
> That's way too outdated. No additional patches needed today.
Good news
FreeBSD has usually really good docs, but those ipsec related have
always been somewhat out of standard (gif on tunnel mode in handbook for
example).
--
Il n'est pas nécessaire de me faire re
19.11.2017 23:04, Eric Masson wrote:
> ipsec works fine, L2TP/ipsec is somewhat more convoluted. racoon needs 2
> patches from what I've read here :
> https://forums.freebsd.org/threads/26755/
That's way too outdated. No additional patches needed today.
Victor Sudakov writes:
Hi,
> That is, if you use kernel IPsec. But StrongSwan is completely
> userland AFAIK.
Nope, StrongSwan provides a userland ipsec stack but clearly states it's
not intended to be used on security gateways. Its typical use case is
when the kernel stack misses a required al
On 11/18/2017 17:58, Victor Sudakov wrote:
Dear Colleagues,
Is there any reason to prefer IPSec over OpenVPN for building VPNs
between FreeBSD hosts and routers (and others compatible with OpenVPN
like pfSense, OpenWRT etc)?
I am personally using OpenVPN for my extremely modest needs, but a
> On 19.11.2017 at 16:01 Victor Sudakov wrote:
>
> Hellmuth Michaelis wrote:
>>
>>
>>>
>>> When I had to set up a VPN with a Macintosh user (road warrior), I
>>> found out that an IPSec VPN would be beyond my mental abilities as I
>>> could not wrap my head around the correct racoon and mpd5
19.11.2017 22:14, Victor Sudakov wrote:
>> There is also if_ipsec(4), too.
>
> Oh, I forgot about this recent addition. It was a really good design
> idea, thank you for reminding me.
>
> I now even remember discussing it with Andrey in his LJ and suggesting
> a small cosmetic feature which he
Eugene Grosbein wrote:
>
> > And the kernel IPsec implementation has had problems with NAT
> > traversal. Does it still have problems and require extra patches for NAT
> > traversal?
>
> No, it has not after IPSec code overhaul in times of 11.0-STABLE.
> NAT traversal works out-of-box these days not
19.11.2017 21:59, Victor Sudakov wrote:
>> No interaction between mpd5 and racoon is required to make IPSec+L2TP
>> working.
>> In fact, mpd5 starts its part only when IKE/IPSEC part is already completed
>> and runs its unencrypted L2TP protocol over existing IPSec tunnel without
>> knowing it.
19.11.2017 21:57, Victor Sudakov wrote:
>> I was able to successfully connect Windows 8.1 client to FreeBSD 11.1 server
>> in the L2TP/IPSEC mode using ipsec-tools (racoon) plus mpd5.
>
> Could you please share the setup here or in LiveJournal? I'm most
> interested in the L2TP/mpd5 part.
There
Eugene Grosbein wrote:
>
> >> https://tools.ietf.org/html/rfc2409
> >> https://tools.ietf.org/html/rfc7296
> >
> > I don't doubt there being RFCs, but there are also some incompatible
> > vendor extensions. E.g. racoon announces Kerberos authentication
> > support (which is presently broken) etc.
Eugene Grosbein wrote:
>
> > IPSec per se does not use or require interfaces, unless you first
> > configure gif/gre tunnels and then encrypt traffic between tunnel
> > endpoints in IPSec transport mode.
>
> There is also if_ipsec(4), too.
Oh, I forgot about this recent addition. It was a really
19.11.2017 21:51, Victor Sudakov wrote:
> And the kernel IPsec implementation has had problems with NAT
> traversal. Does it still have problems and require extra patches for NAT
> traversal?
No, it has not after IPSec code overhaul in times of 11.0-STABLE.
NAT traversal works out-of-box these days n
Hellmuth Michaelis wrote:
>
>
> >
> > When I had to set up a VPN with a Macintosh user (road warrior), I
> > found out that an IPSec VPN would be beyond my mental abilities as I
> > could not wrap my head around the correct racoon and mpd5
> > authentication setup between FreeBSD and Mac. That's
19.11.2017 21:44, Victor Sudakov wrote:
>> https://tools.ietf.org/html/rfc2409
>> https://tools.ietf.org/html/rfc7296
>
> I don't doubt there being RFCs, but there are also some incompatible
> vendor extensions. E.g. racoon announces Kerberos authentication
> support (which is presently broken) e
Eugene Grosbein wrote:
>
> > I have a personal success story of establishing transport mode IPSec
> > between Windows and FreeBSD/racoon. But when other OSes are involved,
> > I have the impression that there is no pure IPSec, it's usually
> > IPSec+L2TP, and that's where the FreeBSD part becomes
19.11.2017 21:20, Victor Sudakov wrote:
> IPSec per se does not use or require interfaces, unless you first
> configure gif/gre tunnels and then encrypt traffic between tunnel
> endpoints in IPSec transport mode.
There is also if_ipsec(4), too.
> I wonder if the same approach will not work with
Eugene Grosbein wrote:
> I was able to successfully connect Windows 8.1 client to FreeBSD 11.1 server
> in the L2TP/IPSEC mode using ipsec-tools (racoon) plus mpd5.
Could you please share the setup here or in LiveJournal? I'm most
interested in the L2TP/mpd5 part.
--
Victor Sudakov, VAS4-RIPE,
Eric Masson wrote:
>
> > Because it's in the kernel? But many use (and recommend) StrongSwan
> > which is a userland implementation.
>
> Key exchange (ike) is managed by a userland process, but, in FreeBSD,
> ipsec transform is kernel domain.
That is, if you use kernel IPsec. But StrongSwan is c
Hellmuth Michaelis wrote:
> >
> > On 19.11.2017 at 13:08 Victor Sudakov wrote:
> >
> >> It's a standard, too.
> >
> > IPsec in itself may be a standard, but IKE does not seem to be much of
> > a standard, I get the impression that there's much incompatibility
> > between vendors (Cisco, racoo
> On 19.11.2017 at 15:20 Victor Sudakov wrote:
>
> When I had to set up a VPN with a Macintosh user (road warrior), I
> found out that an IPSec VPN would be beyond my mental abilities as I
> could not wrap my head around the correct racoon and mpd5
> authentication setup between FreeBSD and Ma
19.11.2017 21:30, Victor Sudakov wrote:
> I have a personal success story of establishing transport mode IPSec
> between Windows and FreeBSD/racoon. But when other OSes are involved,
> I have the impression that there is no pure IPSec, it's usually
> IPSec+L2TP, and that's where the FreeBSD part b
19.11.2017 21:15, Karl Denninger wrote:
> The reason is Windows. Microslug hasn't updated their client since at
> least Windows 7 release (we're talking about over a decade now) and
> their IKEv2 implementation doesn't support IKE fragmentation. In
> today's world this usually means IPSEC/IKEv2
Muenz, Michael wrote:
> On 19.11.2017 at 13:08 Victor Sudakov wrote:
> > Muenz, Michael wrote:
> >>> Is there any reason to prefer IPSec over OpenVPN for building VPNs
> >>> between FreeBSD hosts and routers (and others compatible with OpenVPN
> >>> like pfSense, OpenWRT etc)?
> >>>
> >>> I can s
19.11.2017 20:33, Miroslav Lachman wrote:
> I have opposite experience. One customer needs IPSec and setting
> and debugging was a pain because we don't have access to the other end.
> On the other hand customers with OpenVPN works in a minute.
> Just send or receive openvpn.conf, set some variabl
Eugene Grosbein wrote:
>
> > Is there any reason to prefer IPSec over OpenVPN for building VPNs
> > between FreeBSD hosts and routers (and others compatible with OpenVPN
> > like pfSense, OpenWRT etc)?
> >
> > I can see only advantages of OpenVPN (a single UDP port, a single
> > userland daemon,
On 11/19/2017 07:33, Miroslav Lachman wrote:
> Muenz, Michael wrote on 2017/11/19 13:32:
>> On 19.11.2017 at 13:08 Victor Sudakov wrote:
>>> Muenz, Michael wrote:
> Is there any reason to prefer IPSec over OpenVPN for building VPNs
> between FreeBSD hosts and routers (and others compatibl
Victor Sudakov writes:
Hi,
> Because it's in the kernel? But many use (and recommend) StrongSwan
> which is a userland implementation.
Key exchange (ike) is managed by a userland process, but, in FreeBSD,
ipsec transform is kernel domain.
> IPsec in itself maybe a standard, but IKE does not se
Muenz, Michael wrote on 2017/11/19 13:32:
On 19.11.2017 at 13:08 Victor Sudakov wrote:
Muenz, Michael wrote:
Is there any reason to prefer IPSec over OpenVPN for building VPNs
between FreeBSD hosts and routers (and others compatible with OpenVPN
like pfSense, OpenWRT etc)?
I can see only adv
>
> On 19.11.2017 at 13:08 Victor Sudakov wrote:
>
>> It's a standard, too.
>
> IPsec in itself may be a standard, but IKE does not seem to be much of
> a standard, I get the impression that there's much incompatibility
> between vendors (Cisco, racoon etc).
https://tools.ietf.org/html/rfc2
On 19.11.2017 at 13:08 Victor Sudakov wrote:
Muenz, Michael wrote:
Is there any reason to prefer IPSec over OpenVPN for building VPNs
between FreeBSD hosts and routers (and others compatible with OpenVPN
like pfSense, OpenWRT etc)?
I can see only advantages of OpenVPN (a single UDP port, a si
Muenz, Michael wrote:
> >
> > Is there any reason to prefer IPSec over OpenVPN for building VPNs
> > between FreeBSD hosts and routers (and others compatible with OpenVPN
> > like pfSense, OpenWRT etc)?
> >
> > I can see only advantages of OpenVPN (a single UDP port, a single
> > userland daemon, n
Performance is better with IPsec. It’s a standard, too.
> On Nov 18, 2017, at 10:58 AM, Victor Sudakov wrote:
>
> Dear Colleagues,
>
> Is there any reason to prefer IPSec over OpenVPN for building VPNs
> between FreeBSD hosts and routers (and others compatible with OpenVPN
> like pfSense, Ope
On 18.11.2017 at 17:58 Victor Sudakov wrote:
Dear Colleagues,
Is there any reason to prefer IPSec over OpenVPN for building VPNs
between FreeBSD hosts and routers (and others compatible with OpenVPN
like pfSense, OpenWRT etc)?
I can see only advantages of OpenVPN (a single UDP port, a single
18.11.2017 23:58, Victor Sudakov wrote:
> Is there any reason to prefer IPSec over OpenVPN for building VPNs
> between FreeBSD hosts and routers (and others compatible with OpenVPN
> like pfSense, OpenWRT etc)?
>
> I can see only advantages of OpenVPN (a single UDP port, a single
> userland daemo
Dear Colleagues,
Is there any reason to prefer IPSec over OpenVPN for building VPNs
between FreeBSD hosts and routers (and others compatible with OpenVPN
like pfSense, OpenWRT etc)?
I can see only advantages of OpenVPN (a single UDP port, a single
userland daemon, no kernel rebuild required, a st