From: Miroslav Lachman <000.fbsd@quip.cz>
To: "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Date: Sun, 19 Nov 2017 14:33:33 +0100
Message-ID: <5A11882D.1050700@quip.cz>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <20171119120832.GA82727@admin.sibptus.transneft.ru>
List-Id: Networking and TCP/IP with FreeBSD

Muenz, Michael wrote on 2017/11/19 13:32:
> On 19.11.2017 at 13:08, Victor Sudakov wrote:
>> Muenz, Michael wrote:
>>>> Is there any reason to prefer IPSec over OpenVPN for building VPNs
>>>> between FreeBSD hosts and routers (and others compatible with OpenVPN
>>>> like pfSense, OpenWRT etc)?
>>>>
>>>> I can see only advantages of OpenVPN (a single UDP port, a single
>>>> userland daemon, no kernel rebuild required, a standard PKI, an easy
>>>> way to push settings and routes to remote clients, nice monitoring
>>>> feature etc). But maybe there is some huge advantage of IPSec I've
>>>> skipped?
>>>>
>>> Hi,
>>>
>>> partners/customers with Cisco IOS or ASA won't be able to partner up
>>> without IPSEC.
>> Sure, that's why I wrote "and others compatible with OpenVPN
>> like pfSense, OpenWRT etc" in the first paragraph.
>>
>
> Are you just searching for arguments against IPSec or real-life cases?
> IMHO when you have both ends under control OpenVPN is just fine.
> If you are planning to interconnect with many customers/vendors IPSec
> fits best.
>
> In the last 15 years I was never asked about a Site2Site VPN with OpenVPN
> from any customer or partner of the firewalls I managed.

I have the opposite experience. One customer needs IPSec, and setting it up and debugging it was a pain because we don't have access to the other end. On the other hand, customers with OpenVPN work in a minute. Just send or receive openvpn.conf, set some variables in rc.conf, and the VPN is up and running.

So I prefer OpenVPN whenever possible.

Miroslav Lachman
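As an added illustration of the rc.conf step mentioned above (not part of the thread, not the poster's own configuration): the variable names are those understood by the rc.d script shipped with the FreeBSD security/openvpn port; the file paths are assumptions and should be adjusted to where the received openvpn.conf actually lives.

```shell
# /etc/rc.conf fragment enabling the OpenVPN service on FreeBSD
# (added example; variable names follow the security/openvpn port's
# rc.d script, the paths below are assumptions)
openvpn_enable="YES"

# Configuration file received from or sent to the peer. The keys and
# CA certificate it references normally sit in the same directory,
# so that directory should stay root-owned and unreadable to others.
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn"
```

After these lines are in place, `service openvpn start` brings the tunnel up, and `service openvpn status` confirms the daemon is running.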