Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 19 Nov 2017 19:39:22 +0100
From:      "Muenz, Michael" <m.muenz@spam-fetish.org>
To:        freebsd-net@freebsd.org
Subject:   Re: OpenVPN vs IPSec
Message-ID:  <17c380fa-cdc8-38b5-f5bf-713f309afc94@spam-fetish.org>
In-Reply-To: <20171119143054.GC82727@admin.sibptus.transneft.ru>
References:  <20171118165842.GA73810@admin.sibptus.transneft.ru> <b96b449e-3dc1-6e75-e803-e6d6abefe88e@spam-fetish.org> <20171119120832.GA82727@admin.sibptus.transneft.ru> <d92dff62-3baf-a22d-bfac-5a668b276259@spam-fetish.org> <20171119143054.GC82727@admin.sibptus.transneft.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 
Am 19.11.2017 um 15:30 schrieb Victor Sudakov:
> Muenz, Michael wrote:
>> Am 19.11.2017 um 13:08 schrieb Victor Sudakov:
>>> Muenz, Michael wrote:
>>>>> Is there any reason to prefer IPSec over OpenVPN for building VPNs
>>>>> between FreeBSD hosts and routers (and others compatible with OpenV=
PN
>>>>> like pfSense, OpenWRT etc)?
>>>>>
>>>>> I can see only advantages of OpenVPN (a single UDP port, a single
>>>>> userland daemon, no kernel rebuild required, a standard PKI, an eas=
y
>>>>> way to push settings and routes to remote clients, nice monitoring
>>>>> feature etc). But maybe there is some huge advantage of IPSec I've
>>>>> skipped?
>>>>>
>>>> Hi,
>>>>
>>>> partners/customers with Cisco IOS or ASA wont be able to partner up
>>>> without IPSEC.
>>> Sure, that's why I wrote "and others compatible with OpenVPN
>>> like pfSense, OpenWRT etc" in the first paragraph.
>>>
>> Are you just searching for arguments against IPSec or real life cases?
> Actually, I' searching for arguments *for* IPSec.
>
>> IMHO when you have both ends under control OpenVPN is just fine.
>> If you are planning to interconnect with many customers/vendors IPSec
>> fits best.
> I have a personal success story of establishing transport mode IPSec
> between Windows and FreeBSD/racoon. But when other OSes are involved,
> I have the impression that there is no pure IPSec, it's usually
> IPSec+L2TP, and that's where the FreeBSD part becomes complicated
> (interaction between ipsec, mpd5 and racoon is required).

 =C2=A0Victor, perhaps I misunderstood you. I was talking about Site2Site=
,=20
and only this.
I'm fully at your side that IPSec for Remote Access is horrible and I=20
also don't use it.

For RA we generally use OpenVPN or AnyConnect (*duck*).

Michael

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?17c380fa-cdc8-38b5-f5bf-713f309afc94>