From: "Muenz, Michael" <m.muenz@spam-fetish.org>
To: freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Date: Sun, 19 Nov 2017 19:39:22 +0100
Message-ID: <17c380fa-cdc8-38b5-f5bf-713f309afc94@spam-fetish.org>
In-Reply-To: <20171119143054.GC82727@admin.sibptus.transneft.ru>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <20171119120832.GA82727@admin.sibptus.transneft.ru> <20171119143054.GC82727@admin.sibptus.transneft.ru>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 19.11.2017 at 15:30, Victor Sudakov wrote:
> Muenz, Michael wrote:
>> On 19.11.2017 at 13:08, Victor Sudakov wrote:
>>> Muenz, Michael wrote:
>>>>> Is there any reason to prefer IPSec over OpenVPN for building VPNs
>>>>> between FreeBSD hosts and routers (and others compatible with OpenVPN
>>>>> like pfSense, OpenWRT etc)?
>>>>>
>>>>> I can see only advantages of OpenVPN (a single UDP port, a single
>>>>> userland daemon, no kernel rebuild required, a standard PKI, an easy
>>>>> way to push settings and routes to remote clients, nice monitoring
>>>>> feature etc). But maybe there is some huge advantage of IPSec I've
>>>>> skipped?
>>>>>
>>>> Hi,
>>>>
>>>> partners/customers with Cisco IOS or ASA won't be able to partner up
>>>> without IPSEC.
>>> Sure, that's why I wrote "and others compatible with OpenVPN
>>> like pfSense, OpenWRT etc" in the first paragraph.
>>>
>> Are you just searching for arguments against IPSec or real life cases?
> Actually, I'm searching for arguments *for* IPSec.
>
>> IMHO when you have both ends under control OpenVPN is just fine.
>> If you are planning to interconnect with many customers/vendors IPSec
>> fits best.
> I have a personal success story of establishing transport mode IPSec
> between Windows and FreeBSD/racoon. But when other OSes are involved,
> I have the impression that there is no pure IPSec, it's usually
> IPSec+L2TP, and that's where the FreeBSD part becomes complicated
> (interaction between ipsec, mpd5 and racoon is required).

Victor, perhaps I misunderstood you. I was talking about Site2Site,
and only this.

I'm fully at your side that IPSec for Remote Access is horrible and I
also don't use it. For RA we generally use OpenVPN or AnyConnect (*duck*).

Michael
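As an added illustration of the OpenVPN properties Victor lists at the top of the thread (one UDP port, one userland daemon, a standard X.509 PKI, routes pushed to the remote end, a status file for monitoring), here is a minimal FreeBSD-to-FreeBSD site-to-site pair of the kind Michael has in mind. This is example configuration written for this page, not anything posted by either participant. The subnets (192.168.10.0/24 behind the hub, 192.168.20.0/24 behind the branch), the hostname hub.example.net, the certificate common names "hub" and "branch-router" and all file paths are assumptions; only the directives themselves are real OpenVPN 2.4 syntax.

```conf
# ---- file: /usr/local/etc/openvpn/openvpn.conf on the hub (server side) ----
# Example written for this page; addresses, names and paths are assumed.
port 1194
proto udp
dev tun
topology subnet

# Standard X.509 PKI (e.g. generated with easy-rsa): CA, server cert/key, DH params
ca   /usr/local/etc/openvpn/pki/ca.crt
cert /usr/local/etc/openvpn/pki/hub.crt
key  /usr/local/etc/openvpn/pki/hub.key
dh   /usr/local/etc/openvpn/pki/dh.pem

# Pre-shared key that encrypts and authenticates the TLS control channel.
# Packets that fail this check are dropped before any TLS work is done,
# so the single UDP port is not a free TLS-handshake oracle for scanners.
tls-crypt /usr/local/etc/openvpn/pki/ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# Only accept peers whose certificate carries the client EKU.
remote-cert-tls client

# Tunnel addressing
server 10.8.0.0 255.255.255.0

# Hub LAN (assumed) is pushed to every connecting peer as a route.
push "route 192.168.10.0 255.255.255.0"

# Branch LAN (assumed) sits behind the peer whose certificate CN is
# "branch-router". The kernel route sends it into the tun device; the
# matching iroute in the ccd file tells OpenVPN which client owns it.
route 192.168.20.0 255.255.255.0
client-config-dir /usr/local/etc/openvpn/ccd

# Monitoring: status file rewritten every 10 s, plus a local management socket.
status /var/log/openvpn-status.log 10
management 127.0.0.1 7505
verb 3

# Drop privileges after the tun device and key material are set up.
user nobody
group nobody
persist-key
persist-tun

# ---- file: /usr/local/etc/openvpn/ccd/branch-router on the hub (one line) ----
iroute 192.168.20.0 255.255.255.0

# ---- file: /usr/local/etc/openvpn/openvpn.conf on the branch router ----
client
dev tun
proto udp
nobind
# Assumed hub hostname
remote hub.example.net 1194
ca   /usr/local/etc/openvpn/pki/ca.crt
cert /usr/local/etc/openvpn/pki/branch-router.crt
key  /usr/local/etc/openvpn/pki/branch-router.key
tls-crypt /usr/local/etc/openvpn/pki/ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# Require the server EKU and pin the expected CN, so a stolen client
# certificate from the same CA cannot impersonate the hub.
remote-cert-tls server
verify-x509-name hub name
user nobody
group nobody
persist-key
persist-tun
verb 3
```

On FreeBSD the port's rc script reads /usr/local/etc/openvpn/openvpn.conf by default, so `sysrc openvpn_enable=YES` and `service openvpn start` on each side is the whole deployment: one UDP port to open, one daemon to run, and `openvpn-status.log` lists each peer's CN, real address and bytes transferred. The `route` plus `iroute` pairing is the one non-obvious step for site-to-site: without the `iroute` the hub accepts the connection, but replies destined for 192.168.20.0/24 are dropped inside OpenVPN because it does not know which client owns that subnet.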