From: Andrew Snow
Date: Mon, 30 Jun 2008 11:20:53 +1000
To: freebsd-net@freebsd.org
Subject: Re: FreeBSD NAT-T patch integration
Message-ID: <486834F5.8080307@modulus.org>
In-Reply-To: <48680DB8.708@shrew.net>

I've just started moving a medium IPSEC+gif VPN to one based on OpenVPN.
OpenVPN solved all my problems with IPSEC:

* does not require kernel modules or recompiles
* works over UDP by default (and optionally TCP)
  + only requires a single IP port at each end
* supports compression out of the box
* supports bridging as well as tunneling

Despite that, I didn't have to give up features or performance:

* fast and secure enough (authentication, replay prevention)
* very easy to configure & manage via either CLI/config files
* supports both preshared keys and standard TLS+certs
* also works on Linux and Windows
* supports hardware acceleration via OpenSSL engines

FWIW, I will probably never go back to IPSEC after this.

- Andrew