Date: Sun, 19 Nov 2017 08:15:36 -0600
From: Karl Denninger <karl@denninger.net>
To: freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Message-ID: <ae7baceb-0aa9-3c76-d3d0-8cad09b6dc42@denninger.net>
In-Reply-To: <5A11882D.1050700@quip.cz>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <b96b449e-3dc1-6e75-e803-e6d6abefe88e@spam-fetish.org> <20171119120832.GA82727@admin.sibptus.transneft.ru> <d92dff62-3baf-a22d-bfac-5a668b276259@spam-fetish.org> <5A11882D.1050700@quip.cz>
On 11/19/2017 07:33, Miroslav Lachman wrote:
> Muenz, Michael wrote on 2017/11/19 13:32:
>> Am 19.11.2017 um 13:08 schrieb Victor Sudakov:
>>> Muenz, Michael wrote:
>>>>> Is there any reason to prefer IPSec over OpenVPN for building VPNs
>>>>> between FreeBSD hosts and routers (and others compatible with OpenVPN
>>>>> like pfSense, OpenWRT etc)?
>>>>>
>>>>> I can see only advantages of OpenVPN (a single UDP port, a single
>>>>> userland daemon, no kernel rebuild required, a standard PKI, an easy
>>>>> way to push settings and routes to remote clients, nice monitoring
>>>>> feature etc). But maybe there is some huge advantage of IPSec I've
>>>>> skipped?
>>>>>
>>>> Hi,
>>>>
>>>> Partners/customers with Cisco IOS or ASA won't be able to partner up
>>>> without IPSEC.
>>> Sure, that's why I wrote "and others compatible with OpenVPN
>>> like pfSense, OpenWRT etc" in the first paragraph.
>>>
>>
>> Are you just searching for arguments against IPSec or real life cases?
>> IMHO when you have both ends under control OpenVPN is just fine.
>> If you are planning to interconnect with many customers/vendors IPSec
>> fits best.
>>
>> In the last 15 years I was never asked about a Site2Site VPN with
>> OpenVPN
>> from any customer or partner of the firewalls I managed.
>
> I have the opposite experience. One customer needs IPSec, and setting it up
> and debugging it was a pain because we don't have access to the other end.
> On the other hand, customers with OpenVPN work in a minute. Just send
> or receive openvpn.conf, set some variables in rc.conf, and the VPN is up
> and running. So I prefer OpenVPN whenever possible.
>
> Miroslav Lachman
I run both here and at some client sites, but not really by choice.
The reason is Windows. Microslug hasn't updated their client since at
least Windows 7 release (we're talking about over a decade now) and
their IKEv2 implementation doesn't support IKE fragmentation. In
today's world this usually means IPSEC/IKEv2 won't connect at all
because someone in the middle drops UDP fragments on purpose.
I'd like to ram that up someone's chute out at Microslug, never mind
that their default proposals are intentionally insecure (gee, I wonder
if someone in the government "asked nicely" for that?) That's fixable
with a bit of registry editing, but the lack of IKEv2 frag support is a
killer and has basically forced me to support OpenVPN when there are
Windows clients around and you have no control (at all) over the
networks in the middle between the client and server.
--
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
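The failure mode described above (an IKE_AUTH message carrying a certificate chain that outgrows the path MTU, with a peer that never advertised IKEv2 fragmentation, so delivery depends on IP fragments that some middlebox drops) can be checked directly from the IKE_SA_INIT and IKE_AUTH packets. The following is an added example, not code from this thread, from FreeBSD or from any VPN daemon: a minimal IKEv2 header and payload walker that reports whether both peers sent N(IKEV2_FRAGMENTATION_SUPPORTED) (RFC 7383) and whether the IKE_AUTH would rely on IP-layer fragmentation. Constants come from RFC 7296 and RFC 7383; all packets are constructed sample data, and the 1280-byte threshold is an assumed conservative MTU.

```python
"""Added example: diagnose IKEv2 fragmentation negotiation from raw IKE packets.
Constants: RFC 7296 (header, payload types) and RFC 7383 (fragmentation).
All messages built below are constructed sample data, not captured traffic."""
import struct

EXCH_IKE_SA_INIT = 34
EXCH_IKE_AUTH = 35
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 41
PAYLOAD_SK = 46        # Encrypted and Authenticated
PAYLOAD_SKF = 53       # Encrypted and Authenticated Fragment (RFC 7383)
NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED = 16430
NOTIFY_NAT_DETECTION_SOURCE_IP = 16388
SAFE_MTU = 1280        # assumed threshold: larger UDP datagrams risk IP fragmentation

# Fixed IKEv2 header: SPIi, SPIr, next payload, version, exchange, flags, msg id, length
HDR = struct.Struct("!QQBBBBII")


def build_message(exchange, payloads, initiator=True, msg_id=0):
    """Assemble an IKEv2 message from (payload_type, body) tuples (constructed data)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    flags = 0x08 if initiator else 0x20           # I bit or R bit
    spi_r = 0 if initiator else 0x2222
    hdr = HDR.pack(0x1111, spi_r, first, 0x20, exchange, flags, msg_id, HDR.size + len(body))
    return hdr + body


def notify(mtype, data=b""):
    """Notify payload body: protocol id 0, SPI size 0, message type, optional data."""
    return struct.pack("!BBH", 0, 0, mtype) + data


def parse_message(pkt):
    """Parse the fixed header and walk the payload chain with bounds checks."""
    if len(pkt) < HDR.size:
        raise ValueError("short IKE header")
    _spi_i, _spi_r, nxt, version, exch, flags, msg_id, length = HDR.unpack_from(pkt)
    if version >> 4 != 2:
        raise ValueError("not IKEv2")
    if length != len(pkt):
        raise ValueError("length field %d != packet size %d" % (length, len(pkt)))
    payloads, off = [], HDR.size
    while nxt != PAYLOAD_NONE:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        pnext, _crit, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        payloads.append((nxt, pkt[off + 4:off + plen]))
        nxt, off = pnext, off + plen
    return {"exchange": exch, "initiator": bool(flags & 0x08),
            "msg_id": msg_id, "length": length, "payloads": payloads}


def advertises_fragmentation(msg):
    """True if an IKE_SA_INIT message carries N(IKEV2_FRAGMENTATION_SUPPORTED)."""
    if msg["exchange"] != EXCH_IKE_SA_INIT:
        return False
    for ptype, body in msg["payloads"]:
        if ptype == PAYLOAD_NOTIFY and len(body) >= 4:
            _proto, _spi_size, mtype = struct.unpack_from("!BBH", body)
            if mtype == NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED:
                return True
    return False


def diagnose(init_req, init_resp, auth_msg, mtu=SAFE_MTU):
    """Explain whether a large IKE_AUTH depends on IP fragments reaching the peer."""
    both = (advertises_fragmentation(parse_message(init_req))
            and advertises_fragmentation(parse_message(init_resp)))
    auth = parse_message(auth_msg)
    if any(p == PAYLOAD_SKF for p, _ in auth["payloads"]):
        return "ok: IKE_AUTH delivered as IKEv2 fragments (SKF, RFC 7383)"
    if auth["length"] <= mtu:
        return "ok: IKE_AUTH (%d bytes) fits under %d-byte MTU" % (auth["length"], mtu)
    if both:
        return "warn: fragmentation negotiated but this %d-byte IKE_AUTH was not fragmented" % auth["length"]
    return ("risk: peer did not negotiate IKEv2 fragmentation; %d-byte IKE_AUTH "
            "relies on UDP/IP fragments that middleboxes may drop" % auth["length"])


# Constructed sample exchange: initiator offers fragmentation, one responder does not,
# and a 1600-byte SK payload stands in for an IKE_AUTH carrying a certificate chain.
SAMPLE_INIT_REQ = build_message(EXCH_IKE_SA_INIT, [(PAYLOAD_NOTIFY, notify(NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED))])
SAMPLE_INIT_RESP_NOFRAG = build_message(EXCH_IKE_SA_INIT, [(PAYLOAD_NOTIFY, notify(NOTIFY_NAT_DETECTION_SOURCE_IP))], initiator=False)
SAMPLE_INIT_RESP_FRAG = build_message(EXCH_IKE_SA_INIT, [(PAYLOAD_NOTIFY, notify(NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED))], initiator=False)
SAMPLE_AUTH_BIG = build_message(EXCH_IKE_AUTH, [(PAYLOAD_SK, b"\x00" * 1600)], msg_id=1)
SAMPLE_AUTH_SKF = build_message(EXCH_IKE_AUTH, [(PAYLOAD_SKF, b"\x00" * 1000)], msg_id=1)

if __name__ == "__main__":
    print(diagnose(SAMPLE_INIT_REQ, SAMPLE_INIT_RESP_NOFRAG, SAMPLE_AUTH_BIG))
    print(diagnose(SAMPLE_INIT_REQ, SAMPLE_INIT_RESP_FRAG, SAMPLE_AUTH_SKF))
```

Run against real traffic, the same three functions apply to the UDP payloads captured on ports 500 and 4500 (after skipping the four-byte non-ESP marker on 4500); the "risk" branch is exactly the situation the message above describes, where a peer lacking RFC 7383 support leaves the certificate-bearing IKE_AUTH at the mercy of whoever filters UDP fragments in between.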
