From owner-freebsd-net@freebsd.org Sun Nov 19 14:20:25 2017
Date: Sun, 19 Nov 2017 21:20:16 +0700
From: Victor Sudakov
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Message-ID: <20171119142015.GB82727@admin.sibptus.transneft.ru>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <5A1073E9.5050503@grosbein.net>
In-Reply-To: <5A1073E9.5050503@grosbein.net>
Organization: AO "Svyaztransneft", SibPTUS
X-PGP-Key: http://www.dreamwidth.org/pubkey?user=victor_sudakov
X-PGP-Fingerprint: 10E3 1171 1273 E007 C2E9 3532 0DA4 F259 9B5E C634
User-Agent: Mutt/1.9.1 (2017-09-22)
List-Id: Networking and TCP/IP with FreeBSD

Eugene Grosbein wrote:
>
> > Is there any reason to prefer IPSec over OpenVPN for building VPNs
> > between FreeBSD hosts and routers (and others compatible with OpenVPN
> > like pfSense, OpenWRT etc)?
> >
> > I can see only advantages of OpenVPN (a single UDP port, a single
> > userland daemon, no kernel rebuild required, a standard PKI, an easy
> > way to push settings and routes to remote clients, nice monitoring
> > feature etc). But maybe there is some huge advantage of IPSec I've
> > skipped?
>
> OpenVPN may be fine for very simple setups.

I have noticed that it works very fine for me in hub-and-spoke and road
warrior configurations.

>
> It is unusable for demanding cases like parallel site-to-site VPN tunnels
> with dynamic routing for same network prefix between such primary/backup tunnel;
> for other setups that need distinct full-blown network interface for each tunnel

IPSec per se does not use or require interfaces, unless you first
configure gif/gre tunnels and then encrypt traffic between tunnel
endpoints in IPSec transport mode. I wonder if the same approach will
not work with OpenVPN's tap/tun interfaces (I have not tried, so maybe
not).

> to process with SNMP agent/routing daemon/packet filters etc. because
> distinct OpenVPN instances cannot share routing correctly in between.

IPSec is oblivious to routing too. It just encrypts/decrypts packets
according to the SPD.

>
> In short, OpenVPN just is not designed to play nice and standard-compliant way
> with other parts of the system and sometimes that's unacceptable.
>

And sometimes that's irrelevant.
When I had to set up a VPN with a Macintosh user (road warrior), I found
out that an IPSec VPN would be beyond my mental abilities as I could not
wrap my head around the correct racoon and mpd5 authentication setup
between FreeBSD and Mac. That's for all the talk about being
standard-compliant. OpenVPN saved me.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859
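The "gif tunnel plus IPsec transport mode" arrangement described in the reply above, written out as an added example for FreeBSD; it is not code from the thread or from any of its participants. It builds one gif(4) interface per tunnel (so each tunnel is a real interface that a routing daemon, pf or an SNMP agent can see) and emits setkey(8) SPD entries that force ESP transport mode on the encapsulated traffic between the outer endpoints only. All addresses are constructed from the RFC 5737 documentation ranges, the interface names and the `DRY_RUN` switch are this example's own, the kernel is assumed to have IPsec support, and an IKE daemon (racoon is the one mentioned in the thread) is assumed to negotiate the SAs separately.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): gif tunnels protected by
# IPsec transport mode on FreeBSD. Addresses are constructed documentation
# values. DRY_RUN=1 (the default here) prints commands instead of running them;
# running for real needs root and an IKE daemon to negotiate the SAs.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gif_tunnel IF OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE
# Creates a point-to-point gif(4) interface: the outer addresses are the
# public tunnel endpoints, the inner /30 is what the routing daemon sees.
# Each tunnel gets its own interface, so primary/backup paths for the same
# prefix can be handled by ordinary routing and filtering.
gif_tunnel() {
    ifn=$1; ol=$2; or=$3; il=$4; ir=$5
    run ifconfig "$ifn" create
    run ifconfig "$ifn" tunnel "$ol" "$or"
    run ifconfig "$ifn" inet "$il" "$ir" netmask 255.255.255.252
    run ifconfig "$ifn" up
}

# transport_policy OUTER_LOCAL OUTER_REMOTE [PROTO]
# Emits setkey(8) SPD entries for ESP transport mode between the outer
# endpoints. PROTO limits the policy to the encapsulation protocol only:
# "ip4" (IPv4-in-IPv4, what gif uses here) or "gre" for gre(4), so other
# traffic between the two routers is left untouched. The level is
# "require": if no SA exists, matching packets are dropped rather than
# leaking in cleartext until IKE has finished.
transport_policy() {
    ol=$1; or=$2; proto=${3:-ip4}
    printf 'spdadd %s %s %s -P out ipsec esp/transport//require;\n' "$ol" "$or" "$proto"
    printf 'spdadd %s %s %s -P in ipsec esp/transport//require;\n' "$or" "$ol" "$proto"
}

# install_policy OUTER_LOCAL OUTER_REMOTE [PROTO]
# Feeds the policy to setkey; in dry-run mode it just prints it.
install_policy() {
    if [ "$DRY_RUN" = "1" ]; then
        transport_policy "$@"
    else
        transport_policy "$@" | setkey -c
    fi
}

# Site A with a primary tunnel to remote router 198.51.100.1 (gif0) and a
# backup tunnel to remote router 203.0.113.1 (gif1). Both carry the same
# remote prefix; a routing daemon picks the live one. Constructed values.
gif_tunnel gif0 192.0.2.1 198.51.100.1 10.0.0.1 10.0.0.2
install_policy 192.0.2.1 198.51.100.1
gif_tunnel gif1 192.0.2.1 203.0.113.1 10.0.0.5 10.0.0.6
install_policy 192.0.2.1 203.0.113.1
```

Running it with `DRY_RUN=0` as root applies the interface commands and loads the policy; the two policies are independent, so losing IKE on the primary path only blackholes gif0 (because of `require`) while gif1 keeps working and the routing daemon fails over to it.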