From: Eugene Grosbein
Date: Sun, 19 Nov 2017 21:24:26 +0700
To: Miroslav Lachman <000.fbsd@quip.cz>, "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Message-ID: <5A11941A.6040400@grosbein.net>
In-Reply-To: <5A11882D.1050700@quip.cz>

19.11.2017 20:33, Miroslav Lachman wrote:

> I have the opposite experience. One customer needs IPSec and setting
> and debugging was a pain because we don't have access to the other end.
> On the other hand customers with OpenVPN work in a minute.
> Just send or receive openvpn.conf, set some variables in rc.conf and VPN is up and running.

You were pretty lucky, too, because OpenVPN may be incompatible with its own previous version.

Debugging an IPSec connection may be a pain because one has not been taught to understand IKE daemon logs, or does not know how IKE works at all, but access to the other end's config is generally not needed to see why it does not pass through.