Subject: Re: OpenVPN vs IPSec
To: freebsd-net@freebsd.org
From: "Muenz, Michael"
Date: Sun, 19 Nov 2017 13:32:28 +0100

On 19.11.2017 at 13:08, Victor Sudakov wrote:
> Muenz, Michael wrote:
>>> Is there any reason to prefer IPSec over OpenVPN for building VPNs
>>> between FreeBSD hosts and routers (and others compatible with OpenVPN
>>> like pfSense, OpenWRT etc)?
>>>
>>> I can see only advantages of OpenVPN (a single UDP port, a single
>>> userland daemon, no kernel rebuild required, a standard PKI, an easy
>>> way to push settings and routes to remote clients, nice monitoring
>>> feature etc). But maybe there is some huge advantage of IPSec I've
>>> skipped?
>>>
>> Hi,
>>
>> partners/customers with Cisco IOS or ASA won't be able to partner up
>> without IPSEC.
> Sure, that's why I wrote "and others compatible with OpenVPN
> like pfSense, OpenWRT etc" in the first paragraph.
>

Are you just searching for arguments against IPSec or real-life cases?

IMHO, when you have both ends under control, OpenVPN is just fine.
If you are planning to interconnect with many customers/vendors, IPSec
fits best.

In the last 15 years I was never asked about a Site2Site VPN with
OpenVPN from any customer or partner of the firewalls I managed.

Michael