From: Victor Sudakov
To: Eric Masson
Cc: freebsd-net@freebsd.org, Jim Thompson, "Muenz, Michael"
Subject: Re: OpenVPN vs IPSec
Date: Sun, 19 Nov 2017 21:51:16 +0700
Message-ID: <20171119145116.GE82727@admin.sibptus.transneft.ru>
In-Reply-To: <86o9nytmma.fsf@newsrv.interne.associated-bears.org>
Organization: AO "Svyaztransneft", SibPTUS
X-PGP-Key: http://www.dreamwidth.org/pubkey?user=victor_sudakov
X-PGP-Fingerprint: 10E3 1171 1273 E007 C2E9 3532 0DA4 F259 9B5E C634
List-Id: Networking and TCP/IP with FreeBSD

Eric Masson wrote:
>
> > Because it's in the kernel? But many use (and recommend) StrongSwan
> > which is a userland implementation.
>
> Key exchange (IKE) is managed by a userland process, but, in FreeBSD,
> the IPsec transform is in the kernel domain.

That is, if you use kernel IPsec. But StrongSwan is completely userland
AFAIK. And the kernel IPsec implementation has had problems with NAT
traversal. Does it still have problems and require extra patches for NAT
traversal?

So, if I go for IPsec, I would probably use StrongSwan.

> > IPsec in itself may be a standard, but IKE does not seem to be much of
> > a standard; I get the impression that there's much incompatibility
> > between vendors (Cisco, racoon etc).
>
> In the early 2000s there were some glitches (mostly about non-standard
> auth extensions added by Cisco, for example); nowadays most of the
> issues are PEBKAC class and nothing that can't be solved.

Maybe I'm indeed the faulty layer between keyboard and chair, but
FreeBSD+IPsec+L2TP is still beyond me. Pure IPsec is fine, more or less,
with me.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859
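Added example, not part of either message above and not FreeBSD or strongSwan code: the NAT traversal question in the thread turns on the IKEv2 NAT detection step (RFC 7296, section 2.23), so here it is worked in Python. Each peer sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notify payloads carrying SHA-1(SPIi | SPIr | address | port) for the addresses as it sees them; the receiver recomputes the hashes over what actually arrived on the wire, and a mismatch means a NAT sits on that side, after which both peers switch ESP to UDP encapsulation on port 4500. The SPIs, addresses, ports and helper names below are constructed for illustration.

```python
"""IKEv2 NAT detection (RFC 7296 s2.23), as an added worked example.

Helper names, SPIs, addresses and ports are constructed; they are not
taken from any real implementation.
"""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, address: str, port: int) -> bytes:
    """SHA-1 over SPIi || SPIr || packed IP address || 16-bit port (network order).

    The SPIs go in the order they appear in the IKE header; in the
    IKE_SA_INIT request SPIr is still all zeros.
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    packed_addr = ipaddress.ip_address(address).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_addr + struct.pack("!H", port)).digest()


def build_nat_detection_payloads(spi_i, spi_r, local_addr, local_port, remote_addr, remote_port):
    """Sender side: hash the addresses and ports as the sender itself sees them."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, local_addr, local_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, remote_addr, remote_port),
    }


def detect_nat(spi_i, spi_r, payloads, observed_src_addr, observed_src_port, own_addr, own_port):
    """Receiver side: compare the peer's hashes with hashes over what arrived on the wire.

    Returns (nat_in_front_of_peer, nat_in_front_of_us). Either True means the
    peers must run ESP over UDP/4500 instead of raw ESP (protocol 50).
    """
    peer_hash = nat_detection_hash(spi_i, spi_r, observed_src_addr, observed_src_port)
    own_hash = nat_detection_hash(spi_i, spi_r, own_addr, own_port)
    return (
        payloads["NAT_DETECTION_SOURCE_IP"] != peer_hash,
        payloads["NAT_DETECTION_DESTINATION_IP"] != own_hash,
    )


# Constructed scenario: initiator behind a NAT, responder on a public address.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)                              # zero in the IKE_SA_INIT request
INITIATOR_PRIVATE = ("10.0.0.5", 500)         # what the initiator believes it sends from
INITIATOR_AS_SEEN = ("203.0.113.7", 41234)    # source address and port after NAT rewriting
RESPONDER_PUBLIC = ("198.51.100.1", 500)
PEER_PUBLIC = ("203.0.113.7", 500)            # a second peer with no NAT in the path


def nat_scenario():
    """Initiator hashes its private address; the responder sees the NAT's address."""
    payloads = build_nat_detection_payloads(SPI_I, SPI_R, *INITIATOR_PRIVATE, *RESPONDER_PUBLIC)
    return detect_nat(SPI_I, SPI_R, payloads, *INITIATOR_AS_SEEN, *RESPONDER_PUBLIC)


def no_nat_scenario():
    """Both peers public: hashes match on both sides, raw ESP can be used."""
    payloads = build_nat_detection_payloads(SPI_I, SPI_R, *PEER_PUBLIC, *RESPONDER_PUBLIC)
    return detect_nat(SPI_I, SPI_R, payloads, *PEER_PUBLIC, *RESPONDER_PUBLIC)


if __name__ == "__main__":
    print("initiator behind NAT:", nat_scenario())   # (True, False)
    print("no NAT in path:      ", no_nat_scenario())  # (False, False)
```

The detection is keyed by the SPIs, so a stale or replayed notify from another IKE SA does not match; but note that the hash proves only that a rewrite happened, not which kind of NAT it was, which is why IKE daemons still send keepalives to hold the UDP/4500 mapping open.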