Date: Sun, 19 Nov 2017 21:57:22 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Victor Sudakov <vas@mpeks.tomsk.su>
Cc: freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Message-ID: <5A119BD2.7070703@grosbein.net>
In-Reply-To: <20171119142015.GB82727@admin.sibptus.transneft.ru>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <5A1073E9.5050503@grosbein.net> <20171119142015.GB82727@admin.sibptus.transneft.ru>
19.11.2017 21:20, Victor Sudakov wrote:

> IPSec per se does not use or require interfaces, unless you first
> configure gif/gre tunnels and then encrypt traffic between tunnel
> endpoints in IPSec transport mode. There is also if_ipsec(4), too.
> I wonder if the same approach will not work with OpenVPN's tap/tun interfaces
> (I have not tried, so maybe not).

I tried and it won't work within a single OpenVPN instance, and that's unusually hard and meaningless with multiple OpenVPN instances just because OpenVPN was not designed to interact with other system parts.

>> to process with SNMP agent/routing daemon/packet filters etc. because
>> distinct OpenVPN instances cannot share routing correctly in between.
>
> IPSec is oblivious to routing too. It just encrypts/decrypts packets
> according to the SPD.

Yes, IPSec does not try to be the single combine for encryption, and for interface manipulation, and for routing propagation. But it combines with additional subsystems just fine.

>> In short, OpenVPN just is not designed to play nice and in a standard-compliant way
>> with other parts of the system and sometimes that's unacceptable.
>> And sometimes that's irrelevant.
>
> When I had to set up a VPN with a Macintosh user (road warrior), I
> found out that an IPSec VPN would be beyond my mental abilities as I
> could not wrap my head around the correct racoon and mpd5
> authentication setup between FreeBSD and Mac. That's for all the talk
> about being standard-compliant. OpenVPN saved me.

Hmm, I had no problems making such a setup. I use a single IPSec shared secret for the whole group of roaming users to encrypt their initial traffic and distinct login/password pairs in the mpd.secret file for CHAP-based authentication within L2TP tunnels before assignment of internal IP addresses. You can find my letter to RU.UNIX.BSD of Juny 20 with subject "Re: STABLE+IPSEC" describing this setup.
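The gif-tunnel-plus-IPsec-transport-mode scheme mentioned in the thread, written out as an added example (not configuration from either poster): the script emits the ifconfig(8) and setkey(8) lines for such a tunnel and checks that the SPD protects both directions. The addresses are constructed documentation addresses, and the script only prints the configuration so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: generate FreeBSD configuration for a gif(4) tunnel whose
# outer packets are required to use ESP in transport mode. Nothing here
# touches the running system; the output is meant to be reviewed first.

LOCAL_PUB=192.0.2.1      # constructed: public address of this host
REMOTE_PUB=198.51.100.1  # constructed: public address of the peer
LOCAL_IN=10.0.0.1        # constructed: inner tunnel address, this side
REMOTE_IN=10.0.0.2       # constructed: inner tunnel address, peer side

# ifconfig(8) commands that create the gif tunnel between the two endpoints.
gif_cmds() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s\n' "$3" "$4"
}

# setkey(8) SPD entries: require ESP transport mode for every packet
# exchanged between the tunnel endpoints, outbound and inbound.
spd_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# Sanity check on a policy text: every outbound "require" entry needs a
# mirrored inbound one, otherwise cleartext from the peer is still accepted.
spd_is_symmetric() {
    n_out=$(printf '%s\n' "$1" | grep -c -- '-P out')
    n_in=$(printf '%s\n' "$1" | grep -c -- '-P in')
    [ "$n_out" -gt 0 ] && [ "$n_out" -eq "$n_in" ]
}

# Run with the argument "run" to print the plan; review it, then feed the
# ifconfig lines to sh and the spdadd lines to "setkey -c" on the host.
case "${1:-}" in
    run)
        gif_cmds "$LOCAL_PUB" "$REMOTE_PUB" "$LOCAL_IN" "$REMOTE_IN"
        policy=$(spd_policy "$LOCAL_PUB" "$REMOTE_PUB")
        spd_is_symmetric "$policy" || { echo 'asymmetric SPD' >&2; exit 1; }
        printf '%s\n' "$policy"
        ;;
esac
```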
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5A119BD2.7070703>