Date:      Sun, 19 Nov 2017 00:54:49 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Victor Sudakov <vas@mpeks.tomsk.su>, freebsd-net@freebsd.org
Subject:   Re: OpenVPN vs IPSec
Message-ID:  <5A1073E9.5050503@grosbein.net>
In-Reply-To: <20171118165842.GA73810@admin.sibptus.transneft.ru>
References:  <20171118165842.GA73810@admin.sibptus.transneft.ru>

18.11.2017 23:58, Victor Sudakov wrote:

> Is there any reason to prefer IPSec over OpenVPN for building VPNs
> between FreeBSD hosts and routers (and others compatible with OpenVPN
> like pfSense, OpenWRT etc)?
> 
> I can see only advantages of OpenVPN (a single UDP port, a single
> userland daemon, no kernel rebuild required, a standard PKI, an easy
> way to push settings and routes to remote clients, nice monitoring
> feature etc). But maybe there is some huge advantage of IPSec I've
> skipped?

OpenVPN may be fine for very simple setups.

It is unusable for demanding cases like parallel site-to-site VPN tunnels
with dynamic routing for same network prefix between such primary/backup tunnel;
for other setups that need distinct full-blown network interface for each tunnel
to process with SNMP agent/routing daemon/packet filters etc. because
distinct OpenVPN instances cannot share routing correctly in between.

In short, OpenVPN just is not designed to play in a nice and standard-compliant way
with other parts of the system and sometimes that's unacceptable.
And sometimes that's irrelevant.




