Date: Sun, 19 Nov 2017 22:14:16 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Message-ID: <20171119151416.GI82727@admin.sibptus.transneft.ru>
In-Reply-To: <5A119BD2.7070703@grosbein.net>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <5A1073E9.5050503@grosbein.net> <20171119142015.GB82727@admin.sibptus.transneft.ru> <5A119BD2.7070703@grosbein.net>
Eugene Grosbein wrote:

> > > IPSec per se does not use or require interfaces, unless you first
> > > configure gif/gre tunnels and then encrypt traffic between tunnel
> > > endpoints in IPSec transport mode.
>
> There is also if_ipsec(4), too.

Oh, I forgot about this recent addition. It was a really good design idea, thank you for reminding me. I now even remember discussing it with Andrey in his LJ and suggesting a small cosmetic feature which he implemented at my request.

Have you tried it in production? What does it do to the MTU?

> > > I wonder if the same approach will not work with OpenVPN's tap/tun interfaces
> > > (I have not tried, so maybe not).
>
> I tried and it won't work within a single OpenVPN instance, and that's unusually hard
> and meaningless with multiple OpenVPN instances just because OpenVPN was not designed
> to interact with other system parts.

Thanks, I will now know and avoid such configurations.

> > >> to process with SNMP agent/routing daemon/packet filters etc. because
> > >> distinct OpenVPN instances cannot share routing correctly in between.
> >
> > IPSec is oblivious to routing too. It just encrypts/decrypts packets
> > according to the SPD.
>
> Yes, IPSec does not try to be the single combine for encryption, and to interface manipulation,
> and to routing propagation. But it combines with additional subsystems just fine.
>
> > >> In short, OpenVPN just is not designed to play nice and standard-compliant way
> > >> with other parts of the system and sometimes that's unacceptable.
> > >> And sometimes that's irrelevant.
> >
> > When I had to set up a VPN with a Macintosh user (road warrior), I
> > found out that an IPSec VPN would be beyond my mental abilities as I
> > could not wrap my head around the correct racoon and mpd5
> > authentication setup between FreeBSD and Mac. That's for all the talk
> > about being standard-compliant. OpenVPN saved me.
>
> Hmm, I got no problems to make such setup.
> I use a single IPSec shared secret
> for the whole group of roaming users to encrypt their initial traffic
> and distinct login/password pairs in the mpd.secret file for CHAP-based
> authentication within L2TP tunnels before assignment of internal IP addresses.

And what does it look like (both shared secret and login/password) from the point of view of a Windows/Mac client?

> You can find my letter to RU.UNIX.BSD of Juny 20 with subject "Re: STABLE+IPSEC"
> describing this setup.

May I ask you kindly to publish a howto in your LJ?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859