From owner-freebsd-net@freebsd.org  Sun Nov 19 15:14:25 2017
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 67CB0D941EF
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Sun, 19 Nov 2017 15:14:25 +0000 (UTC)
 (envelope-from vas@mpeks.tomsk.su)
Received: from relay2.tomsk.ru (mail.sibptus.tomsk.ru [212.73.124.5])
 by mx1.freebsd.org (Postfix) with ESMTP id 981F87BE79
 for <freebsd-net@freebsd.org>; Sun, 19 Nov 2017 15:14:23 +0000 (UTC)
 (envelope-from vas@mpeks.tomsk.su)
X-Virus-Scanned: by clamd daemon 0.98.5_1 for FreeBSD at relay2.tomsk.ru
Received: from [212.73.125.240] (HELO admin.sibptus.transneft.ru)
 by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.16)
 with ESMTPS id 39869850; Sun, 19 Nov 2017 21:09:36 +0600
Received: from admin.sibptus.transneft.ru (sudakov@localhost [127.0.0.1])
 by admin.sibptus.transneft.ru (8.15.2/8.15.2) with ESMTP id vAJFEKXZ084286;
 Sun, 19 Nov 2017 22:14:22 +0700 (+07)
 (envelope-from vas@mpeks.tomsk.su)
Received: (from sudakov@localhost)
 by admin.sibptus.transneft.ru (8.15.2/8.15.2/Submit) id vAJFEGVX084283;
 Sun, 19 Nov 2017 22:14:16 +0700 (+07)
 (envelope-from vas@mpeks.tomsk.su)
X-Authentication-Warning: admin.sibptus.transneft.ru: sudakov set sender to
 vas@mpeks.tomsk.su using -f
Date: Sun, 19 Nov 2017 22:14:16 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Message-ID: <20171119151416.GI82727@admin.sibptus.transneft.ru>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru>
 <5A1073E9.5050503@grosbein.net>
 <20171119142015.GB82727@admin.sibptus.transneft.ru>
 <5A119BD2.7070703@grosbein.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5A119BD2.7070703@grosbein.net>
Organization: AO "Svyaztransneft", SibPTUS
X-PGP-Key: http://www.dreamwidth.org/pubkey?user=victor_sudakov
X-PGP-Fingerprint: 10E3 1171 1273 E007 C2E9  3532 0DA4 F259 9B5E C634
User-Agent: Mutt/1.9.1 (2017-09-22)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Nov 2017 15:14:25 -0000

Eugene Grosbein wrote:
> 
> > IPSec per se does not use or require interfaces, unless you first
> > configure gif/gre tunnels and then encrypt traffic between tunnel
> > endpoints in IPSec transport mode.
> 
> There is also if_ipsec(4), too.

Oh, I forgot about this recent addition. It was a really good design
idea, thank you for reminding me. 

I now even remember discussing it with Andrey in his LJ and suggesting
a small cosmetic feature which he implemented by my request.

Have you tried in in production? What does it do to the MTU?

> 
> > I wonder if the same approach will not work with OpenVPN's tap/tun interfaces
> > (I have not tried, so maybe not).
> 
> I tried and it won't work within single OpenVPN instance and that's unusually hard
> and meaningless with multiple OpenVPN instances just because OpenVPN was not designed
> to interact with other system parts.

Thanks, I will now know and avoid such configurations.

> 
> >> to process with SNMP agent/routing daemon/packet filters etc. because
> >> distinct OpenVPN instances cannot share routing correctly in beetween.
> > 
> > IPSec is oblivious to routing too. It just encrypts/decrypts packets
> > according to the SPD.
> 
> Yes, IPSec does not try to be the single combine for encryption, and to interface manipulation,
> and to routing propagation. But it combines with additional subsystems just fine.
> 
> >> In short, OpenVPN just is not designed to play nice and standard-compiliant way
> >> with other parts of the system and sometimes that's unacceptable.
> >> And sometimes that's irrelevant.
> > 
> > When I had to setup a VPN with a Macintosh user (road warrior), I
> > found out that an IPSec VPN would be beyond my mental abilities as I
> > could not wrap my head around the correct racoon and mpd5
> > authentication setup between FreeBSD and Mac.  That's for all the talk
> > about being standard-compliant. OpenVPN saved me.
> 
> Hmm, I got no problems to make such setup. I use single IPSec shared secret
> for whole group of roaming users to encrypt their initial fraffic
> and distinct login/password pairs in the mpd.secret file for CHAP-based
> authentication within L2TP tunnels before assignment of internal IP addresses.

And what does it look like (both shared secret and login/password)
from the point of view of a Windows/Mac client?

> 
> You can find my letter to RU.UNIX.BSD of Juny 20 with subject "Re: STABLE+IPSEC"
> describing this setup.

May I ask you kindly to publish a howto in your LJ?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
AS43859