Date: Sun, 19 Nov 2017 21:51:16 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: Eric Masson <emss@free.fr>
Cc: freebsd-net@freebsd.org, Jim Thompson <jim@netgate.com>, "Muenz, Michael" <m.muenz@spam-fetish.org>
Subject: Re: OpenVPN vs IPSec
Message-ID: <20171119145116.GE82727@admin.sibptus.transneft.ru>
In-Reply-To: <86o9nytmma.fsf@newsrv.interne.associated-bears.org>
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <b96b449e-3dc1-6e75-e803-e6d6abefe88e@spam-fetish.org> <20171119120832.GA82727@admin.sibptus.transneft.ru> <86o9nytmma.fsf@newsrv.interne.associated-bears.org>

Eric Masson wrote:
>
> > Because it's in the kernel? But many use (and recommend) StrongSwan
> > which is a userland implementation.
>
> Key exchange (ike) is managed by a userland process, but, in FreeBSD,
> ipsec transform is kernel domain.

That is, if you use kernel IPsec. But StrongSwan is completely userland AFAIK. And the kernel IPsec implementation has had problems with NAT traversal. Does it still have problems and require extra patches for NAT traversal? So, if I go for IPsec, I would probably use StrongSwan.

>
> > IPsec in itself may be a standard, but IKE does not seem to be much of
> > a standard, I get the impression that there's much incompatibility
> > between vendors (Cisco, racoon etc).
>
> In early 2000's there were some glitches (mostly about non standard auth
> extensions added by cisco for example), nowadays most of the issues are
> PEBKAC class and nothing that can't be solved.

Maybe I'm indeed the faulty layer between keyboard and chair, but FreeBSD+IPsec+L2TP is still beyond me. Pure IPsec is fine more or less with me.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859