[ale] VPN Protocol Question

Michael H. Warfield mhw at WittsEnd.com
Thu Apr 16 12:17:18 EDT 2009


I hate it when I spot an error just after hitting send...

On Thu, 2009-04-16 at 12:12 -0400, Michael H. Warfield wrote:
> On Wed, 2009-04-15 at 17:49 -0600, Michael Hirsch wrote:
> > On Wed, Apr 15, 2009 at 3:18 PM, Andrew Grieser <agrieser at gmail.com> wrote:
> > > By "...probably have to set up OpenVpn on that system" do you mean
> > > that this is my only option, or that I would have to install OpenVPN
> > > on the system?
> > >
> > > What I'm looking for is the easiest solution that gets the job done.
> > > The three options I listed (IPsec, OpenVPN, PPTP) were the three
> > > options under the VPN menu of the pfSense web interface, so I assume
> > > it is already set up to do any of those.
> > >
> > > I see that network manager has the ability to configure OpenVPN
> > > (client side), so that would be a plus. However, after reading some
> > > OpenVPN docs I can't tell for sure if it is easy/possible to forward
> > > everything through the vpn connection.
> 
> > OpenVPN has been the easiest setup of any VPN I'd had to use.  It is
> > quite simple and straightforward.  IPsec was horrible the last time I
> > tried it.
> 
> 	They've converged.
> 
> 	OpenVPN has become more and more complicated with an overburden of
> options and features and the latest 2.1 version in the distros has been
> in "beta" for like forever (years).  It's also a user space VPN and

	Been in "release candidate" for years.  Not beta.

> performance does not scale well.  The Join project (a now closed OpenVPN
> based IPv6 tunnelbroker in Germany) had to disable encryption in their
> deployment because the performance didn't scale and was so horrible with
> a large number of clients.  I have it deployed for the same purpose and
> routinely run into UDP buffer problems which, looking through the
> forums, is a common problem with OpenVPN.  None of the suggested fixes
> for the UDP buffer problems has eliminated that problem for me.
> 
> 	OTOH...  IPSec used with X.509 certificates is really no more
> complicated to configure than OpenVPN if you are working with either
> OpenSWAN or StrongSWAN (both being FreeSWAN 2.0 derivatives).  IPSec is
> also THE gold standard for interoperability.
> 
> 	OTGH...  The Racoon based IPSec tools (BSD / Kame based) are still not
> for the faint of heart.  It might be more versatile than the SWAN based
> IKE daemons but it's a bugger to figure out and get to fly right.
> 
> 	I've deployed all of the above (including Racoon, which I have since
> seen the error of my ways and replaced with OpenSWAN).  I have OpenVPN,
> and OpenSWAN (ESP and NAT-T) in production.  I use OpenVPN for my IPv6
> tunneling in some cases only because the current IPSec / IKEv1 doesn't
> directly tunnel IPv6 over IPv4 (I had to layer it with an additional SIT
> layer).  It's my understanding that IKEv2 does support this but it's not
> fully supported in pluto (OpenSWAN IKE daemon) yet.  Once I've got IPv6
> tunneled directly on IPv4 in IPSec, I'll probably dump all my OpenVPN
> installations other than as a backup VPN.
> 
> > Michael

	Regards,
	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
