[ale] VPN Protocol Question

Michael H. Warfield mhw at WittsEnd.com
Thu Apr 16 12:12:59 EDT 2009


On Wed, 2009-04-15 at 17:49 -0600, Michael Hirsch wrote:
> On Wed, Apr 15, 2009 at 3:18 PM, Andrew Grieser <agrieser at gmail.com> wrote:
> > By "...probably have to set up OpenVpn on that system" do you mean
> > that this is my only option, or that I would have to install OpenVPN
> > on the system?
> >
> > What I'm looking for is the easiest solution that gets the job done.
> > The three options I listed (IPsec, OpenVPN, PPTP) were the three
> > options under the VPN menu of the pfSense web interface, so I assume
> > it is already set up to do any of those.
> >
> > I see that network manager has the ability to configure OpenVPN
> > (client side), so that would be a plus. However, after reading some
> > OpenVPN docs I can't tell for sure if it is easy/possible to forward
> > everything through the vpn connection.

> OpenVPN has been the easiest setup of any VPN I've had to use.  It is
> quite simple and straightforward.  IPsec was horrible the last time I
> tried it.

	They've converged.

	OpenVPN has become more and more complicated with an overburden of
options and features and the latest 2.1 version in the distros has been
in "beta" for like forever (years).  It's also a user space VPN and
performance does not scale well.  The Join project (a now closed OpenVPN
based IPv6 tunnelbroker in Germany) had to disable encryption in their
deployment because the performance didn't scale and was so horrible with
a large number of clients.  I have it deployed for the same purpose and
routinely run into UDP buffer problems which, looking through the
forums, is a common problem with OpenVPN.  None of the suggested fixes
for the UDP buffer problems has eliminated that problem for me.

	OTOH...  IPSec used with X.509 certificates is really no more
complicated to configure than OpenVPN if you are working with either
OpenSWAN or StrongSWAN (both being FreeSWAN 2.0 derivatives).  IPSec is
also THE gold standard for interoperability.

	OTGH...  The Racoon based IPSec tools (BSD / Kame based) are still not
for the faint of heart.  They might be more versatile than the SWAN based
IKE daemons but they're a bugger to figure out and get to fly right.

	I've deployed all of the above (including Racoon, which I have since
replaced with OpenSWAN, having seen the error of my ways).  I have OpenVPN,
and OpenSWAN (ESP and NAT-T) in production.  I use OpenVPN for my IPv6
tunneling in some cases only because the current IPSec / IKEv1 doesn't
directly tunnel IPv6 over IPv4 (I had to layer it with an additional SIT
layer).  It's my understanding that IKEv2 does support this but it's not
fully supported in pluto (OpenSWAN IKE daemon) yet.  Once I've got IPv6
tunneled directly on IPv4 in IPSec, I'll probably dump all my OpenVPN
installations other than as a backup VPN.

> Michael

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
