OpenVPN vs IPSec
Victor Sudakov vas at mpeks.tomsk.su
Sun Nov 19 14:51:24 UTC 2017

Eric Masson wrote:
> 
> > Because it's in the kernel? But many use (and recommend) StrongSwan
> > which is a userland implementation.
> 
> Key exchange (ike) is managed by a userland process, but, in FreeBSD,
> ipsec transform is kernel domain.
That is, if you use kernel IPsec. But StrongSwan is completely
userland AFAIK.
And the kernel IPsec implementation has had problems with NAT
traversal. Does it still have problems and require extra patches for NAT
traversal?
So, if I go for IPsec, I would probably use StrongSwan.
> 
> > IPsec in itself may be a standard, but IKE does not seem to be much of
> > a standard, I get the impression that there's much incompatibility
> > between vendors (Cisco, racoon etc). 
> 
> In early 2000's there were some glitches (mostly about non standard auth
> extensions added by cisco for example), nowadays most of the issues are
> PEBKAC class and nothing that can't be solved.
Maybe I'm indeed the faulty layer between keyboard and chair, but
FreeBSD+IPsec+L2TP is still beyond me. Pure IPsec is fine more or
less with me.
-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
AS43859