OpenVPN vs IPSec
Victor Sudakov
vas at mpeks.tomsk.su
Sun Nov 19 15:14:25 UTC 2017
Eugene Grosbein wrote:
>
> > IPSec per se does not use or require interfaces, unless you first
> > configure gif/gre tunnels and then encrypt traffic between tunnel
> > endpoints in IPSec transport mode.
>
> There is also if_ipsec(4), too.
Oh, I forgot about this recent addition. It was a really good design
idea, thank you for reminding me.
I now even remember discussing it with Andrey in his LJ and suggesting
a small cosmetic feature which he implemented by my request.
Have you tried it in production? What does it do to the MTU?
>
> > I wonder if the same approach will not work with OpenVPN's tap/tun interfaces
> > (I have not tried, so maybe not).
>
> I tried and it won't work within a single OpenVPN instance, and that's unusually hard
> and meaningless with multiple OpenVPN instances, just because OpenVPN was not designed
> to interact with other system parts.
Thanks, I will now know and avoid such configurations.
>
> >> to process with SNMP agent/routing daemon/packet filters etc. because
> >> distinct OpenVPN instances cannot share routing correctly in between.
> >
> > IPSec is oblivious to routing too. It just encrypts/decrypts packets
> > according to the SPD.
>
> Yes, IPSec does not try to be the single combine for encryption, interface manipulation,
> and routing propagation. But it combines with additional subsystems just fine.
>
> >> In short, OpenVPN just is not designed to play nice and in a standard-compliant way
> >> with other parts of the system and sometimes that's unacceptable.
> >> And sometimes that's irrelevant.
> >
> > When I had to set up a VPN with a Macintosh user (road warrior), I
> > found out that an IPSec VPN would be beyond my mental abilities as I
> > could not wrap my head around the correct racoon and mpd5
> > authentication setup between FreeBSD and Mac. That's for all the talk
> > about being standard-compliant. OpenVPN saved me.
>
> Hmm, I had no problems making such a setup. I use a single IPSec shared secret
> for the whole group of roaming users to encrypt their initial traffic
> and distinct login/password pairs in the mpd.secret file for CHAP-based
> authentication within L2TP tunnels before assignment of internal IP addresses.
And what does it look like (both shared secret and login/password)
from the point of view of a Windows/Mac client?
>
> You can find my letter to RU.UNIX.BSD of Juny 20 with subject "Re: STABLE+IPSEC"
> describing this setup.
May I ask you kindly to publish a howto in your LJ?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
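The "gif tunnel plus IPsec transport mode" arrangement Eugene describes above, written out as an added configuration example (it is not part of the thread and not either author's setup). Addresses are constructed documentation ranges; the outer endpoints 192.0.2.1 and 198.51.100.1, the inner /30, and the interface name gif0 are all assumptions. The point it illustrates is that the SPD selects packets by address and protocol, not by interface or route: the tunnel itself is an ordinary routable interface, and the policy only says "encapsulated traffic between these two endpoints must be ESP-protected".

```conf
# /etc/rc.conf (FreeBSD, constructed example)
# Create the gif tunnel and give it inner addresses; the outer endpoints are
# the two hosts' public addresses. Routing works on gif0 like any interface.
cloned_interfaces="gif0"
ifconfig_gif0="inet 10.10.0.1 10.10.0.2 netmask 255.255.255.252 tunnel 192.0.2.1 198.51.100.1"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# /etc/ipsec.conf, loaded with setkey(8) at boot (constructed example)
# Transport-mode policy covering only the IP-in-IP (ipencap) packets the gif
# tunnel emits. Matching on ipencap rather than "any" keeps IKE (UDP 500/4500)
# between the same two endpoints outside the policy, so the keying daemon can
# still talk before any SA exists. "require" drops matching packets that
# cannot be protected instead of sending them in clear.
flush;
spdflush;
spdadd 192.0.2.1 198.51.100.1 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ipencap -P in  ipsec esp/transport//require;
```

The mirror-image configuration on the peer swaps the two endpoint addresses and the inner /30 pair. After the keying daemon negotiates SAs, `setkey -D` lists them and `setkey -DP` shows the policies; traffic routed into gif0 appears on the wire as ESP between the two outer addresses, and a packet that somehow reaches the outer interface unencapsulated and unencrypted is rejected by the "require" level rather than leaking.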