OpenVPN vs IPSec

Victor Sudakov vas at mpeks.tomsk.su
Sun Nov 19 14:20:25 UTC 2017


Eugene Grosbein wrote:
> 
> > Is there any reason to prefer IPSec over OpenVPN for building VPNs
> > between FreeBSD hosts and routers (and others compatible with OpenVPN
> > like pfSense, OpenWRT etc)?
> > 
> > I can see only advantages of OpenVPN (a single UDP port, a single
> > userland daemon, no kernel rebuild required, a standard PKI, an easy
> > way to push settings and routes to remote clients, nice monitoring
> > feature etc). But maybe there is some huge advantage of IPSec I've
> > skipped?
> 
> OpenVPN may be fine for very simple setups.

I have noticed that it works very well for me in hub-and-spoke and
road warrior configurations.

> 
> It is unusable for demanding cases like parallel site-to-site VPN tunnels
> with dynamic routing for same network prefix between such primary/backup tunnel;
> for other setups that need distinct full-blown network interface for each tunnel

IPSec per se does not use or require interfaces, unless you first
configure gif/gre tunnels and then encrypt traffic between tunnel
endpoints in IPSec transport mode. I wonder if the same approach will
not work with OpenVPN's tap/tun interfaces (I have not tried, so maybe
not).

> to process with SNMP agent/routing daemon/packet filters etc. because
> distinct OpenVPN instances cannot share routing correctly in between.

IPSec is oblivious to routing too. It just encrypts/decrypts packets
according to the SPD.

> 
> In short, OpenVPN just is not designed to play nice, in a standard-compliant way,
> with other parts of the system and sometimes that's unacceptable.
> And sometimes that's irrelevant.

When I had to set up a VPN with a Macintosh user (road warrior), I
found out that an IPSec VPN would be beyond my mental abilities as I
could not wrap my head around the correct racoon and mpd5
authentication setup between FreeBSD and Mac.  That's for all the talk
about being standard-compliant. OpenVPN saved me.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
AS43859
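As an added example (not part of the original thread or of any project's own configuration), here is the gif-plus-transport-mode arrangement Victor refers to, written for FreeBSD's rc.conf and setkey(8) syntax. The addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24 for the public endpoints, 10.0.0.0/30 inside the tunnel), the interface name gif0 and the file locations are assumptions chosen for the illustration.

```conf
# --- /etc/rc.conf on site A (assumed: A is 192.0.2.1, B is 198.51.100.1) ---
gif_interfaces="gif0"
gifconfig_gif0="192.0.2.1 198.51.100.1"
# Inner point-to-point addresses: this is the interface a routing daemon,
# SNMP agent or packet filter sees (assumed addresses).
ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.252"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# --- /etc/ipsec.conf on site A, loaded by setkey(8) ---
flush;
spdflush;
# Protect only the gif encapsulation (IP-in-IP, protocol "ipencap" from
# /etc/protocols) exchanged between the two tunnel endpoints, in transport
# mode.  Everything routed through gif0 is carried inside these packets, so it
# is covered without any SPD entry for the inner prefixes.
spdadd 192.0.2.1 198.51.100.1 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ipencap -P in  ipsec esp/transport//require;
```

Site B uses the mirror image: the two public addresses swapped in gifconfig_gif0, the inner addresses swapped in ifconfig_gif0, and the two spdadd lines with their addresses and the out/in directions exchanged. The SPD only states the policy; the actual SAs and keys must come from an IKE daemon (racoon is the one mentioned in this thread, strongSwan is another) or be installed by hand, which is not recommended. The level "require" is the check worth keeping: if no SA exists, unprotected ipencap packets between the endpoints are dropped rather than sent or accepted in the clear, so a broken IKE setup shows up as a dead tunnel instead of a silent fallback to plaintext. The routing daemon and packet filter on each side see a plain point-to-point gif0 interface and are unaware of IPSec, which is exactly the division of labour Victor describes.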

