OpenVPN vs IPSec
Victor Sudakov
vas at mpeks.tomsk.su
Sun Nov 19 14:31:02 UTC 2017
Muenz, Michael wrote:
> On 19.11.2017 at 13:08, Victor Sudakov wrote:
> > Muenz, Michael wrote:
> >>> Is there any reason to prefer IPSec over OpenVPN for building VPNs
> >>> between FreeBSD hosts and routers (and others compatible with OpenVPN
> >>> like pfSense, OpenWRT etc)?
> >>>
> >>> I can see only advantages of OpenVPN (a single UDP port, a single
> >>> userland daemon, no kernel rebuild required, a standard PKI, an easy
> >>> way to push settings and routes to remote clients, nice monitoring
> >>> feature etc). But maybe there is some huge advantage of IPSec I've
> >>> skipped?
> >>>
> >> Hi,
> >>
> >> partners/customers with Cisco IOS or ASA won't be able to partner up
> >> without IPSEC.
> > Sure, that's why I wrote "and others compatible with OpenVPN
> > like pfSense, OpenWRT etc" in the first paragraph.
> >
>
> Are you just searching for arguments against IPSec or real life cases?
Actually, I'm searching for arguments *for* IPSec.
> IMHO when you have both ends under control OpenVPN is just fine.
> If you are planning to interconnect with many customers/vendors IPSec
> fits best.
I have a personal success story of establishing transport mode IPSec
between Windows and FreeBSD/racoon. But when other OSes are involved,
I have the impression that there is no pure IPSec, it's usually
IPSec+L2TP, and that's where the FreeBSD part becomes complicated
(interaction between ipsec, mpd5 and racoon is required).
>
> In the last 15 years I was never asked about a Site2Site VPN with OpenVPN
> from any customer or partner of the firewalls I managed.
OK, thank you, I have now one argument: IPSec is multi-vendor.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
More information about the freebsd-net
mailing list