OpenVPN vs IPSec
Eugene Grosbein
eugen at grosbein.net
Sun Nov 19 14:57:35 UTC 2017
19.11.2017 21:20, Victor Sudakov wrote:
> IPSec per se does not use or require interfaces, unless you first
> configure gif/gre tunnels and then encrypt traffic between tunnel
> endpoints in IPSec transport mode.
There is also if_ipsec(4), too.
> I wonder if the same approach will not work with OpenVPN's tap/tun interfaces
> (I have not tried, so maybe not).
I tried, and it won't work within a single OpenVPN instance, and it is unusually hard
and meaningless with multiple OpenVPN instances, just because OpenVPN was not designed
to interact with other parts of the system.
>> to process with SNMP agent/routing daemon/packet filters etc. because
>> distinct OpenVPN instances cannot share routing correctly in between.
>
> IPSec is oblivious to routing too. It just encrypts/decrypts packets
> according to the SPD.
Yes, IPSec does not try to be the single combine for encryption, interface manipulation,
and routing propagation. But it combines with additional subsystems just fine.
>> In short, OpenVPN just is not designed to play in a nice and standards-compliant way
>> with other parts of the system, and sometimes that's unacceptable.
>> And sometimes that's irrelevant.
>
> When I had to setup a VPN with a Macintosh user (road warrior), I
> found out that an IPSec VPN would be beyond my mental abilities as I
> could not wrap my head around the correct racoon and mpd5
> authentication setup between FreeBSD and Mac. That's for all the talk
> about being standard-compliant. OpenVPN saved me.
Hmm, I had no problems making such a setup. I use a single IPSec shared secret
for the whole group of roaming users to encrypt their initial traffic
and distinct login/password pairs in the mpd.secret file for CHAP-based
authentication within L2TP tunnels before assignment of internal IP addresses.
You can find my letter to RU.UNIX.BSD of Juny 20 with subject "Re: STABLE+IPSEC"
describing this setup.
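Added example, not part of the thread and not anyone's posted code: a POSIX shell script that prints the FreeBSD commands for the two interface-based IPsec arrangements mentioned above, a gif(4) tunnel whose IP-in-IP packets are protected by IPsec in transport mode, and an if_ipsec(4) interface bound to tunnel-mode SAs through a reqid. The addresses (198.51.100.1, 203.0.113.1, 10.0.0.1/10.0.0.2) and the reqid 100 are constructed assumptions. Only the SPD is emitted; the SAs are expected to come from an IKE daemon such as racoon, whose configuration is outside this example. Nothing here touches the running system: the script prints commands for review, to be piped to sh on the FreeBSD box once checked.

```shell
#!/bin/sh
# Added example: emit the FreeBSD commands for running IPsec behind an
# interface that pf/ipfw, SNMP agents and routing daemons can see.
# Assumptions (constructed, not from the original message):
#   outer endpoints 198.51.100.1 <-> 203.0.113.1
#   inner point-to-point addresses 10.0.0.1 <-> 10.0.0.2
#   reqid 100 for the if_ipsec(4) variant

# Variant 1: gif(4) tunnel + IPsec transport mode.
# The SPD only covers protocol ipencap (IP-in-IP, proto 4) between the
# two outer addresses, so exactly the gif traffic is encrypted; IKE on
# UDP/500 and everything else between the hosts stays outside the policy.
# "require" makes the kernel drop the packets until an SA exists, which
# is also what triggers racoon to negotiate one.
# usage: gen_gif_transport OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE
gen_gif_transport() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $1 $2
ifconfig gif0 inet $3 $4 netmask 255.255.255.255
setkey -c <<SPD
spdadd $1 $2 ipencap -P out ipsec esp/transport//require;
spdadd $2 $1 ipencap -P in ipsec esp/transport//require;
SPD
EOF
}

# Variant 2: if_ipsec(4) (FreeBSD 11.1 and later).
# The interface is created with a reqid and owns the tunnel-mode policy;
# every SA used for it must carry the same reqid (setkey "-u"), whether
# added by hand or negotiated by an IKE daemon. The manual SA lines are
# printed as a commented template with placeholder keys, never real ones;
# check if_ipsec(4) on the running release for the exact policy handling.
# usage: gen_ipsec_if OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE REQID
gen_ipsec_if() {
    cat <<EOF
ifconfig ipsec0 create reqid $5
ifconfig ipsec0 tunnel $1 $2
ifconfig ipsec0 inet $3 $4 netmask 255.255.255.255
# Manual SA template (replace the placeholders with keys from a CSPRNG,
# e.g. openssl rand -hex 32 / openssl rand -hex 32, or let IKE do it):
# setkey -c <<SA
# add $1 $2 esp 0x10001 -m tunnel -u $5 -E aes-cbc 0x<32 hex bytes> -A hmac-sha2-256 0x<32 hex bytes>;
# add $2 $1 esp 0x10002 -m tunnel -u $5 -E aes-cbc 0x<32 hex bytes> -A hmac-sha2-256 0x<32 hex bytes>;
# SA
EOF
}

# Print both variants for the assumed addresses so they can be reviewed
# before anything is piped into sh.
echo '### gif(4) + transport mode'
gen_gif_transport 198.51.100.1 203.0.113.1 10.0.0.1 10.0.0.2
echo '### if_ipsec(4) with reqid'
gen_ipsec_if 198.51.100.1 203.0.113.1 10.0.0.1 10.0.0.2 100
```

On the remote side the same functions are called with the argument pairs swapped. The point of both variants is the one made in the message: the routing daemon, the SNMP agent and the packet filter work against gif0 or ipsec0 like any other interface, while the SPD and the IKE daemon handle only the cryptography.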