OpenVPN vs IPSec

Eric Masson emss at free.fr
Sun Nov 19 16:05:00 UTC 2017


Victor Sudakov <vas at mpeks.tomsk.su> writes:

Hi,

> That is, if you use kernel IPsec. But StrongSwan is completely
> userland AFAIK.

Nope, StrongSwan provides a userland ipsec stack but clearly states it's
not intended to be used on security gateways. Its typical use case is
when the kernel stack misses a required algorithm.

> And the kernel IPsec implementation has had problems with NAT
> traversal. Does it still have problems and require extra patches for NAT
> traversal?

Seems to me no patch has been required for a long time. ipsec is even
now enabled in GENERIC and has no performance impact when not used
(thanks to bz@).

> Maybe I'm indeed the faulty layer between keyboard and chair, but
> FreeBSD+IPsec+L2TP is still beyond me. Pure IPsec is fine more or
> less with me.

ipsec works fine, L2TP/ipsec is somewhat more convoluted. racoon needs 2
patches from what I've read here:
https://forums.freebsd.org/threads/26755/

As I've now switched my gateways to LEDE/OpenWRT, I no longer toy with
this kind of setup on FreeBSD.

-- 
 L*n*x**ns are by definition newbies, 'cause we were
 already drinking Guinness around BSD stuff when the penguin business
 wasn't even a lustful gleam in Linus T.'s eye.
 -+- FYlG in <http://www.le-gnu.net>: Gouin gouin les pingouins -+-

