VPN/IPSEC tunnel

Kevin Fenzi kevin at scrye.com
Mon Dec 6 17:05:23 UTC 2010

On Mon, 6 Dec 2010 05:38:14 +0100
<J.Witvliet at mindef.nl> wrote:

> Does not agree,
> "People" claim that openvpn is supposedly easier to configure,
> compared with *swan.

Indeed. At least part of it is going to be a personal preference.
If you know and have used ipsec for a long time that's likely to be
easier for you. ;)

> However, for a _very_ simple tunnel that might be true, but most of
> the problems people encounter with ipsec are often related to either
> certificates, CA's, routing, or smartcards. And they will encounter
> likewise problems (but other syntax) when using openvpn.
> When confronted with more complex network setup (mesh topology),
> scalability, or ipv6 your best (or even only) option remains ipsec.

I'll disagree with you there. I have set up openvpn in all kinds of
setups. ;) It's a great deal more flexible. It can bridge or route, it
can work on any port udp or tcp, it can go through proxies, it uses the
normal bridging/routing tools as any other real device.

> Interoperability with existing vpn products? Forget openvpn!

Indeed. You need openvpn on both ends. If you don't control one end
point, ipsec may be your only/best choice. 

> Even for very simple hapsnap tunnels one might even consider the
> tunnel capabilities of openssh.....

ssh performs pretty poorly in some cases, doesn't automatically
reconnect, requires a higher level of access, only works over tcp, etc. 

> Hw

> ----- Original message -----
> From: users-bounces at lists.fedoraproject.org <users-bounces at lists.fedoraproject.org>
> To: users at lists.fedoraproject.org <users at lists.fedoraproject.org>
> Sent: Sat Dec 04 21:41:35 2010
> Subject: Re: VPN/IPSEC tunnel
> On Sat, 04 Dec 2010 13:32:04 -0430
> Patrick O'Callaghan <pocallaghan at gmail.com> wrote:
> > On Sat, 2010-12-04 at 18:57 +0100, Luc MAIGNAN wrote:
> > > Can openVPN make IPSec tunnels or just SSL?
> > 
> > I believe it's fully IPSec compliant. 
> Nope. Openvpn uses its own ssl based protocol. It cannot directly
> interoperate with ipsec tunnels. ;)
> That said, if you have control over both endpoints, IMHO openvpn is a
> vastly better choice than ipsec. 
> kevin