James,

Philip will argue that IPsec is "better" because it operates at the 
kernel level and as a result, you can traffic shape better.  While that 
is true, my statement that openvpn is currently a better option in 
AstLinux for dynamic IP addresses is still valid.  We currently do not 
support dynamic end points in IPsec.

Philip, openvpn uses UDP for transport, not TCP by default.  You CAN use 
TCP, but it's not recommended.

You CAN support routes back from the client to the server.  This is 
called client-to-client routing and requires a few additional config 
files to work properly.  I do this all the time for remote offices so 
they can have a network printer that is reachable from the main office.

Darrick

On 08/11/2010 02:28 PM, Philip Prindeville wrote:
> Because IPsec copies the QoS markings of packets from the encapsulated 
> packet into the wrapping packet.
>
> It is also datagram based, so you won't have to worry about delays caused by 
> lost packets, retransmission, and reordering (unlike openvpn which runs over 
> SSL+TCP).
>
>
> On 8/11/10 12:09 PM, James Babiak wrote:
>> Why is that? I'm curious because I use openvpn in astlinux all the time
>> (both as a server and client) and am pretty happy with it. I use it for
>> both static and dynamic remote locations to connect back to my house,
>> and generally have about 3-4 openvpn sessions going at a given time.
>> I've used it quite successfully with different soft phones apps (on
>> laptops and my iphone), and assuming that I have sufficiently good
>> bandwidth, have never had an issue sending voip traffic over an openvpn
>> tunnel.
>>
>> My only gripe with openvpn is, unless I'm missing something, the lack of
>> clients being able to advertise routes back to the server. And even if I
>> set them statically, I could never get it working right. Granted I
>> didn't spend too much time on it, and decided to just create a dual
>> tunnel (client<-server and server->client).
>>
>> What benefit(s) does ipsec give over openvpn for voip?
>>
>> -James
>>
>> On 08/11/2010 02:28 PM, Philip Prindeville wrote:
>>> On 8/10/10 9:25 PM, Darrick Hartman wrote:
>>>
>>>> On 08/10/2010 11:21 PM, Philip Prindeville wrote:
>>>>
>>>>> On 8/10/10 8:49 PM, Mark Phillips wrote:
>>>>>
>>>>>> Would pptp be available as a VPN option?
>>>>>>
>>>>>> I can find no references to it other than it was an experimental package
>>>>>> back in 0.6.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Mark
>>>>>>
>>>>> It's still in the source tree and buildable, but if you need VPN, I'd go 
>>>>> with IPsec.
>>>>>
>>>> Or OpenVPN.  Both are good options, depending on the need.  If you are
>>>> going static IP to static IP, IPsec is the best choice.  If you're going
>>>> dynamic to static, openvpn (currently) is a better choice.  There is
>>>> still work to be done for our implementation of IPsec to work with
>>>> dynamic end points.
>>>>
>>>> Darrick
>>>>
>>> IPsec is also the best choice if you're running VoIP over a tunnel.
>>>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.


-- 
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
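
One way to set up the routes from the server back to a client-side LAN discussed in the message above, shown as an added example that is not part of the original post or the AstLinux configuration. The subnets, the client certificate name `remote-office` and the `/etc/openvpn/ccd` path are assumed values; it presumes a routed (`dev tun`) setup.

```conf
# ---- server.conf (main office) ----
# Assumed addressing: main office LAN 192.168.10.0/24,
# remote office LAN 192.168.20.0/24.

# Directory of per-client files, looked up by certificate Common Name.
client-config-dir /etc/openvpn/ccd

# Kernel route: hand traffic for the remote office LAN to the tunnel.
route 192.168.20.0 255.255.255.0

# Give every client a route to the main office LAN.
push "route 192.168.10.0 255.255.255.0"

# Optional: let other clients reach the remote office LAN as well.
client-to-client
push "route 192.168.20.0 255.255.255.0"

# ---- /etc/openvpn/ccd/remote-office ----
# The file name must match the client certificate's Common Name.
# OpenVPN-internal route: this client owns 192.168.20.0/24.
# Without it the server has a kernel route but drops the packets,
# because it does not know which connected client to forward them to.
iroute 192.168.20.0 255.255.255.0
```

The remote office OpenVPN host must have IP forwarding enabled, and hosts on each LAN need a route to the other subnet through their local OpenVPN box if it is not their default gateway.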
