On 20/04/12 20:08, Jim Pingle wrote:
On 4/20/2012 12:23 PM, Gavin Will wrote:
Traditionally I've used IPsec VPNs for site-to-site links; however, with replacing
remote site routers with pfSense boxes, I thought about using OpenVPN instead.
Any pros/cons?
I quite like the ability to push a route easily with OpenVPN.
Off the top of my head...
Pros for OpenVPN:
* Plays nicer with NAT and other intermediate filtering, since it only
requires a single UDP or TCP port
* Able to route traffic arbitrarily on a basic VPN setup
* No issues with reconnecting/disconnecting
* Easy to add secondary peers
* Very easy to set up a remote access VPN with authentication
* Shared key mode works well with OSPF for dynamic routing
Cons for OpenVPN:
* Little in the way of vendor compatibility, mainly only found on OSS
firewalls
* People have a tendency to fear the unknown so they don't try it, or
dislike it because it's unfamiliar. Once they drink the kool-aid though,
they rarely stop. :-)
Pros for IPsec:
* Long-lived standard
* Many implementations on many devices, can usually build a tunnel to
just about anything
* Fairly easy to build a tunnel between two firewalls
* Familiarity, many people use it because they have used it before.
Cons for IPsec:
* Long history of problems reconnecting/rebuilding tunnels
* Rare for devices to support multiple peers
* Implementations between vendors can often have quirks
* Requires both UDP and ESP for tunneled traffic
* Remote access/mobile clients can have issues, but may work (see our
ticket system for open issues)
* Lots of problems traversing NAT or behind restrictive firewalls/networks
* Routing arbitrary networks (not using Phase 2's in tunnel mode)
requires IPsec in transport mode + GIF/GRE, which few vendors support.
Jim
I'd add another couple of pros for OpenVPN:
* It's easy to set up multiple independent OpenVPN VPNs on the same
server or client, running on different ports on the same IP address.
* If you don't mind installing a little extra software, it is easy to
use on lots of different clients.
* It's easy to set up an OpenVPN server in existing networks with
minimal changes - all you need is a port forward from the firewall
through to the OpenVPN server.
We have several independent OpenVPN setups on a server, with clients
able to connect with different accesses. And some of our users have
multiple client setups on their laptops for connecting to many different
servers.
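An added illustration (not from any poster in this thread) of the points raised above: a shared-key OpenVPN site-to-site pair where each side routes the other's LAN over the tunnel and the only inbound opening needed on the server's firewall is one UDP port, with a second independent instance living on another port. Hostnames, key paths, subnets and port numbers are made up for the example.

```conf
# ---- Server side (HQ), e.g. /usr/local/etc/openvpn/site-b.conf ----
# Only UDP/1195 must be allowed inbound (or port-forwarded) to this host.
# Compare IPsec, which needs UDP/500, UDP/4500 and IP protocol 50 (ESP).
dev tun
proto udp
port 1195                        # assumed port; pick a free one per instance
secret /usr/local/etc/openvpn/site-b.key   # assumed path to the shared static key
ifconfig 10.8.1.1 10.8.1.2       # tunnel endpoints, this side first
route 192.168.20.0 255.255.255.0 # site B LAN, reached via the tunnel
keepalive 10 60                  # ping every 10s, restart after 60s silence
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
verb 3

# ---- Client side (site B), e.g. /usr/local/etc/openvpn/hq.conf ----
dev tun
proto udp
remote hq.example.com 1195       # assumed hostname; no inbound rule needed at site B
secret /usr/local/etc/openvpn/site-b.key   # same key file as the server
ifconfig 10.8.1.2 10.8.1.1       # mirror of the server's ifconfig line
route 192.168.10.0 255.255.255.0 # HQ LAN, reached via the tunnel
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
verb 3

# ---- A second, independent tunnel to site C on the same HQ server ----
# Same IP address, different port and a different key: one more UDP rule.
# /usr/local/etc/openvpn/site-c.conf
dev tun
proto udp
port 1196
secret /usr/local/etc/openvpn/site-c.key   # never share a static key between peers
ifconfig 10.8.2.1 10.8.2.2
route 192.168.30.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
```

Each instance keeps its own key and tunnel subnet, so compromising one peer's key does not expose the other tunnels, and the per-instance firewall rule stays a single UDP port.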
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list