On 20/04/12 20:08, Jim Pingle wrote:
On 4/20/2012 12:23 PM, Gavin Will wrote:
Traditionally I have used IPsec VPNs for site-to-site links; however, with replacing
remote site routers with pfSense boxes I thought about using OpenVPN instead.

Any pros/cons?

I quite like the ability to push a route easily with OpenVPN.

Off the top of my head...

Pros for OpenVPN:
* Plays nicer with NAT and other intermediate filtering, since it only
requires a single UDP or TCP port
* Able to route traffic arbitrarily on a basic VPN setup
* No issues with reconnecting/disconnecting
* Easy to add secondary peers
* Very easy to set up a remote access VPN with authentication
* Shared key mode works well with OSPF for dynamic routing

Cons for OpenVPN:
* Little in the way of vendor compatibility, mainly only found on OSS
firewalls
* People have a tendency to fear the unknown so they don't try it, or
dislike it because it's unfamiliar. Once they drink the kool-aid though,
they rarely stop. :-)

Pros for IPsec:
* Long-lived standard
* Many implementations on many devices, can usually build a tunnel to
just about anything
* Fairly easy to build a tunnel between two firewalls
* Familiarity; many people use it because they have used it before.

Cons for IPsec:
* Long history of problems reconnecting/rebuilding tunnels
* Rare for devices to support multiple peers
* Implementations between vendors can often have quirks
* Requires both UDP and ESP for tunneled traffic
* Remote access/mobile clients can have issues, but may work (see our
ticket system for open issues)
* Lots of problems traversing NAT or behind restrictive firewalls/networks
* Routing arbitrary networks (not using Phase 2's in tunnel mode)
requires IPsec in transport mode + GIF/GRE, which few vendors support.

Jim

I'd add another couple of pros for OpenVPN:
* It's easy to set up multiple independent OpenVPN VPNs on the same server or client, running on different ports on the same IP address.
* If you don't mind installing a little extra software, it is easy to use on lots of different clients.
* It's easy to set up an OpenVPN server in existing networks with minimal changes - all you need is a port forward from the firewall through to the OpenVPN server.

We have several independent OpenVPN setups on a server, with clients able to connect with different accesses. And some of our users have multiple client setups on their laptops for connecting to many different servers.
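As an added illustration (not configuration from this thread or from pfSense), here is a minimal OpenVPN shared-key site-to-site pair of the kind the replies describe: one UDP port to open, a static tunnel address pair, and the remote LAN routed over the tunnel. Hostnames, LAN ranges, the key path and port 1194 are assumed placeholders.

```conf
# --- Site A (listening end), /etc/openvpn/site-b.conf ---
# Firewall exposure is a single rule: allow UDP/1194 inbound to this host.
# An equivalent IPsec tunnel would need UDP/500, UDP/4500 and IP protocol 50 (ESP).
dev tun
proto udp
port 1194
# Static pre-shared key, generated once with: openvpn --genkey --secret site.key
# and copied to both ends out of band. Static-key mode has no forward secrecy;
# use TLS mode (ca/cert/key + tls-auth) where peers can manage certificates.
secret /etc/openvpn/site.key
# Point-to-point tunnel addresses: local first, remote second.
# These are also the addresses an OSPF adjacency would form over.
ifconfig 10.8.0.1 10.8.0.2
# Route site B's LAN (placeholder) through the tunnel.
route 192.168.2.0 255.255.255.0
# Static-key mode cannot use AEAD ciphers, so pair a CBC cipher with an HMAC.
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
# Drop privileges after the tunnel is up.
user nobody
group nobody
verb 3

# --- Site B (connecting end), /etc/openvpn/site-a.conf ---
# Site B needs no inbound rule at all; it only initiates outbound UDP/1194,
# which is why this traverses NAT and restrictive networks more easily.
dev tun
proto udp
remote vpn-a.example.com 1194
nobind
secret /etc/openvpn/site.key
# Mirror of site A's tunnel addresses.
ifconfig 10.8.0.2 10.8.0.1
# Route site A's LAN (placeholder) through the tunnel.
route 192.168.1.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3
```

A second independent tunnel on either box is just another file with a different `port`/`remote` port and its own key, which is how several tunnels coexist on one IP address.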


_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list