On Fri, 2012-04-20 at 21:04 +0200, David Brown wrote:
> On 20/04/12 20:08, Jim Pingle wrote:
> > On 4/20/2012 12:23 PM, Gavin Will wrote:
> >> Traditionally used IPsec VPNs for site to site links however with 
> >> replacing remote site routers with pfSense boxes I thought about using 
> >> OpenVPN instead.
> >>
> >> Any pros/cons?
> >>
> >> I quite like the ability to push a route easily with OpenVPN.
> >
> > Off the top of my head...
> >
> > Pros for OpenVPN:
> > * Plays nicer with NAT and other intermediate filtering, since it only
> > requires a single UDP or TCP port
> > * Able to route traffic arbitrarily on a basic VPN setup
> > * No issues with reconnecting/disconnecting
> > * Easy to add secondary peers
> > * Very easy to set up a remote access VPN with authentication
> > * Shared key mode works well with OSPF for dynamic routing
> >
> > Cons for OpenVPN:
> > * Little in the way of vendor compatibility, mainly only found on OSS
> > firewalls
> > * People have a tendency to fear the unknown so they don't try it, or
> > dislike it because it's unfamiliar. Once they drink the kool-aid though,
> > they rarely stop. :-)
> >
> > Pros for IPsec:
> > * Long-lived standard
> > * Many implementations on many devices, can usually build a tunnel to
> > just about anything
> > * Fairly easy to build a tunnel between two firewalls
> > * Familiarity, many people use it because they have used it before.
> >
> > Cons for IPsec:
> > * Long history of problems reconnecting/rebuilding tunnels
> > * Rare if devices support multiple peers
> > * Implementations between vendors can often have quirks
> > * Requires both UDP and ESP for tunneled traffic
> > * Remote access/mobile clients can have issues, but may work (see our
> > ticket system for open issues)
> > * Lots of problems traversing NAT or behind restrictive firewalls/networks
> > * Routing arbitrary networks (not using Phase 2s in tunnel mode)
> > requires IPsec in transport mode + GIF/GRE, which few vendors support.
> >
> > Jim
> 
> I'd add another couple of pros for OpenVPN:
> * It's easy to set up multiple independent OpenVPN VPNs on the same 
> server or client, running on different ports on the same IP address.
> * If you don't mind installing a little extra software, it is easy to 
> use on lots of different clients.
> * It's easy to set up an OpenVPN server in existing networks with 
> minimal changes - all you need is a port forward from the firewall 
> through to the OpenVPN server.
> 
> We have several independent OpenVPN setups on a server, with clients 
> able to connect with different accesses.  And some of our users have 
> multiple client setups on their laptops for connecting to many different 
> servers.
> 

How does either of these VPN approaches compare with using SSH
Tunneling? (see various Linux Journal articles on this subject)

Bob G

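Jim's traversal points (a single UDP port for OpenVPN versus IKE on UDP 500/4500 plus raw ESP for IPsec) and David's remark that one port forward is all an existing network needs, as an added pf ruleset example for a pfSense-style WAN interface; this is not code from any of the posters. The interface name em0, the OpenVPN port 1194 and the internal server address 192.168.1.10 are assumptions.

```pf
# Added example, not from the thread. pf requires translation (rdr) rules
# before filter rules, so the port forward comes first.
# Assumptions: WAN is em0, OpenVPN listens on UDP 1194, and the OpenVPN
# server behind the firewall (David's case) is 192.168.1.10.
wan       = "em0"
ovpn_port = "1194"
ovpn_srv  = "192.168.1.10"

# Default deny on the WAN: only what is listed below gets in.
block in on $wan all

# --- OpenVPN server living behind the existing firewall (David's case) ---
# The only change to the existing network is this single port forward.
rdr on $wan proto udp from any to ($wan) port $ovpn_port -> $ovpn_srv port $ovpn_port

# --- IPsec site-to-site terminating on the firewall itself ---
# Three distinct things must pass: IKE on UDP 500, NAT-T (UDP-encapsulated
# ESP) on UDP 4500, and raw ESP (IP protocol 50, no ports at all). The raw
# ESP rule is what breaks behind NAT devices and restrictive networks that
# only forward TCP/UDP, which is Jim's "both UDP and ESP" con.
pass in quick on $wan proto udp from any to ($wan) port { 500, 4500 }
pass in quick on $wan proto esp from any to ($wan)

# --- OpenVPN terminating on the firewall itself ---
# One UDP port is the whole exposed surface; any NAT or filter that can
# forward a UDP port can carry it.
pass in quick on $wan proto udp from any to ($wan) port $ovpn_port

# --- Filter rule matching the forwarded OpenVPN traffic ---
# Filtering happens after translation, so match on the translated target.
pass in quick on $wan proto udp from any to $ovpn_srv port $ovpn_port
```

With `pfctl -nf <file>` the ruleset can be syntax-checked without loading it.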
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list