On 20/04/12 21:32, Bob Gustafson wrote:
On Fri, 2012-04-20 at 21:04 +0200, David Brown wrote:
On 20/04/12 20:08, Jim Pingle wrote:
On 4/20/2012 12:23 PM, Gavin Will wrote:
Traditionally I have used IPsec VPNs for site-to-site links; however, with replacing 
remote site routers with pfSense boxes I thought about using OpenVPN instead.

Any pros/cons?

I quite like the ability to push a route easily with OpenVPN.

Off the top of my head...

Pros for OpenVPN:
* Plays nicer with NAT and other intermediate filtering, since it only
requires a single UDP or TCP port
* Able to route traffic arbitrarily on a basic VPN setup
* No issues with reconnecting/disconnecting
* Easy to add secondary peers
* Very easy to set up a remote access VPN with authentication
* Shared key mode works well with OSPF for dynamic routing

Cons for OpenVPN:
* Little in the way of vendor compatibility, mainly only found on OSS
firewalls
* People have a tendency to fear the unknown so they don't try it, or
dislike it because it's unfamiliar. Once they drink the kool-aid though,
they rarely stop. :-)

Pros for IPsec:
* Long-lived standard
* Many implementations on many devices, can usually build a tunnel to
just about anything
* Fairly easy to build a tunnel between two firewalls
* Familiarity, many people use it because they have used it before.

Cons for IPsec:
* Long history of problems reconnecting/rebuilding tunnels
* Rare if devices support multiple peers
* Implementations between vendors can often have quirks
* Requires both UDP and ESP for tunneled traffic
* Remote access/mobile clients can have issues, but may work (see our
ticket system for open issues)
* Lots of problems traversing NAT or behind restrictive firewalls/networks
* Routing arbitrary networks (not using Phase 2's in tunnel mode)
requires IPsec in transport mode + GIF/GRE, which few vendors support.

Jim

I'd add another couple of pros for OpenVPN:
* It's easy to set up multiple independent OpenVPN VPNs on the same
server or client, running on different ports on the same IP address.
* If you don't mind installing a little extra software, it is easy to
use on lots of different clients.
* It's easy to set up an OpenVPN server in existing networks with
minimal changes - all you need is a port forward from the firewall
through to the OpenVPN server.

We have several independent OpenVPN setups on a server, with clients
able to connect with different accesses.  And some of our users have
multiple client setups on their laptops for connecting to many different
servers.


How does either of these VPN approaches compare with using SSH
Tunneling? (see various Linux Journal articles on this subject)

Bob G


A VPN gives you a connection from one network (or computer) to another. An SSH tunnel lets you tunnel a single TCP/IP connection over an SSH connection. So the SSH tunnel is far more limited (though that's sometimes a good thing), and in particular it is very inconvenient if you want to use UDP, ICMP, or other protocols. SSH is useful for ad-hoc and occasional "holes" in networks, but it's not a replacement for a VPN.
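To make Jim's NAT/filtering point concrete, here is an added example (not from anyone in the thread) of the inbound pass rules a pf-based firewall such as pfSense needs for each tunnel type in a site-to-site setup. The interface macro `$wan_if`, the peer address `$peer_ip` and the OpenVPN port 1194 are assumed values chosen for illustration; restricting the rules to the known peer address is a choice made here, not something the thread prescribes.

```pf
# Added example, not from the mailing-list thread. $wan_if, $peer_ip and
# port 1194 are assumed values for illustration.

# IPsec site-to-site: IKE on UDP 500, NAT-T on UDP 4500, plus the ESP
# protocol itself (IP protocol 50). ESP carries no port numbers, which is
# why intermediate NAT devices so often break it unless both ends fall back
# to NAT-T encapsulation on UDP 4500.
pass in on $wan_if proto udp from $peer_ip to ($wan_if) port { 500, 4500 }
pass in on $wan_if proto esp from $peer_ip to ($wan_if)

# OpenVPN site-to-site: a single UDP (or TCP) port. This is also why the
# "port forward from the firewall through to the OpenVPN server" David
# mentions is a one-line rule rather than a UDP pair plus a raw IP protocol.
pass in on $wan_if proto udp from $peer_ip to ($wan_if) port 1194
```

For a fixed site-to-site peer, limiting the source to `$peer_ip` keeps the exposed surface to one known address; for roaming clients the source has to be `any`, which is where OpenVPN's single-port footprint is easiest to reason about and to watch in firewall logs.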
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list