My two-cents:

* IPsec hardware crypto is supported for a lot more platforms than OpenVPN
out of the box, so IPsec tends to be noticeably faster. E.g., a UBNT
EdgeRouter Lite will give me about 20Mbps over OpenVPN vs almost 1Gbps
(line rate) over IPsec.
* IPsec code in OpenBSD is audited, OpenVPN is a port.

Regards!


2017-06-29 12:32 GMT+02:00 Luescher Claude <starg...@tango.lu>:

> Why are you using IPsec in the 21st century:
>
> https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use
>
> I see no pros here just cons unless you need to set up a VPN with some
> crappy old device which should be just switched out with an obsd box anyway
> :)
>
>
> On 2017-06-29 11:29, Liviu Daia wrote:
>
>> On 29 June 2017, Liviu Daia <liviu.d...@gmail.com> wrote:
>> [...]
>>
>>>     On the server:
>>>
>>> # iked -d
>>> ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 0, 510 bytes
>>> ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to
>>> 89.136.163.27:500 msgid 0, 471 bytes
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 1, 1520 bytes
>>> ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500
>>> msgid 1, 1440 bytes
>>> sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500
>>> policy 'sb1'
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>>>
>>>     On the home router:
>>>
>>> # iked -d
>>> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
>>> ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to
>>> x.y.z.t:500 msgid 0, 510 bytes
>>> ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to
>>> 89.136.163.27:500 policy 'home' id 0, 471 bytes
>>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500
>>> msgid 1, 1520 bytes
>>> ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to
>>> 89.136.163.27:500 policy 'home' id 1, 1440 bytes
>>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
>>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500
>>> msgid 2, 1520 bytes
>>>
>>>     The warning about pubkey doesn't go away if I copy the server's
>>> certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in
>>> /etc/iked/certs.  And then there's this, which doesn't look normal:
>>>
>>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
>>>
>> [...]
>>
>>     Ok this post sent me on the right course:
>>
>>         http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html
>>
>>     Here's what I did:
>>
>>         cd /etc/ssl/vpn/private
>>         openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t
>>         ... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home router.
>>
>>     After that the VPN works, I can send packets from a machine at home
>> and I'm seeing them on enc0 on the remote server:
>>
>> # tcpdump -n -i enc0
>>
>> tcpdump: listening on enc0, link-type ENC
>> 05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
>> > 10.0.0.102: icmp: echo request (encap)
>> 05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
>> > 10.0.0.102: icmp: echo request (encap)
>> 05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
>> > 10.0.0.102: icmp: echo request (encap)
>> ...
>>
>>     However, I'm now running into what seems to be a firewall problem,
>> and I'm getting no answer.  I do have "pass quick inet proto esp" on both
>> VPN ends.  Any idea where / how to fix this?
>>
>>     Also, IPs aren't assigned automatically to the VPN ends.  I can
>> add them to hostname.enc0, but is this the right thing to do?  I tried
>> adding a line
>>
>>         config address 10.0.0.102
>>
>> to /etc/iked.conf, but that's rejected as a syntax error.  A clue stick
>> again please?
>>
>>     Regards,
>>
>>     Liviu Daia
>>
>
>
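
Added example (not from any poster in this thread): a small Python triage script for the `iked -d` output quoted above. It picks out the three symptoms visible in the home-router log (the missing-pubkey warning, the "unexpected auth method" line, and the IKE_AUTH request re-sent with the same msgid) and turns them into one operator-facing line; the sample log is constructed to match the iked format, with RFC 5737 documentation addresses in place of the thread's.

```python
import re
from collections import Counter

# Constructed sample in the format `iked -d` prints, modelled on the quoted
# thread; 192.0.2.10 (server) and 198.51.100.7 (home router) are
# documentation addresses, not the thread's.
SAMPLE_LOG = """\
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/192.0.2.10
ikev2_msg_send: IKE_SA_INIT request from 198.51.100.7:500 to 192.0.2.10:500 msgid 0, 510 bytes
ikev2_recv: IKE_SA_INIT response from responder 192.0.2.10:500 to 198.51.100.7:500 policy 'home' id 0, 471 bytes
ikev2_msg_send: IKE_AUTH request from 198.51.100.7:500 to 192.0.2.10:500 msgid 1, 1520 bytes
ikev2_recv: IKE_AUTH response from responder 192.0.2.10:500 to 198.51.100.7:500 policy 'home' id 1, 1440 bytes
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_msg_send: IKE_AUTH request from 198.51.100.7:500 to 192.0.2.10:500 msgid 2, 1520 bytes
ikev2_msg_send: IKE_AUTH request from 198.51.100.7:500 to 192.0.2.10:500 msgid 2, 1520 bytes
"""

PUBKEY_RE = re.compile(r"could not find pubkey for (\S+)")
AUTH_RE = re.compile(r"unexpected auth method (\w+), was expecting (\w+)")
SEND_RE = re.compile(r"ikev2_msg_send: (\w+) request .* msgid (\d+),")


def triage(log):
    """Collect the three symptoms from an `iked -d` log."""
    found = {"missing_pubkey": None, "auth_mismatch": None, "retransmits": {}}
    sends = Counter()
    for line in log.splitlines():
        if m := PUBKEY_RE.search(line):
            found["missing_pubkey"] = m.group(1)
        elif m := AUTH_RE.search(line):
            found["auth_mismatch"] = (m.group(1), m.group(2))  # (got, expected)
        elif m := SEND_RE.search(line):
            sends[(m.group(1), int(m.group(2)))] += 1
    # The same exchange/msgid sent more than once means the peer never gave
    # an answer the initiator accepted (here: IKE_AUTH msgid 2 repeating).
    found["retransmits"] = {k: n for k, n in sends.items() if n > 1}
    return found


def diagnosis(found):
    """One operator-facing line built from the findings."""
    notes = []
    if found["auth_mismatch"]:
        got, expected = found["auth_mismatch"]
        notes.append(f"peer used auth method {got}, local policy expects {expected}")
    if found["missing_pubkey"]:
        notes.append(f"no peer public key at {found['missing_pubkey']}; install "
                     "the peer's public key there (openssl rsa -pubout from its key)")
    for (exch, msgid), n in sorted(found["retransmits"].items()):
        notes.append(f"{exch} msgid {msgid} sent {n} times")
    return "; ".join(notes) or "no IKEv2 authentication problems found"
```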
