On 4/20/2012 12:23 PM, Gavin Will wrote:
> Traditionally I have used IPsec VPNs for site-to-site links; however, as I am replacing
> remote site routers with pfSense boxes, I thought about using OpenVPN
> instead.
>
> Any pros/cons?
>
> I quite like the ability to push a route easily with OpenVPN.
Off the top of my head...

Pros for OpenVPN:
* Plays nicer with NAT and other intermediate filtering, since it only requires a single UDP or TCP port
* Able to route traffic arbitrarily on a basic VPN setup
* No issues with reconnecting/disconnecting
* Easy to add secondary peers
* Very easy to set up a remote access VPN with authentication
* Shared key mode works well with OSPF for dynamic routing

Cons for OpenVPN:
* Little in the way of vendor compatibility; mainly only found on OSS firewalls
* People have a tendency to fear the unknown, so they don't try it, or dislike it because it's unfamiliar. Once they drink the kool-aid though, they rarely stop. :-)

Pros for IPsec:
* Long-lived standard
* Many implementations on many devices; can usually build a tunnel to just about anything
* Fairly easy to build a tunnel between two firewalls
* Familiarity; many people use it because they have used it before.

Cons for IPsec:
* Long history of problems reconnecting/rebuilding tunnels
* Rare for devices to support multiple peers
* Implementations between vendors can often have quirks
* Requires both UDP and ESP for tunneled traffic
* Remote access/mobile clients can have issues, but may work (see our ticket system for open issues)
* Lots of problems traversing NAT or behind restrictive firewalls/networks
* Routing arbitrary networks (not using Phase 2s in tunnel mode) requires IPsec in transport mode + GIF/GRE, which few vendors support.

Jim

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
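To make the "single UDP port" and "route arbitrarily" points concrete, here is a minimal site-to-site tunnel in OpenVPN's shared (static) key mode, the mode Jim mentions pairing with OSPF and the one pfSense labels Peer to Peer (Shared Key). This is an added example written for this page, not configuration from the thread or from the pfSense project; the hostname hq.example.net, the LAN ranges 10.0.0.0/24 and 10.1.0.0/24, the tunnel addresses 10.255.0.1/2 and the key path are assumptions chosen for illustration.

```conf
# ---------------------------------------------------------------
# Shared-key site-to-site OpenVPN, two config files (added example).
# Generate ONE key and copy it to both ends over a trusted channel:
#   openvpn --genkey --secret /var/etc/openvpn/site2site.key
# The "0" / "1" after the key path select opposite key directions
# on each side so each direction of traffic uses different key
# material from the same file.
# ---------------------------------------------------------------

# ===== hq.conf (HQ firewall, LAN 10.0.0.0/24) =====
# HQ is the listening side; it is the only side that needs an
# inbound firewall rule (UDP 1194 on WAN). The branch may sit
# behind NAT since it only initiates.
dev tun
proto udp
port 1194
secret /var/etc/openvpn/site2site.key 0   ; assumed key path
ifconfig 10.255.0.1 10.255.0.2            ; local, remote tunnel IPs
# Kernel route for the branch LAN via the tunnel. In static-key
# mode each side states its own routes; nothing is pushed.
route 10.1.0.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
keepalive 10 60        ; ping every 10s, restart after 60s silence
persist-key
persist-tun
verb 3

# ===== branch.conf (branch firewall, LAN 10.1.0.0/24) =====
dev tun
proto udp
remote hq.example.net 1194                ; assumed HQ hostname
nobind                                    ; initiate only, no listener
secret /var/etc/openvpn/site2site.key 1   ; opposite direction to HQ
ifconfig 10.255.0.2 10.255.0.1
route 10.0.0.0 255.255.255.0              ; HQ LAN via the tunnel
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
```

Two things worth checking before relying on this. First, the firewall surface: the whole tunnel rides on one UDP port at one end, which is exactly why Jim's NAT-traversal point holds; an IPsec tunnel instead needs UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP), and ESP is not a port, so middleboxes that only understand TCP/UDP can break it. Second, the routing model: static-key mode carries no route exchange at all, so both `route` lines must agree with the LAN ranges or return traffic is black-holed; the "push a route" behaviour Gavin likes belongs to TLS server mode, where the server config carries `push "route 10.0.0.0 255.255.255.0"` and a per-client `iroute` entry in `client-config-dir` for that client's LAN. The caveat of shared-key mode is that a single long-lived key protects all traffic with no forward secrecy, so a later key compromise exposes recorded sessions; for anything beyond a small fixed pair of sites, TLS mode with a PKI is the safer choice.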