Sven Ingebrigt Ulland wrote:
We are about to deploy some fairly critical VPN functionality in our
network, and for that purpose we're considering using OpenBSD with
isakmp/ipsec. We've had a test setup running for some time now with
no problems, but I'm interested in hearing about your long-term
experiences with running openbsd ipsec/isakmpd in critical production
environments. My excuses for the survey-ish feeling of this post.
How long have you been running openbsd isakmpd/ipsec (in production)?
What problems, if any, have you had with the openbsd vpn
implementations? Which of them are the most recurring? How do you
usually fix them?
Have you experienced any interoperability problems when establishing
tunnels with peers that run other implementations (cisco, checkpoint,
etc)? And if so, how do you work around those?
On the outside, it seems to me that the vpn implementation in openbsd
is good and stable, which could also stem from the corporate funding
it received. And the relevant files in cvs seem to be changed rather
infrequently, also a good sign. But I'm not familiar with the inside,
which is what I was hoping you could help out with.
regards,
Sven U
We have been running VPNs here for over a year using isakmpd on OBSD,
beginning with 3.7. We currently have a mix of 3.7, 3.8 and 3.9, on
SPARC and AMD, all on Sun hardware.
We use it to connect medical systems at two county jails to our hospital
data center. We also use it to connect pharmacists and radiologists to
our systems for after hours service. So an entire county medical
infrastructure would be unable to issue meds or read x-rays after hours
if our vpn tunnels were down.
We have found OBSD to be very reliable. We have had a single 'hang' that
could not be resolved by HUP-ing isakmpd, so we simply failed over to
the sasync secondary system. Otherwise, once these puppies go up ...
they pretty much just work and work and work.
Interop with Checkpoint has been dead simple, with Cisco less so.
I have found that when tunneling to something the other side has called
"Cisco VPN concentrators", things go more smoothly if you use 3DES and
MD5. It seems that if you try to use SHA, we never get past a phase one
state.
One thing about OBSD you will find to be truly bizarre is that things
work as documented AND the man pages are concise and useful AND all
features and config files are documented.
I used to manage a small herd of Checkpoints and Netscreens; I have
never looked back.
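As an added example, not taken from either post, here is what the reply's Cisco interop advice looks like as ipsec.conf(5) ike rules: the 3DES/MD5 proposal the reply reports as working, next to the SHA-1 proposal it reports as never getting past phase one. This needs a release whose ipsecctl(8) handles ike rules (the 3.7 gateways in the reply would use isakmpd.conf(5) instead), and isakmpd(8) must be started with -K so it takes its policy from ipsecctl. The addresses, networks and pre-shared key are placeholders I made up; the peer-side settings are assumed, since the posts give none. Note that 3DES and especially MD5 are weak by current standards, so this combination is an interop workaround for an old peer, not a recommendation.

```conf
# /etc/ipsec.conf -- added example, not from the original posts.
# Placeholders (assumptions): 192.0.2.1 is our OpenBSD gateway,
# 198.51.100.1 the "Cisco VPN concentrator", and 10.1.0.0/16 and
# 10.2.0.0/16 the networks behind each side.
local_gw   = "192.0.2.1"
remote_gw  = "198.51.100.1"
local_net  = "10.1.0.0/16"
remote_net = "10.2.0.0/16"

# Proposal the reply reports as stalling in phase one against the Cisco
# peer: SHA-1 integrity in main mode. Kept commented out for comparison.
# ike esp from $local_net to $remote_net local $local_gw peer $remote_gw \
#     main  auth hmac-sha1 enc 3des \
#     quick auth hmac-sha1 enc 3des \
#     psk "replace-with-a-long-random-preshared-key"

# Proposal the reply reports as working: 3DES with MD5 in both phases.
# 'main' sets the phase 1 (ISAKMP SA) transform, 'quick' the phase 2
# (IPsec SA) transform; the pre-shared key must match the Cisco side.
ike esp from $local_net to $remote_net local $local_gw peer $remote_gw \
    main  auth hmac-md5 enc 3des \
    quick auth hmac-md5 enc 3des \
    psk "replace-with-a-long-random-preshared-key"
```

Check the file with `ipsecctl -n -f /etc/ipsec.conf` before loading it with `ipsecctl -f /etc/ipsec.conf`, and watch the tunnel come up with `ipsecctl -sa` (SAs) and `ipsecctl -sf` (flows). If a peer sticks in phase one as the reply describes, running `isakmpd -K -d -DA=50` in the foreground shows which proposal the peer rejects, which is how you tell an algorithm mismatch from a bad pre-shared key. The reply's first-line fix, sending a HUP to isakmpd, is `pkill -HUP isakmpd`; when that does not clear a hang, failing over to the sasync(8) secondary is the fallback the reply describes.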