Hi Leroy,
On 08/10/20 00:58, Leroy Tennison via Openvpn-users wrote:
> We use OpenVPN but are getting requests from customers for IPSec. In
> doing research I came across a reference stating the OpenVPN
> development team has "subscribed to" some standard for secure
> development but, of course, now I can't find it. Does anyone have a
> reference to what I'm talking about?
New to me, but I have not been following that too closely...
> I'm painfully aware that IPSec is more complex, difficult to set up
> and less robust in recovering from failed connections than OpenVPN but
> am looking for additional justification. Anything that anyone has to
> offer (third-party commercial products such as firewall vendors using
> OpenVPN, reviews/analysis of OpenVPN, "security expert"
> recommendations, etc) would be appreciated.
Like the others have said, most third-party commercial products for
roadwarriors (non site-to-site) have built in their own extensions.
Windows, for example, has had an IPsec+L2TP client for years but almost
no one knows how to effectively use it and thus it is not used at all.
The main issue with IPsec is NATting, which it is horrible at; I've been
in a project where an external consultant recommended IPsec over OpenVPN
(this was in 2005!) and the project collapsed more or less due to
NATting issues. With OpenVPN-over-TCP they got things up and running
smoothly after that.
Also, if your roadwarriors (clients) travel to internet-restricted
countries a lot (e.g. China) then IPsec will almost certainly not work,
whereas with OpenVPN you still have a chance.
A quick & dirty breakdown of what protocol to choose would be:
- site-to-site only? IPsec is an option but OpenVPN can handle it;
WireGuard is also good at this
- many clients that connect over "open" internet: almost any commercial
IPsec client can do this over UDP, some even over TCP but you will be
locked in to a commercial closed-source vendor; OpenVPN excels at this,
whether it's UDP or TCP based.
- clients in "difficult" spots, like some countries and even some bars
and airport wifi setups: IPsec will most likely fail, as it cannot
handle NATting and TCP well; OpenVPN-over-TCP is a good solution for this.
HTH,
JJK
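The "OpenVPN-over-TCP for difficult spots" advice above, as an added example client profile (not from JJK's post or the OpenVPN project): it tries UDP first and falls back to TCP/443 when UDP is blocked or NAT mangles it. The hostname, ports and file names are placeholders; the server needs a matching listener for each transport.

```conf
# Added example, not part of the original thread. Roadwarrior client
# profile: fast UDP path first, TCP/443 fallback for filtered networks.
# vpn.example.com and the cert/key file names are placeholders.
client
dev tun
nobind
persist-key
persist-tun

# OpenVPN walks the remote list in order (remote-random deliberately off):
# plain UDP on 1194 first, then TCP on 443, which most captive portals
# and restrictive networks let through.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp

# Retry a remote every 2s (backing off to 10s) at most 3 times before
# moving on to the next entry, so a blocked UDP path fails over quickly.
connect-retry 2 10
connect-retry-max 3

# Server side (not shown): one listener per transport, e.g. a second
# instance on tcp/443, or "port-share" if 443 also serves HTTPS.

# TLS hygiene: verify the peer is a server cert, wrap the control channel
# with tls-crypt, and use client certificates rather than passwords only.
remote-cert-tls server
tls-crypt ta.key
ca ca.crt
cert client.crt
key client.key
cipher AES-256-GCM
verb 3
```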
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users