From experience and what I've read, IPSEC is easy to set up and work with where there is no natting/firewalling.

Where there is natting/firewalling, IPSEC or the firewall/nat is not so trivial to set up. Your choice is based on the amount of time you are ready to spend. In this two-site scenario, I can bet that OpenVPN would take less than 1hr from scratch! And as Tom has said in his two mails, IPSEC/GRE is not so simple in theory either!

*Just a very happy user of OpenVPN*

Ditched IPSEC after about a week of effort to set up IPSEC in all our required scenarios. Then was in awe when I managed to do the same within 1 hour with OpenVPN from scratch (reading the documentation included). Never looked back.

Prasanna.

On 1/5/07, Joshua Perry <[EMAIL PROTECTED]> wrote:
> Hey Andrew, OpenVPN sounds interesting, and I did breeze past it a couple times while researching branch office VPN solutions. There are a couple of reasons that I went with IPSec. I don't know if they really hold any weight, but here is my thought pattern.
>
> -GRE/IPSec is pretty industry standard at this point; our Cisco gear supports it, our Watchguard supports it, so if I needed to I would be able to support something besides a remote PC host.
>
> -Besides the IKE, the encryption is done in kernel mode, which is bound to improve throughput. I don't know if that is really a bottleneck with our infrastructure, so it's something that I would love to benchmark against OpenVPN. We do a lot of large file transfers as we are a large format digital print company (billboards, trade show booths, etc...).
>
> -GRE and IPSec are integrated in the OS pretty tightly, not just the kernel support but it is also supported natively by Gentoo's network setup scripts.
>
> -It is simple :) perhaps not as simple as OpenVPN to set up, but simple as in not quite as overkill as OpenVPN. I merely wanted to encrypt data between two hosts; the setup definitely was not OE but it didn't take more than 30 minutes to configure. Once that worked, the GRE tunnel went up in another 5 minutes, and really transport mode IPSec is pretty transparent to the GRE tunnel. I was passing and routing traffic with no problems.
>
> So it kind of fit my requirements better. Not that OpenVPN doesn't, which I will probably give a try, but it seemed a better fit. The problem didn't come until I wanted to put a firewall up to secure the box against the harsh internet. I decided to try shorewall because I didn't really want to manage iptables chains by hand, and that is where I have been having problems. I first tried intersecting the IPSec and the GRE tutorial documents, and then I have been trying to understand how shorewall translates its zones/policies/interfaces into iptables rules and chains, as I was not able to find any information specifically on opening up IPSec protected GRE anywhere.
>
> So, I guess this may overall be a configuration that is not supported by shorewall. If that is the case I guess I have the options of managing the chains by hand or using OpenVPN instead of GRE over IPSec.
>
> Thank you for the input.
>
> Josh
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Suffield
> Sent: Thursday, January 04, 2007 7:43 PM
> To: [email protected]
> Subject: Re: [Shorewall-users] GRE over IPSec VPN
>
> On Thu, Jan 04, 2007 at 05:11:07PM -0700, Joshua Perry wrote:
> > I'm not sure what to do at this point
>
> Consider using openvpn instead? Chances are it does everything you need and would be far less work to set up (the firewall rules are trivial; the openvpn config files can be understood in less than an hour and take about five minutes to write, and then it should be working).
>
> You didn't say, but since your diagram shows a pair of private networks, I'm assuming that you control both endpoints and aren't trying to connect to somebody else's insanity (if you are, I can only offer my condolences, ipsec+GRE is about as bad as it gets).
>
> I'm not sure why people always leap for ipsec, it's probably the most complicated option available - only the most fiendishly sophisticated systems need it, it is sheer masochism for everybody else. And if you're using linux instead of a cisco router, it's pretty unlikely that you need to be using GRE for anything.
>
> Perhaps it would help if all the pages on shorewall.net relating to ipsec, pptp, and any other tunneling protocols had a big banner on the top saying:
>
> ************************************************************************
> *  ____ _____ ___  ____                                                *
> * / ___|_   _/ _ \|  _ \                                               *
> * \___ \ | || | | | |_) |                                              *
> *  ___) || || |_| |  __/                                               *
> * |____/ |_| \___/|_|                                                  *
> *                                                                      *
> * If you just want to hook two linux systems together with a VPN over  *
> * the Internet, this is almost certainly overkill. Consider reading    *
> * http://shorewall.net/OPENVPN.html instead, it's much easier.         *
> ************************************************************************
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
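For readers who land on this thread with the same question, here is what the Shorewall side of both setups discussed above would look like: Josh's GRE carried inside transport-mode IPsec, and the OpenVPN alternative Andrew and Prasanna recommend. This is an added illustration, not configuration posted by anyone in the thread and not taken from shorewall.net. The zone names, the `eth0`/`gre1`/`tun0` device names and the peer address 198.51.100.1 (RFC 5737 documentation space) are assumptions; the table layouts are Shorewall's standard `zones`, `interfaces`, `tunnels` and `policy` files.

```conf
# /etc/shorewall/zones
# "branch" is the assumed name for the network at the far end of the tunnel.
#ZONE     TYPE
fw        firewall
net       ipv4
branch    ipv4

# /etc/shorewall/interfaces
# gre1 is the assumed name of the configured GRE device (gre0 is the kernel's
# fallback device). For the OpenVPN variant, use the tun device instead.
#ZONE     INTERFACE    BROADCAST    OPTIONS
net       eth0         detect       tcpflags,nosmurfs
branch    gre1         -
#branch   tun0         -

# /etc/shorewall/tunnels
# The ipsec entry admits IKE (UDP 500) plus ESP/AH between this host and the
# peer. With transport-mode IPsec the decrypted GRE packets re-enter netfilter
# on eth0 as IP protocol 47 from the same peer address, which is why the gre
# entry is needed as well; without it the inner packets are dropped by the
# net zone policy even though the ESP was accepted.
#TYPE               ZONE    GATEWAY          GATEWAY_ZONE
ipsec               net     198.51.100.1
gre                 net     198.51.100.1
# OpenVPN alternative: the whole tunnel is a single UDP port, nothing else.
#openvpn:udp:1194   net     198.51.100.1

# /etc/shorewall/policy
# Tunnel traffic gets its own zone and policy instead of riding on the net
# zone's DROP; a loc zone for the local LAN is omitted to keep this short.
#SOURCE   DEST      POLICY    LOG LEVEL
fw        all       ACCEPT
branch    fw        ACCEPT
net       all       DROP      info
all       all       REJECT    info
```

The point of the `gre` line is the one Josh was stuck on: the firewall sees the GRE packets twice, once encrypted inside ESP and once in the clear after the kernel's IPsec decapsulation, and each pass needs its own accept. With OpenVPN there is no second pass, which is what makes its firewall rules "trivial" in Andrew's words.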
