From experience and what I've read, IPSEC is easy to set up and work
with where there is no NATting/firewalling.

Where there is NATting/firewalling, IPSEC or the firewall/NAT is not so
trivial to set up.

Your choice is based on the amount of time you are ready to spend. In
this two-site scenario, I can bet that OpenVPN would take less than
1 hr from scratch!

And as Tom has said in his two mails IPSEC/GRE is not so simple in
theory either!

*Just a very happy user of OpenVPN*

Ditched IPSEC after about a week of effort to set up IPSEC in all our
required scenarios. Then was in awe when I managed to do the same
within 1 hour with OpenVPN from scratch (reading the documentation
included). Never looked back.

Prasanna.

On 1/5/07, Joshua Perry <[EMAIL PROTECTED]> wrote:
> Hey Andrew, OpenVPN sounds interesting, and I did breeze past it a couple
> of times while researching branch office VPN solutions.  There are a couple
> of reasons that I went with IPSec; I don't know if they really hold any weight,
> but here is my thought pattern.
>
> -GRE/IPSec is pretty industry standard at this point, our Cisco gear
> supports it, our Watchguard supports it, so if I needed to I would be able
> to support something besides a remote PC host.
>
> -Besides the IKE, the encryption is done in kernel mode which is bound to
> improve throughput, I don't know if that is really a bottleneck with our
> infrastructure so it's something that I would love to benchmark against
> OpenVPN.  We do a lot of large file transfers as we are a large format
> digital print company (billboards, trade show booths, etc...).
>
> -GRE and IPSec are integrated in the OS pretty tightly, not just the kernel
> support but it is also supported natively by Gentoo's network setup scripts.
>
> -It is simple :) perhaps not as simple as OpenVPN to set up, but simple as in
> not quite as overkill as OpenVPN, I merely wanted to encrypt data between
> two hosts, the setup definitely was not OE but it didn't take more than 30
> minutes to configure.  Once that worked, the GRE tunnel went up in another 5
> minutes and really transport mode IPSec is pretty transparent to the GRE
> tunnel. I was passing and routing traffic with no problems.
>
> So it kind of fit my requirements better, not that OpenVPN doesn't which I
> will probably give a try, but it seemed a better fit.  The problem didn't
> come until I wanted to put a firewall up to secure the box against the harsh
> internet.  I decided to try shorewall because I didn't really want to manage
> iptables chains by hand and that is where I have been having problems.  I
> first tried intersecting the IPSec and the GRE tutorial documents and then I
> have been trying to understand how shorewall translates its
> zone/policies/interfaces into IPTables rules and chains as I was not able to
> find any information specifically on opening up IPSec protected GRE
> anywhere.
>
> So, I guess this may over all be a configuration that is not supported by
> shorewall.  If that is the case I guess I have the options of managing the
> chains by hand or using OpenVPN instead of GRE over IPSec.
>
> Thank you for the input.
>
> Josh
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Andrew
> Suffield
> Sent: Thursday, January 04, 2007 7:43 PM
> To: [email protected]
> Subject: Re: [Shorewall-users] GRE over IPSec VPN
>
> On Thu, Jan 04, 2007 at 05:11:07PM -0700, Joshua Perry wrote:
> > I'm not sure what to do at this point
>
> Consider using openvpn instead? Chances are it does everything you
> need and would be far less work to set up (the firewall rules are
> trivial; the openvpn config files can be understood in less than an
> hour and take about five minutes to write, and then it should be
> working).
>
> You didn't say, but since your diagram shows a pair of private
> networks, I'm assuming that you control both endpoints and aren't
> trying to connect to somebody else's insanity (if you are, I can only
> offer my condolences, ipsec+GRE is about as bad as it gets).
>
>
> I'm not sure why people always leap for ipsec, it's probably the most
> complicated option available - only the most fiendishly sophisticated
> systems need it, it is sheer masochism for everybody else. And if
> you're using linux instead of a cisco router, it's pretty unlikely
> that you need to be using GRE for anything.
>
> Perhaps it would help if all the pages on shorewall.net relating to
> ipsec, pptp, and any other tunneling protocols had a big banner on the
> top saying:
>
> ************************************************************************
> *  ____ _____ ___  ____                                                *
> * / ___|_   _/ _ \|  _ \                                               *
> * \___ \ | || | | | |_) |                                              *
> *  ___) || || |_| |  __/                                               *
> * |____/ |_| \___/|_|                                                  *
> *                                                                      *
> * If you just want to hook two linux systems together with a VPN over  *
> * the Internet, this is almost certainly overkill. Consider reading    *
> * http://shorewall.net/OPENVPN.html instead, it's much easier.         *
> ************************************************************************
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

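The firewall question that started the thread (which rules let an IPsec-transport-mode GRE tunnel through a Linux box, versus the "trivial" OpenVPN rules Andrew mentions) is never actually answered above. What follows is an added example, not code from any of the posters or from the Shorewall project: a POSIX shell script that emits plain iptables rules for both designs so they can be compared side by side. The peer address 203.0.113.2, the interfaces eth0, gre1 and tun0, and the OpenVPN port 1194 are constructed assumptions. The script prints the commands instead of applying them, so the output can be inspected and then piped to sh on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# Emits iptables rules for (a) GRE protected by transport-mode IPsec and
# (b) an OpenVPN tunnel, so the two rule sets can be compared side by side.
# Assumptions (constructed): peer 203.0.113.2, external interface eth0,
# GRE interface gre1, OpenVPN interface tun0 on UDP 1194.
# Nothing is applied here; pipe the output to sh on the firewall to apply it.

gre_ipsec_rules() {
    peer="$1"    # public address of the remote IPsec/GRE endpoint
    wan="$2"     # external interface the encrypted traffic arrives on
    gre_if="$3"  # GRE tunnel interface carrying the decapsulated traffic
    cat <<EOF
# IKE on UDP 500, plus UDP 4500 in case NAT traversal gets negotiated
iptables -A INPUT -i $wan -p udp -s $peer --dport 500 -j ACCEPT
iptables -A INPUT -i $wan -p udp -s $peer --dport 4500 -j ACCEPT
# ESP (IP protocol 50) carries the encrypted GRE packets
iptables -A INPUT -i $wan -p esp -s $peer -j ACCEPT
# GRE (IP protocol 47) is accepted only if the kernel has already decrypted it
# from an ESP transport-mode SA with this peer (xt_policy match). Cleartext GRE
# spoofed from the peer's address fails the match and hits the DROP below.
iptables -A INPUT -i $wan -p gre -s $peer -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
iptables -A OUTPUT -o $wan -p gre -d $peer -m policy --dir out --pol ipsec --proto esp --mode transport -j ACCEPT
iptables -A INPUT -p gre -j DROP
# Traffic inside the tunnel shows up on $gre_if; filter it like any other zone
iptables -A FORWARD -i $gre_if -j ACCEPT
iptables -A FORWARD -o $gre_if -j ACCEPT
EOF
}

openvpn_rules() {
    peer="$1"    # public address of the remote OpenVPN endpoint
    wan="$2"     # external interface
    tun_if="$3"  # tun/tap interface OpenVPN creates
    port="$4"    # OpenVPN UDP port
    cat <<EOF
# One UDP port carries both key exchange and data; no extra IP protocol to open
iptables -A INPUT -i $wan -p udp -s $peer --dport $port -j ACCEPT
# Decrypted traffic shows up on $tun_if; OpenVPN has authenticated the peer
# before anything reaches this interface, so interface-based zoning is enough
iptables -A FORWARD -i $tun_if -j ACCEPT
iptables -A FORWARD -o $tun_if -j ACCEPT
EOF
}

# Number of rules a design needs on the external interface, for comparison
wan_rule_count() {
    wan="$1"
    printf '%s\n' "$2" | grep -c -- " -i $wan "
}

echo "### GRE over IPsec (transport mode)"
gre_ipsec_rules 203.0.113.2 eth0 gre1
echo
echo "### OpenVPN"
openvpn_rules 203.0.113.2 eth0 tun0 1194
```

The security-relevant line is the GRE ACCEPT with `-m policy --dir in --pol ipsec`: without it, a rule that simply accepts protocol 47 from the peer's address also accepts unencrypted GRE from anyone who can spoof that source, which silently bypasses the IPsec protection. The OpenVPN variant needs a single inbound rule on the external interface because the tunnel is one UDP socket and peer authentication happens inside the protocol.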