IPSec is not a recommended solution nowadays. OpenVPN runs on top of a single udp or tcp port, so it usually works on strictly firewalled places like in hotels and so on.

--
Eero

2016-04-04 23:18 GMT+03:00 Gordon Messmer <gordon.messmer at gmail.com>:

> On 04/04/2016 10:57 AM, david wrote:
>
>> I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and
>> probably others I haven't noted). I'd be interested in hearing from anyone
>> who wishes to comment about which to use, with the following requirements:
>
> I recommend l2tp/ipsec. It's supported out of the box on a wide variety
> of client platforms, which means significantly less work to set up the
> clients.
>
> OpenVPN is a popular choice, and it's fine for most people. It's more
> work to set up than l2tp/ipsec, typically. We used it for quite a while at
> my previous employer, though ultimately dropped it because the Windows GUI
> requires admin rights to run, and we didn't want to continue giving admin
> rights to the users we supported.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

OpenVPN is the best open source VPN for me. It can connect to any connection such as airport, hotel, restaurant, resorts, malls; it never let me down. And configuration is easy for those who have an idea of what they want to achieve.

On Tuesday, 5 April 2016, Eero Volotinen <eero.volotinen at iki.fi> wrote:

> IPSec is not a recommended solution nowadays. OpenVPN runs on top of a single udp
> or tcp port, so it usually works on strictly firewalled places like in
> hotels and so on.
>
> --
> Eero

On 05.04.2016 at 12:46, Francis Mendoza <francis at mytechrepublic.com> wrote:

> OpenVPN is the best open source VPN for me. It can connect to any connection
> such as airport, hotel, restaurant, resorts, malls; it never let me down.
> And configuration is easy for those who have an idea of what they want to
> achieve.

"easy" is qualitative - PKI is the core of an OpenVPN infrastructure and not trivial anyway. As someone stated before, privacy/security is complex, everything else is a product.

IMHO: IPSec-VPN is a bit more complex than an SSL-VPN like OpenVPN. I even sometimes use an SSL-VPN connection over an IPSec-VPN.

--
LF

How is IPSec "not a recommended solution nowadays"?

I tend to use IPSec for site-to-site connections, i.e. the ones that run 24/7 and only require two experienced people to set up (the admins at both endpoints).
For host-to-site setups I prefer OpenVPN since explaining to end users how to set up an ipsec connection is nigh impossible, whereas with OpenVPN I can simply tell them to install the software and then unzip an archive into a directory and they are done.

Regards,
Dennis

On 05.04.2016 09:07, Eero Volotinen wrote:

> IPSec is not a recommended solution nowadays. OpenVPN runs on top of a single udp
> or tcp port, so it usually works on strictly firewalled places like in
> hotels and so on.
>
> --
> Eero

Well. IPSec might work with site-to-site connections, but usually roadwarrior mode users experience (a lot of) problems. They might be related to hotels that only allow https, http and dns protocols, or broken nat implementations and so on.

--
Eero

2016-04-05 18:52 GMT+03:00 Dennis Jacobfeuerborn <dennisml at conversis.de>:

> How is IPSec "not a recommended solution nowadays"?
>
> I tend to use IPSec for site-to-site connections, i.e. the ones that run
> 24/7 and only require two experienced people to set up (the admins at
> both endpoints).
> For host-to-site setups I prefer OpenVPN since explaining to end users
> how to set up an ipsec connection is nigh impossible, whereas with
> OpenVPN I can simply tell them to install the software and then unzip an
> archive into a directory and they are done.
>
> Regards,
> Dennis

On 04/05/2016 12:07 AM, Eero Volotinen wrote:

> IPSec is not recommended solution nowdays. OpenVPN runs top of single udp
> or tcp port, so it usually works on strictly firewalled places like in
> hotels and so on.

IPSec is typically encapsulated on UDP port 4500, due to the ubiquity of NAT. OpenVPN doesn't really have an advantage, there.

On 04/05/2016 08:52 AM, Dennis Jacobfeuerborn wrote:

> For host-to-site setups I prefer OpenVPN since explaining to endusers
> how to set up an ipsec connection is nigh impossible

So, send them a powershell script:

    Add-VpnConnection -Name "My VPN" -ServerAddress "vpn.example.com" -AuthenticationMethod PAP -TunnelType L2TP -L2tpPsk "whyareyouusingapsk?" -AllUserConnection -Force -RememberCredential -PassThru -SplitTunneling

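Added example, not part of the message above or of the original thread: a PowerShell check that flags Windows VPN profiles using the settings that appear in that one-liner (PAP authentication, an L2TP pre-shared key) or a non-mandatory encryption level. The function name `Test-VpnProfile` and the sample profiles are hypothetical and constructed for illustration; the property names are assumed to match what `Get-VpnConnection` returns.

```powershell
# Added example: audit VPN profiles for PAP, L2TP pre-shared keys and
# optional encryption. Test-VpnProfile is a hypothetical helper name.
function Test-VpnProfile {
    param([Parameter(Mandatory, ValueFromPipeline)] $Connection)
    process {
        $findings = @()
        # PAP hands the password itself to the server, with no challenge-response.
        if ($Connection.AuthenticationMethod -contains 'Pap') {
            $findings += 'PAP authentication enabled'
        }
        # A key shared by every client authenticates the group, not the gateway
        # or the individual machine.
        if ($Connection.TunnelType -eq 'L2tp' -and $Connection.L2tpIPsecAuth -eq 'Psk') {
            $findings += 'L2TP/IPsec uses a pre-shared key instead of certificates'
        }
        # Anything below Required lets the session come up without encryption.
        if ($Connection.EncryptionLevel -in 'NoEncryption', 'Optional') {
            $findings += "Encryption level is $($Connection.EncryptionLevel)"
        }
        [pscustomobject]@{
            Name     = $Connection.Name
            Findings = $findings
            Pass     = ($findings.Count -eq 0)
        }
    }
}

# Constructed sample profiles so the check can be exercised offline.
$sample = @(
    [pscustomobject]@{ Name = 'My VPN'; TunnelType = 'L2tp'
                       AuthenticationMethod = @('Pap')
                       L2tpIPsecAuth = 'Psk'; EncryptionLevel = 'Optional' },
    [pscustomobject]@{ Name = 'Cert VPN'; TunnelType = 'Ikev2'
                       AuthenticationMethod = @('MachineCertificate')
                       L2tpIPsecAuth = 'Certificate'; EncryptionLevel = 'Required' }
)
$sample | Test-VpnProfile | Format-List

# On a client, audit the installed profiles instead:
# Get-VpnConnection -AllUserConnection | Test-VpnProfile
```
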
Yes, openvpn works on any single udp or tcp port. In many hotels only http, https and dns are allowed. So you just can't use ipsec, but openvpn works as it's usually configured to listen on the https port.

--
Eero

2016-04-05 19:30 GMT+03:00 Gordon Messmer <gordon.messmer at gmail.com>:

> IPSec is typically encapsulated on UDP port 4500, due to the ubiquity of
> NAT. OpenVPN doesn't really have an advantage, there.