While I have concentrated on support for 2.6 native IPSEC in release 2.2.0, I am still of the opinion that unless you absolutely need IPSEC compatibility that OpenVPN is a much easier (and in the case of roadwarriors, a much better) solution.

Having already generated all of the required X.509 certificates, it took me less than 1/2 hr to replace my IPSEC testbed with an OpenVPN one using the new tls-server and tls-client facility. That facility makes setting up a roadwarrior configuration a breeze.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> While I have concentrated on support for 2.6 native IPSEC in release
> 2.2.0, I am still of the opinion that unless you absolutely need IPSEC
> compatibility that OpenVPN is a much easier (and in the case of
> roadwarriors, a much better) solution.
>
> Having already generated all of the required X.509 certificates, it took
> me less than 1/2 hr to replace my IPSEC testbed with an OpenVPN one
> using the new tls-server and tls-client facility. That facility makes
> setting up a roadwarrior configuration a breeze.

totally agree! it'd be useful to mention in shorewall's vpn documentation too :-)

--
Levente "Si vis pacem para bellum!"

On Mon, 2004-12-20 at 11:45 +0100, Farkas Levente wrote:
> totally agree! it'd be useful to mention in shorewall's vpn
> documentation too :-)

I'll do that when I have the time.

-Tom

Tom Eastep wrote:
> While I have concentrated on support for 2.6 native IPSEC in release
> 2.2.0, I am still of the opinion that unless you absolutely need IPSEC
> compatibility that OpenVPN is a much easier (and in the case of
> roadwarriors, a much better) solution.
>
> Having already generated all of the required X.509 certificates, it took
> me less than 1/2 hr to replace my IPSEC testbed with an OpenVPN one
> using the new tls-server and tls-client facility. That facility makes
> setting up a roadwarrior configuration a breeze.

Well, after getting right bits together, kernel-wise, I've IPsec to be pretty smooth. I'm going to even go near the roadwarrior thing though, for that I intend to use OpenVPN.

At the end of the day, IPsec is about transport mode, not tunneling. That's where it really shines.

My $0.02.

A.

On Mon, 2004-12-20 at 13:01 -0500, Adam Sherman wrote:
> At the end of the day, IPsec is about transport mode, not tunneling.
> That's where it really shines.

I mostly agree -- I do find that tunnel mode works very well as a means of securing a wireless network though (see http://shorewall.net/myfiles.htm).

-Tom

Tom Eastep wrote:
>> At the end of the day, IPsec is about transport mode, not tunneling.
>> That's where it really shines.
>
> I mostly agree -- I do find that tunnel mode works very well as a means
> of securing a wireless network though (see
> http://shorewall.net/myfiles.htm).

Right. What reasons do you have for using IPsec over OpenVPN in this context?

A.

On Sun, 2004-12-26 at 19:19 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
> >> At the end of the day, IPsec is about transport mode, not tunneling.
> >> That's where it really shines.
> >
> > I mostly agree -- I do find that tunnel mode works very well as a means
> > of securing a wireless network though (see
> > http://shorewall.net/myfiles.htm).
>
> Right. What reasons do you have for using IPsec over OpenVPN in this
> context?

So I'll have a working IPSEC testbed :-)

-Tom