[pfSense] Open VPN or IPSec for site to site VPNs
Jim Pingle
lists at pingle.org
Fri Apr 20 14:08:17 EDT 2012
On 4/20/2012 12:23 PM, Gavin Will wrote:
> Traditionally used IPsec VPNs for site-to-site links; however, with replacing remote site routers with pfSense boxes, I thought about using OpenVPN instead.
>
> Any pros/cons?
>
> I quite like the ability to push a route easily with OpenVPN.
Off the top of my head...
Pros for OpenVPN:
* Plays nicer with NAT and other intermediate filtering, since it only requires a single UDP or TCP port
* Able to route traffic arbitrarily on a basic VPN setup
* No issues with reconnecting/disconnecting
* Easy to add secondary peers
* Very easy to set up a remote access VPN with authentication
* Shared key mode works well with OSPF for dynamic routing
Cons for OpenVPN:
* Little in the way of vendor compatibility, mainly only found on OSS firewalls
* People have a tendency to fear the unknown so they don't try it, or dislike it because it's unfamiliar. Once they drink the kool-aid though, they rarely stop. :-)
Pros for IPsec:
* Long-lived standard
* Many implementations on many devices, can usually build a tunnel to just about anything
* Fairly easy to build a tunnel between two firewalls
* Familiarity, many people use it because they have used it before.
Cons for IPsec:
* Long history of problems reconnecting/rebuilding tunnels
* Rare for devices to support multiple peers
* Implementations between vendors can often have quirks
* Requires both UDP and ESP for tunneled traffic
* Remote access/mobile clients can have issues, but may work (see our ticket system for open issues)
* Lots of problems traversing NAT or behind restrictive firewalls/networks
* Routing arbitrary networks (not using Phase 2s in tunnel mode) requires IPsec in transport mode + GIF/GRE, which few vendors support.
Jim
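Jim's point that OpenVPN needs only a single UDP or TCP port while IPsec needs UDP plus ESP is easiest to see against a concrete filter policy. The following is an added example and is not code from the original post or from pfSense: it models a simplified first-match stateful filter, lists the traffic classes each VPN type must get through it, and reports which of them a given policy blocks. The port 1194, the rule sets and the policy names are constructed for illustration; the NAT-T profile assumes both peers support NAT-T and that a NAT is detected on the path, so ESP is UDP-encapsulated on 4500 instead of sent as IP protocol 50.

```python
"""Which site-to-site VPN types can get through a given intermediate filter?

Added example, not from the original mailing-list post. The policies below are
constructed samples, not a description of any real network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Flow:
    """One traffic class a VPN needs to pass through an intermediate filter."""
    proto: str                  # "udp", "tcp", or "esp" (IP protocol 50, has no ports)
    dport: Optional[int] = None
    note: str = ""


@dataclass(frozen=True)
class Rule:
    """A simplified filter rule; the first matching rule decides the verdict."""
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port (always None for esp)


# Traffic each VPN type must get through the filter for a site-to-site tunnel.
REQUIRED: Dict[str, Sequence[Flow]] = {
    # OpenVPN multiplexes control and data over the one configured port.
    "openvpn": (Flow("udp", 1194, "control + data on a single port"),),
    # Classic IPsec: IKE negotiates on UDP/500, then data rides in ESP (protocol 50).
    "ipsec": (Flow("udp", 500, "IKE"), Flow("esp", None, "tunnelled data")),
    # IPsec with NAT-T (assumed negotiated): IKE floats to UDP/4500 and ESP is
    # UDP-encapsulated there, so protocol 50 is no longer needed on the path.
    "ipsec-natt": (Flow("udp", 500, "IKE"),
                   Flow("udp", 4500, "NAT-T: IKE + UDP-encapsulated ESP")),
}


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every field it constrains agrees with the flow."""
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def decide(policy: Sequence[Rule], flow: Flow, default: str = "block") -> str:
    """First-match evaluation with a default-deny fallthrough."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action
    return default


def blocked_flows(policy: Sequence[Rule], vpn: str) -> List[Flow]:
    """Required flows of the given VPN type that the policy does not pass."""
    return [f for f in REQUIRED[vpn] if decide(policy, f) != "pass"]


def can_establish(policy: Sequence[Rule], vpn: str) -> bool:
    return not blocked_flows(policy, vpn)


# Constructed sample policies (not taken from any real deployment).
POLICIES: Dict[str, List[Rule]] = {
    # Guest-style egress filter: DNS, HTTPS and one VPN port only.
    "guest_egress": [Rule("pass", "udp", 53), Rule("pass", "tcp", 443),
                     Rule("pass", "udp", 1194)],
    # Admin opened the IKE ports but forgot that ESP is a separate IP protocol.
    "ike_only": [Rule("pass", "udp", 500), Rule("pass", "udp", 4500)],
    # Fully IPsec-friendly edge: IKE, NAT-T and raw ESP all pass.
    "ipsec_ready": [Rule("pass", "udp", 500), Rule("pass", "udp", 4500),
                    Rule("pass", "esp")],
}


def report(policy_name: str) -> Dict[str, List[str]]:
    """Map each VPN type to a readable list of what the named policy blocks."""
    policy = POLICIES[policy_name]
    out: Dict[str, List[str]] = {}
    for vpn in REQUIRED:
        out[vpn] = [
            f"{f.proto}{'/' + str(f.dport) if f.dport else ''} ({f.note})"
            for f in blocked_flows(policy, vpn)
        ]
    return out


if __name__ == "__main__":
    for name in POLICIES:
        print(name)
        for vpn, blocked in report(name).items():
            status = "OK" if not blocked else "blocked: " + ", ".join(blocked)
            print(f"  {vpn:11s} {status}")
```

Running it shows the two failure modes Jim lists for IPsec: behind the guest-style filter only OpenVPN comes up, and on the "ike_only" policy classic IPsec still fails because ESP is an IP protocol rather than a port and needs its own pass rule, while the NAT-T profile survives on UDP/4500 alone.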