On Tue, 2005-10-25 at 00:51 -0700, Kenneth Porter wrote:
> --On Monday, October 24, 2005 9:53 PM -0400 Leonard Isham
> <leonard.isham@xxxxxxxxx> wrote:
>
> > OpenVPN gets my vote. www.openvpn.net
>
> Agreed. It runs over SSL instead of IPSec, almost completely in userspace,

No, it does not "run over" SSL. It uses SSL/TLS for its key management (the equivalent of Pluto/Racoon/IKE in IPSec land) but then uses ESPinUDP encapsulation (very MUCH like IPSec NAT-T) for the actual transport (as described in the OpenVPN documentation). Just because it also states elsewhere that it uses SSL or that it is based on SSL, it does not mean that it runs "over" SSL/TLS (which would require a TCP transport anyway, and OpenVPN is normally UDP based with an option to run over TCP).

But you are correct, it does run almost completely in userspace. Which is why its performance is relatively poor compared to IPSec in high traffic environments. It also does not scale well in semi-mesh or full-mesh VPN environments. The newer 2.x server mode helps out with server-centric or "star" VPNs, but the peer-to-peer mode gets really unwieldy if you are putting together more than a small number of systems (in peer-to-peer mode each system requires unique endpoint UDP ports and you rapidly run into n^2 scaling problems for full mesh).

> which I find is easier to set up. The stock Fedora kernel includes the
> required kernel tun/tap device, so you don't need a custom kernel, nor
> special router support. If you can open a ssh or https connection to your
> VPN server, then you can get to it with OpenVPN, assuming the port is open.
> ISPs don't see it as "VPN". (Some forbid VPN connections.)

You don't need a custom kernel nor special router support for IPSec either (you're a couple of years out of date with that information). IPSec is already in the 2.6 kernels and you've got two choices for the IKE side of things on FC4, OpenSWAN and IPSec-tools.

OpenSWAN (pluto for IKE) isn't much more difficult to set up than OpenVPN and can even be easier in some environments. IPSec-tools is the KAME based Racoon (IKE) and setkey package for those with masochistic tendencies and desires to monkey with all the little nuts and bolts of IPSec. Either can be installed from yum just as easily as openvpn. Both support IPSec NAT-T (IPSec ESPinUDP encapsulation over 4500/udp) and work over NAT devices just fine.

For larger VPNs with a lot of systems, certificate based OpenSWAN can be a lot easier to set up than OpenVPN, particularly if you have to set up OpenVPN in peer-to-peer mode where each connection requires configuring unique UDP endpoint ports. OpenVPN server mode can help with its address pool technique, and they're coming out with some newer tricks for handing out and routing addresses in server mode that haven't quite made it to release yet. But that doesn't help out much once you get away from a star topology. OpenVPN needs to implement a server-to-server mode before they can really address that.

OTOH... If what you are looking for is bridging or transporting of non-IP protocols, then OpenVPN is definitely the choice to go with, using the tap device instead of the tun device.

One interesting (to me at least) advantage of OpenVPN over IPSec is that it can directly tunnel IPv6 over an IPv4 tunnel. With IPSec, you additionally have to build a SIT tunnel to encapsulate the IPv6 in IPv4 and THEN run that over the IPSec tunnel. :-( The Join project out of Germany was using OpenVPN as an IPv6 tunnel broker service. They even turned off encryption, since all they wanted was the UDP encapsulation of IPv6 running over IPv4 and they couldn't afford the performance hit and scaling problems. I'm using it in this way for my own personal tunnel broker service when I'm running roadwarrior and want IPv6 from wherever I'm located and I don't want to dink with 6to4 (which sucks over NAT).

For the record... I've got all of the above, IPSec (AH/ESP), IPSec NAT-T, and OpenVPN VPN, in place at several locations (some side by side on my tunnel anchors even) for IPv4 and IPv6. My recommendation would be based on the intended application and environment. If your application is performance sensitive or involves a large number of connections or something more complicated than a simple star, then I would go with IPSec. If you have to also traverse NATs, then IPSec NAT-T. Not performance sensitive or scaling sensitive, then OpenVPN is just fine and probably easier to set up for smaller VPNs.

Also for the record (regarding the CIPE comment in the original article)... It wasn't RedHat or Fedora that abandoned CIPE. The author abandoned it and it's been an orphan for about 2 years now. Last I looked, he hadn't posted to his own mailing list (even to respond to repeated requests) in over 18 months (this may have changed - last I looked was a couple of months ago). This is even after some security problems have cropped up. Anyone who IS using CIPE should probably STOP using CIPE.

Mike
-- 
Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois: MHW9       |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
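The n^2 remark about OpenVPN peer-to-peer mode, made concrete as an added example that is not part of the post above: it enumerates the per-link UDP ports and static-key p2p configs a full mesh needs versus the one-server star that 2.x server mode gives you. Host names, the 10.99.x.x link addresses and the 1194 base port are constructed placeholders.

```python
# Added example, not from the mailing-list post: compares the per-link
# configuration burden of OpenVPN peer-to-peer (static-key) mode in a
# full mesh against a server-mode star. Hosts, addresses and the base
# port are constructed placeholders.
from itertools import combinations

BASE_PORT = 1194  # constructed; each p2p link below gets its own port


def mesh_links(hosts):
    """One OpenVPN p2p instance per pair of hosts; every pair needs its
    own UDP port on both ends, so links grow as n(n-1)/2."""
    pairs = combinations(hosts, 2)
    return [(a, b, BASE_PORT + i) for i, (a, b) in enumerate(pairs)]


def star_links(hosts):
    """Server mode: the first host is the hub, the rest are clients that
    all talk to the same server port."""
    hub, *spokes = hosts
    return [(hub, s, BASE_PORT) for s in spokes]


def p2p_config(local, remote, port, link_idx):
    """Minimal static-key p2p config for one end of one mesh link, using
    OpenVPN 2.x directives (dev, remote, port, ifconfig, secret)."""
    return "\n".join([
        f"# link {local} <-> {remote}",
        "dev tun",
        f"remote {remote} {port}",
        f"port {port}",
        f"ifconfig 10.99.{link_idx}.1 10.99.{link_idx}.2",  # constructed
        f"secret {local}-{remote}.key",  # one pre-shared key per link
    ])


def mesh_config_count(hosts):
    """Distinct p2p configs to maintain: two per link, one on each end."""
    return 2 * len(mesh_links(hosts))


def star_config_count(hosts):
    """Server mode: one server config plus one client config per spoke."""
    return 1 + len(star_links(hosts))


def ports_per_host(hosts):
    """UDP ports each host must open in the mesh (one per peer)."""
    return {h: sorted(p for a, b, p in mesh_links(hosts) if h in (a, b))
            for h in hosts}
```

Running `mesh_config_count` and `star_config_count` over a growing host list shows the mesh figure climbing quadratically while the star stays at n, which is the scaling point the post makes.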