[CentOS] Optimal VPN

Fri Dec 10 13:48:22 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 12/10/10 2:42 AM, David Sommerseth wrote:
> On 09/12/10 17:29, Steve Clark wrote:
>> On 12/09/2010 10:30 AM, David Sommerseth wrote:
>>> On 25/11/10 14:12, J.Witvliet at mindef.nl wrote:
> [...snip...]
>>>
>>>> Furthermore, openvpn is only compatible with openvpn, while using ipsec you might be able to connect to other boxes.
>>>>
>>> That is mostly true, except for those vendors adding their own
>>> proprietary extensions to their ipsec implementations ... thus making it
>>> a vendor lock-in again.
>>>
>>>
>> Hmm... We run ipsec (using ipsec-tools on both Linux and FreeBSD)
>> to Cisco, Juniper, NetScreen and many others without problem.
>> What vendors are you talking about?
>
> I don't have personal hands-on experience with ipsec issues.  However, I
> would expect things to work flawlessly as long as you don't enable
> vendor specific features, or if you enable compatible features.
>
> <http://www.veiligmobiel.com/IPsecCompatibility.htm>
>
> And I believe there will be even more differences if you try to use a
> "tunnelled" setup versus a "transport" setup, where the tunnelled mode
> will act more like an SSL-based VPN.  If I have understood it correctly.

On Ciscos I've always run GRE tunnels with only the GRE packets going through 
ipsec to get interfaces that can handle dynamic routing protocols, multicast, 
etc.  Is there a way to get that kind of tunnel interface with ipsec alone?

-- 
   Les Mikesell
    lesmikesell at gmail.com