On Dec 10, 2010, at 8:48 AM, Les Mikesell <lesmikesell at gmail.com> wrote:

> On 12/10/10 2:42 AM, David Sommerseth wrote:
>> On 09/12/10 17:29, Steve Clark wrote:
>>> On 12/09/2010 10:30 AM, David Sommerseth wrote:
>>>> On 25/11/10 14:12, J.Witvliet at mindef.nl wrote:
>> [...snip...]
>>>>
>>>>> Furthermore, openvpn is only compatible with openvpn, while using ipsec you might be able to connect to other boxes.
>>>>>
>>>> That is mostly true, except for those vendors adding their own
>>>> proprietary extensions to their ipsec implementations ... thus making it
>>>> a vendor lock-in again.
>>>>
>>>>
>>> Hmm... We run ipsec, (using ipsec-tools on both Linux and FreeBSD),
>>> to Cisco, Juniper, NetScreen and many others without problem.
>>> What vendors are you talking about?
>>
>> I don't have personal hands-on experience with ipsec issues. However, I
>> would expect things to work flawlessly as long as you don't enable
>> vendor specific features, or if you enable compatible features.
>>
>> <http://www.veiligmobiel.com/IPsecCompatibility.htm>
>>
>> And I believe there will be even more differences if you try to use a
>> "tunnelled" setup versus a "transport" setup, where the tunnelled mode
>> will act more like an SSL based VPN. If I have understood it correctly.
>
> On Ciscos I've always run GRE tunnels with only the GRE packets going through
> ipsec to get interfaces that can handle dynamic routing protocols, multicast,
> etc. Is there a way to get that kind of tunnel interface with ipsec alone?

No, because IPSec tunnel mode works for a given routable network segment and multicast routing isn't handled. I too use GRE tunnels over IPSec transport mode for site-to-site connectivity, so I can support OSPF and other multicast protocols. For road warriors I use either l2tp (windows) or openvpn (Linux).

-Ross
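The GRE-over-IPsec-transport arrangement Les and Ross describe, as an added example that is not part of this thread, written for Linux with ipsec-tools (the stack Steve mentioned). The public endpoint and tunnel addresses are placeholder assumptions, and racoon still needs a matching peer entry for IKE; the script only prints the configuration unless run with `--apply` as root.

```shell
#!/bin/sh
# Added example: protect only GRE (IP protocol 47) between two sites with ESP
# in transport mode, then run OSPF/multicast over the GRE interface.
# All addresses below are constructed placeholders (RFC 5737 documentation ranges).
LOCAL_PUB=${LOCAL_PUB:-198.51.100.1}    # this site's public address
REMOTE_PUB=${REMOTE_PUB:-203.0.113.1}   # peer site's public address
TUN_LOCAL=${TUN_LOCAL:-10.255.0.1}      # this end of the /30 tunnel link
TUN_IF=${TUN_IF:-gre1}

# setkey(8) SPD policy: require ESP transport mode for GRE packets between the
# two public addresses only. Plain Internet traffic from these hosts is untouched,
# and nothing else needs to be "routed into" IPsec; GRE does the encapsulation.
gre_spd_policy() {
    cat <<EOF
flush;
spdflush;
spdadd $LOCAL_PUB $REMOTE_PUB gre -P out ipsec esp/transport//require;
spdadd $REMOTE_PUB $LOCAL_PUB gre -P in ipsec esp/transport//require;
EOF
}

# The GRE interface is a real point-to-point link, so OSPF hellos (224.0.0.5)
# and other multicast are carried inside GRE, which ESP then protects.
gre_tunnel_cmds() {
    cat <<EOF
ip tunnel add $TUN_IF mode gre local $LOCAL_PUB remote $REMOTE_PUB ttl 64
ip addr add $TUN_LOCAL/30 dev $TUN_IF
ip link set dev $TUN_IF multicast on
ip link set dev $TUN_IF up
EOF
}

# Post-check: with "require" in the SPD, GRE is dropped rather than sent in
# the clear until racoon has negotiated an SA, so confirm one exists.
gre_check_cmds() {
    cat <<EOF
setkey -D | grep -E "^$LOCAL_PUB $REMOTE_PUB|mode=transport" || echo "no SA yet: check racoon"
EOF
}

if [ "$1" = "--apply" ]; then
    gre_spd_policy | setkey -c      # load SPD entries
    gre_tunnel_cmds | sh            # build the GRE interface
    gre_check_cmds | sh
else
    gre_spd_policy
    gre_tunnel_cmds
    gre_check_cmds
fi
```

The mirror image of the SPD entries (addresses swapped) goes on the peer; the FreeBSD ipsec-tools build takes the same setkey syntax, with `ifconfig gre0 create` in place of `ip tunnel add`.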