[talk] VPNs: Choosing between OpenVPN and L2TP/IPsec

Isaac (.ike) Levy ike at blackskyresearch.net
Sun Apr 19 13:29:53 EDT 2015


Hi All,

So I thought folks here may have words on a topic which has hit this
list in years past: VPN choices.

Choices are great, but now I'm trying to choose one. :)

Until recently I've been able to escape the complexity altogether, but
now I have need to roll out and manage roving VPN connectivity, and I'm
in a quandary with which tech to start with, and would love to hear any
experiences or tidbits on each.

THE CHOICES, AS I SEE IT
--

PPTP - off the table, deader than dead.

L2TP/IPsec - Contender
+ easy/reliable cert-based client integration (mostly Macs for my world)
+ well worn (many platforms, many years now)
- IPsec traffic hassles from clients in restrictive/unreliable networks
- These days I shy away from the muddled state of IPsec (1)
- Troubleshooting issues: difficult, complex and opaque in tooling.

OpenVPN - Contender
+ Robust reliability on restrictive/unreliable networks
+ Clear cert-based client integration on many platforms
- Needs third party software for most user applications
- less well worn (some sharp edges here and there for users)
+ and -, SSL based crypto transport
- OpenSSL base (2)


ENDLESS QUESTIONS
---
What's it like for users these days?
What's it like for administrators these days?
Multi-factor auth?  Key management?
What networking 'gotchas' are folks dealing with?
Anyone rockin' IPv6 inside/outside their tunnels (I'll be trying...)?
What crypto concerns do folks here have?

Even anecdotes about life with commercial products at either end are
informative, although I'm obviously interested in open tech.

Best,
.ike



--
Footnotes:
1) IPsec is awesome, but let's face it, also muddled.  It's not
unreasonable that some major flaw could be discovered which exposes a
fundamental flaw or even intentional backdoor in coming years:
http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html
For the time being, IPsec holds strong with no known weaknesses, but
even the fact that it was backported from IPv6 bits makes it even more
complicated to keep track of...

2) LibreSSL, BoringSSL, and good ol' OpenSSL, a discussion deserving
its own thread :)
http://www.libressl.org/
http://article.gmane.org/gmane.os.openbsd.tech/37174
https://boringssl.googlesource.com/boringssl/
https://www.openssl.org/
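As a concrete reference for the OpenVPN points raised above (cert-based client integration, behaviour on restrictive networks, IPv6 inside the tunnel), here is a server/client configuration pair. This is an added example, not part of the original post; it assumes OpenVPN 2.4 or later, an operator-run CA (for instance easy-rsa) that issued the certificates, and the hostname vpn.example.com, the /etc/openvpn paths and the address ranges are placeholders chosen for illustration.

```conf
# ---- /etc/openvpn/server.conf (assumed path) ----
# Listen on UDP by default. A second instance of this file with
# "port 443" / "proto tcp" is the usual fallback for clients on
# networks that only let HTTPS-looking traffic out.
port 1194
proto udp
dev tun

# Operator-run CA: every client must present a certificate signed by it.
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
# Revocation list, so a lost laptop's cert can be cut off without
# re-keying every other client.
crl-verify /etc/openvpn/pki/crl.pem

# Pre-shared key that encrypts and authenticates the control channel.
# Packets without a valid HMAC are dropped before any TLS work happens,
# which also keeps the server quiet towards port scanners.
tls-crypt /etc/openvpn/pki/tls-crypt.key

# Only accept peers whose certificate was issued as a client cert.
remote-cert-tls client

# Data-channel and TLS parameters (OpenVPN 2.4+ syntax).
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2

# Addresses handed to clients: IPv4 plus a ULA IPv6 range inside the
# tunnel (both ranges are made up for this example).
server 10.8.0.0 255.255.255.0
server-ipv6 fd00:ab:cd::/64
push "redirect-gateway def1 ipv6"

keepalive 10 60
# Drop privileges once the tunnel is up.
user nobody
group nogroup
persist-key
persist-tun
verb 3

# ---- client.ovpn (assumed filename) ----
client
dev tun
# Try UDP first, then fall back to the TCP/443 listener.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
nobind
# Refuse to talk to a peer whose cert is not marked as a server cert,
# so a stolen client cert cannot be used to impersonate the server.
remote-cert-tls server
verify-x509-name vpn.example.com name
ca   ca.crt
cert alice.crt
key  alice.key
tls-crypt tls-crypt.key
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
persist-key
persist-tun
verb 3
```

The two sections are separate files; start the server with `openvpn --config /etc/openvpn/server.conf` and the client with `openvpn --config client.ovpn`. The `remote-cert-tls` / `verify-x509-name` pair on the client and `remote-cert-tls client` plus `crl-verify` on the server are what make the cert-based integration safe in practice: without them any certificate from the CA is accepted in either role, and a revoked key keeps working.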



