[ previous ] [ next ] [ threads ]
 From:  Peter Curran <lists at closeconsultants dot com>
 To:  "Keith Redfield" <kredfield at airsurfwireless dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Routing over IPSEC
 Date:  Sun, 30 Jan 2005 00:50:18 +0000
> Further to this..with the OpenVPN client-server is this issue resolved? -
> i.e. we can create m0n0<->m0n0 tunnels which support routing protocols? Has
> anyone tried?

Well an answer is that you can forward routing protocols across OpenVPN .

Is OpenVPN the answer for this kind of problem?  It is _an_ answer.

There is a performance issue with OpenVPN - IPsec based VPN's are doing their 
work inside the kernel, OpenVPN is a user-land system.  On a 3GHz P4 it 
probably doesn't matter, but if you are planning on using an embedded device 
(Soekris/WRAP etc) then there is inevitably a difference.

Using routing protocols with m0n0wall is not really on - there is no support 
inside m0n0 itself, which means that you have to use some form of bridging to 
move m0n0 out of the way (from a layer-2 perspective).  Wide area bridging 
(remote birdging) is not considered a sensible or credible way to build a 
network in 2005 (or 1995 either come to that).

I have already stated my opinion - that is the use of explicit tunnels using 
GRE or IPIP, protected by IPsec transport mode, is probably the best way 
forward from an interoperability/functionality viewpoint.  As this is all 
internal to the kernel it is probably a more peformant solution that OpenVPN.



Peter Curran				  Leveraging Internet Technology
Close Consultants			       for Businesses
p: +44-1225-463700			 
f: +44-1225-463705			  
e: peter at closeconsultants dot com		  
sip: peter at closeconsultants dot com 

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.