 From:  "Keith Redfield" <kredfield at airsurfwireless dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Routing over IPSEC
 Date:  Sat, 29 Jan 2005 17:59:48 -0800
Thanks, I've gotten quite an education on tunneling and VPNs lately. I will have to give router
summarization another try - when I did it, I could ping all the m0n0 interfaces (had 2 vlans on the
same major net), but couldn't get any packets past the m0n0 - but I may have made a configuration
error. This will make me be a little more rigorous about my numbering anyway - never a bad thing. 
Looking forward to seeing further developments here.


From: Peter Curran [mailto:lists at closeconsultants dot com]
Sent: Sat 1/29/2005 4:50 PM
To: Keith Redfield; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Routing over IPSEC

> Further to this..with the OpenVPN client-server is this issue resolved? -
> i.e. we can create m0n0<->m0n0 tunnels which support routing protocols? Has
> anyone tried?

Well, an answer is that you can forward routing protocols across OpenVPN.

Is OpenVPN the answer for this kind of problem?  It is _an_ answer.

There is a performance issue with OpenVPN - IPsec based VPNs are doing their
work inside the kernel, OpenVPN is a user-land system.  On a 3GHz P4 it
probably doesn't matter, but if you are planning on using an embedded device
(Soekris/WRAP etc) then there is inevitably a difference.

Using routing protocols with m0n0wall is not really on - there is no support
inside m0n0 itself, which means that you have to use some form of bridging to
move m0n0 out of the way (from a layer-2 perspective).  Wide area bridging
(remote bridging) is not considered a sensible or credible way to build a
network in 2005 (or 1995 either come to that).

I have already stated my opinion - that is the use of explicit tunnels using
GRE or IPIP, protected by IPsec transport mode, is probably the best way
forward from an interoperability/functionality viewpoint.  As this is all
internal to the kernel it is probably a more performant solution than OpenVPN.



Peter Curran                              Leveraging Internet Technology
Close Consultants                              for Businesses
p: +44-1225-463700                      
f: +44-1225-463705                       
e: peter at closeconsultants dot com            
sip: peter at closeconsultants dot com
