Re: Optimal VPN




On Dec 10, 2010, at 8:48 AM, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:

> On 12/10/10 2:42 AM, David Sommerseth wrote:
>> On 09/12/10 17:29, Steve Clark wrote:
>>> On 12/09/2010 10:30 AM, David Sommerseth wrote:
>>>> On 25/11/10 14:12, J.Witvliet@xxxxxxxxx wrote:
>> [...snip...]
>>>> 
>>>>> Furthermore, openvpn is only compatible with openvpn, while using ipsec you might be able to connect to other boxes.
>>>>> 
>>>> That is mostly true, except for those vendors adding their own
>>>> proprietary extensions to their ipsec implementations ... thus making it
>>>> a vendor lock-in again.
>>>> 
>>>> 
>>> Hmm... We run ipsec, (using ipsec-tools on both Linux and FreeBSD),
>>>  to Cisco, Juniper, NetScreen and many others without problem.
>>> What vendors are you talking about?
>> 
>> I don't have personal hands-on experience with ipsec issues.  However, I
>> would expect things to work flawlessly as long as you don't enable
>> vendor specific features, or if you enable compatible features.
>> 
>> <http://www.veiligmobiel.com/IPsecCompatibility.htm>
>> 
>> And I believe there will be even more differences if you try to use a
>> "tunnelled" setup versus a "transport" setup, where the tunnelled mode
>> will act more like an SSL-based VPN.  If I have understood it correctly.
> 
> On Ciscos I've always run GRE tunnels with only the GRE packets going through 
> ipsec to get interfaces that can handle dynamic routing protocols, multicast, 
> etc.  Is there a way to get that kind of tunnel interface with ipsec alone?

No, because IPSec tunnel mode works for a given routable network segment and multicast routing isn't handled.

I too use GRE tunnels over IPSec transport mode for site-to-site connectivity, so I can support OSPF and other multicast protocols.

For road warriors I use either L2TP (Windows) or OpenVPN (Linux).

-Ross

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
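
The setup described in the last message (a GRE interface whose packets are protected by IPsec transport mode), sketched as an added example that is not part of the original thread. It assumes Linux with iproute2 and ipsec-tools' setkey, an IKE daemon such as racoon negotiating the SAs, and uses constructed addresses, a hypothetical interface name `gre1` and hypothetical helper function names.

```shell
#!/bin/sh
# Added example: GRE over IPsec transport mode (iproute2 + ipsec-tools).
# All addresses and the interface name gre1 are constructed placeholders.

# Print the iproute2 commands that create the GRE interface. Routing
# daemons (OSPF etc.) then run on gre1, so multicast is enabled on it.
gre_commands() {   # $1=local public IP  $2=remote public IP  $3=inner addr/prefix
  cat <<EOF
ip tunnel add gre1 mode gre local $1 remote $2 ttl 64
ip link set gre1 up multicast on
ip addr add $3 dev gre1
EOF
}

# Print setkey(8) policies: only GRE (IP protocol 47) between the two
# endpoints is selected, and it must be ESP-protected in transport mode.
# Assumption: the SAs themselves are negotiated by an IKE daemon.
setkey_policies() {   # $1=local public IP  $2=remote public IP
  cat <<EOF
spdadd $1 $2 gre -P out ipsec esp/transport//require;
spdadd $2 $1 gre -P in ipsec esp/transport//require;
EOF
}

# Audit policy text on stdin: succeed only if GRE between the endpoints is
# required to use ESP transport mode in BOTH directions, so the tunnel
# cannot silently run in clear text one way.
audit_policies() {   # $1=local public IP  $2=remote public IP
  awk -v l="$1" -v r="$2" '
    $1 == "spdadd" && $4 == "gre" && $8 == "esp/transport//require;" {
      if ($2 == l && $3 == r && $6 == "out") out = 1
      if ($2 == r && $3 == l && $6 == "in")  inn = 1
    }
    END { exit !(out && inn) }'
}

# Dry run: print the plan for two constructed endpoints (nothing is applied).
gre_commands 192.0.2.1 198.51.100.1 10.255.0.1/30
setkey_policies 192.0.2.1 198.51.100.1
```

The script only prints the commands and policies; the audit function can be fed an existing setkey policy file on stdin to confirm GRE is covered in both directions.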

