OpenVPN vs. IPsec - Pros and cons, what to use?

Interestingly I have not found any good search results when searching for "OpenVPN vs IPsec". So here's my question:

I need to set up a private LAN over an untrusted network. And as far as I know, both approaches seem to be valid. But I do not know which one is better.

I would be very thankful if you can list the pros and cons of both approaches and maybe your suggestions and experiences regarding what to use.

Update (Regarding the comment/question):

In my concrete case, the goal is to have any number of servers (with static IPs) connected transparently to each other. But a small portion of dynamic clients like "road warriors" (with dynamic IPs) should also be able to connect. The main goal is however having a "transparent secure network" run on top of the untrusted network. I am quite a newbie so I do not know how to correctly interpret "1:1 Point to Point Connections" => The solution should support broadcasts and all that stuff so it is a fully functional network.


I have all of the scenarios set up in my environment. (openvpn site-site, road warriors; cisco ipsec site-site, remote users)

By far, the openvpn is faster. The openvpn software is less overhead on the remote users. The openvpn is/can be set up on port 80 with tcp so that it passes at places that have limited free internet. The openvpn is more stable.

Openvpn in my environment does not force policy to the end user. Openvpn key distribution is a little harder to do securely. Openvpn key passwords are up to the end users (they can have blank passwords). Openvpn is not approved by certain auditors (the ones that only read bad trade rags). Openvpn takes a little bit of brains to set up (unlike cisco).

This is my experience with openvpn: I know that most of my negatives can be alleviated through either configuration changes or process changes. So take all my negatives with a bit of skepticism.


One key advantage of OpenVPN over IPSec is that some firewalls don't let IPSec traffic through but do let OpenVPN's UDP packets or TCP streams travel without hindrance.

For IPSec to function, your firewall either needs to be aware of (or needs to ignore and route without knowing what it is) packets of the IP protocol types ESP and AH, as well as the more ubiquitous trio (TCP, UDP and ICMP).

Of course you might find some corporate environments the other way around: allowing IPSec through but not OpenVPN, unless you do something crazy like tunneling it via HTTP, so it depends on your intended environments.
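The firewall point in this answer, as an added example that is not part of the original post: a small Python classifier that reads an IPv4 header and reports what a firewall would have to permit for the packet to get through (IP protocol 50/51 for ESP/AH, UDP 500/4500 for IKE and NAT-T, or plain TCP/UDP for OpenVPN). Treating port 1194 as OpenVPN is an assumption (it is only the registered default, and the answers above note it is often moved to 80 or 443); all packets are constructed inline.

```python
import struct

# IP protocol numbers and well-known ports used below. 1194 is only OpenVPN's
# registered default (it is configurable), so matching on it is an assumption.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORTS = {500, 4500}       # IKE and NAT-T (UDP-encapsulated ESP)
OPENVPN_PORTS = {1194}

def classify_ipv4(packet: bytes) -> str:
    """Label what a firewall must permit to forward this packet. Only the IPv4
    header and the TCP/UDP ports are inspected, which is all a TCP/UDP/ICMP-only
    firewall looks at, and why it drops ESP and AH (no ports at all)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    if proto == PROTO_ESP:
        return "ipsec-esp"                # needs IP protocol 50 allowed
    if proto == PROTO_AH:
        return "ipsec-ah"                 # needs IP protocol 51 allowed
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(packet) < ihl + 4:
            return "truncated"
        ports = set(struct.unpack("!HH", packet[ihl:ihl + 4]))
        if proto == PROTO_UDP and ports & IKE_PORTS:
            return "ipsec-ike"            # IKE / NAT-T, still plain UDP
        if ports & OPENVPN_PORTS:
            return "openvpn-udp" if proto == PROTO_UDP else "openvpn-tcp"
        return "tcp" if proto == PROTO_TCP else "udp"
    return f"ip-proto-{proto}"

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options, checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + payload

# Constructed sample packets, one per case the answer mentions.
SAMPLES = {
    "esp": build_ipv4(PROTO_ESP, b"\x00" * 8),
    "ike": build_ipv4(PROTO_UDP, struct.pack("!HH", 500, 500) + b"\x00" * 4),
    "ovpn": build_ipv4(PROTO_TCP, struct.pack("!HH", 40000, 1194) + b"\x00" * 16),
}

def firewall_passes(packet: bytes, allowed: set) -> bool:
    """Would a firewall whose policy permits only these labels forward it?"""
    return classify_ipv4(packet) in allowed
```

Running `firewall_passes(SAMPLES["esp"], {"tcp", "udp", "openvpn-tcp"})` returns False while the OpenVPN sample passes, which is the situation the answer describes.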


OpenVPN can do Ethernet-layer tunnels, which IPsec cannot do. This is important for me because I want to tunnel IPv6 from anywhere that has only IPv4 access. Maybe there is a way to do this with IPsec, but I haven't seen it. Also, in a newer version of OpenVPN you will be able to make Internet-layer tunnels which can tunnel IPv6, but the version in Debian squeeze can't do that, so an Ethernet-layer tunnel works nicely.

So if you want to tunnel non-IPv4 traffic, OpenVPN wins over IPsec.


OpenVPN is much easier to administer, set up and use in my opinion. It's a fully transparent VPN, which I love.

IPsec is more a "professional" approach with many more options regarding classical routing within VPNs.

If you want just a point-to-point VPN (1-to-1), I would suggest using OpenVPN.

Hope this Helps :D