# Is there any advantage of openswan over OpenVPN?

## ddaas

Hi,

I've just installed OpenVPN and everything works just fine. It was really easy, and by their account OpenVPN is very good/secure (http://www.sans.org/rr/whitepapers/vpns/1459.php).

If OpenVPN is so great why should anyone bother with IPsec?

Could you tell me some advantages of IPsec (openswan) over TLS-based VPNs (OpenVPN), if there are any? :)

----------

## minskpower

OpenVPN is easier to configure and use; however, IPsec is the standard nowadays (like SOAP vs XML-RPC). They both have advantages, but IPsec is more flexible for large VPN environments where you would connect large networks behind each server or use the home-in style of roadwarrior.

You can't connect only two computers with IPsec, for instance, but you can do it with OpenVPN.

Use IPsec in large networks with multiple subnets and to ensure compatibility with Windows IPsec; use OpenVPN for smaller ones or for testing.

I am using OpenVPN on Gentoo. The tun interface is giving me some headaches, though.

----------

## tgice

I'd say OpenVPN is much better in general. SSL VPNs tend to be easier to set up and more compatible with NAT, etc.

Furthermore, the deal maker for me was the fact that OpenVPN has slick native win32 support (I think you need win2k or XP, but still) including a nice little GUI frontend for it that makes connecting from the Windows world a snap.

Last I checked, the others didn't really offer this, at least not in a straightforward manner (without monkeying around in some really funky Windows settings, and even then I don't think IPSec will traverse NAT, period).

----------

## minskpower

 *tgice wrote:*   

> I'd say OpenVPN is much better in general. SSL VPNs tend to be easier to set up and more compatible with NAT, etc.
> 
> Furthermore, the deal maker for me was the fact that OpenVPN has slick native win32 support (I think you need win2k or XP, but still) including a nice little GUI frontend for it that makes connecting from the Windows world a snap.
> 
> Last I checked, the others didn't really offer this, at least not in a straightforward manner (without monkeying around in some really funky Windows settings, and even then I don't think IPSec will traverse NAT, period).

 

I wouldn't say IPsec configuration is a breeze, but it has its advantages ;) Besides, windoze has its own implementation of IPsec.

Openswan supports NAT traversal, see http://wiki.openswan.org/index.php/FAQ#a36

----------

## zen_guerrilla

 *minskpower wrote:*   

> You can't connect only two computers with IPsec, for instance, but you can do it with OpenVPN.

 

You're making a mistake. Of course you can connect even only 2 computers with IPsec.

----------

## minskpower

Well, I was under the impression that you need at least one gateway running IPsec in between.

Could you please point me to a URL describing such a setup for openswan?

Anyway, IPsec for only 2 computers would be too much overhead; OpenVPN is much better for this.

----------

## TheAl

They differ a lot:

OpenVPN offers you an easy setup to transport encrypted data on a standard IP session. In other words, this is software added on top of a regular IP session (OSI layer 3).

OpenSWAN and some others use IPSec as transport, and this is a secure transport protocol (OSI layer 2).

The IPSec way is the most standard way to transport secure data across the Internet. This can be routed and, with new drafts, NATted, and you can have DHCP over it.

OpenVPN uses some "tricks" to get it working, and you may be limited by them (depending on the situation).

Now, I would use OpenVPN for small and simple installations, and use IPSec for provider solutions.

----------

## zen_guerrilla

 *minskpower wrote:*   

> Could you please point me to a URL describing such a setup for openswan?

 

Google is your friend. I don't know about openswan (never used it), but OpenBSD has a great implementation of IPsec; check their vpn man page: http://www.openbsd.org/cgi-bin/man.cgi?query=vpn&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

----------

