Fusion FTTN VPN: IPsec or OpenVPN

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
24 posts Page 1 of 3
by klui » Thu May 14, 2015 5:26 pm
I'm curious to know why people who filled out the VPN survey at https://www.research.net/s/Sonic-VPN chose OpenVPN over IPsec. Perhaps there are other advantages to the former over the latter that I had not considered besides performance. Fusion FTTN tops out at a little over 50 Mbps so there should not be any throughput advantage. Third-party router firmware should also support IPsec in addition to OpenVPN.

I chose IPsec because my firewall does not support OpenVPN and IPsec is what is normally used by the enterprise. While I can insert another device to support OpenVPN I would prefer to use what I have.
by kgc » Thu May 14, 2015 9:50 pm
IPsec has a lot of interoperability problems that I don't see an easy way around. If there was universal support for IKE2/EAP (and not locked to MS-CHAP2!) we would be happy to just do that. But, since that isn't an option, we're stuck in a situation where we are either deploying a new solution that is open to MITM attacks or requires certificate-based authentication which would be challenging to support.

OpenVPN requires client support but is easier on the systems end and supporting a handful of "official" client applications is comparably manageable.

I also haven't found very many consumer devices that have integrated VPN support and came to the conclusion that homebrew router firmware with OpenVPN support was going to be the most likely fixed VPN for most customers. Perhaps you're aware of some hardware that I missed?

I don't think we've got it nailed down yet.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by forest » Thu May 14, 2015 10:17 pm
I chose IPsec, mainly because routers like the EdgeRouter Lite (a $90 device that can route at gigabit speeds) have hardware offload support for it, allowing much faster throughput than with OpenVPN.
by hhwong » Fri May 15, 2015 12:38 pm
kgc wrote: I also haven't found very many consumer devices that have integrated VPN support and came to the conclusion that homebrew router firmware with OpenVPN support was going to be the most likely fixed VPN for most customers. Perhaps you're aware of some hardware that I missed?

I don't think we've got it nailed down yet.
I don't think you'll find a lot of consumer devices w/VPN support, because most people who want VPN are really prosumers, who will step up to the higher-priced routers from Zyxel, Cisco and Ubiquiti (among others). I suspect the home-brew router firmware on cheap consumer-grade stuff won't be able to keep up with FTTNx2 anyway, and they'll step up to more appropriate offerings.

(this is the marketing side of me poking out) What you guys should really be doing is segmenting the market and focusing on those who really want VPN (and why) vs. the general populace who probably would be fine with basic AT&T infrastructure. Rather than just supporting hardware that may not support the speed, perhaps Sonic should go the other way and do its own testing (or even certification) of VPN routers.

As I've said in other threads, I also have the EdgeRouter Lite - prosumer features at a consumer price. The going commentary is that the problem w/OpenVPN is that it is single-threaded. So, if you're running OpenVPN on Intel or equivalent CPUs, it will gladly handle Gigabit speeds. Desktops, yes, but many consumer (and some prosumer) offerings aren't that powerful. I would be happy to be wrong, though.
by thread starter » Fri May 15, 2015 3:19 pm
kgc wrote:IPsec has a lot of interoperability problems that I don't see an easy way around. If there was universal support for IKE2/EAP (and not locked to MS-CHAP2!) we would be happy to just do that. But, since that isn't an option, we're stuck in a situation where we are either deploying a new solution that is open to MITM attacks or requires certificate based authentication which would be challenging to support.

OpenVPN requires client support but is easier on the systems end and supporting a handful of "official" client applications is comparably manageable.

I also haven't found very many consumer devices that have integrated VPN support and came to the conclusion that homebrew router firmware with OpenVPN support was going to be the most likely fixed VPN for most customers. Perhaps you're aware of some hardware that I missed?

I don't think we've got it nailed down yet.
OpenVPN uses certificates as well. How is IPsec certificate management more challenging than OpenVPN?

Maybe the difficulty has to do with the wide performance delta in the consumer space for VPN-capable routers vs. the enterprise. Dane did not include how people would foresee using VPN. I think it would be interesting to note what those who chose OpenVPN selected for the following questions:
  • 3. What traffic do you expect to use VPN with?
  • 4. Do you expect to primarily use VPN with a whole-home hardware VPN device, or with client/software
My guess is those who chose IPsec will probably select All traffic/whole home for 3, and Commercial hardware for 4. If people who chose OpenVPN selected Open source hardware VPN device or Individual PC/laptop & mobile devices, then that's a separate demographic of your user base from those who prefer IPsec.
by kgc » Fri May 15, 2015 5:00 pm
thread starter wrote: OpenVPN uses certificates as well. How is IPsec certificate management more challenging than OpenVPN?
Largely because it wraps it up in a config file that is supported by the clients. The official client is even able to fetch it directly from the server after login with a username and password. Compare that to walking a user through importing a client certificate by hand on [insert os of choice] on [insert device of choice] which may or may not support the required IPsec profiles in the first place.

I've got a couple of EdgeRouters on order to test out to see what they support and how easily they can be set up.
Kelsey Cummings
System Architect, Sonic.net, Inc.
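What "wrapping it up in a config file" looks like in practice, as an added example that is not Sonic's or the OpenVPN project's own code: a small Python helper that inlines the CA, client certificate and key into one .ovpn profile and checks the result. The server name is a placeholder and the PEM blobs are constructed stand-ins, not real keys; the directive names are standard OpenVPN client syntax.

```python
import re

# Constructed placeholder PEM material (not real keys) so the example runs offline.
CA_PEM = "-----BEGIN CERTIFICATE-----\nQ0FfUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ0xJRU5UX1BMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nS0VZX1BMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n"

INLINE_TAGS = ("ca", "cert", "key")
_BLOCK_RE = re.compile(r"^<(ca|cert|key)>\n(.*?)\n</\1>$", re.S | re.M)


def build_profile(server, port, ca_pem, cert_pem, key_pem, proto="udp"):
    """Return one .ovpn text with the CA, client cert and key inlined."""
    lines = [
        "client",
        "dev tun",
        f"proto {proto}",
        f"remote {server} {port}",
        "nobind",
        "persist-key",
        "persist-tun",
        # Refuse to connect unless the server's cert carries the TLS server
        # role: this client-side check stops another client cert issued by
        # the same CA from being presented as the server.
        "remote-cert-tls server",
        "data-ciphers AES-256-GCM",
        "auth SHA256",
    ]
    for tag, pem in zip(INLINE_TAGS, (ca_pem, cert_pem, key_pem)):
        lines += [f"<{tag}>", pem.strip(), f"</{tag}>"]
    return "\n".join(lines) + "\n"


def parse_inline_blocks(profile):
    """Extract the inline PEM blocks the way the client would see them."""
    return {tag: body for tag, body in _BLOCK_RE.findall(profile)}


def validate_profile(profile):
    """Return the names of inline blocks that are missing or not PEM-framed."""
    blocks = parse_inline_blocks(profile)
    bad = []
    for tag in INLINE_TAGS:
        body = blocks.get(tag)
        if body is None or not body.startswith("-----BEGIN ") or not body.endswith("-----"):
            bad.append(tag)
    return bad
```

Hand a user the single file build_profile() produces and the client has everything it needs; the same three PEM items for an IPsec client would typically have to be imported one by one through the device's own certificate store.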
by klui » Fri May 15, 2015 5:46 pm
kgc wrote:
thread starter wrote: OpenVPN uses certificates as well. How is IPsec certificate management more challenging than OpenVPN?
Compared to walking a user through importing a client certificate by hand on [insert os of choice] on [insert device of choice] which may or may not support the required IPsec profiles in the first place.
Importing certs is easy compared to creating them. Different devices will have different ways of doing this and I think for those who are technically comfortable/capable it shouldn't be too big of a hassle. I think the complexity of IPsec with regard to P1/P2 proposals is what drives many, including myself, away.

Having never set up an IPsec/OpenVPN server, I asked the question on Juniper's forums and was told OpenVPN uses standard IPsec concentrators. So perhaps we could kill two birds with one stone. Please let us know if you need any testers. http://forums.juniper.net/t5/ScreenOS-F ... d-p/273659
by kgc » Fri May 15, 2015 6:23 pm
klui wrote:...for those who are technically comfortable/capable it shouldn't be too big of a hassle.
Well, I think that's part of the point. I might be walking down the wrong path because I'm looking for a customer-friendly solution that our support team would be able to support. But would someone who wasn't technically comfortable/capable even be looking to us to provide a fixed VPN solution in the first place?

OpenVPN is an SSL VPN, not IPsec.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by klui » Fri May 15, 2015 6:57 pm
kgc wrote:
klui wrote:...for those who are technically comfortable/capable it shouldn't be too big of a hassle.
Well, I think that's part of the point. I might be walking down the wrong path because I'm looking for a customer-friendly solution that our support team would be able to support. But would someone who wasn't technically comfortable/capable even be looking to us to provide a fixed VPN solution in the first place?

OpenVPN is an SSL VPN, not IPsec.
It's perfectly reasonable that client/PC-based VPN solutions be easy to set up. It almost seems OpenVPN was created for PCs to accommodate the common case where people have access to http/https and not IPsec. I am having difficulty reconciling what the reply on Juniper's site means. I can't find where on OpenVPN's website it says they use a regular IPsec concentrator.
by forest » Fri May 15, 2015 7:27 pm
kgc wrote: I've got a couple of EdgeRouters on order to test out to see what they support and how easily they can be set up.
I look forward to good news on that front. People using the EdgeRouter Lite have been reporting near-gigabit routing with NAT, and IPsec VPN performance considerably faster than Sonic's fastest FTTNx2 service. Apparently the Cavium chip's offload features work quite nicely.

With the $90 price tag, this device looks like a great choice not only for FTTN, but for future upgrades to fiber as well.
