Which do you prefer?
It’s the difference between:
- user-space (ovpn) vs. kernel-space (IPsec).
- opening 1 udp port (ovpn) on the firewall vs. 2-4 ports (isakmp, esp, ah, nat-t) (IPsec).
- TLS on steroids (ovpn) vs. IKE (IPsec) for control.
- DIY (ovpn) vs. vendor & IT support (IPsec).
- Easy portability (ovpn) vs. difficult portability because of #1 (IPsec).
- Ease of compatibility with an external peer (ovpn) vs. various vendor implementations of IPsec.
- Both can be tough to implement correctly.
- Both have quite the learning curve.
- Not so much documentation (ovpn) vs. very extensive documentation (IPsec).
- Multicast support (ovpn) vs. GRE trickery (IPsec).
- L2 support (ovpn) vs. L2TP trickery (IPsec).
- Both are as secure (or insecure) as you make them, as they both support more or less the same ciphers & hashes. However, for IPsec, the supported features are limited by the vendor, which means it is slower to adopt emerging encryption tech (ECC, Quantum Encryption, newer stream ciphers) than OpenVPN.
In short, if you’re looking for top security, go with OpenVPN. The only reason to use IPsec nowadays is if you have no choice, or you’re implementing an advanced commercial solution (SD-WAN).
Both. IKEv2 for iOS (OpenVPN Connect has been crap since the last update) and OpenVPN for my router.
IPsec (client) is already included in Windows and Android.
If you want to use OpenVPN, then you need to install OpenVPN on all OS’s.
OpenVPN is more flexible if you need to get around a strict firewall, as you can set it up (with the kind help of other software) to get around that horrible firewall.
IPsec doesn’t always work well behind NAT. For example, broadband routers will usually kill a connection to IPsec if it’s been inactive for a certain period of time. So I prefer OpenVPN when I’m behind NAT. If I use a data plan on a mobile phone which has a public IP, then maybe L2TP/IPsec or IKEv2. Also, IPsec is easier to configure on the client side, at least, whereas OpenVPN requires either an open source or proprietary app. So, both have pros and cons, and thus should not be seen as better or worse but more like a tool to use to get a job done.
Not so much documentation (ovpn) vs. very extensive documentation (IPsec).
I think this is a moot point… I find OpenVPNs documentation to be very well written and provides plenty of details. IPsec on the other hand, do I read the standards, or the specific vendor implementations? It’s a tough protocol to get up and running if you’re starting from a blank slate.
My 2c.
Sorry, I meant IKEv2. But very good illustration of why L2TP/IPSec was such a nightmare.
Thanks, that’s actually what I meant. Old habits are hard to break.
L2TP is best against firewalls IMO, not OpenVPN, but not really secure…
I lean that way myself (all my personal VPN servers are IKEv2) - although if OpenVPN would fix the damn tun adapter issues that would be my top choice.
I use the same thing! I love that the .mobileconfig works for my Mac also. It’s crazy fast compared to the same level of encryption/authentication as OpenVPN too. My iPhone can hit like 200Mbps using aes128gcm16-sha2_256-ecp256.
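Two points in the thread above come down to the same thing: "both are as secure as you make them" and the IKEv2 proposal string aes128gcm16-sha2_256-ecp256 quoted in the last post. Strings of that shape (cipher-hash/PRF-DH group, the format strongSwan uses) are where the security of an IPsec tunnel is actually decided, so the following is an added example, not code from any poster or from strongSwan, that parses such a proposal and checks it against a local policy. The thresholds in the Policy class and the approximate DH security levels are this example's own assumptions; with an AEAD cipher the hash token is read as the IKE PRF, which is how strongSwan interprets it.

```python
"""Parse strongSwan-style IKE/ESP proposal strings (e.g. "aes128gcm16-sha2_256-ecp256")
and report which parts fall below a local policy.  Added example; thresholds are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Approximate classical security level (bits) per IKE DH group.  Constructed here from the
# usual NIST-style estimates for MODP (RFC 3526) and ECP (RFC 5903) groups; not a vendor table.
DH_GROUP_BITS = {
    "modp768": 56, "modp1024": 80, "modp1536": 96, "modp2048": 112, "modp3072": 128,
    "modp4096": 152, "modp6144": 176, "modp8192": 200,
    "ecp256": 128, "ecp384": 192, "ecp521": 256, "curve25519": 128, "x25519": 128,
}
# Digest length in bits of the HMAC/PRF hash, keyed by normalised name.
HASH_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}

_CIPHER_RE = re.compile(r"^(aes|camellia)(128|192|256)(?:(gcm|ccm)(8|12|16))?$")


@dataclass
class Proposal:
    raw: str
    cipher: str = ""
    key_bits: int = 0
    aead: bool = False
    icv_bytes: Optional[int] = None      # authentication tag length for AEAD modes
    hash_alg: Optional[str] = None       # integrity algorithm, or PRF when cipher is AEAD
    digest_bits: Optional[int] = None
    dh_group: Optional[str] = None
    dh_bits: Optional[int] = None
    unknown: List[str] = field(default_factory=list)


@dataclass
class Policy:
    """Assumed local minimums (this example's choice, not a strongSwan default)."""
    min_key_bits: int = 128
    require_aead: bool = True
    min_icv_bytes: int = 16
    min_digest_bits: int = 256   # SHA-256 family or better
    min_dh_bits: int = 112       # admits modp2048, rejects modp1024 and smaller


def parse_proposal(text: str) -> Proposal:
    """Split 'cipher-hash-dhgroup' into its components, normalising strongSwan aliases."""
    tokens = text.strip().lower().split("-")
    p = Proposal(raw=text)
    cipher = tokens[0]
    m = _CIPHER_RE.match(cipher)
    if m:
        p.cipher, p.key_bits = cipher, int(m.group(2))
        if m.group(3):                       # gcm/ccm suffix => AEAD with an ICV length
            p.aead, p.icv_bytes = True, int(m.group(4))
    elif cipher == "chacha20poly1305":
        p.cipher, p.key_bits, p.aead, p.icv_bytes = cipher, 256, True, 16
    elif cipher == "3des":
        p.cipher, p.key_bits = cipher, 112   # effective strength of three-key 3DES
    elif cipher == "null":
        p.cipher, p.key_bits = cipher, 0
    else:
        p.unknown.append(cipher)
    for tok in tokens[1:]:
        name = tok[3:] if tok.startswith("prf") else tok   # "prfsha256" -> "sha256"
        name = name.replace("sha2_", "sha")                 # "sha2_256"  -> "sha256"
        if name in HASH_BITS:
            p.hash_alg, p.digest_bits = name, HASH_BITS[name]
        elif tok in DH_GROUP_BITS:
            p.dh_group, p.dh_bits = tok, DH_GROUP_BITS[tok]
        else:
            p.unknown.append(tok)
    return p


def evaluate(text: str, policy: Optional[Policy] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the proposal is acceptable."""
    policy = policy or Policy()
    p = parse_proposal(text)
    findings = [f"unrecognised token '{tok}'" for tok in p.unknown]
    if p.key_bits < policy.min_key_bits:
        findings.append(f"cipher {p.cipher} gives a {p.key_bits}-bit key < {policy.min_key_bits}")
    if policy.require_aead and p.cipher and not p.aead:
        findings.append(f"cipher {p.cipher} is not an AEAD mode")
    if p.aead and p.icv_bytes < policy.min_icv_bytes:
        findings.append(f"ICV of {p.icv_bytes} bytes < {policy.min_icv_bytes}")
    if p.hash_alg and p.digest_bits < policy.min_digest_bits:
        findings.append(f"hash {p.hash_alg} ({p.digest_bits}-bit digest) < {policy.min_digest_bits}")
    if p.dh_group is None:
        findings.append("no DH group: keys are not refreshed with forward secrecy")
    elif p.dh_bits < policy.min_dh_bits:
        findings.append(f"DH group {p.dh_group} (~{p.dh_bits}-bit) < {policy.min_dh_bits}")
    return findings


if __name__ == "__main__":
    for prop in ("aes128gcm16-sha2_256-ecp256", "3des-sha1-modp1024",
                 "aes256-sha256-modp2048", "aes128gcm8-prfsha256-curve25519"):
        print(prop, "->", evaluate(prop) or "OK")
```

The quoted iPhone proposal passes cleanly, while a legacy 3des-sha1-modp1024 string collects a finding for every component; the same checker can be pointed at whatever proposal list a vendor appliance or an OpenVPN peer advertises, which is the practical way to make "as secure as you make it" into something you actually verify.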