Open VPN vs IPsec Vpn
-
Hi folks
i used to have ipsec site to site vpn between various clients
ipsec gave me lot's of problems as menitoned in this thread http://forum.pfsense.org/index.php/topic,39383.0.html
and switched to Open VPN, it's working perfectly just one problem the latency is really high between Open Vpn client and server
it's around 2000-3000 ms, while on ipsec it was 200-300 on average
is OPEN VPN less efficient than IPSec VPN.
which one good best and secure OPEN VPN or IPSec Vpn
with thank
kalu -
Do you use OpenVPN with UDP or TCP ? You should use UDP!
Perhaps try to change the encryption algorithm. -
hi Nachfalke Thanks for the reply
Yes i use TCP. (will change to UDP and see the effect)
in open VPN i'm using (peer to peer sharedkey)
thanks
kalu -
TCP is a bit "heavy" protocol in vpn use, with it's ack's and resending missing data
-
The problem of TCP in OpenVPN is, that you use TCP for the OpenVPN tunnel itself and in most cases a second time TCP for the traffic in the tunnel. so there is "double TCP" and then you have the double of overhead like Metu69salemi said in his post.
-
Thanks guys.
but i still have one question.
what features are unavailable if i don't use TCP and use UDP.
mainly i'm confused where to use TCP and where to use UDP.
thanks in advance
kalu -
There is no difference in "features" depending OpenVPN. The only difference while using OpenVPN is the speed enhancement with UDP.
If you like to know the differences between UDP and TCP use google or wikipedia.
-
Thanks Nachtfalke
:) -
If you want to use the VPN tunnel via an http/https proxy you must use TCP.
–> http://openvpn.net/index.php/open-source/documentation/howto.html#http -
If you want to use the VPN tunnel via an http/https proxy you must use TCP.
–> http://openvpn.net/index.php/open-source/documentation/howto.html#httpShame on me!
That was new information for me. Thanks! -
nice piece of information Nachtfalke thanks
i didn't knew that either
kalu -
Well it's rare that you need to use OpenVPN via an http/https proxy ^^"
For roadwarriors which have to go regularly into environments where security is very tight, i have a second instance of our normal openVPN server (UDP 1194) with the same keys/certs providing access on TCP 443.
This usually allows them to reach our main-office.
But this is more of a failover if the normal server isn't reachable.