IPSec VPN and OpenVPN. People talk about OpenVPN and other SSL VPNs far more than about IPSec; as a result IPSec gradually fades from view and becomes a VPN reserved for core networks and very high-end devices. If you want to develop a VPN product, OpenVPN is like the touts standing outside the Bainahui Mall in every district, attracting everyone, while IPSec is like a luxury store on Huaihai Road: expensive and hard to maintain. In short, it is rejected for reasons nobody states clearly. This article explains from the basics that IPSec is not so clumsy, and that much of its flexibility is not matched by a grassroots VPN such as OpenVPN.

1. IPSec consists of replaceable components. IPSec is not a monolithic structure; it is made up of a complete set of components, each of which can be replaced. These components include:

Security channel support protocol: IKE, ISAKMP, ... Different authentication methods can be used to authenticate access nodes. Although IPSec cannot directly use the SSL protocol the web world is so keen on, IKE is no worse than it. SSL's performance in the web field earns it no extra points here, because a VPN is a layer-2 or layer-3 concept and differs from the web. SSL is built on PKI, and IKE can use the same PKI components; in fact, X.509-based authentication has become an important part of IKE.

Tunnel and encryption modes: transport ESP, tunnel ESP, transport AH and tunnel AH. Transport mode gives good support for end-to-end control: in this mode IPSec only encrypts or authenticates the packet and does not encapsulate it. Tunnel mode gives good support for protecting data between sites. OpenVPN has only a tunnel mode, encapsulates unconditionally and scales poorly end to end; for example, OpenVPN falls short when facing Windows in the strong host model and when the source IP address needs to be authenticated.
Data structures: the SPD and the SADB are the basis on which IPSec decides what to encrypt. They resemble the OpenVPN routing table, but OpenVPN can identify the data to encrypt only through standard routing; to use any other criterion you must add an identification step in front of routing. On Linux, for example, you mark the packet in the PREROUTING hook, direct packets carrying a specific mark into a specific policy routing table, and route them there. The IPSec data structures are independent of IPSec encryption and key negotiation: they can be generated in any way and distributed to any device by any means, which is more flexible to implement, and IPSec operations are performed directly on packets that match the database, which improves efficiency and allows interfacing with other protocol stack components.

Interfaces with other protocol stack components: GRE and VTI. You may think that OpenVPN's use of the unified routing interface to intercept the packets of interest is a major advantage (to be honest, I have always thought so; but when you face hundreds of tunnels you may not be able to sleep at night; I have not faced that yet, but I already sense the danger). It is only suitable for small networks. With hundreds of network segments, and worse, segment routes that cannot be aggregated, routing is not the right tool: set aside the huge routing table (today's high-speed hardware copes with that), the maintenance workload alone is enough to cause you grief. Nevertheless, routing is the approach network administrators know best, and there are many ways to configure routing tables, so if the flexibility of routing configuration can be combined with convenient route management, the above shortcoming of OpenVPN is overcome. Fortunately, the combination of IPSec and GRE achieves exactly this.
GRE is a separate technology: route management can be handed over to GRE, and IPSec then does nothing but maintain the security policy. OpenVPN has no equivalent. This wide range of replaceable components shows that IPSec is flexible enough to form all kinds of complex VPN topologies to meet different needs. OpenVPN is not componentized, so it can rely only on its own features, and its external interfaces are at best a few event hooks, whereas IPSec is componentized by nature.

2. IPSec establishes tunnels dynamically. One feature OpenVPN cannot match is that IPSec can establish a tunnel dynamically when packets arrive: if the tunnel does not exist yet, IKE negotiation is triggered, and until the negotiation completes the data is queued, or discarded once the queue is full. OpenVPN cannot do this. OpenVPN uses a user-mode socket connection to establish the tunnel. On the client, the virtual network adapter and the routes depend on the socket connection being established; even if the OpenVPN code is modified to create the virtual adapter before the socket connection, the adapter's IP address is not known yet, so the routing table cannot be built. On the server, all socket connections are held in OpenVPN's open file descriptors; once a packet has been routed to the virtual NIC, the kernel has no idea whether the corresponding tunnel is available, so the packet falls into a black hole. IPSec can establish tunnels dynamically because neither the tunnel nor the security policy depends on any socket or other network connection. Tunnel state and policy existence are not linked; everything is decided by the SADB and the SPD, and these databases have nothing to do with the network: as long as a packet matches an entry in the database, it will be encrypted.
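The SPD/SADB lookup described under the data structures above and the lazy, packet-triggered SA setup of section 2, as an added Python model that is not code from this post or from any IPSec implementation. The `Policy`, `SA` and `IPSecStack` names, the SAD keyed by policy index, the queue limit, the key bytes and all addresses are constructed for illustration, and a dictionary carrying the SPI stands in for the real ESP transform; what it shows is the decoupling the post describes: policy and SA state are plain data, packets matching a protect policy with no SA are queued (or dropped when the queue is full) until "IKE" installs the SA, and transport mode keeps the original IP header while tunnel mode adds an outer one.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    payload: Any


@dataclass
class Policy:
    """One SPD entry: traffic selectors plus what to do with matching traffic."""
    src_net: str
    dst_net: str
    action: str            # "protect", "bypass" or "discard"
    mode: str = "tunnel"   # "tunnel" or "transport"; only used when action == "protect"
    local: str = ""        # outer tunnel endpoints; only used in tunnel mode
    remote: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))


@dataclass
class SA:
    """One SAD entry: the negotiated state the ESP transform needs (constructed)."""
    spi: int
    key: bytes


class IPSecStack:
    def __init__(self, spd: List[Policy], queue_limit: int = 2):
        self.spd = spd                        # ordered, first match wins
        self.sad: Dict[int, SA] = {}          # policy index -> SA (hypothetical keying)
        self.pending: Dict[int, deque] = {}   # packets waiting for IKE, per policy
        self.ike_requests: List[int] = []     # policies for which IKE has been triggered
        self.queue_limit = queue_limit
        self.dropped = 0

    def lookup(self, pkt: Packet) -> Tuple[Optional[int], Optional[Policy]]:
        for idx, pol in enumerate(self.spd):
            if pol.matches(pkt):
                return idx, pol
        return None, None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Apply the SPD to one outbound packet; None means queued or dropped."""
        idx, pol = self.lookup(pkt)
        if pol is None or pol.action == "discard":
            self.dropped += 1
            return None
        if pol.action == "bypass":
            return pkt
        sa = self.sad.get(idx)
        if sa is None:
            # No SA yet: trigger IKE once and hold the packet in a bounded queue
            if idx not in self.ike_requests:
                self.ike_requests.append(idx)
            q = self.pending.setdefault(idx, deque())
            if len(q) >= self.queue_limit:
                self.dropped += 1
            else:
                q.append(pkt)
            return None
        return self.protect(pkt, pol, sa)

    @staticmethod
    def protect(pkt: Packet, pol: Policy, sa: SA) -> Packet:
        esp = {"spi": sa.spi, "inner": pkt}   # stands in for the real ESP transform
        if pol.mode == "transport":
            return Packet(pkt.src, pkt.dst, "esp", esp)   # original IP header kept
        return Packet(pol.local, pol.remote, "esp", esp)  # new outer IP header

    def ike_complete(self, idx: int, spi: int) -> List[Optional[Packet]]:
        """IKE finished for policy idx: install the SA and drain the queued packets."""
        self.sad[idx] = SA(spi=spi, key=b"constructed-key-material")
        if idx in self.ike_requests:
            self.ike_requests.remove(idx)
        q = self.pending.pop(idx, deque())
        return [self.outbound(p) for p in q]


def build_demo_stack() -> IPSecStack:
    # Constructed SPD: intra-site traffic is bypassed, site-to-site traffic is
    # protected in tunnel mode, one host pair in transport mode, the rest discarded.
    return IPSecStack([
        Policy("10.1.0.0/16", "10.1.0.0/16", "bypass"),
        Policy("10.1.0.0/16", "10.2.0.0/16", "protect", "tunnel", "203.0.113.1", "198.51.100.1"),
        Policy("10.1.0.5/32", "192.0.2.9/32", "protect", "transport"),
        Policy("0.0.0.0/0", "0.0.0.0/0", "discard"),
    ])
```

Because `IPSecStack` holds nothing but the policy list, the SA table and the queues, the same object can be serialized and loaded on another node, which is the property section 3 below relies on for failover.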
Before encryption the channel is established lazily: if the tunnel does not exist, IKE negotiation runs first.

3. IPSec implements high availability flexibly. Hot standby is troublesome in OpenVPN, and load balancing is almost impossible unless traffic is split by network segment, but these are a piece of cake for IPSec: everything lives in the SADB and the SPD, and that is pure data that can be transmitted and synchronized to any machine, so any machine can take over the current IPSec state without users being disconnected. OpenVPN cannot synchronize its data because the data is tightly bound to the process, and a process's data segment cannot cross machines unless all of it is deep-copied, and a deep copy across machines is a very challenging task.

4. IPSec and NAT traversal. A tunnel is essentially encapsulation, either encapsulation at the same layer or reverse encapsulation at an upper layer; in fact, data can be encapsulated arbitrarily. The reason IPSec cannot cross NAT is that layer-4 verification of the pseudo header breaks. If all the data is encapsulated, the problem is bypassed, so a UDP tunnel is used: UDP does not have to verify the data (a UDP checksum is optional). Once NAT is detected between two VPN nodes, the tunnel data they exchange is encapsulated once more in UDP without a checksum (the check itself would not actually be a problem; omitting it is mainly for efficiency). All 5-tuples of the data flow are determined in the IKE negotiation phase. The only thing to note is that the VPN node behind the NAT must be the IKE initiator; otherwise you have to deal with UDP hole punching. After IKE completes, each side obtains its 5-tuple and uses it to encapsulate the UDP data. (Background knowledge for this section: IKE negotiates over UDP.)

5. IPSec combined with GRE is actually OpenVPN. You will find that IPSec plus GRE is just OpenVPN, implemented in kernel mode. GRE creates a virtual network card, routing sends the packets of interest to that card, and the IPSec policy is applied on the card: all data sent out of the card must be encrypted, and all data received on the card must be decrypted. Isn't that exactly the idea of OpenVPN? Although IPSec is symmetric (peer-to-peer) in configuration, in practice there is always an initiator; could data communication happen without one?

6. From the point of view of operating system concepts and system maintenance, a user-mode implementation has an advantage over a kernel-mode one, because user-mode APIs are far more uniform than kernel-mode APIs: the simplest example is that every operating system implements Berkeley sockets with the same interface, while at the kernel level the implementations differ greatly. This may be the reason OpenVPN has an edge over IPSec. However, in software engineering terms, IPSec's design of replaceable components better fits the principle of high cohesion and low coupling. Is it because modifiable operating system kernel protocol stacks are too complex? We can only hope for a user-mode protocol stack. Ironically, the protocol stacks of many embedded systems are in fact implemented in user mode, and some embedded systems make no distinction between kernel mode and user mode at all; in such a system, what are the advantages and disadvantages of OpenVPN and IPSec?

Note: integrating full-mesh and star topologies is an advantage of OpenVPN.
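The NAT traversal scheme of section 4 (ESP and IKE re-encapsulated in UDP once NAT is detected, with the UDP checksum left at zero), as an added Python example that is not from this post. The wire layout follows RFC 3948 (port 4500, ESP header directly after the UDP header, a four-byte zero "non-ESP marker" in front of IKE so the receiver can demultiplex, since SPI 0 is reserved); the packet dictionaries, the addresses and the `nat_rewrite` helper, which models only the address and port rewrite a NAT performs, are constructed for illustration. It shows the post's point about pseudo-header verification: a checksum computed by the sender is bound to the pre-NAT addresses and fails at the receiver unless something along the path repairs it, while a zero checksum carries no such dependency.

```python
import socket
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on port 4500 starts with 4 zero bytes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    # The pseudo-header is what ties a layer-4 checksum to the IP addresses
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)


def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum):
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if with_checksum:
        # RFC 768: a computed checksum of zero is transmitted as all ones
        c = inet_checksum(pseudo_header(src_ip, dst_ip, len(seg)) + seg) or 0xFFFF
        seg = seg[:6] + struct.pack("!H", c) + seg[8:]
    return {"src": src_ip, "dst": dst_ip, "udp": seg}


def verify_udp(pkt) -> bool:
    seg = pkt["udp"]
    if struct.unpack("!H", seg[6:8])[0] == 0:
        return True   # checksum omitted by the sender: nothing to verify
    return inet_checksum(pseudo_header(pkt["src"], pkt["dst"], len(seg)) + seg) == 0


def encap_esp_in_udp(outer_src, outer_dst, spi, seq, esp_body):
    # UDP-encapsulated ESP: ESP header (SPI, sequence) directly after the UDP header
    return build_udp(outer_src, outer_dst, NAT_T_PORT, NAT_T_PORT,
                     struct.pack("!II", spi, seq) + esp_body, with_checksum=False)


def encap_ike_in_udp(src, dst, ike_msg):
    # IKE moves to port 4500 after NAT detection; the marker lets the receiver tell it from ESP
    return build_udp(src, dst, NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + ike_msg, with_checksum=False)


def nat_rewrite(pkt, public_ip, public_port):
    """Model a NAT rewriting source address and port; the checksum field is not touched."""
    seg = bytearray(pkt["udp"])
    seg[0:2] = struct.pack("!H", public_port)
    return {"src": public_ip, "dst": pkt["dst"], "udp": bytes(seg)}


def demux(pkt):
    """Receiver side of port 4500: IKE if the first 4 bytes are zero, otherwise ESP."""
    body = pkt["udp"][8:]
    if body[:4] == NON_ESP_MARKER:
        return ("ike", body[4:])
    spi, seq = struct.unpack("!II", body[:8])
    return ("esp", spi, seq, body[8:])
```

The ESP body is treated as opaque bytes here; in tunnel mode the inner IP header travels inside it untouched, which is why the outer rewrite by the NAT is harmless, and the node behind the NAT initiating IKE is what creates the NAT mapping these outer 5-tuples rely on.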