Is IPSec not used anymore for prosumer VPN?

My prosumer firewall supports IPSec. My phone does, natively, and it’s working on all my laptops.

But while looking into newer gear, it seems that no one has IPSec VPN anymore. I’ve seen SSL, WireGuard, L2TP, and OpenVPN.

Just curious what protocols everyone is using for VPN since it seems I’m stuck in the dark ages.

Just from my experience, WireGuard seems to be the popular choice here recently.

What brands are you thinking of when you say “prosumer”?

Mikrotik and Ubiquiti gear supports IPsec.

IPsec is definitely still used, although for point to site connections things like openvpn and wireguard are becoming more popular.

I’ve been using openvpn for nearly 20 years and it has served me well. Lately I’ve been using wireguard and it is really easy to set up (no CA to manage, just exchange hex keys). Lately I’ve been really enamored with Zerotier (full mesh peer to peer overlay network).

I use OpenVPN. Wireguard is the new hotness but very few prebuilt devices support it out of the box.

In short, only use IPSec for site-to-site use cases. IPSec does not cut through NAT well whatsoever. For devices needing remote access, Wireguard and OpenVPN are solid choices.

I’ve moved off of IPSec to OpenVPN just for the extra functionality. It’s unfortunate that OpenVPN is not supported in the EdgerouterX GUI (but it is supported via CLI).

My corporate is still using IPSec to connect to external parties. But for homelab purposes, I’m definitely using WG for light weight & speed.

Are you sure about ubiquiti? I see some L2TP over IPSec, but not native IPSec.

I’ve been debating pfSense or Ubiquiti.

Same here, OpenVPN software is built into my router from the factory. So I don’t have to do anything other than set it up and turn it on. I’ve never noticed any kind of performance issues - though I’m already limited by the slow upload speeds of my home network. I don’t do any heavy file transfers - only to secure untrusted connections when I’m away from home.

I hear good things about Wireguard but there are several major limitations for me that make it useless: No VPN over TCP, no TAP support. Sometimes I require VPN over TCP while travelling to ensure I can get by simple VPN filtering I often encounter. I require TAP support for a few Android devices I use. So Wireguard isn’t even an option for me.

I’ve used IPSec with clients for a long time. But it seems I need to look into OpenVPN or WireGuard.

Important to note that IKE and IPsec do different things and aren’t replacements for each other. IKE is used in IPsec.

pfSense router with UniFi hardware would be my recommendation. Been a great combo for me so far.

I think most devices have L2TP/IPSec clients built in. For example, Windows 10 does, Android does. I don’t have any Apple products, but I assume that macOS and iOS would.

You can set up other protocols on Ubiquiti. I haven’t done it - I prefer to configure from the config tree where I can - or at least implement command line scripts that have a correlation to the config tree.

Just guessing, I’d assume that OpenVPN is the most popular overall for enthusiasts and Wireguard is generating the most buzz.

Ubnt absolutely supports IPsec

That said, each protocol has its uses.

Personally

IPsec (and v2) for LAN to LAN connections

Wireguard for road warriors (and PiHole)

SSTP for LAN to LAN connections over an LTE connection (on one side) as I’ve seen IPsec blocked.

IPSec is supported on the USG. I don’t know about the edge router but I would assume so.

My EdgeRouter X has an IPSec setting as well as an L2TP one. The IPSec does not include any L2TP settings but the L2TP has an area for IPSec settings. Documentation shows plenty of ways to set up IPSec that do not include a mention of L2TP settings.

No VPN over TCP, no TAP support.

Wow. There’s been so much hype about Wireguard this is actually the 1st time I’m hearing about any feature drawbacks. If you hop on r/homelab there are people who literally berate you for not using Wireguard, so thanks a lot for this.

Don’t bother with OpenVPN now that Wireguard is out. OpenVPN has a pretty significant performance hit. The only advantage that OpenVPN has is that you can push client config from the server, which is really useful if you want a split-tunnel VPN. If you add a new subnet for example, it’s trivial to push that route to all clients when they connect. With Wireguard, IPs and routes must be manually set on each client. IPSec allows dynamic IPs pushed from the server, but I don’t think you can push routes, DNS servers, etc.
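The point that WireGuard has no server push and each side's routing lives in its own AllowedIPs is illustrated by this added example (not code from the thread or from WireGuard): a Python check over a constructed wg-quick style server config, with placeholder keys, that flags peers whose AllowedIPs overlap before the config is loaded.

```python
import ipaddress

# Constructed wg-quick style server config, not from the thread; key values
# are placeholders. The phone stanza was copy-pasted from the laptop stanza
# and its AllowedIPs never changed, so two peers claim 10.8.0.2/32.
SERVER_CONF = """
[Interface]
Address = 10.8.0.1/24
PrivateKey = <server-private-key-placeholder>

[Peer]
PublicKey = <laptop-public-key-placeholder>
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = <phone-public-key-placeholder>
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = <branch-public-key-placeholder>
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24
"""

def parse_peers(conf):
    """Return [(public_key, [ip_network, ...]), ...], one entry per [Peer]."""
    peers = []
    for line in conf.splitlines():
        line = line.strip()
        if line == "[Peer]":
            peers.append(["", []])
        elif peers and line.startswith("PublicKey"):
            peers[-1][0] = line.split("=", 1)[1].strip()
        elif peers and line.startswith("AllowedIPs"):
            cidrs = line.split("=", 1)[1].split(",")
            peers[-1][1] = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]
    return [tuple(p) for p in peers]

def overlapping_allowed_ips(conf):
    """Return (key_a, key_b) pairs of peers whose AllowedIPs overlap.
    Server-side AllowedIPs is the cryptokey routing table: an allowed IP
    belongs to one peer only, so a duplicate silently moves the route to
    whichever peer was added last and the other peer stops getting traffic."""
    peers = parse_peers(conf)
    conflicts = []
    for i, (key_a, nets_a) in enumerate(peers):
        for key_b, nets_b in peers[i + 1:]:
            if any(a.overlaps(b) for a in nets_a for b in nets_b):
                conflicts.append((key_a, key_b))
    return conflicts
```

Run it against the server config before `wg-quick up`; the same check applies to a client's single `[Peer]` stanza, where AllowedIPs decides which destinations enter the tunnel (split tunnel versus `0.0.0.0/0`).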

I’ve generally replaced OpenVPN entirely with Wireguard, minus a couple of my VPSes which only need the VPN to talk to my syslog server. In those cases I haven’t replaced it partially out of laziness, but also because performance doesn’t matter and so that I can manage their config centrally from the VPN server.