We have been using OBSD VPN tunnels for a while now, since 3.5. We still have a handful of 3.5 systems running and have no issues.

We have approx 35 locations running all the time and the tunnels just work. We also have them connecting to our datacenter which, unfortunately, we have not had time yet to get off checkpoint NG. They connect and have zero issues, unless we apply an update to checkpoint and then we have to re-hup isakmpd or wait until the tunnels neg themselves. Usually, we just run a script remotely to do the re-hup for us from a trusted environment and it saves us a lot of time. We only update checkpoint after hours, but doing anything on OBSD is 100% perfect. We are replacing Checkpoint with 3.9 using 2 redundant systems this month. The back side of our network (datacenter) is gigabit and OBSD is working great for us. Let me say, checkpoint is toast for us, we are huge fans of OBSD isakmpd. Just hoping that SASYNC re-neg on failback works better in the next release of OBSD, but let me say, that is zero impact on our go forward, I love what the OBSD community has put together. Great OS

James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sven Ingebrigt Ulland
Sent: Monday, August 21, 2006 10:43 AM
To: [email protected]
Subject: Experience with isakmpd/ipsec in production?

We are about to deploy some fairly critical VPN functionality in our network, and for that purpose we're considering using OpenBSD with isakmp/ipsec. We've had a test setup running for some time now with no problems, but I'm interested in hearing about your long-term experiences with running openbsd ipsec/isakmpd in critical production environments. My excuses for the survey-ish feeling of this post.

How long have you been running openbsd isakmpd/ipsec (in production)? What problems, if any, have you had with the openbsd vpn implementations? Which of them are the most recurring? How do you usually fix them? Have you experienced any interoperability problems when establishing tunnels with peers that run other implementations (cisco, checkpoint, etc)? And if so, how do you work around those?

On the outside, it seems to me that the vpn implementation in openbsd is good and stable, which could also stem from the corporate funding it received. And the relevant files in cvs seem to be changed rather infrequently.. also a good sign. But I'm not familiar with the inside, which is what I was hoping you could help out with.

regards,
Sven U
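A check of the kind James describes running after a Checkpoint update, as an added example that is not part of this thread: it looks for ESP SAs in both directions for each expected peer and re-HUPs isakmpd only when a peer has dropped out. The peer addresses and sample output are constructed, and the `esp tunnel from A to B spi ...` line format is assumed from `ipsecctl -s sa` on OpenBSD 3.8 and later.

```shell
#!/bin/sh
# Added example (not from the thread): re-HUP isakmpd only when an expected
# peer no longer has ESP SAs in both directions, instead of blindly each time.
# Assumption: ipsecctl -s sa prints "esp tunnel from A to B spi 0x... ".

# Constructed sample of ipsecctl -s sa output: peer 198.51.100.1 is healthy,
# peer 203.0.113.7 has lost its inbound SA (only our outbound one remains).
SAMPLE_SA='esp tunnel from 192.0.2.1 to 198.51.100.1 spi 0x0a1b2c3d auth hmac-sha1 enc aes
esp tunnel from 198.51.100.1 to 192.0.2.1 spi 0x4e5f6a7b auth hmac-sha1 enc aes
esp tunnel from 192.0.2.1 to 203.0.113.7 spi 0x11223344 auth hmac-sha1 enc aes'

# missing_peers SA_OUTPUT "peer1 peer2 ...": prints each peer that lacks an
# inbound or outbound SA; returns 0 if any peer is missing, 1 if all are fine.
missing_peers() {
    sa_out=$1
    rc=1
    for peer in $2; do
        inbound=$(printf '%s\n' "$sa_out" | grep -Fc "esp tunnel from $peer to ")
        outbound=$(printf '%s\n' "$sa_out" | grep -Fc " to $peer spi ")
        if [ "$inbound" -eq 0 ] || [ "$outbound" -eq 0 ]; then
            echo "$peer"
            rc=0
        fi
    done
    return $rc
}

# check_and_rehup "peer1 peer2 ...": query the live kernel SAD and re-HUP
# isakmpd if something is missing. DRY_RUN=1 only logs the decision.
check_and_rehup() {
    sa_out=$(ipsecctl -s sa 2>/dev/null)
    if missing=$(missing_peers "$sa_out" "$1"); then
        logger -t ipsec-check "SAs missing for: $missing, re-HUPing isakmpd"
        [ "${DRY_RUN:-0}" = 1 ] || pkill -HUP isakmpd
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed sample (no root needed).
if [ "${1:-}" = demo ]; then
    missing_peers "$SAMPLE_SA" "198.51.100.1 203.0.113.7" || echo "all peers up"
fi
```

Run it from cron on the trusted host with the real peer list, and only peers that actually lost their SAs trigger the HUP.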

