[hipl-users] Re: Trying to understand OpenVPN instructions

  • From: Samu Varjonen <samu.varjonen@xxxxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Tue, 31 Mar 2009 18:26:03 +0300

Robert Moskowitz wrote:
Miika Komu wrote:
Robert Moskowitz wrote:

Hi,

A HIP and OpenVPN tunnel have roughly the same throughput. It is even possible to run HIP inside the OpenVPN tunnel, even though this seems to halve the throughput, at least without any optimizations.

What is a HIP tunnel?

BEET SA.

So this is not a well worded comparison. BEET packets are smaller than OpenVPN packets? In congested networks this may make a difference?

Running HIP-over-VPN has redundant crypto and smaller MTU. This halves the throughput. Please suggest how to rephrase?

Well, what value is there in running HIP over a VPN? Only thing I come up with is remote access to internal systems where there is no rule to allow HIP through the firewall and/or no way to map internal systems to external addressing (the eternal NAT traversal and/or topology hiding issue).

So where you NEED to run HIP within a VPN, you pay the price.
Can you configure OpenVPN to use LSIs?

I think the OpenVPN experiments were done using HITs.

Oh? I have never seen any documentation that OpenVPN supports IPv6. Can it do 6 over 6? 4 over 6? I have only seen 4 over 4.

AFAIK, the tunnel was created using HITs as inner addresses and VPN IPv4 virtual addresses as outer addresses.

Does this make sense?

Since this is HIP within VPN, yes. And not what I am looking for. This HIP-VPN orientation needs to be explicit in the manual pages.

According to Samu, there's htun (with proprietary crypto) and vtun as alternatives to OpenVPN. Particularly, tinc might be a good candidate.

vtun is IPv4 only, last I looked. Not familiar with htun or tinc.
Tinc claims to support IPv6.
http://www.tinc-vpn.org/

Almost like we DO have a use for ESP tunnel mode... :) But not really as there is the 6in4, 4in6 needs that ESP tunnel does not handle well?
Are you talking about plugging HIP over VPN or vice versa?

I need classic VPN capability over HIP in limited cases. Either I am on the road and need to access non-HIP systems within my home network (IPv6 or v4, I currently use SSH and want to use HIP instead), or I want to reach external non-HIP systems via a HIP mid-box and hide my internal address (use an address on the mid-box).
LSIs are implemented using raw sockets and iptables. I can imagine that there could be problems, but you never know for sure until you try.

I just thought LSIs for mobility if the VPN only supports IPv4 for the outer addressing.
--
BR,
Samu

"Programmer is an organism that changes caffeine into code"