version=pmwiki-2.2.130
name=Debate.Ipsec
author=jrmu
ctime=1610534284
time=1610534365
rev=3
targets=Openbsd.Iked

(:title IPSec, not WireGuard:)

# OpenBSD has a native IPSec implementation: [[openbsd/iked|IKED]]. It's easy to configure
# Using iked will allow us to force users to import us as a certificate authority, to bypass SSL censorship
# WireGuard "lacks cipher and protocol agility"
 # Many users/operating systems today lack WireGuard
 # Any users on an obsolete client will be unable to connect
 # Unnecessarily paranoid security

--> Imagine you have a VPN server with 200 road warrior clients somewhere out there in the world - which is a very normal use-case. If you were to change the cipher you are using from one day to the next one, you would need to upgrade your WireGuard software on all those laptops, phones, etc. at the same time. That is literally impossible. Administrators who have tried this needed months to deploy configuration changes. Sometimes even middle-sized companies need years to conduce a process like this.
--> Compatibility matters and although you are using some weaker cipher, for many this is no reason to shut down their business and cut off hundreds of sales people from doing their job. -- "[[https://blog.ipfire.org/post/why-not-wireguard|Why Not Wireguard]]"