Re: [pfSense] Open VPN or IPSec for site to site VPNs
Thanks all for the input. I have tested today with our guest network and main office and it has connected fine; the only issue was that a restart of racoon was needed. I had deleted the IPSec entry for the guest network and then set up the OpenVPN site-to-site link. It was up but couldn't route traffic (with an initial allow-all firewall rule on both sides). A restart of the racoon service and this was then routing / working. Will see how it goes with this initial test on 1 network. Many thanks for people's input, it is appreciated.

Gavin

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Open VPN or IPSec for site to site VPNs
On 20/04/12 21:32, Bob Gustafson wrote:
> On Fri, 2012-04-20 at 21:04 +0200, David Brown wrote:
>> On 20/04/12 20:08, Jim Pingle wrote:
>>> On 4/20/2012 12:23 PM, Gavin Will wrote:
>>>> Traditionally used IPSec VPN's for site to site links, however with replacing remote site routers with pfSense boxes I thought about using OpenVPN instead. Any pros/cons? I quite like the ability to push a route easily with OpenVPN.
>>>
>>> Off the top of my head...
>>> [...]
>>>
>>> Jim
>>
>> I'd add another couple of pros for OpenVPN:
>>
>> * It's easy to set up multiple independent OpenVPN VPN's on the same server or client, running on different ports on the same IP address.
>> * If you don't mind installing a little extra software, it is easy to use on lots of different clients.
>> * It's easy to set up an OpenVPN server in existing networks with minimal changes - all you need is a port forward from the firewall through to the OpenVPN server.
>>
>> We have several independent OpenVPN setups on a server, with clients able to connect with different accesses. And some of our users have multiple client setups on their laptops for connecting to many different servers.
>
> How does either of these VPN approaches compare with using SSH Tunneling? (see various Linux Journal articles on this subject)
>
> Bob G

A VPN gives you a connection from one network (or computer) to another. An SSH tunnel lets you tunnel a single TCP/IP connection over an SSH connection. So the ssh tunnel is far more limited (though that's sometimes a good thing), and in particular it is very inconvenient if you want to use UDP, ICMP, or other protocols. ssh is useful for ad-hoc and occasional holes in networks, but it's not a replacement for a VPN.
Re: [pfSense] Open VPN or IPSec for site to site VPNs
-----Original message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On behalf of Gavin Will
Sent: Friday 20 April 2012 18:23
To: pfSense support and discussion
Subject: [pfSense] Open VPN or IPSec for site to site VPNs

> Hi there,
>
> Traditionally used IPSec VPN's for site to site links, however with replacing remote site routers with pfSense boxes I thought about using OpenVPN instead. Any pros/cons? I quite like the ability to push a route easily with OpenVPN.
>
> Comments appreciated.
>
> Cheers
> Gavin

Hi Gavin,

The biggest con is the ability to route through the tunnel. Personally I found OpenVPN connections to be more stable than IPSEC VPNs.

Cheers,
Jochem
Re: [pfSense] Open VPN or IPSec for site to site VPNs
On 4/20/2012 12:23 PM, Gavin Will wrote:
> Traditionally used IPSec VPN's for site to site links, however with replacing remote site routers with pfSense boxes I thought about using OpenVPN instead. Any pros/cons? I quite like the ability to push a route easily with OpenVPN.

Off the top of my head...

Pros for OpenVPN:
* Plays nicer with NAT and other intermediate filtering, since it only requires a single UDP or TCP port
* Able to route traffic arbitrarily on a basic VPN setup
* No issues with reconnecting/disconnecting
* Easy to add secondary peers
* Very easy to set up a remote access VPN with authentication
* Shared key mode works well with OSPF for dynamic routing

Cons for OpenVPN:
* Little in the way of vendor compatibility, mainly only found on OSS firewalls
* People have a tendency to fear the unknown so they don't try it, or dislike it because it's unfamiliar. Once they drink the kool-aid though, they rarely stop. :-)

Pros for IPsec:
* Long-lived standard
* Many implementations on many devices, can usually build a tunnel to just about anything
* Fairly easy to build a tunnel between two firewalls
* Familiarity, many people use it because they have used it before.

Cons for IPsec:
* Long history of problems reconnecting/rebuilding tunnels
* Rare if devices support multiple peers
* Implementations between vendors can often have quirks
* Requires both UDP and ESP for tunneled traffic
* Remote access/mobile clients can have issues, but may work (see our ticket system for open issues)
* Lots of problems traversing NAT or behind restrictive firewalls/networks
* Routing arbitrary networks (not using Phase 2's in tunnel mode) requires IPsec in transport mode + GIF/GRE, which few vendors support.

Jim
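Two items in Jim's list decide most site-to-site designs: OpenVPN needs a single UDP port opened on the WAN, and the routing between the two LANs is declared in the VPN configuration itself rather than through IPsec phase 2 selectors. The configuration below is an added example written for this thread; it is not from the list, from pfSense or from the OpenVPN project (pfSense generates the equivalent directives from its GUI fields). The LAN subnets 192.168.1.0/24 and 192.168.2.0/24, the tunnel network 10.8.0.0/24, the hostname vpn-a.example.com, the file paths and the certificate names are all assumptions.

```conf
## Site A (hub) -- server.conf
## Assumed addressing: site A LAN 192.168.1.0/24, site B LAN 192.168.2.0/24,
## tunnel network 10.8.0.0/24. Hostnames and file names are placeholders.
dev tun
proto udp
port 1194                        # the only port the WAN firewall has to pass
topology subnet
server 10.8.0.0 255.255.255.0
ca   ca.crt
cert siteA.crt
key  siteA.key
dh   dh2048.pem
tls-auth ta.key 0                # HMAC on every control packet: unsigned probes
                                 # are dropped before any TLS work is done
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client           # peer must present a certificate with the client EKU
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
# Kernel route: site B's LAN is reachable through the tunnel interface ...
route 192.168.2.0 255.255.255.0
# ... and OpenVPN must know which connected client owns that LAN (ccd/siteB below).
client-config-dir ccd
# Push site A's LAN to the client so its kernel routes the return traffic back in.
push "route 192.168.1.0 255.255.255.0"
verb 3

## Site A -- ccd/siteB   (file name must equal the CN in site B's certificate)
iroute 192.168.2.0 255.255.255.0

## Site B (spoke) -- client.conf
client
dev tun
proto udp
remote vpn-a.example.com 1194    # placeholder hostname
nobind
ca   ca.crt
cert siteB.crt                   # CN=siteB, issued by the same CA as siteA.crt
key  siteB.key
tls-auth ta.key 1
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls server           # refuse any peer whose certificate lacks the server EKU
verify-x509-name siteA name      # and pin the expected server CN
persist-key
persist-tun
user nobody
group nobody
verb 3
```

With this layout only UDP/1194 has to be allowed on site A's WAN, against UDP/500, UDP/4500 (NAT-T) and IP protocol 50 (ESP) for an IPsec tunnel, which is the "single UDP port" point above. Traffic inside the tunnel is still subject to the firewall rules on the OpenVPN interface, so a tunnel that shows as up but passes nothing is normally missing one of three things: the `route` on the server, the matching `iroute` in the ccd file, or a pass rule on that interface. On releases that support it, `tls-crypt ta.key` on both ends can replace the two `tls-auth` lines and additionally encrypts the control channel.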
Re: [pfSense] Open VPN or IPSec for site to site VPNs
On Fri, 2012-04-20 at 21:04 +0200, David Brown wrote:
> On 20/04/12 20:08, Jim Pingle wrote:
>> On 4/20/2012 12:23 PM, Gavin Will wrote:
>>> Traditionally used IPSec VPN's for site to site links, however with replacing remote site routers with pfSense boxes I thought about using OpenVPN instead. Any pros/cons? I quite like the ability to push a route easily with OpenVPN.
>>
>> Off the top of my head...
>> [...]
>>
>> Jim
>
> I'd add another couple of pros for OpenVPN:
>
> * It's easy to set up multiple independent OpenVPN VPN's on the same server or client, running on different ports on the same IP address.
> * If you don't mind installing a little extra software, it is easy to use on lots of different clients.
> * It's easy to set up an OpenVPN server in existing networks with minimal changes - all you need is a port forward from the firewall through to the OpenVPN server.
>
> We have several independent OpenVPN setups on a server, with clients able to connect with different accesses. And some of our users have multiple client setups on their laptops for connecting to many different servers.

How does either of these VPN approaches compare with using SSH Tunneling? (see various Linux Journal articles on this subject)

Bob G
Re: [pfSense] Open VPN or IPSec for site to site VPNs
On Fri, Apr 20, 2012 at 9:23 AM, Gavin Will gavin.w...@exterity.com wrote:
> Hi there,
>
> Traditionally used IPSec VPN's for site to site links, however with replacing remote site routers with pfSense boxes I thought about using OpenVPN instead. Any pros/cons? I quite like the ability to push a route easily with OpenVPN.
>
> Comments appreciated.
>
> Cheers
> Gavin

Gavin,

I replaced my remote site routers with pfSense and went to OpenVPN a couple of years ago and haven't looked back. It's almost a set-it-and-forget-it situation since we have zero problems.

--
Oliver Hansen