Re: [pfSense] pfSense Routing - VPN's

Sun, 18 May 2014 12:32:28 -0700 

OpenVPN vs IPsec:
I find IPsec to be a bit more 'fussy' than OpenVPN, mainly because an IPsec setup with multiple tunnels to a single instance will share a single "logical" interface, making policy/rule management a bit more prone to human error, in contrast to OpenVPN where each site-to-site tunnel can appear as a discrete interface. Still, OpenVPN CAN manage multiple OpenVPN rules on a single interface for common rules if desired. (i.e. Allow any DNS). I also find IPsec can be a bit fussy with regard to ESP and its MTU issues, though pfSense makes it much easier with MSS clamping ONLY on IPsec tunnels, which eliminates the need to reduce the MTU on the WAN interface (and all interfaces bridged to WAN). Benefits of IPsec? Some day I'll meet someone who can tell me whether IPsec has any increased cryptographic strength for a given cipher/key/RNG combination due of the fact that the phase 2 re-keying is done in a quasi-out-of-band fashinon (i.e. using phase 1 IKE). In other words, I assume that cracking a phase-2 key would only benefit an attacker until the next phase-2 re-key, unless they have also cracked the phase-1 IKE. Cracking a phase-1 key exchange seems like it could be extremely difficult if (for example) a properly decrypted phase 1 IKE looks like entropy. 

Renumeration (re-IP'ing)

No need to renumerate the main branch in your example as long as the 
main branch isn't assigned a subnet mask of less than 24 bits (/23 , 
/16, /8, etc).  pfSense at the main branch will have interfaces (ergo 
routes) for each of the discrete 10.0.(4,5,6..n).0/24 tunnels, making 
routing to them implicit.  In your example, the 'spokes' off the main 
branch would need to be told to find your other LAN subnets via this 
tunnel. In OpenVPN it's done right in the tunnel configuraiton: (OpenVPN 
Advanced "route 10.0.0.0 255.255.0.0;".


Good luck.

On 5/18/2014 7:12 AM, Alex Threlfall wrote:

Interesting, we're not using OpenVPN at present, just the built in IPSEC
stuff in pfSense, what benefits are there in switching to OpenVPN?

So our main branch is say 10.0.4.0, and the other branches are 10.0.5.0,
10.0.7.0, 10.0.2.0 and 10.0.3.0, all /24's - would using this methodology
require me to re-ip the main branch?

--
Alex Threlfall
Cyberprog New Media
www.cyberprog.net



-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: 16 May 2014 07:55
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] pfSense Routing - VPN's

This is exactly what we do.

We make the hub the OpenVPN server, and the spokes the clients because
the hub IP is static, and we can manage all of the OpenVPN listeners on

one

instance.

If your whole network is a /16, and each spoke is a /24, all you need is a

route

directive on each of the spokes for the entire /16.  In OpenVPN Advanced
"route 192.168.0.0 255.255.0.0;"

You don't need any routing directives on the 'hub' because the addition of
each connection will take care of that.

With respect to rules:
We find it best to make the first rule on the hub's OpenVPN interface

this:

"Any source/port NOT destined for THIS hub subnet is allowed to pass".

That

way each branch can manage their ingress policy privately because the hub
will just route anything not destined for its subnet.

We also find it best to set up DNS forwarders to the spoke networks, i.e.
Hub: mybranch.mycompany.com dns dips are at 192.168.11.1.  Spokes can
dip the hub if so configured which can in turn dip OTHER spokes if so
configured.  Inverse lookups work too.  For example, add a dns forwarder

of

10.168.192.in-addr.arpa to allow inverse lookups in the spoke in the

subnet

192.168.10.0/24

It's been rock-solid for many years now!

Good luck.






On 5/16/2014 1:16 AM, A Mohan Rao wrote:


        its very simple...!
        first u have to configure a main vpn site to site vpn server at your
main branch then u can easily configure a b c etc.
        with share key and tunnel network.


        On Fri, May 16, 2014 at 2:53 AM, Alex Threlfall <a...@cyberprog.net>
wrote:


                Hi All,



                                I currently have a number of sites which

have VPN's

between them, with each site having a VPN to one another. This is becoming
harder to manage, we currently have 5 sites, (6 if you include my home)

and

it would make sense to me to adopt more of a star architecture with a

central

site.



                                However, I can't work out how to configure

this! Each

site has it's own /24 of private address, and I have a central branch. How

can I

configure things so that the if branch B needs to get to branch C, it

knows

that it must go via branch A?



                                Branch A has the best connectivity - bonded

FTTC's,

so would make sense as well as it being our "hub" branch for the stock
control system also.



                                Any advice would be appreciated!



                --

                Alex Threlfall

                Cyberprog New Media

                www.cyberprog.net





        _______________________________________________
                List mailing list
                List@lists.pfsense.org
                https://lists.pfsense.org/mailman/listinfo/list






        _______________________________________________
        List mailing list
        List@lists.pfsense.org
        https://lists.pfsense.org/mailman/listinfo/list




_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list






















					Reply via email to