Netgate Discussion Forum

Vpn appliance

  • C
    covex
    last edited by Mar 2, 2007, 9:33 PM

    Hello to all!
    I need to replace my old OpenBSD VPN server and am looking at monowall and pfSense as an alternative. I need a firewall with the ability to hold 150-200 VPN tunnels (3DES/MD5). I'm using a turbo DSL service (3 DSL lines combined together), 6mbps up and 1.5 down.
    All input on the hardware config for this kind of box is greatly appreciated!

    • H
      hoba
      last edited by Mar 2, 2007, 9:53 PM

      To saturate 6/1.5 mbit/s with IPsec you don't need too much horsepower. However, having some spare power won't hurt. You probably should have some memory in that machine, but besides that I would think a midrange box should serve you well.

      • C
        covex
        last edited by Mar 2, 2007, 10:05 PM

        Thanks!
        Something like a P4 2.8/1GB/2x 10/100 NICs. I've noticed everybody goes for Intel. Will 3Com do the job? Any special requirements for the CPU (Celeron vs P4) or memory? Do I have to worry about having PCI-X?
        Do I need additional encryption hardware?

        • H
          hoba
          last edited by Mar 2, 2007, 10:35 PM

          That box would already be overpowered for what you need, but it's better than running at the limits. Keep in mind, you just have to deliver 7.5 mb/s of encryption/decryption (WAN up/downstream). You don't need a VPN accelerator board for this. Intel or 3Com NICs are both fine. PCI-X is only needed for gigabit throughput.

          • C
            covex
            last edited by Mar 2, 2007, 11:05 PM

            I've just run a tunnel from a live CD pfSense box (P4/1GB RAM/3Com NICs) to a Netgear FVS318v3. With 3DES/MD5, when I connect to a remote PC with pcAnywhere everything is very slow, but AES128/SHA-1 is fine.
            Yesterday I tried monowall with 3DES/MD5 on the same box and the speed was OK.
            I have some Linksys BEFVP41 boxes in my setup that are not capable of running AES128.

            I need to add something…
            3DES/MD5 tunnels work faster on the older Linksys BEFVP41 than on the newer Netgear FVS318v3!!!

            • H
              hoba
              last edited by Mar 3, 2007, 2:12 AM

              Which version of pfSense did you test with? Is it already a snapshot that includes IPsec filtering? Also, which m0n0 version did you use for testing?

              • C
                covex
                last edited by Mar 3, 2007, 3:47 AM

                Whatever is posted in the download sections of their websites. CD version.

                • H
                  hoba
                  last edited by Mar 3, 2007, 3:50 AM

                  Please test with the latest snapshot. It's based on a newer FreeBSD version: http://snapshots.pfsense.com/FreeBSD6/RELENG_1/

                  • C
                    covex
                    last edited by Mar 3, 2007, 6:51 AM

                    It worked, thanks! Now it is about the same speed that I have on my old OpenBSD box. How stable is this snapshot? Is it safe to put it in a production environment?

                    What about monowall, will it be up to the task? I've read that it won't use more than 64MB of memory even under heavy load…

                    • H
                      hoba
                      last edited by Mar 3, 2007, 4:52 PM

                      The m0n0wall 1.3 branch and the snapshots run on FreeBSD 6.2 and, from my tests, perform pretty similarly. The pfSense RELENG1 snapshots are only bugfixes of 1.0.1 plus some small usability additions and a few minor new features. They are considered pretty stable, though we don't mark them as "stable" yet. See http://pfsense.blogspot.com/2007/01/102-beta-period-will-start-soon-5-9s.html

                      • C
                        covex
                        last edited by Mar 3, 2007, 6:43 PM

                        Thanks! I'll give pfSense a try…
                        One more question though.
                        I'm not familiar with BSD at all, but I know that my old BSD box is set up in such a way that every time I add a new remote location I don't have to do anything on the VPN server, just do the settings on the remote endpoint.
                        Is it possible to recreate this on pfSense, or do I have to set up each tunnel separately?

                        • H
                          hoba
                          last edited by Mar 3, 2007, 6:46 PM

                          Not sure how this is done in your old config, but you at least have to set up identifiers for the remote endpoints when using the mobile clients option.

                          • C
                            covex
                            last edited by Mar 3, 2007, 7:43 PM

                            Here is the isakmpd.conf file. Will it help?

                            # XXXXXXXXX Firewall @ HQ

                            ### What will actually connect
                            [Phase 1]
                            XXX.XXX.XXX.XXX =        Ics
                            Default=        Remote_store

                            [Phase 2]
                            Connections=            Hq-ics,Hq-remote

                            # Define the gateways

                            [Ics]
                            Phase=                  1
                            Transport=              udp
                            Local-address=          XXX.XXX.XXX.XXX
                            Address=                XXX.XXX.XXX.XXX
                            Configuration=          Default-main-mode
                            Authentication=        xxxxxxxx

                            [Remote_store]
                            Phase=                  1
                            Transport=              udp
                            Local-address=          XXX.XXX.XXX.XXX
                            Configuration=          Default-main-mode
                            Authentication=        xxxxxxxx

                            # Define the connections

                            [Hq-ics]
                            Phase=                  2
                            ISAKMP-peer=            Ics
                            Configuration=          Default-quick-mode
                            Local-ID=              Net-hq
                            Remote-ID=              Net-ics

                            [Hq-remote]
                            Phase=                  2
                            ISAKMP-peer=            Remote_store
                            Configuration=          Default-quick-mode
                            Local-ID=              Net-hq
                            Remote-ID=              Net-remote

                            # Define the networks

                            [Net-ics]
                            ID-type=                IPV4_ADDR_SUBNET
                            Network=                192.168.2.0
                            Netmask=                255.255.255.0

                            [Net-hq]
                            ID-type=                IPV4_ADDR_SUBNET
                            Network=                192.168.1.0
                            Netmask=                255.255.255.0

                            [Net-remote]
                            ID-type=                IPV4_ADDR_SUBNET
                            Network=                192.168.0.0
                            Netmask=                255.255.0.0

                            # Global settings

                            [Default-main-mode]
                            DOI=                    IPSEC
                            EXCHANGE_TYPE=          ID_PROT
                            Transforms=            3DES-MD5

                            [Default-quick-mode]
                            DOI=                    IPSEC
                            EXCHANGE_TYPE=          QUICK_MODE
                            Suites=                QM-ESP-3DES-MD5-SUITE

                            • H
                              hoba
                              last edited by Mar 3, 2007, 8:23 PM

                              Do you use the same identifier for all tunnels? Not sure if this will work with the mobile client option, but you can give it a try. See http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ for how to set up such a scenario.

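An added example (not from the thread, pfSense or isakmpd): a small Python reader for the isakmpd.conf format posted above that shows why the hub never needed a change when a new store came online. The Phase 1 `Default` entry catches every peer address without an explicit entry and hands it the shared `Remote_store` configuration; that catch-all is what the pfSense mobile clients option has to stand in for. The peer address and section names in the sample are constructed, and sections not involved in peer selection are left out.

```python
import ipaddress

# Constructed sample in the style of the isakmpd.conf posted above (placeholder
# peer address; sections not needed for peer selection are left out).
ISAKMPD_CONF = """\
[Phase 1]
203.0.113.10=   Ics
Default=        Remote_store
[Phase 2]
Connections=    Hq-ics,Hq-remote
[Hq-ics]
ISAKMP-peer=    Ics
Remote-ID=      Net-ics
[Hq-remote]
ISAKMP-peer=    Remote_store
Remote-ID=      Net-remote
[Net-ics]
Network=        192.168.2.0
Netmask=        255.255.255.0
[Net-remote]
Network=        192.168.0.0
Netmask=        255.255.0.0
"""

def parse(text):
    # isakmpd.conf is INI-like: [Section] headers, 'Key= value' lines, '#' comments
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        else:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf

def select_peer(conf, remote_ip):
    # Phase 1 maps a remote address to a peer section; an exact match wins and anything
    # else falls through to Default, so a new store needs no hub-side entry.
    # Returns (peer, matched via Default?, remote networks that peer may claim).
    phase1 = conf["Phase 1"]
    peer = phase1.get(remote_ip, phase1.get("Default"))
    nets = []
    for name in conf["Phase 2"]["Connections"].split(","):
        conn = conf[name.strip()]
        if conn["ISAKMP-peer"] == peer:
            net = conf[conn["Remote-ID"]]
            nets.append(str(ipaddress.ip_network(f"{net['Network']}/{net['Netmask']}")))
    return peer, remote_ip not in phase1, nets
```

The third element of the result is the point hoba's identifier question turns on: every peer that arrives via `Default` is allowed to claim the whole 192.168.0.0/16, so nothing in the hub config tells one store from another.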
                              • C
                                covex
                                last edited by Mar 3, 2007, 9:46 PM

                                Am I using an identifier??!!  :o ;D

                                • C
                                  covex
                                  last edited by Mar 5, 2007, 7:32 PM

                                  As far as I know this is the only config file I have for all my tunnels.
                                  In pfSense it always asks for the remote gateway IP, so I guess there is no way to set it up like I wanted  :(

                                  • H
                                    hoba
                                    last edited by Mar 5, 2007, 7:36 PM

                                    Try the mobile IPsec option like I told you before and have a look at the tutorial I posted. You will see that one end just waits for incoming connections without knowing where the connections are coming from.

                                    • C
                                      covex
                                      last edited by Mar 6, 2007, 3:13 AM

                                      Hmmm… I tried this tutorial, but when I did I must have been smoking the wrong pipe. I see now where I went wrong. I'll try it again tomorrow.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.