Netgate Discussion Forum
    Need help choosing which vpn platform to use, ipsec/l2tp or openvpn

    Category: Routing and Multi WAN
    17 Posts 3 Posters 1.3k Views
    elementalwindx

      I'm setting up a site to multi site vpn. HQ to remote sites. I need to be able to have full accessibility to all the remote sites and all devices connected to it.

      Which would be the best to use? The HQ uses pfsense, all the remote sites use mikrotik.

      Thanks.

      Rico (LAYER 8 Rebel Alliance)

        In a nutshell: IPsec is faster, OpenVPN more flexible.
        Personally I go with OpenVPN for all my 50 Sites and Remote Access Server.

        -Rico

        elementalwindx

          If I go with openvpn, won't I have to go into the server to add a new openvpn server for each remote site? I'm trying to avoid that.

          Or wouldn't I have to make some kind of change to the server like add the new remote sites subnet?

          If not, how do I go about doing this?

          Thanks!

          johnpoz (LAYER 8 Global Moderator)

            doesn't mikrotik support openvpn? I thought it did?

            If it does, it would be just the work of setting up the site2sites... How many do you have?

            Quick google - first hit
            https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            elementalwindx

              It does support openvpn, but not sure how I would push my remote sites subnet through the client side of openvpn in a way that I don't have to touch the server.

              johnpoz (LAYER 8 Global Moderator)

                Do you have overlaps in your network space? You're going to have to touch the routers at each site to set up the VPN.

                But that is just a 1 time thing..


                elementalwindx

                  They all have separate subnets.

                  IE:
                  HQ 10.0.0.0/24
                  Site A 10.0.1.0/24
                  Site B 10.0.2.0/24
                  Site C 10.0.3.0/24
                  Site D 10.0.4.0/24

                  I don't mind setting up some kind of config in the sites client side. That's the ideal method I'm looking for.
                  I just need HQ to be able to talk to sites and sites to talk back to HQ. Don't need any sites to talk to the other sites. (That could be a plus though if whatever way I choose does this)

                  Rico (LAYER 8 Rebel Alliance)

                    To have the HQ talking to Remote Sites or vice versa and Remote Site to Remote Site (HQ acting as Hub there) will work with either OpenVPN or IPsec.

                    -Rico

                    Rico (LAYER 8 Rebel Alliance)

                      Check out this great hangout: https://www.netgate.com/resources/videos/site-to-site-vpns-on-pfsense.html
                      I bet this will clear up 99% of your questions. ☺

                      -Rico

                      elementalwindx

                        Any idea how?

                        I've got HQ and Site A hooked up, but they don't ping each other.

                        What I did was in the server side, I didn't put anything in the remote network field.

                        If I put the 10.0.1.0/24 subnet in the remote network field, it'll ping just fine. So it seems somewhere I have to enter an IP into the server for each site I add. (I'm trying to avoid that)

                        Rico (LAYER 8 Rebel Alliance)

                          Yes you need to specify the IPv4 Remote Networks box.
                          What is the problem with this? I don't get your point...

                          -Rico

                          elementalwindx @Rico

                            @Rico

                            I'm trying to avoid entering a long string of 50+ remote subnets into the server. There is a possibility this could grow to 100+ sites quickly.

                            Rico (LAYER 8 Rebel Alliance)

                              Is your typing this slow? 😝 Entering 50 subnets in one box is like max. 3 minutes. 😂 As johnpoz said this is some one time thing.
                              You go with PKI now? You have some more configuration like CSO per Site anyway.
                              If you go with shared key you can have only one Site per Server Instance anyway.
                              I go with PKI with one Instance per Site to spread the load.
                              In short: You can't run any VPN without some administrative work...

                              -Rico

                              elementalwindx
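                              The hub-side bookkeeping Rico is describing (an "IPv4 Remote Networks" entry so the kernel routes each spoke LAN into the tunnel, plus a Client Specific Override per spoke so OpenVPN knows which client owns that LAN) is the part that grows with the site count, and johnpoz's overlap question is the check that has to run before each new site is added. The script below is an added example, not code from the thread or from pfSense; it generates those entries for the subnets elementalwindx listed and refuses a new spoke whose LAN collides with anything already routed. The certificate CNs, the tunnel network 10.255.0.0/24 and the site table are constructed for the example.

```python
"""Generate the hub-side OpenVPN routing entries for a pfSense hub with
MikroTik spokes (site-to-site, PKI, one server instance).

Every spoke needs two things on the hub:
  1. a kernel route for its LAN into the tunnel: the "IPv4 Remote Networks"
     box on the pfSense server, which becomes an OpenVPN `route` directive;
  2. an `iroute` in that spoke's Client Specific Override (OpenVPN's
     client-config-dir file), keyed by the spoke certificate's CN, so OpenVPN
     knows which connected client the LAN sits behind.
Without (1) packets never enter the tunnel; without (2) OpenVPN cannot pick
the right client and drops them.  Both are derived from the same site table.
"""
import ipaddress
from itertools import combinations

# Constructed sample data: the LANs from the thread, assumed cert CNs, and an
# assumed "IPv4 Tunnel Network" for the server instance.
HUB_LAN = "10.0.0.0/24"
TUNNEL = "10.255.0.0/24"
SITES = {                      # certificate CN -> spoke LAN (CIDR)
    "site-a": "10.0.1.0/24",
    "site-b": "10.0.2.0/24",
    "site-c": "10.0.3.0/24",
    "site-d": "10.0.4.0/24",
}


def _nets(sites):
    # strict=True rejects a prefix with host bits set (e.g. 10.0.1.5/24)
    return {cn: ipaddress.ip_network(lan, strict=True) for cn, lan in sites.items()}


def find_overlaps(sites, hub_lan=HUB_LAN, tunnel=TUNNEL):
    """Sorted list of (name, name) pairs whose prefixes overlap.

    The hub LAN and the tunnel network take part in the check: a spoke LAN that
    overlaps either cannot be routed across the tunnel at all.
    """
    nets = _nets(sites)
    nets["hub"] = ipaddress.ip_network(hub_lan, strict=True)
    nets["tunnel"] = ipaddress.ip_network(tunnel, strict=True)
    return sorted(
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb)
    )


def remote_networks_field(sites):
    """Comma-separated value for the server's "IPv4 Remote Networks" box."""
    return ",".join(str(n) for n in _nets(sites).values())


def route_directives(sites):
    """The OpenVPN `route` lines pfSense derives from that box (one per spoke)."""
    return [f"route {n.network_address} {n.netmask}" for n in _nets(sites).values()]


def cso_directives(sites):
    """Per-spoke Client Specific Override bodies, keyed by certificate CN."""
    return {cn: [f"iroute {n.network_address} {n.netmask}"] for cn, n in _nets(sites).items()}


def add_site(sites, cn, lan, hub_lan=HUB_LAN, tunnel=TUNNEL):
    """Onboard a new spoke, refusing any LAN that collides with an existing one."""
    candidate = {**sites, cn: lan}
    bad = [pair for pair in find_overlaps(candidate, hub_lan, tunnel) if cn in pair]
    if bad:
        raise ValueError(f"{cn} {lan} overlaps existing prefixes: {bad}")
    return candidate


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES))
    print("IPv4 Remote Networks:", remote_networks_field(SITES))
    for line in route_directives(SITES):
        print("server:", line)
    for cn, body in cso_directives(SITES).items():
        print(f"CSO {cn}:", *body)
```

Adding a fifth site is `add_site(SITES, "site-e", "10.0.5.0/24")` and re-running the generators; the server box, the `route` list and the new CSO all come from the same table, which is the one place that has to be edited per site.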

                                If I go full mikrotik I get it to work the way I want, but I'm partial to pfsense and it's already in their network.

                                In MikroTik what I do is set up a normal IPsec/L2TP server, then for each new site I create a secret (basically a client login/password). Inside that secret I can specify a route such as 10.0.1.0/24 172.16.16.5/24 1 (172... is the VPN tunnel address), and when the client connects to the VPN server, a route is automatically added to the VPN server's table, so everyone at HQ knows where 10.0.1.0 is.

                                I'm trying to achieve this same goal in pfSense. It doesn't appear pfSense has a similar secrets section, so IPsec doesn't seem to be the way to go in this pfSense/MikroTik combo. Generating an SSL for each new client would be too much of a pain in the butt. Looking for something as simple as I can get, like described above.

                                  johnpoz (LAYER 8 Global Moderator)

                                  Again this is not a problem, and takes all of a couple of minutes to set up... Did you watch the hangout linked by Rico?


                                    elementalwindx @johnpoz

                                    @johnpoz said in Need help choosing which vpn platform to use, ipsec/l2tp or openvpn:

                                    Again this is not a problem, and takes all of a couple of minutes to set up... Did you watch the hangout linked by Rico?

                                    According to that video, I have a hub and spoke design, although I don't need the remote sites to talk to each other so no need for 2+ connections at the remote sites, just one.

                                    According to the video it looks like if I use OpenVPN, I'd have to create an OpenVPN server for each remote site, or an SSL for each remote site. Definitely don't want to do this.

                                    It appears that possibly using mobile ipsec with multiple phase 2's might be the way to go.

                                    In the video around 37:00 he talks about defining multiple phase 2 for multiple sites in his non-mobile client ipsec tunnel. So if I went this way, what would be the purpose of specifying the remote server? Also if multiple servers from multiple public ips are connecting to it, how would the remote server field even work?

                                      johnpoz (LAYER 8 Global Moderator)

                                      Just because you have a hub, i.e. your HQ, doesn't mean your remotes (spokes) need to talk to each other through it, or even have to be allowed to.

                                      You don't need to set up site2site if all you want is for the remotes to log into HQ, but if you want to be able to get to the spokes from HQ it's much easier to set up site2site, etc.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.