Netgate Discussion Forum

    Need help choosing which vpn platform to use, ipsec/l2tp or openvpn

    Routing and Multi WAN
    17 Posts 3 Posters 1.3k Views
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      Doesn't MikroTik support OpenVPN? I thought it did.

      If it does, it would just be the work of setting up the site-to-sites... How many do you have?

      Quick Google search, first hit:
      https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • E
        elementalwindx
        last edited by

        It does support OpenVPN, but I'm not sure how I would push my remote site's subnet through the client side of OpenVPN in a way that doesn't require me to touch the server.

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          Do you have overlaps in your network space? You're going to have to touch the routers at each site to set up the VPN.

          But that is just a 1 time thing..


          • E
            elementalwindx
            last edited by elementalwindx

            They all have separate subnets.

            I.e.:
            HQ 10.0.0.0/24
            Site A 10.0.1.0/24
            Site B 10.0.2.0/24
            Site C 10.0.3.0/24
            Site D 10.0.4.0/24

            I don't mind setting up some kind of config on the sites' client side. That's the ideal method I'm looking for.
            I just need HQ to be able to talk to the sites and the sites to talk back to HQ. I don't need any site to talk to the other sites. (That could be a plus, though, if whatever way I choose does this.)

            • RicoR
              Rico LAYER 8 Rebel Alliance
              last edited by

              Having HQ talk to the remote sites (or vice versa), and remote site to remote site (with HQ acting as the hub), will work with either OpenVPN or IPsec.

              -Rico

              • RicoR
                Rico LAYER 8 Rebel Alliance
                last edited by

                Check out this great hangout: https://www.netgate.com/resources/videos/site-to-site-vpns-on-pfsense.html
                I bet this will clear up 99% of your questions. ☺

                -Rico

                • E
                  elementalwindx
                  last edited by elementalwindx

                  Any idea how?

                  I've got HQ and Site A hooked up, but they don't ping each other.

                  What I did was, on the server side, I didn't put anything in the remote network field.

                  If I put the 10.0.1.0/24 subnet in the remote network field, it pings just fine. So it seems that somewhere I have to enter an IP into the server for each site I add. (I'm trying to avoid that.)

                  • RicoR
                    Rico LAYER 8 Rebel Alliance
                    last edited by

                    Yes you need to specify the IPv4 Remote Networks box.
                    What is the problem with this? I don't get your point...

                    -Rico

                    • E
                      elementalwindx @Rico
                      last edited by elementalwindx

                      @Rico

                      I'm trying to avoid entering a long string of 50+ remote subnets into the server. There is a possibility this could grow to 100+ sites quickly.

                      • RicoR
                        Rico LAYER 8 Rebel Alliance
                        last edited by

                        Is your typing this slow? 😁 Entering 50 subnets in one box takes max. 3 minutes. 😂 As johnpoz said, this is a one-time thing.
                        You go with PKI now? You have some more configuration like CSO per Site anyway.
                        If you go with shared key you can have only one Site per Server Instance anyway.
                        I go with PKI with one Instance per Site to spread the load.
                        In short: You can't run any VPN without some administrative work...

                        -Rico

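To show what Rico's "CSO per site" amounts to for the address plan elementalwindx posted above, here is an added Python example (not from the thread, pfSense or MikroTik) that checks the site prefixes for overlap and generates the equivalent plain OpenVPN server `route` lines and per-client `iroute` override files; the certificate CN names and the 172.16.16.0/24 tunnel network are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample inventory (client certificate CN -> site LAN), using the plan from the thread.
SITES: Dict[str, str] = {
    "site-a": "10.0.1.0/24",
    "site-b": "10.0.2.0/24",
    "site-c": "10.0.3.0/24",
    "site-d": "10.0.4.0/24",
}
HQ_LAN = "10.0.0.0/24"
TUNNEL_NET = "172.16.16.0/24"  # assumed OpenVPN tunnel network on the hub


def find_overlaps(sites: Dict[str, str], hq_lan: str, tunnel: str) -> List[str]:
    """Answer johnpoz's question: return every pair of prefixes that overlap (empty list = clean plan)."""
    nets = {"hq": ipaddress.ip_network(hq_lan), "tunnel": ipaddress.ip_network(tunnel)}
    nets.update({cn: ipaddress.ip_network(s) for cn, s in sites.items()})
    names = sorted(nets)
    return [f"{a} {nets[a]} overlaps {b} {nets[b]}"
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def server_routes(sites: Dict[str, str]) -> List[str]:
    """Hub-side kernel routes sending each site LAN into the tunnel
    (what the server's 'IPv4 Remote Networks' box produces on pfSense)."""
    nets = [ipaddress.ip_network(s) for s in sites.values()]
    return [f"route {n.network_address} {n.netmask}" for n in nets]


def ccd_files(sites: Dict[str, str]) -> Dict[str, str]:
    """Per-client override files (client-config-dir/<CN>): 'iroute' tells OpenVPN which
    connected client owns a LAN, which a plain 'route' cannot express on a multi-client server."""
    out = {}
    for cn, s in sites.items():
        n = ipaddress.ip_network(s)
        out[cn] = f"iroute {n.network_address} {n.netmask}\n"
    return out


if __name__ == "__main__":
    conflicts = find_overlaps(SITES, HQ_LAN, TUNNEL_NET)
    if conflicts:
        raise SystemExit("address plan has overlaps:\n  " + "\n  ".join(conflicts))
    print("# append to server.conf (requires 'client-config-dir ccd')")
    print("\n".join(server_routes(SITES)))
    for cn, body in ccd_files(SITES).items():
        print(f"# ccd/{cn}\n{body}", end="")
```

On pfSense, the `route` lines correspond to the server's IPv4 Remote Networks box and each `iroute` file to a Client Specific Override matched on that certificate's CN.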
                        • E
                          elementalwindx
                          last edited by elementalwindx

                          If I go full MikroTik I can get it to work the way I want, but I'm partial to pfSense and it's already in their network.

                          In MikroTik, what I do is set up a normal IPsec/L2TP server, then for each new site I create a secret (basically a client login/password). Inside that secret I can specify a route such as 10.0.1.0/24 172.16.16.5/24 1 (172... is the VPN tunnel address), and when the client connects to the VPN server, a route is automatically added to the VPN server's table, so everyone at HQ knows where 10.0.1.0 is.

                          I'm trying to achieve this same goal in pfSense. It doesn't appear that pfSense has a similar secrets section, so IPsec doesn't seem to be the way to go in this pfSense/MikroTik combo. Generating an SSL certificate for each new client would be too much of a pain in the butt. I'm looking for something as simple as I can get, like described above.

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Again, this is not a problem, and takes all of a couple of minutes to set up... Did you watch the hangout linked to by Rico?


                            • E
                              elementalwindx @johnpoz
                              last edited by

                              @johnpoz said in Need help choosing which vpn platform to use, ipsec/l2tp or openvpn:

                              Again, this is not a problem, and takes all of a couple of minutes to set up... Did you watch the hangout linked to by Rico?

                              According to that video, I have a hub and spoke design, although I don't need the remote sites to talk to each other so no need for 2+ connections at the remote sites, just one.

                              According to the video, it looks like if I use OpenVPN I'd have to create an OpenVPN server for each remote site, or an SSL certificate for each remote site. I definitely don't want to do this.

                              It appears that using mobile IPsec with multiple phase 2s might possibly be the way to go.

                              In the video around 37:00 he talks about defining multiple phase 2s for multiple sites in his non-mobile-client IPsec tunnel. So if I went this way, what would be the purpose of specifying the remote server? Also, if multiple servers from multiple public IPs are connecting to it, how would the remote server field even work?

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz

                                Just because you have a hub, i.e. your HQ, doesn't mean your remotes (spokes) need to talk to each other through it, or even have to be allowed to..

                                You don't need to set up site-to-site if all you want is for the remotes to log into HQ, but if you want to be able to get to the spokes from HQ, it's much easier to set up site-to-site, etc..


                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.