Netgate Discussion Forum
New 3..8 site L2L VPN setup - OpenVPN or IPSEC ?
9 Posts, 2 Posters, 730 Views
bingo600:

Hello

I have an existing 4 site L2L IPSEC network, using Cisco ASA EZVPN (NEM mode).

I'd like to replace all ASAs with pfSense (Core i5 dual core / 8MB RAM) and either OpenVPN or IPSEC.
The primary reason is that the Cisco EZVPN (ASA) in NEM mode is only allowing one "inside" net.
And I need to do multi VLAN on each site.

The central site will be offering misc "services" to the remote sites, i.e. several VoIP PABXes for testing.

But I still think I'll allow local internet exits, meaning a dynamic routing protocol might come in handy, as def-gw would be local.

What would you recommend for a new design?
IPSEC or OpenVPN between the sites?

I might have to run a few Centran OpenVPN L2L to external PABX providers too.

TIA
Bingo
BW from each site would be "moderate", i.e. 10..30MB/s peak, and I'm sure the i5 would handle that fine.

Would yo

If you find my answer useful - Please give the post a 👍 - "thumbs up"

pfSense+ 23.05.1 (ZFS)

QOTOM-Q355G4 Quad Lan.
CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

bingo600:

Ohh btw. I'm NOT interested in TAP L2 mode, only L3 TUN mode.
Would I still be able to do OSPF (w. some tricks), or do I have to do BGP?

/Bingo

Derelict (LAYER 8, Netgate):

@bingo600 said in New 3..8 site L2L VPN setup - OpenVPN or IPSEC ?:

    10..30MB/s peak

Is that megabytes (MB, 80 - 240 megabits) or 10 - 30 megabits (Mb)??

Do the remote sites need to communicate with each other?

Are you running a routing protocol now?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

bingo600:

@Derelict

OOpz my bad ... Meant Mbit/s (Mb) not MByte/s

It would be nice if the sites could communicate with each other.
I have no routing right now (well, the ASAs' NEM routes), a /24 per site.

I could do it with static routes, and assign a 10.x.0.0/16 per site.
Then route 10.0.0.0/8 from each site to the central.

It might be more KISS, instead of fighting OSPF (FRR) over a tunnel.
OSPF understanding (Cisco version) I have a lot of.

/Bingo

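To see what the static-route plan in the post above implies end to end, here is an added example (Python; not code from the thread, from pfSense or from FRR). It models one 10.x.0.0/16 per site, a 10.0.0.0/8 route from every remote site over its tunnel to the central site, and the local default gateway for everything else, then traces where a packet ends up. It goes one step beyond the post: the central site also gets a discard route for 10.0.0.0/8, so traffic to a /16 nobody owns is dropped at the hub instead of leaking to the ISP. Site names, site ids and which site is central are constructed for the example.

```python
"""Added example, not code from the thread, pfSense or FRR: a model of the
static-route plan described above (one 10.x.0.0/16 per site, 10.0.0.0/8 from
every remote site to the central site, everything else out the local ISP).
Site names, their ids and which one is central are constructed here."""
from ipaddress import IPv4Network, ip_address, ip_network

SUPERNET = ip_network("10.0.0.0/8")
DEFAULT = ip_network("0.0.0.0/0")
TUNNEL = "tunnel-to-"

# constructed: the second octet is the site id, so "india" owns 10.4.0.0/16
SITES = {"central": 1, "site-a": 2, "site-b": 3, "india": 4}


def site_supernet(site_id: int) -> IPv4Network:
    """Site N owns 10.N.0.0/16; N must fit in the second octet."""
    if not 0 <= site_id <= 255:
        raise ValueError("site id must be 0..255")
    return ip_network(f"10.{site_id}.0.0/16")


def build_routes(sites: dict, central: str) -> dict:
    """Return {site: [(prefix, next hop), ...]}, longest prefix first.

    Remote site: own /16 connected, 10/8 -> tunnel to central, default -> ISP.
    Central:     own /16 connected, one /16 per remote -> that remote's tunnel,
                 10/8 -> discard (unassigned RFC1918 space must neither leak to
                 the ISP nor bounce back over a tunnel), default -> ISP.
    """
    if len(set(sites.values())) != len(sites):
        raise ValueError("two sites share a site id; their /16s would overlap")
    nets = {name: site_supernet(i) for name, i in sites.items()}
    tables = {}
    for name, net in nets.items():
        routes = [(net, "connected")]
        if name == central:
            routes += [(onet, TUNNEL + other)
                       for other, onet in nets.items() if other != central]
            routes.append((SUPERNET, "discard"))
        else:
            routes.append((SUPERNET, TUNNEL + central))
        routes.append((DEFAULT, "local-isp"))
        routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
        tables[name] = routes
    return tables


def lookup(table: list, dst: str) -> str:
    """Longest-prefix match; the default route guarantees a hit."""
    addr = ip_address(dst)
    for net, next_hop in table:
        if addr in net:
            return next_hop
    raise LookupError(dst)


def trace(tables: dict, src_site: str, dst: str) -> tuple:
    """Follow next hops site by site and report where the packet ends up."""
    path, here = [src_site], src_site
    for _ in range(len(tables) + 1):          # bound the walk: a loop is a bug
        next_hop = lookup(tables[here], dst)
        if next_hop == "connected":
            return path, "delivered"
        if next_hop == "local-isp":
            return path, "internet"
        if next_hop == "discard":
            return path, "discarded"
        here = next_hop[len(TUNNEL):]
        path.append(here)
    raise RuntimeError(f"routing loop for {dst}: {path}")


if __name__ == "__main__":
    tables = build_routes(SITES, "central")
    for src, dst in [("site-a", "10.3.5.5"), ("site-a", "8.8.8.8"),
                     ("site-a", "10.9.1.1"), ("central", "10.4.0.10")]:
        print(src, "->", dst, trace(tables, src, dst))
```

Site-to-site traffic always transits the hub (site-a to site-b goes via central), internet traffic leaves locally, and a destination inside 10.0.0.0/8 that no site owns is discarded at the hub. The duplicate-id check matters in practice: two sites assigned the same /16 would silently blackhole one of them.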
Derelict (LAYER 8, Netgate):

@bingo600 said in New 3..8 site L2L VPN setup - OpenVPN or IPSEC ?:

    It would be nice if the sites could communicate with each other.

Hmm. That seems like it would either be required or not. Not be a nice-to-have.

bingo600:

Ok

Intersite communication is required.

/Bingo

Derelict (LAYER 8, Netgate):

At those data rates you can use either OpenVPN or IPsec. IPsec VTI with OSPF sounds like a fun project. You could easily do it with a supernet as you described too.

bingo600 (last edited by bingo600):

I'll watch the VTI hangaround video.
IPsec VTI doesn't mean anything to me right now (besides, I suppose VTI might be Virtual Tunnel IF).

Any hints/pointers/examples are most welcome.

But i.e. one box goes to India, so onsite visits to fix small probs. are not well seen.

If I'm thinking logistics as in fast replacement boxes, what Netgate boxes with min. 3 LANs would do the job? I have a budget of $400 / box. Can those (Netgate boxes) be pulled up from "blank to webaccess" via RS-232 (and a USB boot "stick")?

The Q's (hope Ivar isn't around) are excellent, but replacements and low-level "boot prepare" could be an issue.

/Bingo

bingo600 (last edited by bingo600):

Maybe this one gives the basic setup (use FRR instead), or?

https://help.pureport.com/support/solutions/articles/43000485827-vpn-config-guide-pfsense-route-based-vpn-with-bgp

On further thought (& reading), I think I'll skip VTI for now.
It seems to be quite a new feature, and I'll get trouble if I lose a site halfway around the world.

Maybe I should just stick with OpenVPN & static routes.

I have an L2L OpenVPN @home -> Summerhouse, using certificates & the full monty.

Would there be any significant disadvantage in using a Loooong shared key for this setup??

Or should I go for a CA on the central site & distribute the certs from there?

/Bingo

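For the shared-key versus CA question in the post above, an added example (Python; not code from the thread, from pfSense or from the OpenVPN project) that parses a site-to-site OpenVPN config, tells static-key mode from TLS/PKI mode, and reports what each mode costs operationally when a remote box is lost. Both configs below are constructed for the example; the hostnames and key paths are placeholders.

```python
"""Added example (not from the thread, pfSense or OpenVPN): classify a
site-to-site OpenVPN config as static-key or TLS mode and list what the
operator gives up in each. Configs, hostnames and paths are constructed."""
import re

# constructed: the "Loooong shared key" variant, one `secret` at both ends
STATIC_KEY_CONF = """\
dev tun
remote vpn.central.example 1194
secret /var/etc/openvpn/site-a.secret
ifconfig 10.8.0.2 10.8.0.1
"""

# constructed: the per-site certificate variant with a CA on the central site
PKI_CONF = """\
dev tun
remote vpn.central.example 1194
ca /var/etc/openvpn/ca.crt
cert /var/etc/openvpn/site-a.crt
key /var/etc/openvpn/site-a.key
tls-crypt /var/etc/openvpn/tls.key
remote-cert-tls server
crl-verify /var/etc/openvpn/crl.pem
"""

_INLINE = re.compile(r"^<(\w[\w-]*)>$")


def parse_directives(text: str) -> dict:
    """Map directive name -> argument list. Inline <x>...</x> blocks count as
    directive x with no arguments; comment and blank lines are skipped."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if inline:                      # inside <x> ... </x>: skip the body
            if line == f"</{inline}>":
                inline = None
            continue
        m = _INLINE.match(line)
        if m:
            inline = m.group(1)
            found[inline] = []
            continue
        name, *args = line.split()
        found[name] = args
    return found


def classify(text: str) -> dict:
    """Return {"mode": ..., "findings": [...]} for one peer's config."""
    d = parse_directives(text)
    result = {"mode": "unknown", "findings": []}
    if "secret" in d:
        result["mode"] = "static-key"
        result["findings"] += [
            "one pre-shared key serves both ends and every session: a key "
            "recovered from either box decrypts that link in both directions, "
            "past captures included (static-key mode has no forward secrecy)",
            "no per-peer identity: the only way to cut off a lost site is to "
            "re-key every peer that shares the key",
            "no CA, so nothing to revoke; rotation is the only response",
        ]
    elif all(k in d for k in ("ca", "cert", "key")):
        result["mode"] = "tls"
        if "remote-cert-tls" not in d:
            result["findings"].append(
                "remote-cert-tls missing: any certificate signed by the CA, "
                "another site's included, would be accepted as the server")
        if "tls-auth" not in d and "tls-crypt" not in d:
            result["findings"].append(
                "no tls-auth/tls-crypt: handshake packets from anyone reach "
                "the TLS stack instead of being dropped on the wire")
        if "crl-verify" not in d:
            result["findings"].append(
                "crl-verify missing: a revoked site certificate is still "
                "accepted until it expires")
    return result


if __name__ == "__main__":
    for name, conf in (("static", STATIC_KEY_CONF), ("pki", PKI_CONF)):
        print(name, classify(conf))
```

The point for a box that "goes to India": with a CA on the central site, a lost remote means revoking one certificate and pushing a new CRL to the hub; with one shared secret, every site that shares it has to be re-keyed, which is exactly the onsite visit the post wants to avoid.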
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.