site-to-site vpn, ipsec or openvpn



  • hello and thanks for reading this,
    I need to set up site-to-site between my sg-1110 physical netgate appliance and pfsense servers running in azure and aws.
    I have no idea which way to go and the ramifications of each.
    One thing I am concerned about is that any computer on one side can access any computer on the other side. So I am going to need to write firewall rules and as of now, I do not know too much about firewall rules.
    I noticed that under the firewall section, there is a tab dedicated to openvpn but not for ipsec, I am curious as to why there is no section for ipsec.

    so thanks for reading and hopefully replying,


  • Netgate Administrator

    OpenVPN is actually faster on the SG-1100 from what I have tested, for policy based at least. On most hardware that's not the case. Likely it won't be once we have the SG-1100 crypto driver in place.
    OpenVPN is more flexible but that might not be necessary for a site-to-site tunnel. For multiple tunnels though you can assign each one and then apply separate firewall rules to each tunnel which sounds like it might be something you need.
    For IPSec you get a single tab (once you have enabled a tunnel) that applies rules to traffic coming in across all tunnels.

    Steve



  • hello stephen,
    the reason I was leaning towards openvpn is, I have been using and paying for an openvpn access server from openvpn.net. one thing about openvpn is it is easy to set up laptops to connect to openvpn server over the internet.
    Perhaps I could do ipsec for site-to-site and openvpn for 'road warriors'.

    I guess the problem is too many options and I am too confused.

    I remember, it was in the 1980's that my uncle, from a small and backwards country, came to America and wanted a bag of potato chips. we went to the supermarket and there were too many choices, he was too overwhelmed and walked out of the store, with no chips.

    thanks


  • Netgate Administrator

    Well you could do either or both! But I suggest you use OpenVPN as it's currently faster on the SG-1100 and will allow you to apply different firewall rules to traffic arriving from different sites.

    Steve



  • hi, I am not concerned that openvpn is faster than ipsec.
    i just need an easy quick way to set up a site-to-site vpn between my sg1000 and my azure pfsense.
    I am finding using openvpn on azure cloud close to impossible. it seems that pfsense does not work easily in azure and there is no documentation on the changes needed to get openvpn to work in azure.
    has anyone set up an ipsec site-to-site between a netgate appliance and azure pfsense?

    thanks,


  • Netgate Administrator

    I already replied on your other thread but switching to IPSec would not help. The openvpn tunnel is working fine, it's the routing in Azure that is causing your problem.

    Steve



  • for what it is worth, I have an openvpn server from openvpn.net and it was super easy to set up and use. no command lines and no routes, it just worked from the get go.
    that is why I was asking if ipsec might be easier in azure.


  • Netgate Administrator

    In Azure? I'm not sure how it works, they may be able to enable IP forwarding on the interface for their image. pfSense isn't always a VPN server though so it wouldn't be appropriate to do that.

    You need to do 3 things.

    Disable NAT if you need to be able to connect from Azure hosts to hosts at the other end of the tunnel.

    Enable IP forwarding on the Azure interface for the pfSense VM.

    Add a route in Azure to the remote subnet via the pfSense WAN IP.

    Steve
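    The three Azure-side changes Steve lists, as an added example that is not code from this thread or from Netgate: steps 2 and 3 as Azure CLI ("az") commands, with step 1 noted as a pfSense-side setting. The resource group, NIC, route table, VNet and subnet names and the 192.168.10.0/24 and 10.0.0.4 addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Azure-side setup for a pfSense VPN
# VM using the Azure CLI ("az"). Every resource name and address is a
# constructed placeholder; replace them with your own.
set -eu

# Execute a command, or only print it when DRY_RUN=1 so the plan can be
# reviewed before anything in the subscription is changed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 2: let the pfSense VM's NIC forward packets it did not originate.
# Azure drops forwarded traffic (e.g. replies heading into the tunnel) on a
# NIC without this flag, whatever pfSense itself is configured to do.
enable_ip_forwarding() {
  rg="$1"; nic="$2"
  run az network nic update --resource-group "$rg" --name "$nic" \
      --ip-forwarding true
}

# Step 3: a user-defined route sending the remote site's subnet to pfSense.
# The next hop is the private VNet address of the pfSense WAN NIC (the
# "WAN IP" inside Azure), not the VM's public IP.
add_remote_route() {
  rg="$1"; rt="$2"; remote_cidr="$3"; pfsense_ip="$4"; vnet="$5"; subnet="$6"
  run az network route-table create --resource-group "$rg" --name "$rt"
  run az network route-table route create --resource-group "$rg" \
      --route-table-name "$rt" --name to-remote-site \
      --address-prefix "$remote_cidr" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$pfsense_ip"
  # Attach the table to the subnet whose hosts must reach the remote site.
  run az network vnet subnet update --resource-group "$rg" \
      --vnet-name "$vnet" --name "$subnet" --route-table "$rt"
}

# Step 1 (disable NAT) is done in pfSense, not Azure: Firewall > NAT > Outbound,
# per Steve's note above, when Azure hosts must reach hosts across the tunnel.

if [ "${1:-}" = "apply" ]; then
  enable_ip_forwarding rg-vpn nic-pfsense-wan
  add_remote_route rg-vpn rt-to-onprem 192.168.10.0/24 10.0.0.4 vnet-prod subnet-app
fi
```

    Run it once with `DRY_RUN=1 sh script.sh apply` to see the exact commands, then without DRY_RUN to apply them.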



  • please remove calum11 from this forum, as he is trying to promote a commercial company that has nothing to do with my posts.
    I am going to report calum11 and ask that this person be removed from the forum.



  • i have reported to the forum moderators that calum11 should be removed from the forum for spam and abusive posts.
    boycott veepn!!!


  • Netgate Administrator

    That user has been removed.

