Multi-site IPSEC VPN Routing
-
There are ways to make parallel tunnels to make something like this happen with such different subnets, but it would be easier to make tunnels from Site1-Site2.
Unless you want this pfSense to restrict traffic between these two sites ;)
-
Just build that into the IPSec firewall rules on those two sites.
Is it technically possible to route over multiple IPsec tunnels?
Or how could it be done, i.e. with parallel tunnels?
-
IPsec is not routed. You can't send arbitrary traffic over an IPsec tunnel like you can with OpenVPN. You'd have to set up multiple parallel tunnels, one for each subnet, or use 2.0 and define multiple phase 2 networks for each phase 1 definition.
-
Hi jimp,
Is it the same for different networks behind pfSense?
For example:
Main Office pfSense 10.0.0.0/24 <--- IPsec VPN ---> pfSense Site 1 - 192.168.1.0/24 --- Site 1 Router B (NoNAT) - 172.16.1.0/24
pfSense Site 1 has a static route to network 172.16.1.0/24.
How to reach subnet 172.16.0.0/24 from the main office through the tunnel, is it possible?
cya
EDIT:
Hi Jimp, you already answered my question.
http://forum.pfsense.org/index.php/topic,25492.0.html
Thx
-
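To make jimp's point concrete (IPsec is policy-based, so each subnet pair needs its own phase 2, whereas a routed VPN carries whatever the routing table points at the tunnel), here is an added Python model of the topology spiritbreaker posted above. It is not code from the thread or from pfSense; the host addresses, the Router B gateway 192.168.1.254, the interface names and the 172.16.0.0/12 summary route are constructed for the example.

```python
# Added example (not from the forum thread or pfSense): contrasts IPsec's
# policy-based traffic selection with OpenVPN-style route-based selection,
# using the thread's three subnets. Hosts, gateway and interface names are
# constructed values.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 entry (traffic selector): local subnet <-> remote subnet."""
    local: IPv4Network
    remote: IPv4Network

    def covers(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote


def ipsec_select(src: IPv4Address, dst: IPv4Address,
                 phase2s: List[Phase2]) -> Optional[Phase2]:
    """Policy-based selection: a packet is protected only if some phase 2
    covers its (src, dst) pair. With no match the tunnel is never consulted,
    no matter what static routes exist on either side."""
    for p2 in phase2s:
        if p2.covers(src, dst):
            return p2
    return None


def route_select(dst: IPv4Address,
                 routes: List[Tuple[IPv4Network, str]]) -> Optional[str]:
    """Route-based selection (OpenVPN-style): longest-prefix match picks the
    egress interface; anything routed at the tun interface is carried."""
    best: Optional[Tuple[IPv4Network, str]] = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


# Topology as posted in the thread.
MAIN_OFFICE = ip_network("10.0.0.0/24")
SITE1_LAN = ip_network("192.168.1.0/24")
ROUTER_B_LAN = ip_network("172.16.1.0/24")   # behind Site 1's Router B (NoNAT)

# Constructed hosts for the worked run.
MAIN_HOST = ip_address("10.0.0.10")
SITE1_HOST = ip_address("192.168.1.20")
ROUTER_B_HOST = ip_address("172.16.1.30")
INTERNET_HOST = ip_address("203.0.113.7")


def main_office_phase2s(with_extra_phase2: bool) -> List[Phase2]:
    """Main office SPD. pfSense 2.0 allows several phase 2 entries under one
    phase 1; the second entry is what makes 172.16.1.0/24 reachable."""
    policies = [Phase2(MAIN_OFFICE, SITE1_LAN)]
    if with_extra_phase2:
        policies.append(Phase2(MAIN_OFFICE, ROUTER_B_LAN))
    return policies


def ipsec_decision(dst: IPv4Address, with_extra_phase2: bool) -> str:
    """'tunnel' if the main office protects MAIN_HOST -> dst, else 'bypass'."""
    hit = ipsec_select(MAIN_HOST, dst, main_office_phase2s(with_extra_phase2))
    return "tunnel" if hit else "bypass"


# Route-based equivalent on the main office side: a summary route at the tun
# interface already covers 172.16.1.0/24 without any per-subnet policy.
MAIN_OFFICE_ROUTES = [
    (ip_network("0.0.0.0/0"), "wan"),
    (ip_network("172.16.0.0/12"), "ovpns1"),   # constructed summary route
    (SITE1_LAN, "ovpns1"),
]

# Site 1 pfSense after decryption: the static route from the thread is what
# forwards the packet on to Router B (gateway address constructed).
SITE1_ROUTES = [
    (ip_network("0.0.0.0/0"), "wan"),
    (SITE1_LAN, "lan"),
    (ROUTER_B_LAN, "lan via 192.168.1.254"),
]


if __name__ == "__main__":
    for dst in (SITE1_HOST, ROUTER_B_HOST):
        print(dst, "ipsec one P2:", ipsec_decision(dst, False),
              "| ipsec two P2:", ipsec_decision(dst, True),
              "| routed:", route_select(dst, MAIN_OFFICE_ROUTES))
    print("Site 1 forwards", ROUTER_B_HOST, "via", route_select(ROUTER_B_HOST, SITE1_ROUTES))
```

The Site 1 end needs the mirror phase 2 (172.16.1.0/24 <-> 10.0.0.0/24) or the ESP traffic will not be accepted there, and Router B, being NoNAT, needs its own route for 10.0.0.0/24 back toward the Site 1 pfSense. The routed model shows the flip side the later posts discuss: because any prefix routed at the tun interface is carried, a routed VPN relies on firewall rules rather than traffic selectors to limit what crosses.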
Hit me hard if I'm wrong, but I think you should be able to route OpenVPN tunnels..
-
Yes, you can. OpenVPN can be routed however you like. If you need to pass a bunch of random subnets over a VPN, it's definitely the way to go. Some people are stuck with IPsec if they connect to third-party vendor equipment though.
-
Hi,
I never tried OpenVPN for site-to-site. But I have to connect to a Checkpoint FW, so it's no option for me.
Cya
-
I know, I know…
This is such a pile of rubbish, OpenVPN is so much more flexible than IPsec, IPsec is more secure.. It's really like over-Bruce himself said, IPsec is still the most secure way to secure IP, but still a disappointment in regards to implementation.. It's almost always the case that you would use OpenVPN but have to get along with IPsec because of compatibility (mobile clients, your case, etc..)
Sorry everyone for this IPsec rant, but I had to get rid of this…
Now, I feel so much better :)
spiritbreaker, did you set your additional tunnels up and are they working fine now?
-
Why do you say that IPsec is more secure than OpenVPN?
Both can use similar encryption algorithms as well as keys for authentication…
-
I am not in the position to answer that exactly, but I believe people like Niels Ferguson or even Bruce Schneier, who analyzed the IPsec protocol multiple times, found that IPsec was a great disappointment concerning the complexity.. but that IPsec would be the best way to secure IP.
I never said that OpenVPN would be secure, since both provide a level of security which someone would expect from a VPN. OpenVPN even has the advantage of being far more flexible (routing, etc..) than IPsec. But for site-to-site, i.e., I use IPsec. That could be my personal affection, originating from everything I read, i.e. these forums, and from my imagination that IPsec has a more secure negotiation and is implemented so complexly that it could even become an advantage.
But again, I'm not an expert in terms of VPNs of any type.
-
I agree with you that IPsec is much more complex to set up. I'm just concerned about how OpenVPN is "less secure", as I use it a lot! I'm guessing that IPsec's added "security" is that by nature it will only pass the single subnet that the tunnel was set up for, while OpenVPN will pass anything. Given this, OpenVPN requires a greater level of "firewalling" when it comes to site-to-site VPNs with OpenVPN.
Don't think it matters too much with road warriors though..
Edit: OpenVPN can pass any arbitrary subnet, however the IP addresses of the OpenVPN endpoints have to remain constant as set in the OpenVPN config and given out at connection time.
-
No, personally I don't think you have to worry. It's just like saying I hang my stuff 30 feet high so no one could reach it (under normal circumstances, before someone tells me, yes, but if..) and then saying it would be more secure to hang it 35 feet high.
OpenVPN has no flaws like, let's say, PPTP with its weak password hashing or poor encryption keys..
To me it would be fine if everybody (universities, big networking companies, OS providers, etc..) would do SSL VPNs as their standard, but unfortunately they don't. E.g. on iPhones, which don't support installing third-party devices (tun, tap), you don't have much choice, or if you have to connect to third-party vendor stuff…
It depends on the implementation (I heard IPsec with NAT-T is not an ace either), on the technology being used, on the use case, on so many things.. But I'm glad that pfSense does them all.