Site to Site Recommendations



  • Hello All.

    I have a client who is currently using a point-to-point connection with AT&T. (They utilize Cisco routers and VoIP.) The client wants to reduce the monthly cost of the point-to-point setup between his two sites. So, this is when I met "pfSense". Would you recommend OpenVPN for this type of setup, and if so, where are the guides for the basics of setting up pfSense, getting the rules working, and getting OpenVPN set up between the 2 sites?

    I have seen some material on one of these related pfSense sites saying that OpenVPN doesn't filter traffic well. What features of OpenVPN and pfSense in general need a little more maturity, if any?

    Any comments would be greatly appreciated.



  • If you want guidance on OpenVPN, the OpenVPN site is the best place ;)

    As for filtering traffic, at this point pfSense doesn't support applying filtering to the OpenVPN interface(s).  ISTR that this will change with a future release (maybe 1.3).  If restricting traffic to the site networks matters then you're probably best off simply using the pfSense hosts as VPN endpoints IMO.



  • Is it possible to achieve site to site VPN using the pfSense built-in PPTP functionality?

    I am currently not having much luck with it. I can easily connect and use it with the Windows XP VPN client but cannot do it between two pf boxes.  From the 'connecting' pf box I get a series of:

    mpd: [pptp] device: DOWN event in state OPENING
    mpd: [pptp] device is now in state DOWN
    mpd: [pptp] link: DOWN event
    mpd: [pptp] LCP: Down event
    mpd: [pptp] device: OPEN event in state DOWN
    mpd: [pptp] pausing 7 seconds before open
    mpd: [pptp] device is now in state DOWN
    mpd: [pptp] device: OPEN event in state DOWN
    mpd: [pptp] pausing 1 seconds before open
    mpd: [pptp] device is now in state DOWN
    mpd: [pptp] device: OPEN event in state DOWN
    mpd: pptp0: connecting to x.x.x.x:1723
    mpd: [pptp] device is now in state OPENING

    and from the server:

    mpd: [pt0] IFACE: Close event
    mpd: [pt0] device is now in state CLOSING
    mpd: [pt0] bundle: CLOSE event in state OPENED
    mpd: [pt0] closing link "pt0"…
    mpd: [pt0] device: DOWN event in state CLOSING
    mpd: [pt0] device is now in state DOWN
    mpd: [pt0] link: CLOSE event
    mpd: [pt0] LCP: Close event
    mpd: [pt0] LCP: state change Stopped --> Closed
    mpd: [pt0] device: DOWN event in state DOWN
    mpd: [pt0] device is now in state DOWN
    mpd: [pt0] link: DOWN event
    mpd: [pt0] LCP: Down event
    mpd: [pt0] LCP: state change Closed --> Initial
    mpd: [pt0] LCP: phase shift ESTABLISH --> DEAD
    mpd: [pt0] link: DOWN event
    mpd: [pt0] LCP: Down event
    mpd: pptp0: killing connection with x.x.x.x:54802

    Any advice would be appreciated.

    Thanks



  • PPTP != OpenVPN, I'd suggest you try the VPN sub-forum instead.

    If you're doing this between 2 pfSense hosts I'd suggest either IPsec or OpenVPN rather than PPTP.



  • Thanks for your suggestion, I'll look further into IPsec or OpenVPN.  Is there any particular reason why these are better, or are they simply more appropriate for site-to-site connectivity?



  • Excellent howto found right here: http://files.pfsense.org/mirror/tutorials/openvpn/pfsense-ovpn.pdf

    This has everything you need to set up a basic site-to-site tunnel.

    As for why OpenVPN is better, have a read here: http://www.sans.org/reading_room/whitepapers/vpns/1459.php



  • I decided to go down the IPsec route. After banging my head against the wall and meticulously looking at the configurations to ensure they were the same at both ends, I managed to get it working.  I say got it working; I really mean I left it and went home, and when I came in the next day it had magically connected. I probably lost a day's worth of effort due to my own impatience.

