VPN ipsec with one end using dynamic ip changing every 12hours

zenkovac · Jun 26, 2015, 12:50 AM

Hi, is it possible to use dynamic vpn in pfsense?
With one end using dynamic ip changing every 12hours, the pfsense box will have static ip.
i have heard about using dyndns but this is for 500 end points so dyndns is out.

doktornotor · Jun 26, 2015, 6:58 AM

What's "end point"?

zenkovac · Jun 26, 2015, 12:31 PM

its 500 peers :)

doktornotor · Jun 26, 2015, 2:42 PM

That did not help! What's "peers"? There's mobile IPsec, so I completely fail to see what's the deal with changing IPs here, unless you are connecting 500 sites that change their IPs every 12 hours.

zenkovac · Jun 26, 2015, 4:59 PM

a peer is a remote gateway, what i mean is that the cisco routers have public ip addresses that change every 12 hours.
using ipsec lan-to-lan not mobile ipsec.
Doing some testing i found i can configure 0.0.0.0 as the remote gateway and 0.0.0.0/0 as the remote network so its working now.

doktornotor · Jun 26, 2015, 5:02 PM

Good luck with this "setup".

vbentley · Jun 26, 2015, 11:30 PM

I have had IPsec site to site running with dynamic IPs at each end with RSA certificate authentication for testing but I prefer to have the hub site on a static IP. I use dynamic dns hostnames and put a reference to that host name in the cert as a 'DNS:' entry.

I am intrigued on your architecture for supporting 500 VPN tunnels. How many concentrators are you deploying? I am using two hardware crypto accelerators in each pfSense endpoint for a theoretical 1Gbps throughput but the reality is that VPN's put a lot of load on PC based hardware solutions.

Darkk · Jun 28, 2015, 12:27 AM

Well, 500 VPN tunnels probably not a huge impact on a server with Xenon or some high end quad processors if the peers are single users. I am running OpenVPN AS on a VM running average 75 users without breaking a sweat.

Site to Site VPN supporting large offices would make huge difference in performance so hardware crypto is a must. I'd imagine AES-NI in the CPU would help.

It boils down how much traffic is being sent and received at the hub sever.

zenkovac · Jul 1, 2015, 2:50 AM

hi sorry for the delay, the pfense will be deployed under ESX on a DualXeonE5-2630V3 64GB RAM, the server will also contain 2 vm's for media delivery and proxy.
I was thinking on only one concentrator, didnt know of the existence of hardware crypto accelerators.
100mbps of throughput is required over vpn. will this hardware suffice?
Server specs:
https://secure.iweb.com/en/classicServerFlex/classicServerFlex/?id=38d2233b4574e196403bbacfcf533339

The peers are cisco using vpn ipsec lan-to-lan with x.509 certificates.

edit: read about AES-NI, will this boost even if using 3des/sha?