VPN IPsec with one end using a dynamic IP changing every 12 hours
- 
 Hi, is it possible to use dynamic VPN in pfSense? 
 With one end using a dynamic IP changing every 12 hours, the pfSense box will have a static IP.
 I have heard about using DynDNS, but this is for 500 end points so DynDNS is out.
- 
 What's "end point"? 
- 
 It's 500 peers :) 
- 
 That did not help! What's "peers"? There's mobile IPsec, so I completely fail to see what's the deal with changing IPs here, unless you are connecting 500 sites that change their IPs every 12 hours. 
- 
 A peer is a remote gateway. What I mean is that the Cisco routers have public IP addresses that change every 12 hours. 
 Using IPsec LAN-to-LAN, not mobile IPsec.
 Doing some testing, I found I can configure 0.0.0.0 as the remote gateway and 0.0.0.0/0 as the remote network, so it's working now.
- 
 Good luck with this "setup". 
- 
 I have had IPsec site to site running with dynamic IPs at each end with RSA certificate authentication for testing, but I prefer to have the hub site on a static IP. I use dynamic DNS hostnames and put a reference to that host name in the cert as a 'DNS:' entry. I am intrigued by your architecture for supporting 500 VPN tunnels. How many concentrators are you deploying? I am using two hardware crypto accelerators in each pfSense endpoint for a theoretical 1Gbps throughput, but the reality is that VPNs put a lot of load on PC based hardware solutions. 
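
The 'DNS:' certificate entry mentioned in the post above, as an added example that is not part of the original thread: it builds a throwaway self-signed certificate carrying a subjectAltName DNS entry and checks a claimed peer identity against it by name, independent of the peer's current IP. The hostnames, file names and function names are placeholders, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Constructed example: all names below are placeholders, not values from the thread.
set -eu

PEER_FQDN="site1.dyn.example.net"   # hypothetical dynamic DNS name of one spoke

# make_peer_cert <fqdn> <outdir>
# Self-signed RSA test certificate. The CN is deliberately generic so that the
# identity lives only in the SAN 'DNS:' entry.
make_peer_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=spoke" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/peer.key" -out "$2/peer.crt" 2>/dev/null
}

# cert_matches_id <cert> <fqdn>
# Succeeds only if the certificate covers the claimed FQDN. -checkhost prints
# "does match" or "does NOT match", so the verdict is taken from its output.
cert_matches_id() {
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q "does match certificate"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_peer_cert "$PEER_FQDN" "$workdir"

# Show the SAN extension as it would appear when inspecting a peer certificate.
openssl x509 -in "$workdir/peer.crt" -noout -ext subjectAltName

# One identity the certificate covers and one it does not.
for claimed in "$PEER_FQDN" "site2.dyn.example.net"; do
    if cert_matches_id "$workdir/peer.crt" "$claimed"; then
        echo "accept: $claimed"
    else
        echo "reject: $claimed"
    fi
done
```

When the remote gateway is left open to any source address, this name-to-certificate binding, together with the CA that signed the certificate, is what distinguishes one peer from another.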
- 
 Well, 500 VPN tunnels are probably not a huge impact on a server with Xeon or some high end quad processors if the peers are single users. I am running OpenVPN AS on a VM running an average of 75 users without breaking a sweat. Site to Site VPN supporting large offices would make a huge difference in performance, so hardware crypto is a must. I'd imagine AES-NI in the CPU would help. It boils down to how much traffic is being sent and received at the hub server. 
- 
 Hi, sorry for the delay. The pfSense will be deployed under ESX on a Dual Xeon E5-2630 V3 with 64GB RAM; the server will also contain 2 VMs for media delivery and proxy. 
 I was thinking of only one concentrator, didn't know of the existence of hardware crypto accelerators.
 100 Mbps of throughput is required over VPN. Will this hardware suffice?
 Server specs:
 https://secure.iweb.com/en/classicServerFlex/classicServerFlex/?id=38d2233b4574e196403bbacfcf533339
 The peers are Cisco using VPN IPsec LAN-to-LAN with X.509 certificates.
 Edit: read about AES-NI, will this boost even if using 3DES/SHA?