VPN ipsec with one end using dynamic ip changing every 12hours
Hi, is it possible to use dynamic vpn in pfsense?
With one end using dynamic ip changing every 12hours, the pfsense box will have static ip.
i have heard about using dyndns but this is for 500 end points so dyndns is out.
What's "end point"?
its 500 peers :)
That did not help! What's "peers"? There's mobile IPsec, so I completely fail to see what's the deal with changing IPs here, unless you are connecting 500 sites that change their IPs every 12 hours.
a peer is a remote gateway, what i mean is that the cisco routers have public ip addresses that change every 12 hours.
using ipsec lan-to-lan not mobile ipsec.
Doing some testing i found i can configure 0.0.0.0 as the remote gateway and 0.0.0.0/0 as the remote network so its working now.
Good luck with this "setup".
I have had IPsec site to site running with dynamic IPs at each end with RSA certificate authentication for testing but I prefer to have the hub site on a static IP. I use dynamic dns hostnames and put a reference to that host name in the cert as a 'DNS:' entry.
I am intrigued on your architecture for supporting 500 VPN tunnels. How many concentrators are you deploying? I am using two hardware crypto accelerators in each pfSense endpoint for a theoretical 1Gbps throughput but the reality is that VPN's put a lot of load on PC based hardware solutions.
Well, 500 VPN tunnels probably not a huge impact on a server with Xenon or some high end quad processors if the peers are single users. I am running OpenVPN AS on a VM running average 75 users without breaking a sweat.
Site to Site VPN supporting large offices would make huge difference in performance so hardware crypto is a must. I'd imagine AES-NI in the CPU would help.
It boils down how much traffic is being sent and received at the hub sever.
hi sorry for the delay, the pfense will be deployed under ESX on a DualXeonE5-2630V3 64GB RAM, the server will also contain 2 vm's for media delivery and proxy.
I was thinking on only one concentrator, didnt know of the existence of hardware crypto accelerators.
100mbps of throughput is required over vpn. will this hardware suffice?
The peers are cisco using vpn ipsec lan-to-lan with x.509 certificates.
edit: read about AES-NI, will this boost even if using 3des/sha?