OpenVPN to IPSec?
-
I'd like to convert my OpenVPN site-to-site links to IPSec to take advantage of the higher speeds offered by IPSec. However, I am extremely confused about how to replicate my current OpenVPN setup/routing.
For OpenVPN - Site A (client) connects to Site B (server) and in the settings on each side I have the local and remote subnets listed. I allow all on the correct firewall tabs and pfSense takes care of routing everything. The pfSense boxes can hit each other and clients behind each pfSense can ping clients behind the other pfSense.
If I want to convert this to IPsec, I should create a Phase 1 entry at each side. I can do this and I see the Phase 1 entry connect. I then create a Phase 2 entry for one of my multiple subnets … and this is where I am stuck. I cannot get any traffic to pass and the two pfSense boxes cannot even ping each other.
What am I missing here? I can't do much experimentation because this is a production link between our datacenters.
-
Where did you hear IPSec would give you superior speed? Citation needed. Most people are converting things the other way.
Edit- I suppose it could be faster if you had AES-NI hardware and very fast links… -
Edit- I suppose it could be faster if you had AES-NI hardware and very fast links…
Which I do. Haswell Xeon CPUs and 1Gbps between sites.
It's the same reason I run IPSec via PIA at home. I can hit 600-700Mbps over PIA with IPSec, but only a few hundred Mbps with PIA over OpenVPN.
-
IPsec just needs the p2 to match the subnets. You can have multiple phase2's. In addition, you need to allow the traffic on the IPSec tab of the firewall rules. Try an any any to get it going and narrow it down later.
-
IPsec just needs the p2 to match the subnets. You can have multiple phase2's. In addition, you need to allow the traffic on the IPSec tab of the firewall rules. Try an any any to get it going and narrow it down later.
Ok, so I need a single P1 - then just a P2 for each subnet I want routed from site-to-site? I will delete the OpenVPN site-to-site and give this another shot tonight. Thank you.
-
I finally got around to this and it's working great. Thank you.
If I wanted to route all internet traffic through the site-to-site VPN, is this article still valid?
https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel#Configure_outbound_NAT
At the end, it says to modify the Outbound NAT at Site B (where you want your Internet traffic to exit), even though you want Site A to use the Internet at Site B. Is that still correct?
Edit: This worked perfectly, I missed where it said to add a route of 0.0.0.0/0 at Site A, thus my confusion.
