Site to Site VPNs

hardware_failure

I am looking to set up 2x new site-to-site VPNs. I have limited experience with Cisco equipment.

I have new 50/10 Comcast internet freshly installed at the main site and the 2 satellite sites (static IPs). I would like all the tunneling to be done through these Comcast connections.

At the main site, I have servers that are on gateways different than the Comcast internet (their gateways are pointing to other Cisco routers on a different internet connection).

How hard would it be to set up point-to-point VPNs on just the Comcast connections, yet allow full access to the servers not using the Comcast for internet access?

What hardware/appliances might be recommended?

Thanks.
 
Thanks. I was considering a software distro option to save $ and to simplify configuration as I have lots of spare hardware.

Your guide mentions OpenVPN client software config. I am looking to set up seamless site-to-site tunnels independent of using client VPN software.
 
It can be done through site-to-site as well. One site still has to be the server and the others the clients. You would set them up just like you would a client PC, importing the certs/keys into the config.
 
+1 for pfSense and OpenVPN. I use IPsec to some client offices, but OpenVPN is less headache and just always works. I get some annoying renegotiation issues sometimes with IPsec, which can lead to a few minutes of downtime here and there while it reconnects.
 
Okay, so maybe I'm missing something about OpenVPN...

Everything I have read explains to export a client CA and then use workstation client software to connect to the server.

Is there not a way to have 2x pfSense routers with OpenVPN site-to-site with each other and have zero client software?
 
Yeah, you can use shared keys on a site-to-site setup. That's how I do it. Generate a key on 1 side (in the tunnel setup screen), and copy & paste into the key form on the other side.
 
Great, thanks. I'm setting up the first box now and I'll make a 2nd at home tonight to test it.

Thanks again to both of you for the help.
 
I'm about ready to rip what hair I have left out.

I spent over 3 hrs last night trying to get this to work. It was pretty easy establishing a point-to-point OpenVPN between my 2 sites (home and main work building) but after that, brick wall.

I can't ping any clients on either side, either from the devices themselves or the built-in tool in pfSense. I've tried any/any rules on all interfaces on both sides. Checked all my gateways. Tried to add route x.x.x.x 255.255.255.0 statements. Tried device-specific NAT rules. I don't know what I'm missing. The only thing I can ping from opposing sides is the virtual IP assigned by OpenVPN.

My gut tells me it's either the pfSense firewalls being too strict or some extra firewall in between I'm missing.

Logs don't seem to hint at much. The only strange "clue" I got is in the work site's firewall log: I can see entries of my home LAN IPs (my workstation talking to the pfSense router). Why would it even see that?!?! That traffic shouldn't leave my home network.

Just for the heck of it I tried jadams' guide on bridging. That just broke shit. I get all kinds of things blocked (i.e. anything incoming on a port other than 80). The one clue I got here was on my home side: its firewall log showed all kinds of traffic on the work LAN on the newly created OPT1 interface (big list of workstations hitting servers and each other), but I still can't hit a damn thing through the VPN.

:confused: :(
 
Try rebooting pfsense on both sides. I have to do that sometimes when adding a new tunnel, it's almost like the route doesn't get activated.
 
Just for the heck of it I tried jadams' guide on bridging.

:confused: :(

LOL, oh boy. I've gotten mostly good reviews with that thing. Though it's not for site2site, it can be adapted to it.

Also, I'm not so sure it's in my guide, and it's been a while since I've done it, but I believe that both OpenVPN instances must be bridged to an actual interface, at which point firewall rules can be applied to it. The fact that you can see the connection establish, but cannot ping across it, is what leads me to that idea.
 
First of all, your goal appears to be a fairly complex setup. Not impossible, but lots of factors to consider.

Therefore... what is your exact configuration? I would suggest you start off very simple: 2 pfSense each with 1 LAN and 1 WAN, and you try to access between the two.

You did use different subnets for each pfSense!?
 
I'm sorry for not replying earlier, been crazy at work.

Anyway, I got the OpenVPN hosts-talking-to-each-other part working. I needed to put "any" in the protocol area for my rules. Now that I've kicked myself enough, I'm starting to remember ping being ICMP and not TCP/UDP etc. I should have tried a connection via HTTP or FTP or something rather than getting frustrated with just pinging. Noob power!

Now I get to play with bridging.

I wanted to thank everyone for their suggestions of pfSense. In my many hrs of trying to get OpenVPN to pass traffic, I at least became very familiar with the pfSense interface!
 
This would be why I would always endorse purchasing a short-term commercial support contract with pfSense. At least that way you have paid support to bail you out for a limited time.
 
This would be why I would always endorse purchasing a short-term commercial support contract with pfSense. At least that way you have paid support to bail you out for a limited time.

If I choose to put this into production (which I likely will), I am definitely going to look into it.

I got bridging to work. In addition to jadams's method I used this:
http://forum.pfsense.org/index.php/topic,38605.0.html

The 2 key things I was missing were:
1. On the OpenVPN / OVPN interfaces, allow ANY on the protocol, not specifically UDP.
2. The 2 LANs (site A and B) needed to be on the same subnet, otherwise I think you have to do a bunch of routing.

I put my home network (site B) on the same subnet as work (site A). And that instantly made everything work a lot better.

As I'm testing, it really is like a virtual layer 2 switch connection. It's like being plugged into the same switch onsite. I added a bunch of work printers, network shares, SQL data sources, everything I could think of.

On my test PC at home, like mentioned above, I set it to the same private subnet and then added a DNS of a local work DNS server. At first hostnames didn't resolve (i.e. ping DOMAINSERVER). I started to do some reading on what to try next, but upon checking it 10 min later, everything was working. It must have just needed some time to download/cache the lookups or something. (Kinda weird, but hey, it's working!) I even joined the domain. I tested the DHCP forwarder and it works too.

This is really, really cool. Obviously a lot of entities would not want a setup like this, but for smaller businesses the convenience is awesome. So long as stability is not a factor it can potentially replace a need for terminal/Citrix servers. The reason it will likely work so well for me is I have a ton of resources that need to be accessed that all use different gateways (point-to-points etc.).

Obviously it would be a good idea to replace the any/any/any rules with only what's needed. Lots to play with from here.

Thank you everyone for the suggestions and help.
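The "allow ANY on the protocol" point above is worth seeing in rule form. pfSense generates pf rules from the GUI entries, so this constructed pf.conf fragment (an added example, not from any poster) shows the pf equivalent of the UDP-only rule that blocked ping, the any-protocol rule that fixed it, and a tightened version for afterwards. It assumes the pfSense server-side tunnel interface name ovpns1 and constructed LAN subnets 192.168.1.0/24 (site A) and 192.168.2.0/24 (site B).

```pf
# Constructed example: pf rules on site A's OpenVPN interface (assumed name ovpns1).
# Subnets are made up: 192.168.1.0/24 = site A LAN, 192.168.2.0/24 = site B LAN.

# What the GUI rule with Protocol = UDP produces. It mirrors the tunnel transport,
# but traffic *inside* the tunnel is ICMP (ping) and TCP (HTTP, SMB, SQL); those
# hit the default deny, giving the "tunnel is up but nothing answers" symptom.
pass in quick on ovpns1 inet proto udp from 192.168.2.0/24 to 192.168.1.0/24

# What Protocol = any produces: no "proto" clause, so every protocol crosses.
pass in quick on ovpns1 inet from 192.168.2.0/24 to 192.168.1.0/24

# Tightened version once it works: keep ICMP for troubleshooting, then allow only
# the TCP services site B actually uses (SMB shares and SQL Server here).
pass in quick on ovpns1 inet proto icmp from 192.168.2.0/24 to 192.168.1.0/24
pass in quick on ovpns1 inet proto tcp from 192.168.2.0/24 to 192.168.1.0/24 port { 445, 1433 }
```

In the pfSense GUI the same change is Firewall > Rules on the OpenVPN tab, setting Protocol to "any" rather than "UDP"; the rule also has to exist on the site B side for traffic originating at site A.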
 
Any particular reason you are using bridging vs a routed subnet for the remote site?
 
May want to check out Untangle's OpenVPN setup. I've been playing with it and it seems to work pretty well.
 
You do not have to bridge. You just have to add a command to the configuration to make the clients on site A know how to reach the site B private network.

Example: push "route 10.66.0.0 255.255.255.0"
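As an added example (not from any poster), here is what the routed alternative to bridging looks like with the shared-key method mentioned earlier: two OpenVPN config files, one per pfSense box, with each LAN kept on its own subnet and a `route` line on each side. With a static key there is no server/client negotiation, so `route` on both ends does the job that `push "route ..."` does in certificate mode. All addresses are constructed: 203.0.113.10 is site A's Comcast static IP, 192.168.1.0/24 is site A's LAN, 192.168.2.0/24 is site B's LAN, and 10.8.0.1/10.8.0.2 are the tunnel endpoints.

```conf
# ---- Site A (work), acts as the listening end. Constructed example. ----
dev tun                               # routed (layer 3) tunnel, no bridging
proto udp
port 1194
secret static.key                     # same key pasted into both boxes
ifconfig 10.8.0.1 10.8.0.2            # local / remote tunnel endpoint
route 192.168.2.0 255.255.255.0       # site B LAN is reachable via the tunnel
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
verb 3

# ---- Site B (home), acts as the connecting end. Constructed example. ----
dev tun
proto udp
remote 203.0.113.10 1194              # site A's Comcast static IP (made up)
secret static.key
ifconfig 10.8.0.2 10.8.0.1            # mirror image of site A
route 192.168.1.0 255.255.255.0       # site A LAN is reachable via the tunnel
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
verb 3
```

Two things the routed setup needs that bridging hid: the OpenVPN-interface firewall rules on both sides must pass any protocol, and hosts whose default gateway is not the pfSense box (the servers behind the other Cisco routers in the first post) need a static route for the far subnet pointing at pfSense's LAN address, or their replies go out the wrong gateway.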
 
Just use (2) Zyxel USG 50 VPN routers. Ironclad stable, does not require subscriptions and Zyxel will even set them up for you. The Zyxel USGs run BSD anyhow...but you get a pretty gui to configure it.
 