cyberdeath

join:2012-08-29
Hartfield, VA

VPN Tunnel Over Private Circuit - IPSec or OpenVPN

Hello everyone,

I am currently looking at purchasing a private circuit that will run through our provider's network between two locations (but not internet accessible). However, I cannot assuredly trust said provider so I need security between the two locations. Hence where the VPN comes in.

I will be provided with a copper connection on each end. I plan to connect a server's ethernet port (say, for example, eth1) on each side. Then, I plan to connect eth0 to the internal network and all I would like to do is have whatever goes into eth0 encrypted through eth1...to the other eth1 and then decrypted for the other network on eth0 and vice-versa.

What would be my best VPN solution? OpenVPN or IPSec? Of course, if you have another suggestion, please include it but also include information on it so I can research.

The key things I'm looking for in this VPN are: security (AES256) and speed...as little latency as possible as SIP traffic will be tunneled over this as well.

I have done a great deal of research on this and am torn as to what the best solution is. But, I also have not seen anyone with a private network connection specify which one works better.

Please advise.

Thanks,
cyberdeath


HELLFIRE
Premium
join:2009-11-25
kudos:18

IPsec is a STANDARD, OpenVPN is a PRODUCT.

That being said, OpenVPN IIRC uses SSL encryption (same stuff as HTTPS uses), which at the low end uses RC4 encryption, but can go as high as AES as the algorithm.

The latency is going to be a function of the circuit itself, and how much load en/decrypting the packets adds, so scale your hardware accordingly -- i.e. no 15y/o CPUs running flat out on this stuff.

Last recommendation is based on your taste for a turnkey solution or a DIY solution. If you're turnkey, look to stuff by Sonicwall, Juniper, Cisco, Dell, Watchguard, etc. The key you're looking for is "site to site VPN", which anyone and their dog can do these days. If you're DIY, it should be easy enough to load a couple older computers with OpenVPN, configure, and you're off to the races.

My 00000010bits

Regards


cyberdeath

join:2012-08-29
Hartfield, VA

Hi Hellfire,

Thank you for your response! I apologize for not including the fact that OpenVPN uses SSL (since, as you said, it'd really be IPSec vs. SSL...but I was trying to be more verbose by specifying the exact product I was looking at).

And you are exactly right about OpenVPN using SSL much like SSH does (except SSH would NOT be a good solution due to overhead).

I agree with the equipment, too...I may have used an old Pentium 2 for my server (years ago) running Gentoo but I certainly wouldn't do that for this.

I actually was looking at different options...and I just so happen to have two Xeon E5645 x2 servers with 2 Gigabit ports available at each site. They both run Linux. Hopefully this will suffice for either solution.

I should also specify that if I did the IPSec implementation, I would likely be using OpenSwan to implement the tunnel (to make it easier for management by other team members).

Turnkey solutions are great, of course, if you have an endless supply of money. I honestly had not planned to spend any budget on this until I was told by the ISP that they cannot guarantee that the circuit will be secure...I find it hard to believe there aren't regulations that require this for private circuits.

So, with all of that being said, I'm certainly looking to do it myself.

From what it sounds like, you seem to like OpenVPN better and I tend to sway that way too from the comments I've read online. I just worry whether it's the fact that people can't figure out how to setup the IPSec tunnel ("it's more difficult") or if it is truly a better solution.

However, I'm most interested to know which protocol (IPSec or SSL/OpenVPN) is more efficient in terms of latency and bandwidth (the pipe would be 100Mbps). Of course, this circuit should not need to be resilient as this is a dedicated line. But, if it was to drop, I would like for it to pick back up automatically without intervention (which I believe both solutions do). At times, this entire pipe is going to be saturated so, whatever I do, I want to get the most bandwidth while still being secure (AES256).

If you or any other board member has any suggestions, please let me know.

Thanks!


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to cyberdeath

said by cyberdeath:

I honestly had not planned to spend any budget on this until I was told by the ISP that they cannot guarantee that the circuit will be secure...which I find hard to believe there aren't regulations that require this for private circuits.

I've learned the only two guarantees in life are death and taxes... That being said, you could look into an MPLS VPN which would basically do the same thing you're trying to do, it would only put the management / config / etc on the carrier rather than you.

I haven't used OpenVPN personally, so I can't comment on how easy / hard it is to do anything. Best thing is if you're set on doing this, and have the time and equipment to try this out, go for it. Obviously don't go expecting to set it up in an afternoon or not; I'd do this as a side project and test it out with one or two applications and make sure it works before putting the thing fully into place.

said by cyberdeath:

However, I'm most interested to know which protocol (IPSec or SSL/OpenVPN) is more efficient in terms of latency and bandwidth (the pipe would be 100Mbps).

The difference would be negligible in terms of bandwidth... the hit would be on the endpoints that have to crunch the en/decryption. If you want to scale to 100Mbps, I'd DEFINITELY go with the Xeon / GigE NICs over the Pentium 2.

Regards

bdnhsv

join:2012-01-20
Huntsville, AL

1 recommendation

reply to cyberdeath

Who's your service provider? I too am a little shocked they would make such a statement if they are providing a dedicated p-p circuit and it's all contained within their footprint. I take it this will be delivered with fiber to your locations and then the SP will have either a switch or media converter there for you to connect to?


cyberdeath

join:2012-08-29
Hartfield, VA

1 edit
reply to HELLFIRE

Thanks for the reply. I think your methodology is probably best...test both of them...and that's what I think I will ultimately end up having to do. I was hoping to avoid this by seeing what others' previous experiences were to hopefully save me the headache.


cyberdeath

join:2012-08-29
Hartfield, VA

1 edit
reply to cyberdeath

If anyone has another suggestion, I'm open to it.

I really appreciate both of your replies and apologize for my delay in replying...it's my thread and I'm the slow one....


cyberdeath

join:2012-08-29
Hartfield, VA
reply to bdnhsv

I'm glad I'm not the only one who feels this way. To answer your questions:

Service Provider? I will send it to you privately. I ask that you do not share the information.

But, the other answer....yep, they are providing a Cisco ME series router which is connecting to a fiber uplink and providing us with copper connectivity (by our choice...they also offer fiber) on our end. The circuit is a P2P circuit between two locations and it will solely run through their network infrastructure...likely on a VLAN of sorts. So, I feel comfortable to some extent from a technical standpoint...but when it comes down to it...if the data is stolen...it's on me (and my company)...at this point since no safeguards (at the endpoints) are in place...and those devices do not support encryption anyway.
--
cyberdeath


cyberdeath

join:2012-08-29
Hartfield, VA
reply to bdnhsv

Do you think I should be able to demand that they offer secure services? Being the type of company I work for...security is paramount so I will likely need to encrypt anyway...but do you think they should be the ones providing the encryption/assurance/(&/or warranties/insurance)?
--
cyberdeath


HELLFIRE
Premium
join:2009-11-25
kudos:18

1 recommendation

reply to cyberdeath


Do you know the make / model of the Cisco ME device they're sending you? ME3400? If so, functionally it's no different from a 10/100 switch you pick up for your home network, but for Service Providers. And yeah, running through the service provider core, all you need is one misconfiguration, or rogue technician stopping by the CO one night to screw yourself over security-wise.

Regards


cyberdeath

join:2012-08-29
Hartfield, VA

It is a 3400. And I had a feeling it was more of a switch than a router when I read up a little on them. And even over a VLAN...it's very easy to set up a mirror port...

I'm glad it's not overparanoia...but I do have a degree in IT with a concentration in security...(not that I learned anything that I didn't learn on my own...but more for the fact that it's an interest).

Thank you for that confirmation...I, too, think about that "rogue technician..." or even, like you said, misconfiguration...and we're sharing our data with our neighbors...

...and imagine our neighbors were our competition...

That reminds me of the days when cable modems were on a hub and spoke configuration in communities....and you could see other users' networks within your area....
--
cyberdeath


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to cyberdeath

More correctly a multi-layer switch, but the security functionality is going to be largely at layer 2 -- i.e. mac / frame / VLANs, etc.

Let us know how it goes.

Regards


cyberdeath

join:2012-08-29
Hartfield, VA

Hi HELLFIRE,

I ended up deciding to go with OpenVPN as it seemed quite extensible and I don't plan to integrate Cisco devices or others that only work with IPSec. After installation, I noticed that my bandwidth was minimally impacted. Of course, I did notice a decrease from a solid 11MBps to about 10.3MBps with the VPN tunnel.

For others who are deciding... of course you have to go with what works but I would have to say that I now would suggest OpenVPN.

Thanks to HELLFIRE and bdnhsv for the input.
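The layout cyberdeath describes in the opening post (eth0 on each box facing its LAN, eth1 facing the private circuit, everything in between encrypted) together with the OpenVPN choice in the post above, written out as an added example that is not from the thread or from the OpenVPN project: a small POSIX shell script that writes the two point-to-point configs and the forwarding sysctl. It assumes OpenVPN 2.3.3 or later on both Linux servers and certificates already issued; every address, LAN prefix, file path and the output directory are constructed placeholders. The settings it pins down are the ones the thread asked for: AES-256 on the data channel, which OpenVPN 2.3 does not pick on its own, and automatic re-establishment of the tunnel after a circuit drop.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project: generate a pair of
# OpenVPN (2.3.3 or later) point-to-point configs for the layout in the thread:
# eth0 faces each site's LAN, eth1 faces the private circuit, and the tunnel
# carries all LAN-to-LAN traffic. Every address, prefix and path is a constructed
# placeholder; the certificates and ta.key are assumed to exist already.
# Usage: sh site2site.sh OUTDIR   (writes OUTDIR/siteA.conf and OUTDIR/siteB.conf)

SITE_A_LAN="192.168.1.0 255.255.255.0"   # network behind site A's eth0 (constructed)
SITE_B_LAN="192.168.2.0 255.255.255.0"   # network behind site B's eth0 (constructed)
SITE_A_CIRCUIT="10.0.0.1"                # site A's eth1 address on the circuit (constructed)
TUN_A="10.8.0.1"                         # tunnel endpoint addresses (constructed)
TUN_B="10.8.0.2"

# Options both ends must agree on. They are spelled out because OpenVPN 2.3 does
# not negotiate them: leave out "cipher" and the data channel silently falls
# back to BF-CBC (64-bit Blowfish); leave out "auth" and the HMAC is SHA1.
# "keepalive 10 60" is the automatic recovery asked for in the thread: a ping
# every 10 s and a tunnel restart after 60 s of silence.
common_options() {
    cat <<'EOF'
dev tun
proto udp
port 1194
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
ca /etc/openvpn/ca.crt
keepalive 10 60
# persist-* lets the restart work after privileges have been dropped
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

write_site_configs() {
    outdir=$1
    mkdir -p "$outdir"

    # Site A listens on the circuit. tls-auth direction 0 here, 1 on the peer:
    # handshake packets without the right HMAC are dropped before any TLS work,
    # so nothing else on the carrier's network can even get OpenVPN to respond.
    {
        common_options
        cat <<EOF
tls-server
dh /etc/openvpn/dh2048.pem
cert /etc/openvpn/siteA.crt
key /etc/openvpn/siteA.key
tls-auth /etc/openvpn/ta.key 0
ifconfig $TUN_A $TUN_B
route $SITE_B_LAN
EOF
    } > "$outdir/siteA.conf"

    # Site B dials site A's eth1 address. remote-cert-tls makes B refuse a peer
    # that presents anything but a certificate issued for server use.
    {
        common_options
        cat <<EOF
tls-client
remote $SITE_A_CIRCUIT 1194
cert /etc/openvpn/siteB.crt
key /etc/openvpn/siteB.key
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server
ifconfig $TUN_B $TUN_A
route $SITE_A_LAN
EOF
    } > "$outdir/siteB.conf"

    # Both boxes must forward between eth0 and tun0; the LAN hosts then need a
    # route for the far LAN via their local VPN box (or use it as default gateway).
    printf 'net.ipv4.ip_forward = 1\n' > "$outdir/99-openvpn-forward.conf"
}

# Reject a config that has lost any of the settings the thread asked for.
check_config() {
    for needed in 'cipher AES-256-CBC' 'auth SHA256' 'tls-version-min 1.2' \
                  'tls-auth ' 'keepalive '; do
        grep -q "^$needed" "$1" || { echo "$1: missing '$needed'" >&2; return 1; }
    done
    return 0
}

if [ "$#" -gt 0 ]; then
    write_site_configs "$1"
    check_config "$1/siteA.conf" && check_config "$1/siteB.conf" && echo "configs written to $1"
fi
```

The two configs are deliberately identical in everything cryptographic and differ only in role, so a mismatch shows up as a handshake failure rather than a silent downgrade; `check_config` is the pre-deployment sanity check for the same thing. `group nogroup` is the Debian name and is `nobody` on Red Hat derived systems.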


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to cyberdeath

No problems cyberdeath, and glad it all worked out for you in the end.

Regards