cyberdeath (join:2012-08-29, Hartfield, VA), Member, replying to HELLFIRE

Re: VPN Tunnel Over Private Circuit - IPSec or OpenVPN

Hi Hellfire,

Thank you for your response! I apologize for not including the fact that OpenVPN uses SSL (since, as you said, it'd really be IPSec vs. SSL...but I was trying to be more verbose by specifying the exact product I was looking at).

And you are exactly right about OpenVPN using SSL much like SSH does (except SSH would NOT be a good solution due to overhead).

I agree with the equipment, too...I may have used an old Pentium 2 for my server (years ago) running Gentoo, but I certainly wouldn't do that for this.

I was actually looking at different options...and I just so happen to have two Xeon E5645 x2 servers with 2 Gigabit ports available at each site. They both run Linux. Hopefully this will suffice for either solution.

I should also specify that if I did the IPSec implementation, I would likely be using OpenSwan to implement the tunnel (to make it easier for management by other team members).

Turnkey solutions are great, of course, if you have an endless supply of money. I honestly had not planned to spend any budget on this until I was told by the ISP that they cannot guarantee that the circuit will be secure...which I find hard to believe; it is hard to believe there aren't regulations that require this for private circuits.

So, with all of that being said, I'm certainly looking to do it myself.

From what it sounds like, you seem to like OpenVPN better, and I tend to sway that way too from the comments I've read online. I just worry whether it's the fact that people can't figure out how to set up the IPSec tunnel ("it's more difficult") or if it is truly a better solution.

However, I'm most interested to know which protocol (IPSec or SSL/OpenVPN) is more efficient in terms of latency and bandwidth (the pipe would be 100Mbps). Of course, this circuit should not need to be resilient, as this is a dedicated line. But if it were to drop, I would like for it to pick back up automatically without intervention (which I believe both solutions do). At times, this entire pipe is going to be saturated, so whatever I do, I want to get the most bandwidth while still being secure (AES256).

If you or any other board member has any suggestions, please let me know.

Thanks!

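As an added illustration, not part of cyberdeath's post or of any Openswan project documentation, here is what the IPSec option above looks like as an Openswan ipsec.conf: a site-to-site tunnel pinned to AES-256, with dead-peer detection and unlimited keying retries so the tunnel re-establishes itself without intervention if the circuit drops. The connection name, addresses and subnets are placeholders.

```ini
# /etc/ipsec.conf (Openswan) - site A side; site B mirrors left/right.
# Addresses and subnets below are placeholders, not real sites.
config setup
    protostack=netkey     # use the Linux kernel's native IPsec stack
    nat_traversal=no      # private P2P circuit: no NAT between the endpoints

conn site-a-to-site-b
    type=tunnel
    keyexchange=ike
    authby=secret         # PSK for illustration; rsasig (certificates) is stronger
    left=198.51.100.1     # placeholder: site A public/circuit-facing address
    leftsubnet=10.1.0.0/16
    right=203.0.113.1     # placeholder: site B address
    rightsubnet=10.2.0.0/16
    # Pin both phases to AES-256 so a weaker cipher is never negotiated.
    ike=aes256-sha1;modp2048
    esp=aes256-sha1
    pfs=yes               # fresh DH exchange for each phase-2 rekey
    ikelifetime=8h
    salifetime=1h
    # Dead peer detection: probe every 30 s; after 120 s of silence
    # tear the SA down and immediately renegotiate it.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    keyingtries=%forever  # never give up bringing the tunnel back
    auto=start            # establish the tunnel when the ipsec service starts
```

The pre-shared key goes in /etc/ipsec.secrets as `198.51.100.1 203.0.113.1 : PSK "<placeholder>"`, keyed by the same placeholder addresses.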
bdnhsv (join:2012-01-20, Huntsville, AL), Member (1 recommendation)

Who's your service provider? I too am a little shocked they would make such a statement if they are providing a dedicated p-p circuit and it's all contained within their footprint. I take it this will be delivered with fiber to your locations and then the SP will have either a switch or media converter there for you to connect to?

cyberdeath (join:2012-08-29, Hartfield, VA), Member

I'm glad I'm not the only one who feels this way. To answer your questions:

Service Provider? I will send it to you privately. I ask that you do not share the information.

But the other answer...yep, they are providing a Cisco ME series router which is connecting to a fiber uplink and providing us with copper connectivity (by our choice...they also offer fiber) on our end. The circuit is a P2P circuit between two locations and it will solely run through their network infrastructure...likely on a VLAN of sorts. So, I feel comfortable to some extent from a technical standpoint...but when it comes down to it...if the data is stolen...it's on me (and my company)...at this point, since no safeguards (at the endpoints) are in place...and those devices do not support encryption anyway.

cyberdeath, Member, replying to bdnhsv

Do you think I should be able to demand that they offer secure services? Being the type of company I work for...security is paramount so I will likely need to encrypt anyway...but do you think they should be the ones providing the encryption/assurance/(&/or warranties/insurance)?