Hi Vincent,

On Thu, 2004-04-01 at 17:45, Vincent FLEURANCEAU wrote:
> Hi all!
>
> I'm looking for people who use m0n0wall in a corporate environment, for
> their customers or for their own needs.
>
> I'm about to set up a VPN (with multiple tunnels) between our main
> office and our 4 "satellite" offices.
>
> My situation (in France):
>
> - Many VPN "dealers" only consider MPLS technology and don't trust IPsec
> at all.

This is weird, as IPSEC is a worldwide standard, accepted by everyone from the major banks down to your local Ma and Pa furniture restorer. MPLS, on the other hand, is an emerging technology without a lot of practical experience. I'm surprised they prefer a new, not-as-proven technology over an industry-accepted standard such as IPSEC.

> - Others who dare to use IPsec simply ignore software solutions, i.e.
> don't trust Linux or even don't know anything about the BSD family :-(

What - they'd rather use Netgear, D-Link or some other solution where they cannot even vet the code themselves, therefore cannot possibly know if there are vulnerabilities in it?

> - It seems no one has been told about Soekris platforms...

That's quite possible, I never heard of Soekris until I started looking into m0n0wall.

> ... so that:
>
> - They want to sell me 5 of their favorite DSL routers (up to $1,000
> each ;-)
> - I'll have to deal with very expensive MPLS-based VPN "packages" sold
> by ISP.

That's another reason to steer clear of MPLS - if it's expensive and new, then you don't know exactly how secure it is, it's not cheap to implement, and many places outside of France may well not support it. As for expensive, proprietary IPSEC boxes, unless it is a Cisco or something (and even then, I'd prefer m0n0wall/Soekris) then I'd be wary of prices like this.

> So, it would be very nice if someone (preferably French people so that I
> can call them at their office) could give me feedback on her/his own
> experience in designing a similar configuration.
>
> I'm very confident with m0n0wall, but I have to gather arguments and
> facts to convince my boss to let me go on for it. So, please let me
> know how you managed to set it up!
>
> More, I plan to use m0n0wall on Soekris hardware, so I have 2 other
> questions:
>
> - Does the 4501 (basic) model suit for all 5 gateways?
> - Is the VPN add-on card useful (or even needed) for all 5 gateways?

The hardware you choose will be based on the speed of the networks you wish to connect. If they are all 512/128 ADSL networks, then the net4501 should be able to handle the VPN requirements. If they are all 1500/256, then I'd think that the net4501 would be bordering on being underpowered. This is a guess, I have no stats.

I have heard that the VPN cards work in m0n0wall, and these would take the VPN en/decryption load off the CPU, making the net4501 units more suitable in a larger, high-bandwidth VPN. However, the net4801 units should easily (easily) handle this load as well.

--
Regards,

Hilton Travis                Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual   Phone: +61-(0)419-792-394
Quark Computers              http://www.QuarkAV.com/
(Brisbane, Australia)        http://www.QuarkAV.net/

Open Source Projects: http://www.ares-desktop.org/
                      http://www.mamboband.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.