 From:  Pauline Middelink <middelink at polyware dot nl>
 To:  Vincent FLEURANCEAU <v dot fleuranceau at parc dash landes dash de dash gascogne dot fr>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Corporate VPN (multiple tunnels) - Feedback nedeed
 Date:  Sat, 3 Apr 2004 10:00:39 +0200
On Thu, 01 Apr 2004 around 09:45:48 +0200, Vincent FLEURANCEAU wrote:
> Hi all!
> I'm looking for people who use m0n0wall in a corporate environment, for 
> their customers or for their own needs.
> I'm about to set up a VPN (with multiple tunnels) between our main 
> office and our 4 "satellite" offices.
> My situation (in France):
> - Many VPN "dealers" only consider MPLS technology and don't trust IPsec 
> at all.
> - Other who dare to use IPsec simply ignore software solutions, i.e. 
> don't trust Linux or even don't know anything about the BSD family :-(
> - It seems no one has been told about Soekris platforms...

They are not compatible technologies.
MPLS works by labeling each IP packet in the router based on certain
criteria, and when it is traveling over the upstream provider's network
he can make informed decisions on how to route such a packet. The
packet (if all the routers are programmed well) is unable to escape
such a route, hence you get a kind of tunnel effect.
However, not all upstream providers can handle MPLS, most likely
only on their own network, which means you will be 'locked in' to
the solution you now get, without a chance to migrate lines over
to, say, ADSL.

IPsec works over the public IP space, encrypting all the data
as it goes along the big bad internet. It's provider independent,
so kick out your leased line supplier any time you like :)

However, what solution is the best depends on many factors, a few
of them are availability (do you want 300+ people sitting idle
because the main office's Monowall is resetting under high load?)
and availability of the line. (Most leased lines come with guarantees
in the 99.9% up-time range. Most ADSL/SDSL lines are way below that (95%-99%).
Mind you, I'm not saying that xDSL is untrustworthy, it can work
quite well even, but it is not guaranteed to the same high level as
a leased line - hence the BIG price difference.)
Another thing is the speed. IPsec encryption takes time. In one
of my tests 2 monowalls were connected back to back through an
IPsec tunnel. I only got 3mbps throughput through it... :(
Again I'm not blaming monowall, it could just as easily have been
that the machines were too light (no hardware acc.), but still,
IPsecing a 34Mbps leased line is not an option...

BTW. If somebody could do the same test with an un-accelerated
     monowall setup, it would be nice to have this data. The
     numbers on the website only reflect unencrypted throughput,
     while important, not as important as knowing how fast it

    Kind regards,
        Pauline Middelink
GPG Key fingerprint = 2D5B 87A7 DDA6 0378 5DEA  BD3B 9A50 B416 E2D0 C3C2
For more details look at my website http://www.polyware.nl/~middelink
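A worked example, added here and not part of the original mail or of m0n0wall, of the one part of the "IPsec costs throughput" question that can be reasoned about on paper: the per-packet byte overhead of ESP tunnel mode. The mail's 3 Mbps figure is a measurement of a whole box (CPU-bound software crypto on a light machine); this script only shows how much of a line's raw rate is left for inner packets after encapsulation, so that the two effects are not confused. It assumes IPv4 tunnel mode with AES-CBC (16-byte IV, 16-byte block) and HMAC-SHA1-96 (12-byte ICV); other cipher/MAC choices change the constants at the top. Function and constant names are this example's own.

```python
"""Estimate ESP tunnel-mode byte overhead on a link of a given speed.

Added example, not from the original mail. Assumed SA parameters:
IPv4 tunnel mode, AES-CBC (16-byte IV, 16-byte block), HMAC-SHA1-96.
Only protocol overhead is modelled; CPU cost of the crypto is not.
"""

OUTER_IP = 20   # new outer IPv4 header added in tunnel mode
ESP_HDR = 8     # SPI (4 bytes) + sequence number (4 bytes)
IV_LEN = 16     # AES-CBC initialisation vector
BLOCK = 16      # AES block size: inner packet + trailer is padded to this
TRAILER = 2     # pad length (1) + next header (1), sits inside the ciphertext
ICV = 12        # HMAC-SHA1-96 integrity check value


def esp_tunnel_size(inner_len: int) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after
    ESP tunnel encapsulation with the assumed parameters."""
    if inner_len <= 0:
        raise ValueError("inner packet length must be positive")
    encrypted = inner_len + TRAILER
    padding = (-encrypted) % BLOCK          # pad up to the next block boundary
    return OUTER_IP + ESP_HDR + IV_LEN + encrypted + padding + ICV


def max_inner_len(outer_mtu: int) -> int:
    """Largest inner packet that fits in outer_mtu without fragmenting the
    encapsulated packet (the value to clamp the inner MTU / TCP MSS to)."""
    fixed = OUTER_IP + ESP_HDR + IV_LEN + ICV
    encrypted = (outer_mtu - fixed) // BLOCK * BLOCK
    if encrypted <= TRAILER:
        raise ValueError("outer MTU too small for any payload")
    return encrypted - TRAILER


def goodput_mbps(link_mbps: float, inner_len: int) -> float:
    """Inner-packet bandwidth left on a link_mbps line when every packet
    of inner_len bytes is ESP-encapsulated (line rate times payload share)."""
    return link_mbps * inner_len / esp_tunnel_size(inner_len)


if __name__ == "__main__":
    line = 34.0   # Mbps, the leased-line rate mentioned in the mail
    mtu = 1500    # typical Ethernet/outer MTU, assumed
    print(f"max inner packet for outer MTU {mtu}: {max_inner_len(mtu)} bytes")
    for size in (64, 576, max_inner_len(mtu)):
        wire = esp_tunnel_size(size)
        print(f"inner {size:5d} B -> wire {wire:5d} B, "
              f"goodput {goodput_mbps(line, size):6.2f} of {line} Mbps")
```

The point of running it is the contrast between small and large packets: a 64-byte inner packet more than doubles on the wire, while a full-size packet loses only a few percent. On the assumed parameters the inner MTU that avoids fragmentation is 1438 bytes, which is why tunnel setups clamp MSS. None of this gets anywhere near the 3 Mbps the mail observed; that gap is CPU, not bytes, which is exactly what an un-accelerated throughput test would measure.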