Re: Attn Draytek VPN Users
cheers for the heads up matie!!!
Re: Attn Draytek VPN Users
Thanks! After your post about pfsense in another thread yesterday I've decided to take a look at this later this week. Might just be the answer to a problem I have in the office.
Re: Attn Draytek VPN Users
Quote: Originally Posted by JonEp
Thanks! After your post about pfsense in another thread yesterday I've decided to take a look at this later this week. Might just be the answer to a problem I have in the office.
Same here, I get loads of issues with dropouts, will take a look (this is why I love digital forums)
Re: Attn Draytek VPN Users
Leave it with me and I will post sample ipsec configs when I get time later today, will save you ages in pissing about getting a working config. Any questions, throw em my way and if I can answer I will.
Re: Attn Draytek VPN Users
Thanks, it's interesting to see how they perform when they are in a complex / high usage environment.
I've only used them for lightly used scenarios with 4 sites, for web and file synchronisation etc... Found them reliable in this scenario.
Re: Attn Draytek VPN Users
Sorry I'm gonna stall on posting a config for a few days - found a problem with a site that kept getting power failures, then when power came back up vpn would come back up because of duplicate sad's which either had to be manually deleted, I would have to wait until I get the next one or restart the racoon service which knocks all the vpn's off.
Got a couple of tweaks I wanna try to resolve this first.
Re: Attn Draytek VPN Users
Sample pfSense Config:
http://i101.photobucket.com/albums/m...s/pfconfig.jpg
Sample 2820 Config:
http://i101.photobucket.com/albums/m...ics/2820-1.jpg
http://i101.photobucket.com/albums/m...ics/2820-2.jpg
The trick to resolve the multiple SA's was to go on the pfsense box to system, advanced, miscellaneous, Prefer old IPSEC SA's - did some torture testing for a while and got a few SA's, but the vpn always came back within 8 secs of the 2820 getting on the net. Now vpn's randomly dropping are a thing of the past, they only drop if the site router drops.
Also saw it pushing over 18Mb upload the other day and am confident it won't bottleneck our 25Mb line - I looked into the soekris vpn 14x1 accelerator cards, they claim to be able to do 250Mb of IPSEC, but apparently these only are to go with very slow cpu's and would actually be slower than my p4!
You may notice my phase 1/2 lifetimes are set to max - renewing the SA's is computationally heavy and I prefer not to have latency spikes as we use VOIP, you may prefer to reduce these values for security reasons.
Any questions, will answer if I can.
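A way to spot the duplicate SAs discussed in the post above, as an added example that is not part of the original thread: it parses the text printed by `setkey -D` (the SAD dump tool shipped with ipsec-tools alongside racoon) and reports each tunnel direction that holds more than one mature SA. The sample dump, its addresses and its SPIs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `setkey -D` prints; addresses and SPIs are made up.
SAMPLE = """\
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=11111111(0x00a98ac7) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=22222222(0x0153158e) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.20 203.0.113.10
\tesp mode=tunnel spi=33333333(0x01fca055) reqid=16386(0x00004002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.20 203.0.113.10
\tesp mode=tunnel spi=44444444(0x02a62b1c) reqid=16386(0x00004002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=dying
"""

HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")  # unindented "src dst" line opens an SA entry
SPI = re.compile(r"\b(esp|ah)\b.*\bspi=\d+\((0x[0-9a-f]+)\)")
STATE = re.compile(r"\bstate=(\w+)")

def parse_sad(text):
    """Parse a SAD dump into dicts with src, dst, proto, spi and state."""
    entries, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = HEADER.match(line)
            cur = {"src": m.group(1), "dst": m.group(2)} if m else None
            if cur is not None:
                entries.append(cur)
        elif cur is not None:
            if m := SPI.search(line):
                cur["proto"], cur["spi"] = m.group(1), m.group(2)
            if m := STATE.search(line):
                cur["state"] = m.group(1)
    return entries

def duplicate_sas(entries):
    """Return {(src, dst, proto): [spi, ...]} for directions with >1 mature SA."""
    groups = defaultdict(list)
    for e in entries:
        if e.get("state") == "mature":
            groups[(e["src"], e["dst"], e.get("proto"))].append(e.get("spi"))
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (src, dst, proto), spis in duplicate_sas(parse_sad(SAMPLE)).items():
        print(f"{src} -> {dst} ({proto}): {len(spis)} mature SAs: {', '.join(spis)}")
```

With long phase 1/2 lifetimes a stale SA stays mature for a long time, so a check like this is most useful right after a remote site has lost power and reconnected.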