Table of Contents
This chapter will go over configuring a site to site VPN link between two m0n0walls, and will discuss how to configure site to site links with third party IPsec-compliant devices. The Example VPN Configurations chapter goes over, in detail, how to configure site to site IPsec links with some third party IPsec devices. If you have gotten m0n0wall working in a site to site IPsec configuration with some third party IPsec device, we would appreciate if you could put together a short write up of how you got it configured, preferably with screenshots where applicable.
IPsec (IP security) is a standard for providing security to IP protocols via encryption and/or authentication, typically employing both. Its use in m0n0wall is for Virtual Private Networks (VPN's).
There are two types of IPsec VPN capabilities in m0n0wall, site to site and remote access.
Site to site VPN's connect two locations with static public IP addresses and allow traffic to be routed between the two networks. This is most commonly used to connect an organization's branch offices back to its main office, so branch users can access network resources in the main office. Prior to VPN's, much more expensive private Wide Area Network (WAN) links like frame relay, point to point T1 lines, etc. were commonly used for this functionality. Some organizations are moving towards VPN links between sites to take advantage of reduced costs.
Site to site VPN's can also be used to link your home network to a friend's home network, to provide access to each other's network resources without opening holes in your firewalls.
While site to site VPN's are a good solution in many cases, private WAN links also have their benefits. IPsec adds processing overhead, and the Internet has far greater latency than a private network, so VPN connections are typically slower (while maybe not throughput-wise, they at least have much higher latency). A point to point T1 typically has latency of around 4-8 ms, while a typical VPN connection will be 30-80+ ms depending on the number of hops on the Internet between the two VPN endpoints.
When deploying VPN's, you should stay with the same ISP for all sites if possible, or at a minimum, stay with ISP's that use the same backbone provider. Geographic proximity usually has no relation to Internet proximity. A server in the same city as you but on a different Internet-backbone provider could be as far away from you in Internet distance (hops) as a server on the other side of the continent. This difference in Internet proximity can make the difference between a VPN with 30 ms latency and one with 80+ ms latency.
m0n0wall provides two means of remote access VPN, PPTP and IPsec (with OpenVPN available in beta versions only for now). m0n0wall's mobile IPsec functionality has some serious limitations that hinder its practicality for many deployments. m0n0wall does not support NAT-Traversal (NAT-T) for IPsec, which means if any of your client machines are behind NAT, IPsec VPN will not work. This alone eliminates it as a possibility for most environments, since remote users will almost always need access from behind NAT. Many home networks use a NAT router of some sort, as do most hot spot locations, hotel networks, etc.
One good use of the m0n0wall IPsec client VPN capabilities is to secure all traffic sent by hosts on a wireless network or other untrusted network. This will be described later in this chapter.
FIXME - A second limitation is the lack of any really good, free IPsec VPN clients for Windows. Most of your remote users will likely be Windows laptop users, so this is another major hindrance.
For most situations, PPTP is probably the best remote access VPN option in m0n0wall right now. See the PPTP chapter for more information.