IPsec & PPTP tunnel options

WildMonkey365
Aug 30, 2016
I work for a hosted VoIP company and our techs currently use PPTP tunnels to log in to customer networks to administer phones, switches & routers. I keep hearing about IPsec VPN, but I notice the pattern with IPsec seems to be connecting office to office from what I hear and read. Is IPsec a good method for logging into customer LANs to administer/troubleshoot devices, like using PPTP, or should IPsec be used mainly for connecting offices?
 
Solution


It to a point depends on how you set up the tunnel. I forget the exact command on pfSense to see if the IPsec is up. You should be able to tell if all the keys and stuff were accepted correctly.

You should see a route in the routing table that indicates that 10.64.0.0/16 should be sent via the tunnel.
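The check the solution above describes, worked through as an added example (this is not code from the thread or from pfSense). On pfSense 2.5 and later the IPsec daemon is strongSwan, and Status > IPsec in the web GUI or `swanctl --list-sas` at a shell shows each IKE SA (phase 1) with its CHILD_SAs (phase 2), traffic selectors and packet counters (older releases use `ipsec statusall`). One caveat: a policy-based IPsec tunnel on pfSense does not add a route for 10.64.0.0/16 to the routing table; the kernel's security policy database steers matching packets into the tunnel. So the useful checks are whether a CHILD_SA is INSTALLED, whether its remote selector covers the host you are pinging, and whether packets are only leaving or also coming back. The capture below is constructed to follow the strongSwan output layout (connection name, addresses and SPIs are made up), and the parsing assumes that layout.

```python
"""Interpret a `swanctl --list-sas` capture to explain a failing ping over IPsec.

Added example, not from the original thread. The sample text is constructed
to match strongSwan's output layout; exact spacing can vary by version.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed capture: phase 1 and phase 2 are up, 20 packets went out, none came back.
SAMPLE = """\
customerA: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.20' @ 198.51.100.20[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 95s ago, rekeying in 27000s
  customerA: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 95s ago, rekeying in 3100s, expires in 3900s
    in  c9f1a2b3,      0 bytes,     0 packets
    out c3b2a1f9,   1680 bytes,    20 packets,     2s ago
    local  192.168.50.0/24
    remote 10.64.0.0/16
"""


@dataclass
class ChildSA:
    name: str
    state: str
    local: list = field(default_factory=list)   # local traffic selectors
    remote: list = field(default_factory=list)  # remote traffic selectors
    in_packets: int = 0
    out_packets: int = 0


@dataclass
class IkeSA:
    name: str
    state: str
    children: list = field(default_factory=list)


IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), IKEv[12],")
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), \w+, ESP")
COUNTER_RE = re.compile(r"^\s+(in|out)\s+[0-9a-f]+,\s+\d+ bytes,\s+(\d+) packets")
SELECTOR_RE = re.compile(r"^\s+(local|remote)\s+(.+)$")


def parse_sas(text):
    """Parse `swanctl --list-sas` text into IkeSA objects with their CHILD_SAs."""
    sas, child = [], None
    for line in text.splitlines():
        if m := IKE_RE.match(line):            # unindented line: a new IKE SA
            sas.append(IkeSA(m.group(1), m.group(2)))
            child = None
        elif (m := CHILD_RE.match(line)) and sas:   # indented: a CHILD_SA under it
            child = ChildSA(m.group(1), m.group(2))
            sas[-1].children.append(child)
        elif child is None:                    # IKE-level detail lines; not needed here
            continue
        elif m := COUNTER_RE.match(line):
            setattr(child, f"{m.group(1)}_packets", int(m.group(2)))
        elif m := SELECTOR_RE.match(line):
            for token in m.group(2).split():   # a selector line may list several networks
                try:
                    getattr(child, m.group(1)).append(ipaddress.ip_network(token, strict=False))
                except ValueError:
                    pass                       # non-CIDR selector token; ignore it
    return sas


def diagnose(sas, target):
    """Return (code, explanation) for why a ping to `target` may go unanswered."""
    ip = ipaddress.ip_address(target)
    established = [s for s in sas if s.state == "ESTABLISHED"]
    if not established:
        return ("NO_IKE", "no IKE SA established: check PSK/identities and phase 1 proposals on both ends")
    covering = [c for s in established for c in s.children
                if c.state == "INSTALLED" and any(ip in n for n in c.remote)]
    if not covering:
        return ("NO_P2", f"no installed phase 2 has a remote selector covering {target}")
    c = covering[0]
    if c.out_packets == 0:
        return ("NO_EGRESS", "phase 2 is up but nothing entered the tunnel: is the ping source "
                             "inside the local selector, and do firewall rules allow it?")
    if c.in_packets == 0:
        return ("ONE_WAY", "packets are encrypted and sent but none return: the remote end is "
                           "probably missing the matching policy or a route back to your LAN")
    return ("OK", "ESP traffic is flowing in both directions")


if __name__ == "__main__":
    sas = parse_sas(SAMPLE)
    for target in ("10.64.1.5", "10.65.1.5"):
        code, msg = diagnose(sas, target)
        print(f"{target}: {code}: {msg}")
```

Run against a real capture by piping `swanctl --list-sas` output into `parse_sas`. The ONE_WAY verdict is the pattern behind "I can't ping anything": the out counter climbs with every ping while in stays at zero, which points at the far side rather than at your own phase 1 or phase 2 settings.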
IPsec is considered more secure but a little more tricky to set up. Both IPsec and PPTP have issues passing through consumer NAT routers. A lot of VPN is moving to SSL VPN based solutions because it passes through routers a little easier; it takes more CPU resources than IPsec though.
 
I set up an IPsec tunnel in our pfSense and I believe I set it up correctly. How do I test to make sure I set it up right? It's my first one. I am trying to ping IP addresses in the remote range I was given and not hitting anything. Should the remote range 10.64.1.0/16 show up in my netscan tool? It's not doing anything. I'm assuming it's not set up on the remote router.
 


Generally speaking, when setting up site-to-site IPsec tunnels, do subnets have to be different at one location than at the other? I have a 7-site job where I will need to replace all 7 firewalls. There are 6 branches & 1 corporate location. The 6 branches will IPsec to corporate, and I plan on putting their new hosted VoIP phones all on the same subnet/VLAN that their PCs are on to avoid the need for a managed VLAN switch. I know enough to copy what they already have as far as routing/firewall rules, but I've heard that if one site is using VLAN 1 (192.168.1.1) then the other site can't use the same numbers. What are some things I need to be concerned about? I feel comfortable with the IPsec setups, but I don't want to duplicate someone else's mistakes when putting in this new system.
 
It is simplest if it is all different subnets. With pfSense, as well as most commercial firewalls, you can NAT any combination of source/destination addresses, which can get you past duplicate IP issues, but it is best not to add the extra complication if you do not have to.
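A planning check for the 7-site layout above, as an added example (not code from the thread or from pfSense). It takes one LAN per site, lists every pair of sites whose LANs overlap, and then builds the phase 2 entry each branch needs against corporate, assigning a translated subnet only to the branches whose real LAN collides with something already in use. On pfSense that translated subnet is what goes into the phase 2 entry's NAT/BINAT translation field on the branch, and it is what corporate configures as the remote network for that branch. The site names, addresses and the 10.200.0.0/16 translation pool are constructed for the example; the plan assumes hub-and-spoke only, so branch-to-branch traffic through corporate would need additional phase 2 selectors on each tunnel.

```python
"""Plan phase 2 selectors for a hub-and-spoke IPsec rollout.

Added example, not from the original thread. Sites, LANs and the
translation pool are constructed; adjust to the real inventory.
"""
import ipaddress

# Constructed inventory: three sites were cloned from the same 192.168.1.0/24 template.
SITES = {
    "corp":    "192.168.1.0/24",
    "branch1": "192.168.10.0/24",
    "branch2": "192.168.20.0/24",
    "branch3": "192.168.1.0/24",   # same as corporate
    "branch4": "192.168.40.0/24",
    "branch5": "192.168.1.0/24",   # same as corporate and branch3
    "branch6": "192.168.60.0/24",
}


def overlaps(sites):
    """Every pair of sites whose LANs overlap: unreachable from each other without NAT."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def free_subnet(pool, prefixlen, used):
    """First /prefixlen inside pool that collides with nothing already in use."""
    for cand in pool.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return cand
    raise RuntimeError("translation pool exhausted")


def plan(sites, hub="corp", pool="10.200.0.0/16"):
    """Per branch: real local LAN, translated LAN (or None), and the hub LAN as remote.

    Branches are processed in order; one whose LAN overlaps the hub or any
    branch planned before it gets a translated subnet, so every network the
    hub sees across its tunnels is unique.
    """
    hub_net = ipaddress.ip_network(sites[hub])
    pool_net = ipaddress.ip_network(pool)
    used = [hub_net]
    result = {}
    for name, cidr in sites.items():
        if name == hub:
            continue
        real = ipaddress.ip_network(cidr)
        presented = real
        if any(real.overlaps(u) for u in used):
            presented = free_subnet(pool_net, real.prefixlen, used)
        used.append(presented)
        result[name] = {
            "local": str(real),
            "nat": None if presented == real else str(presented),
            "remote": str(hub_net),
        }
    return result


def binat_map(real_net, translated_net, host):
    """Address a host in real_net is seen as after 1:1 (BINAT) translation."""
    real = ipaddress.ip_network(real_net)
    xlat = ipaddress.ip_network(translated_net)
    if real.prefixlen != xlat.prefixlen:
        raise ValueError("1:1 translation needs networks of equal size")
    h = ipaddress.ip_address(host)
    if h not in real:
        raise ValueError(f"{host} is not in {real_net}")
    return ipaddress.ip_address(int(xlat.network_address) + (int(h) - int(real.network_address)))


if __name__ == "__main__":
    print("overlapping LANs:", overlaps(SITES))
    for branch, p2 in plan(SITES).items():
        print(f"{branch}: local {p2['local']} nat {p2['nat']} -> remote {p2['remote']}")
    print("branch3 host 192.168.1.50 appears to corp as",
          binat_map("192.168.1.0/24", plan(SITES)["branch3"]["nat"], "192.168.1.50"))
```

The output makes the reply's point concrete: only the cloned branches need translation, and everything else is a plain local/remote pair. Note that translating the branch side alone is not enough when a branch LAN is identical to corporate's, because a host never sends a packet destined for its own subnet to the gateway; corporate would have to be presented to that branch under a translated range as well, which is the extra complication the reply suggests avoiding by renumbering.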