[Freeswitch-users] freeswitch on ipsec

Cal Leeming [Simplicity Media Ltd] cal.leeming at simplicitymedialtd.co.uk
Thu Apr 11 23:16:11 MSD 2013


I agree that using proprietary IPSec appliances (such as Cisco's) can
be troublesome, however there are plenty of free appliances (such as the
Halon) that support this functionality.

In a proper network design, you really should not have tunneling systems
placed onto the server itself, for the following reasons:

* There is really no security benefit in doing so, unless you don't trust
your LAN against MITM attacks. And to be honest, if you're concerned about
your LAN being MITM'd then you have some much bigger problems to deal with
(as any attacker could just extract the keys from your machine anyway).
This applies both in physical colo and cloud hosting.

* Local network debugging becomes an issue, and in some cases it can cause
applications to act strangely. For example, if the tunnel interface is
dropped whilst an application is listening, it can cause problems depending
on how the code was written.

* It increases overall complexity: you wouldn't mix database and httpd on the
same server, so why would you do it with networking?

* Applying multiple outbound routes on a machine can again confuse some
applications; this is best handled by a dedicated firewall box.

By all means, set up a separate Linux box specifically for the role
of tunnel aggregation, configure selective routes to send over your tunnel,
and either use that as your default gw or set up the necessary routes on
your firewall appliance.

It's worth mentioning that doing these things properly usually takes more
time and effort, especially if you do not have prior experience in
networking. Setting up the tunnel on your server instances may be quicker,
but it's not the "correct way" imho.

Cal
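The gateway layout described in the reply above (a dedicated Linux box that terminates the tunnel, selective routes for the remote networks, and either making that box the default gateway or pointing routes at it from the existing firewall), as an added example that is not code from this thread or from any of the projects named in it. It assumes a route-based IPsec setup that exposes a tunnel interface (an XFRM/VTI-style interface; classic policy-based openswan/strongswan configurations install no such interface and need no per-subnet routes), and every interface name, address and subnet in it is hypothetical. It only emits the `ip route` commands rather than applying them, and it checks two routing mistakes that show up in practice: a remote prefix that would shadow a directly connected LAN, and a default route over the tunnel that would swallow the IPsec peer's own address.

```python
"""Plan routes for a dedicated tunnel-aggregation gateway (added example).

Assumptions (not from the thread): a Linux gateway with an uplink interface
and a route-based IPsec tunnel interface; every name and address below is
hypothetical. Commands are returned as strings, not executed.
"""
import ipaddress
from typing import Iterable, List


def _nets(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects "10.0.0.1/24", so a typo cannot quietly widen a route.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def plan_gateway_routes(local_lans: Iterable[str], remote_subnets: Iterable[str],
                        tunnel_iface: str, uplink_iface: str,
                        uplink_gw: str, peer_ip: str) -> List[str]:
    """Routes to install on the aggregation box itself."""
    local = _nets(local_lans)
    remote = _nets(remote_subnets)
    peer = ipaddress.ip_address(peer_ip)
    cmds: List[str] = []

    # A remote prefix equal to or inside a connected LAN would win
    # longest-prefix match and pull LAN traffic into the tunnel. A prefix
    # wider than the LAN (e.g. 0.0.0.0/0) is fine: the connected route is
    # more specific and keeps winning.
    for r in remote:
        for lan in local:
            if r.subnet_of(lan):
                raise ValueError(f"remote prefix {r} would shadow local LAN {lan}")

    # If a remote prefix covers the IPsec peer (the usual case when the
    # default route goes over the tunnel), the encrypted packets to the
    # peer would themselves be routed into the tunnel. Pin the peer to the
    # physical uplink with a /32 before anything else.
    if any(peer in r for r in remote):
        cmds.append(f"ip route replace {peer}/32 via {uplink_gw} dev {uplink_iface}")

    for r in remote:
        cmds.append(f"ip route replace {r} dev {tunnel_iface}")
    return cmds


def plan_firewall_routes(remote_subnets: Iterable[str], gateway_lan_ip: str) -> List[str]:
    """Routes for the existing firewall/default gateway, for the case where
    the aggregation box is not itself the default gateway: remote networks
    are forwarded to its LAN address instead of the uplink."""
    return [f"ip route replace {r} via {gateway_lan_ip}" for r in _nets(remote_subnets)]


if __name__ == "__main__":
    # Constructed sample: one office LAN, two remote networks behind the tunnel.
    for cmd in plan_gateway_routes(["10.0.0.0/24"], ["10.1.0.0/16", "192.168.50.0/24"],
                                   "ipsec0", "eth0", "198.51.100.1", "203.0.113.5"):
        print(cmd)
    for cmd in plan_firewall_routes(["10.1.0.0/16", "192.168.50.0/24"], "10.0.0.254"):
        print(cmd)
```

`ip route replace` is used instead of `add` so the plan can be re-run after a tunnel flap without "File exists" errors; the peer pin is emitted first because the tunnel's own ESP traffic must never match the routes that follow it.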

On Thu, Apr 11, 2013 at 7:35 PM, Daniel Ivanov <sertys at gmail.com> wrote:

> I have used asterisk over openswan in production for quite a time and if
> you're going for <500cps, you shouldn't worry and put them on the same
> machine. Freeswitch deployment is the same. I would recommend against a
> proprietary or commercial ipsec implementation appliance. The learning
> curve is steep and troubleshooting is by no means easier. Build your
> test setup and go for it.
> On Apr 9, 2013 9:47 PM, "Cal Leeming [Simplicity Media Ltd]" <
> cal.leeming at simplicitymedialtd.co.uk> wrote:
>
>> From personal experience, I would strongly recommend running the VPN
>> within the network layer rather than directly on the server.
>>
>> You could use a pre-built appliance for this (such as Halon VSR), or
>> build your own router using iptables, or even use a Cisco etc.
>>
>> This means you don't have to maintain a tunnel for each individual
>> machine, and keeps a nice clean separation of layers which makes debugging
>> networking problems easier.
>>
>> If you use this approach, then running FreeSWITCH over any tunnel should
>> *just work*. If you use it locally, then strange things might happen.
>>
>> This is just based on my own personal experience, others may disagree.
>> YMMV :)
>>
>> Hope this helps
>>
>> Cal
>>
>> On Tue, Apr 9, 2013 at 5:44 PM, sibu <sibxol at btconnect.com> wrote:
>>
>>> Dear Freeswitch-Users/Developers
>>>
>>> I am new to this list and freeswitch.
>>>
>>> I would like to know if anyone has tried freeswitch with an ipsec VPN
>>> such as openswan or strongswan and what were/should be the settings
>>> (e.g. transport-mode, tunnel-mode etc), results and requirements vis-a-vis
>>> cpu-power, network-speed etc etc
>>>
>>> all hints and suggestions welcomed
>>> thanks in advance
>>> sibu xolo
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> 
>>> 
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>