I agree that using proprietary IPsec appliances (such as Cisco's) can be troublesome; however, there are plenty of free appliances (such as Halon) that support this functionality.<div><br></div><div>In a proper network design, you really should not have tunnelling systems placed on the server itself, for the following reasons:</div>
<div><br></div><div>* There is really no security benefit in doing so, unless you don't trust your LAN against MITM attacks. And to be honest, if you're concerned about your LAN being MITM'd then you have some much bigger problems to deal with (as any attacker could just extract the keys from your machine anyway). This applies both in physical colo and cloud hosting.</div>
<div><br></div><div>* Local network debugging becomes an issue, and in some cases can cause applications to act strangely. For example, if the tunnel interface is dropped whilst an application is listening, it can cause problems depending on how the code was written.</div>
<div><br></div><div>* Increases overall complexity. You wouldn't mix database and httpd on the same server, so why would you do it with networking?</div><div><br></div><div>* Applying multiple outbound routes on a machine can again confuse some applications; this is best handled by a dedicated firewall box.</div>
<div><br></div><div>By all means, set up a separate Linux box specifically for the role of tunnel aggregation, configure selective routes to send over your tunnel, and either use that as your default gw or set up the necessary routes on your firewall appliance. </div>
<div><br></div><div>It's worth mentioning that doing these things properly usually takes more time and effort, especially if you do not have prior experience in networking. Setting up the tunnel on your server instances may be quicker, but it's not the "correct way" imho.</div>
<div><br></div><div>Cal<br><br><div class="gmail_quote">On Thu, Apr 11, 2013 at 7:35 PM, Daniel Ivanov <span dir="ltr"><<a href="mailto:sertys@gmail.com" target="_blank">sertys@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p>I have used Asterisk over Openswan in production for quite some time, and if you're going for &lt;500 cps you shouldn't worry; put them on the same machine. FreeSWITCH deployment is the same. I would recommend against a proprietary or commercial IPsec implementation appliance. The learning curve is steep and troubleshooting is by no means easier. Build your test setup and go for it.</p>
<div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On Apr 9, 2013 9:47 PM, "Cal Leeming [Simplicity Media Ltd]" <<a href="mailto:cal.leeming@simplicitymedialtd.co.uk" target="_blank">cal.leeming@simplicitymedialtd.co.uk</a>> wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>From personal experience, I would strongly recommend running the VPN within the network layer rather than directly on the server.</div>
<div><br></div><div>You could use a pre-built appliance for this (such as Halon VSR), or build your own router using iptables, or even use a Cisco etc.</div>
<div><br></div><div>This means you don't have to maintain a tunnel for each individual machine, and it keeps a nice clean separation of layers, which makes debugging networking problems easier.</div><div><br></div><div>
If you use this approach, then running FreeSWITCH over any tunnel should *just work*. If you use it locally, then strange things might happen.</div>
<div><br></div><div>This is just based on my own personal experience; others may disagree. YMMV :)<br><br>Hope this helps</div><div><br>Cal</div><br><div class="gmail_quote">On Tue, Apr 9, 2013 at 5:44 PM, sibu <span dir="ltr"><<a href="mailto:sibxol@btconnect.com" target="_blank">sibxol@btconnect.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear Freeswitch-Users/Developers<br>
<br>
I am new to this list and FreeSWITCH.<br>
<br>
I would like to know if anyone has tried FreeSWITCH with an IPsec VPN such as<br>
Openswan or strongSwan, and what were/should be the settings (e.g. transport<br>
mode, tunnel mode, etc.), results and requirements vis-à-vis CPU power,<br>
network speed, etc.<br>
<br>
all hints and suggestions welcomed<br>
thanks in advance<br>
sibu xolo<br>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div><br>
<br></blockquote></div>
</div></div>
<br></blockquote></div><br></div>
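<div><br></div><div>The split Cal describes above (IPsec terminated on a dedicated Linux gateway, with the FreeSWITCH host carrying nothing but a static route) as an added example; this script is not part of the original thread and is not strongSwan's or FreeSWITCH's own code. It assumes strongSwan's ipsec.conf syntax for a site-to-site tunnel-mode connection with IKEv2 and a PSK; the addresses, subnets, the connection name <code>sip-site</code> and the <code>SIP_PSK</code> environment variable are constructed for illustration.</div>

```shell
#!/bin/sh
# Dedicated IPsec gateway for the SIP/RTP path: strongSwan terminates the
# tunnel on this box, the FreeSWITCH host only gets a plain route.
# Added example, not from the original thread; every address, subnet and
# name below is assumed/constructed for illustration.
set -eu

# --- assumed topology (constructed) ---------------------------------
LOCAL_GW_PUBLIC="198.51.100.10"     # this box, public side
LOCAL_LAN="10.10.0.0/24"            # LAN where FreeSWITCH lives
LOCAL_GW_LAN_IP="10.10.0.1"         # this box, LAN side (next hop for servers)
REMOTE_GW_PUBLIC="203.0.113.20"     # peer gateway
REMOTE_LAN="10.20.0.0/24"           # subnet of the remote SIP peers

# strongSwan ipsec.conf: site-to-site, tunnel mode, IKEv2, PSK.
# The traffic selectors are the two LANs, so the kernel XFRM policy (not a
# tunnel interface on the server) decides which packets get encrypted.
gen_ipsec_conf() {
    cat <<EOF
config setup
    uniqueids=yes

conn sip-site
    keyexchange=ikev2
    type=tunnel
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    dpdaction=restart
    dpddelay=30s
    left=$LOCAL_GW_PUBLIC
    leftsubnet=$LOCAL_LAN
    leftauth=psk
    right=$REMOTE_GW_PUBLIC
    rightsubnet=$REMOTE_LAN
    rightauth=psk
    auto=start
EOF
}

# ipsec.secrets entry. The PSK is passed in as an argument (read from the
# environment by the apply branch) so it never sits in the script itself.
gen_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$LOCAL_GW_PUBLIC" "$REMOTE_GW_PUBLIC" "$1"
}

# Gateway-side commands: forward only between the two selectors, and accept
# the inbound direction only for packets that were actually decrypted from
# an IPsec SA, so a cleartext packet spoofing the remote LAN is dropped.
gen_gateway_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -s $LOCAL_LAN -d $REMOTE_LAN -j ACCEPT
iptables -A FORWARD -s $REMOTE_LAN -d $LOCAL_LAN -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# The only thing the FreeSWITCH host needs: a static route to the remote
# subnet via the gateway. No tunnel interface, no IPsec state on the server.
gen_server_cmds() {
    echo "ip route add $REMOTE_LAN via $LOCAL_GW_LAN_IP"
}

# Nothing is applied unless explicitly asked for (run as root).
if [ "${1:-}" = "apply-gateway" ]; then
    [ -n "${SIP_PSK:-}" ] || { echo "export SIP_PSK first" >&2; exit 1; }
    gen_ipsec_conf > /etc/ipsec.conf
    umask 077                                   # secrets file readable by root only
    gen_ipsec_secrets "$SIP_PSK" > /etc/ipsec.secrets
    gen_gateway_cmds | sh -e
    ipsec restart
elif [ "${1:-}" = "apply-server" ]; then
    gen_server_cmds | sh -e
fi
```

<div>Run it with <code>apply-gateway</code> (with <code>SIP_PSK</code> exported) on the tunnel box and <code>apply-server</code> on the FreeSWITCH host. FreeSWITCH itself stays unaware of the tunnel: its SIP profile binds to its LAN address, which is what the remote side sees, and if the gateway goes away the server's interfaces are unaffected, which is the failure mode the thread is trying to avoid. The trailing <code>FORWARD</code> drop is a default-deny for anything else this box would forward; if the gateway has other routing duties, scope it accordingly.</div>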