All locations would be connecting back to location A.
Currently we’re bridging a single subnet between locations for voice, and other networks are not routed. I’d like to change that to something like the above, and do away with the bridging. Is something like IPSec + OSPF over GRE or IPIP the best way to go? Looking for as little overhead as possible with some amount of security.
Second question is less relevant to this forum, but is there a good way to automate deployment of this?
We do something similar for one of our customers, using OpenVPN Server on the MT at the main office (“A”), and OpenVPN clients at the satellite locations. We find that OVPN has much lower setup overhead than IPSec (once you have the initial certificates made for OVPN), and the way it handles dynamic IPs at the satellite locations is much more intuitive (in fact, OVPN clients can even be behind one or more layers of NAT and connect just fine – the server needs to either have a static IP or a functioning dynamic-DNS IP, and while you can port forward to the OVPN Server, you’ll have less headache if the server is what holds the public IP).
Once we have the OVPN tunnel set up, we then use OSPF to handle distributing the routes. In our case, we want a “split tunnel” configuration – Internet bound traffic from the satellite locations should not transit the VPN.
Our customer is not trying to transit voice traffic from the satellite locations, so I can’t speak to how well that works compared to an IPSec tunnel or anything. The OVPN tunnels are stable enough for their monitoring equipment to maintain a consistent connection (at least until the underlying Internet service at the satellite location goes down :p).
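Worked example added by the editor, not from any poster in this thread and not MikroTik's own code: a small Python generator that emits the hub-and-spoke layout described above (OpenVPN server at A, OpenVPN clients at the satellites, OSPF over the tunnels, split tunnel), which also gives a concrete answer to the earlier question about automating deployment. Everything in it is assumed: the tunnel prefix 10.255.0.0/24, the hub name hub.example.com, the interface names ether1 and bridge-lan, the certificate names, and RouterOS 6.x CLI syntax; check each emitted line against the RouterOS version actually in use before pasting it in. The split tunnel comes from two things the generator enforces: `add-default-route=no` on every client, and no 0.0.0.0/0 ever entering OSPF (only the tunnel prefix and each site's LAN prefix are announced), so Internet-bound traffic at a satellite keeps using the local ISP.

```python
"""Generate RouterOS 6.x hub-and-spoke OpenVPN + OSPF (split tunnel) configs.

Added example; all names, prefixes and the RouterOS syntax are assumptions."""
from __future__ import annotations

import ipaddress
import secrets
from dataclasses import dataclass

TUNNEL_NET = ipaddress.ip_network("10.255.0.0/24")  # assumed tunnel addressing: hub .1, spokes .2, .3, ...
HUB_FQDN = "hub.example.com"                        # assumed hub address (static IP or working dynamic DNS)
OVPN_PORT = 1194
OSPF_AREA = "backbone"


@dataclass(frozen=True)
class Site:
    name: str   # PPP secret name and part of the tunnel interface name on the hub
    lan: str    # LAN prefix this site announces into OSPF, e.g. "192.168.2.0/24"


def validate(hub_lan: str, spokes: list[Site]) -> None:
    """Reject duplicate site names and overlapping prefixes before anything is emitted."""
    nets = {"hub": ipaddress.ip_network(hub_lan), "tunnel": TUNNEL_NET}
    for s in spokes:
        if s.name in nets:
            raise ValueError(f"duplicate site name: {s.name}")
        nets[s.name] = ipaddress.ip_network(s.lan)
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    if len(spokes) > TUNNEL_NET.num_addresses - 3:
        raise ValueError("tunnel network too small for this many spokes")


def tunnel_ip(index: int) -> str:
    """Hub is index 0 (.1); spoke i (1-based) gets .i+1."""
    return str(TUNNEL_NET[index + 1])


def hub_config(hub_lan: str, spokes: list[Site], passwords: dict[str, str],
               hub_cert: str = "hub-cert", wan_if: str = "ether1", lan_if: str = "bridge-lan") -> str:
    validate(hub_lan, spokes)
    hub_ip = tunnel_ip(0)
    lines = [
        f"# Hub ({HUB_FQDN}); assumes certificate {hub_cert} is already imported and trusted",
        f"/ppp profile add name=ovpn-hub local-address={hub_ip} use-encryption=required",
        f"/interface ovpn-server server set enabled=yes port={OVPN_PORT} mode=ip "
        f"netmask={TUNNEL_NET.prefixlen} certificate={hub_cert} require-client-certificate=yes "
        f"auth=sha1 cipher=aes256 default-profile=ovpn-hub",
        "# place-before=0 keeps the accept rule above any existing input-chain drop rule",
        f"/ip firewall filter add chain=input in-interface={wan_if} protocol=tcp dst-port={OVPN_PORT} "
        f"action=accept place-before=0 comment=\"OpenVPN from spokes\"",
        f"/routing ospf instance set default router-id={hub_ip}",
        f"/routing ospf interface add interface={lan_if} passive=yes",
        f"/routing ospf network add network={TUNNEL_NET} area={OSPF_AREA}",
        f"/routing ospf network add network={hub_lan} area={OSPF_AREA}",
    ]
    for i, s in enumerate(spokes, start=1):
        lines += [
            f"/ppp secret add name={s.name} password={passwords[s.name]} service=ovpn "
            f"profile=ovpn-hub remote-address={tunnel_ip(i)}",
            # static binding so the interface name is stable and OSPF settings survive reconnects
            f"/interface ovpn-server add name=ovpn-{s.name} user={s.name}",
            f"/routing ospf interface add interface=ovpn-{s.name} network-type=point-to-point",
        ]
    return "\n".join(lines)


def spoke_config(site: Site, index: int, password: str,
                 cert: str | None = None, lan_if: str = "bridge-lan") -> str:
    cert = cert or f"{site.name}-cert"
    ip = tunnel_ip(index)
    return "\n".join([
        f"# Spoke {site.name}; assumes client certificate {cert} is already imported",
        f"/interface ovpn-client add name=ovpn-hub connect-to={HUB_FQDN} port={OVPN_PORT} mode=ip "
        f"user={site.name} password={password} certificate={cert} auth=sha1 cipher=aes256 "
        f"add-default-route=no",   # split tunnel: local Internet stays on the local ISP
        f"/routing ospf instance set default router-id={ip}",
        "/routing ospf interface add interface=ovpn-hub network-type=point-to-point",
        f"/routing ospf interface add interface={lan_if} passive=yes",
        f"/routing ospf network add network={TUNNEL_NET} area={OSPF_AREA}",
        f"/routing ospf network add network={site.lan} area={OSPF_AREA}",
    ])


def generate(hub_lan: str, spokes: list[Site], password_for=None) -> dict[str, str]:
    """Return {'hub': config, site.name: config, ...}; one random secret per spoke unless supplied."""
    validate(hub_lan, spokes)
    password_for = password_for or (lambda name: secrets.token_urlsafe(24))
    passwords = {s.name: password_for(s.name) for s in spokes}
    out = {"hub": hub_config(hub_lan, spokes, passwords)}
    for i, s in enumerate(spokes, start=1):
        out[s.name] = spoke_config(s, i, passwords[s.name])
    return out


if __name__ == "__main__":
    sites = [Site("siteB", "192.168.2.0/24"), Site("siteC", "192.168.3.0/24")]  # constructed sample sites
    for name, cfg in generate("192.168.1.0/24", sites).items():
        print(f"===== {name} =====\n{cfg}\n")
```

Each generated snippet is a plain paste into the router's terminal (or a `.rsc` file for `/import`), so the per-site step is reduced to importing the certificate and pasting the site's block; the only state shared between hub and spoke is the per-site secret, which the generator creates once and writes into both sides.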
All the offices have cable or DSL connections, nothing fancy, unfortunately.
I’ll look at OpenVPN, although my understanding is that they dropped support for it, and IPSec seems to be getting better with each release. Has that changed?
They just added the ability for OVPN to use DNS addresses in v6.4, and I haven’t seen anything official to indicate that support has been dropped.
In my experience, IPSec does work reliably on MT units; it’s just a lot more complicated to configure than OVPN. Also, IPSec does not create a virtual interface (whereas OVPN does on both the client and server sides), meaning you don’t have the option to dynamically route using IPSec.