We are a small VSP offering custom VoIP solutions which end users connect to using (currently) an IPSEC VPN. Currently we have a Draytek 2955 in the Datacentre rack and deploy various Draytek routers to customers (dependent on access technology). Our 2955 is sitting on a 1Gb Ethernet connection although the router will only handle 70 presently.
Things are going well and we are expanding fast and we are looking at upgrading our core router to increase capacity and improve redundancy. We're considering this unit (or a pair of) http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-quadcore-rack-edition-pfsense-appliance.html/
onto which to base pfsense 2.0.1.
Currently we terminate VPNs between customer sites and our network using IPSEC VPN and allocate customers an internal IP range from an internally assigned pool. In the early days we tried terminating IPSEC from a Draytek to a pfsense 1.2.3 box; we had some success but randomly found the tunnel would refuse to pass data. What I am considering is deploying the hardware as suggested and migrating the current users (around 15 sites) onto the cluster using IPSEC (as I don't want to replace the CPE), and then deploying further customers over OpenVPN using pfsense at both ends.
I notice from research and trialing that in order to terminate multiple site-to-site VPNs onto a central pfsense box we need to configure multiple pfsense "Servers", each one on a different port. This isn't a major problem, but I am a little concerned about the use of resources in this scenario; any help would be appreciated.
Just to fill you in, the Hosted PBXs reside on a VMWare cluster and sit within /30 subnets for security, meaning that a VPN to a customer site will only be able to see the PBX. On the existing Draytek I am able to add in individual IPs as routes so I can allow customer site subnets to connect to other servers outside their PBX /30 subnet; this is something I would like to replicate in pfsense.
Apologies for the lengthy email. I suppose what I am trying to ask, in short, is: should I be using IPSEC or OpenVPN to maximise efficiency and throughput (I know I will need to use some IPSEC)? Any thoughts and advice would be appreciated.
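The addressing scheme described in the post (one /30 per hosted PBX, per-customer routes for anything outside that /30, many site tunnels on one hub) is the kind of plan that is worth checking mechanically before the customers are migrated. The script below is an added example, not part of the original post and not pfSense or OpenVPN project code; the customer names, LAN ranges and the `10.100.0.0/24` PBX pool are constructed values. It carves the /30s from the pool, flags customer LANs that overlap (a single hub cannot route the same prefix down two tunnels), and renders, per site, the OpenVPN client-config-dir entry that restricts what the site is told it can reach. On pfSense the same per-site `iroute`/pushed-route content is what the "Client Specific Overrides" page generates; the matching server-side `route` line for each LAN is assumed to be added separately.

```python
"""Plan per-customer VPN addressing for a hub fronting hosted PBXs.

Constructed example: customer names, LAN ranges and the PBX pool below are
made up for illustration and do not describe any real deployment.
"""
from ipaddress import ip_network, IPv4Network
from itertools import combinations

# Constructed customer records. "lan" is the remote site's subnet; "extra_access"
# lists hosts outside the customer's own PBX /30 that the site may reach.
CUSTOMERS = [
    {"name": "site-a", "lan": "192.168.10.0/24", "extra_access": ["10.50.0.5/32"]},
    {"name": "site-b", "lan": "192.168.20.0/24", "extra_access": []},
    {"name": "site-c", "lan": "192.168.10.0/24", "extra_access": []},  # clashes with site-a
]
# Internal pool from which each hosted PBX gets its own /30 (constructed value).
PBX_POOL = ip_network("10.100.0.0/24")


def allocate_pbx_subnets(pool: IPv4Network, customers: list) -> dict:
    """Carve one /30 out of the pool per customer, in list order."""
    slots = list(pool.subnets(new_prefix=30))
    if len(customers) > len(slots):
        raise ValueError(f"pool {pool} holds {len(slots)} /30s, need {len(customers)}")
    return {c["name"]: slots[i] for i, c in enumerate(customers)}


def find_lan_overlaps(customers: list) -> list:
    """Return sorted (name, name) pairs whose site LANs overlap.

    The hub holds one route per prefix, so two sites with the same LAN range
    must be renumbered (or NATed) before they can both be terminated here.
    """
    nets = {c["name"]: ip_network(c["lan"]) for c in customers}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def build_plan(customers: list, pbx: dict) -> dict:
    """Per customer: what the hub routes toward the site, and what the site may reach.

    `site_reachable` is only the customer's own PBX /30 plus explicit extras,
    so no tunnel is ever handed a route to another customer's PBX.
    """
    plan = {}
    for c in customers:
        lan = ip_network(c["lan"])
        reach = [pbx[c["name"]]] + [ip_network(x) for x in c["extra_access"]]
        plan[c["name"]] = {"hub_routes_to_site": [lan], "site_reachable": reach}
    return plan


def render_openvpn_ccd(name: str, entry: dict) -> str:
    """Render an OpenVPN client-config-dir file for one site.

    `iroute` tells the server which LAN lives behind this client; the pushed
    routes are the only destinations the site is told about. The server config
    still needs a matching `route <lan> <mask>` line (assumed, not rendered).
    """
    lines = [f"# {name}"]
    for lan in entry["hub_routes_to_site"]:
        lines.append(f"iroute {lan.network_address} {lan.netmask}")
    for net in entry["site_reachable"]:
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    clashes = find_lan_overlaps(CUSTOMERS)
    if clashes:
        print("LAN overlaps to resolve before onboarding:", clashes)
    pbx = allocate_pbx_subnets(PBX_POOL, CUSTOMERS)
    for site, entry in build_plan(CUSTOMERS, pbx).items():
        print(render_openvpn_ccd(site, entry))
```

Running it as-is reports the `site-a`/`site-c` overlap and prints one CCD block per site; `site-a` gets its own `10.100.0.0/30` PBX plus the single extra host, and never a route to `10.100.0.4/30` (site-b's PBX). The same checks apply whichever transport the sites end up on: the IPsec phase 2 selectors for the Draytek sites should be drawn from the same plan so the two populations cannot collide.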