nanog mailing list archives

RE: VPN recommendations?


From: "James R. Price" <james () digitalciti com>
Date: Thu, 10 Feb 2022 19:05:16 +0000

I’ll second PFsense, done quite a bit of this in hub and spoke topologies, spokes being behind NAT (provided the upstream fw allows udp 500,4500), on a dynamic. The hub or hubs are ideally on a static. Set the hub site up as responder only, the remotes initiate the tunnel. Peers are validated either by dynamic name or you simply allow peers sourcing from 0.0.0.0 at the hub site.

This is not limited to PF, I’ve gotten this to work on Cisco firewalls, routers, and other Linux based firewalls.

From: NANOG <nanog-bounces+james=digitalciti.com () nanog org> On Behalf Of William Herrin
Sent: Thursday, February 10, 2022 12:02 PM
To: nanog () nanog org
Subject: VPN recommendations?

Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to build site to site VPNs at speeds between 100 Mbps and 1 Gbit where all but one of the sites are behind an IPv4 NAT gateway with dynamic public IP addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my customer insists on a network appliance. Site to site VPNs using IPSec and static IP addresses on the plaintext side are a dime a dozen but traversing NAT and dynamic IP addresses (and automatically re-establishing when the service goes out and comes back up with different addresses) is a hard requirement.

Thanks in advance,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/
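As an added illustration of the hub side of the arrangement James describes (responder-only hub on a static address, spokes initiating from dynamic NATed addresses, IKE accepted from any source), here is a strongSwan swanctl.conf fragment; it is not configuration from this thread or from pfSense, and the hostnames, addresses, subnets and secrets are constructed placeholders. The point it makes is that "allow peers sourcing from 0.0.0.0" is only safe because each spoke is still authenticated by its own IKE identity and its own pre-shared key, rather than by a shared secret any peer could present.

```conf
# Hub: static public address, responder only (constructed example, not from the thread)
connections {
    hub {
        version = 2                   # IKEv2: NAT-T on UDP/4500 is negotiated automatically
        local_addrs  = 203.0.113.10   # the hub's static address (placeholder)
        remote_addrs = %any           # spokes arrive from any source: they sit behind NAT on dynamic IPs
        dpd_delay = 30s               # dead-peer detection so a spoke that moved address is noticed
        # The upstream firewall in front of the hub must still pass UDP 500 and UDP 4500.
        local {
            auth = psk
            id = hub.example.com
        }
        remote {
            auth = psk
            id = %any                 # source address is open, but the IDi sent must match a secret below
        }
        children {
            spokes {
                local_ts  = 10.0.0.0/24   # hub LAN
                remote_ts = 10.1.0.0/16   # covers every spoke LAN; narrowed per spoke at negotiation
                start_action = none       # responder only: the hub never initiates toward a spoke
                dpd_action = clear        # drop the dead SA and wait for the spoke to reconnect
            }
        }
    }
}
secrets {
    ike-spoke1 {
        id-1 = spoke1.example.com     # one identity and one PSK per spoke, never one shared secret
        secret = "<spoke1-psk-placeholder>"
    }
    ike-spoke2 {
        id-1 = spoke2.example.com
        secret = "<spoke2-psk-placeholder>"
    }
}
```

The spoke side is the mirror image: `local_addrs = %any`, `remote_addrs = 203.0.113.10`, its own `id` and matching secret, `encap = yes`, and in the child `start_action = start`, `dpd_action = restart` and `close_action = start`, so the spoke re-initiates whenever its public address changes or the hub clears the SA.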
