VPN recommendations?

James R. Price james at digitalciti.com
Thu Feb 10 19:05:16 UTC 2022


I'll second pfSense; I've done quite a bit of this in hub-and-spoke topologies, with the spokes behind NAT (provided the upstream firewall allows UDP 500 and 4500) on a dynamic IP. The hub or hubs are ideally on a static IP. Set the hub site up as responder only; the remotes initiate the tunnel. Peers are validated either by dynamic name, or you simply allow peers sourcing from 0.0.0.0 at the hub site.

This is not limited to pfSense; I've gotten this to work on Cisco firewalls, routers, and other Linux-based firewalls.

From: NANOG <nanog-bounces+james=digitalciti.com at nanog.org> On Behalf Of William Herrin
Sent: Thursday, February 10, 2022 12:02 PM
To: nanog at nanog.org
Subject: VPN recommendations?

Hi folks,

Do you have any recommendations for VPN appliances? Specifically, I need to build site-to-site VPNs at speeds between 100 Mbps and 1 Gbps where all but one of the sites are behind an IPv4 NAT gateway with dynamic public IP addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy, but my customer insists on a network appliance. Site-to-site VPNs using IPsec and static IP addresses on the plaintext side are a dime a dozen, but traversing NAT and dynamic IP addresses (and automatically re-establishing when the service goes out and comes back up with different addresses) is a hard requirement.

Thanks in advance,
Bill Herrin

--
William Herrin
bill at herrin.us
https://bill.herrin.us/
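For Bill's requirement (spokes behind NAT on dynamic addresses, one hub on a static address, tunnels that come back on their own after an address change), here is the responder-only hub / initiating-spoke arrangement James describes, written out as an added example in strongSwan swanctl.conf syntax. This is not configuration from the thread or from pfSense; the hostnames, addresses, certificate file names and subnets are constructed placeholders. It uses IKEv2 with certificates for peer validation, and `remote_addrs = 0.0.0.0/0` on the hub is the swanctl equivalent of "allow peers sourcing from 0.0.0.0".

```conf
# ---- Hub (static public IP): responder only, never initiates ----
# /etc/swanctl/swanctl.conf on the hub (constructed example)
connections {
    spokes {
        version = 2                       # IKEv2: NAT traversal on UDP 4500 is negotiated automatically
        local_addrs  = 203.0.113.10       # hub's static address (placeholder)
        remote_addrs = 0.0.0.0/0          # accept IKE_SA_INIT from any source: spokes have dynamic IPs
        local {
            auth  = pubkey
            certs = hub.pem               # hub certificate from /etc/swanctl/x509/
            id    = hub.example.net
        }
        remote {
            auth    = pubkey
            cacerts = spoke-ca.pem        # only certificates issued by this CA are accepted as spokes
        }
        children {
            spoke-nets {
                local_ts  = 10.0.0.0/16                 # hub-side LAN
                remote_ts = 10.1.0.0/16, 10.2.0.0/16    # all spoke LANs; IKEv2 narrows to each spoke's own
                esp_proposals = aes256gcm16-x25519
                dpd_action   = clear      # spoke went silent: drop the SA and wait for it to re-initiate
                start_action = none       # hub never initiates
            }
        }
        proposals = aes256gcm16-prfsha384-x25519
        dpd_delay = 30s
    }
}
# Hub firewall: permit UDP 500 and 4500 inbound from any source to 203.0.113.10.

# ---- Spoke (dynamic IP behind NAT): initiator, reconnects on its own ----
# /etc/swanctl/swanctl.conf on spoke1 (constructed example)
connections {
    hub {
        version = 2
        local_addrs  = %any               # whatever address the ISP hands out today
        remote_addrs = hub.example.net    # hub's static address or DNS name
        local {
            auth  = pubkey
            certs = spoke1.pem
            id    = spoke1.example.net
        }
        remote {
            auth    = pubkey
            cacerts = hub-ca.pem
            id      = hub.example.net     # pin the hub's identity
        }
        children {
            hub-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.0.0.0/16
                esp_proposals = aes256gcm16-x25519
                start_action = start      # bring the tunnel up when charon starts
                dpd_action   = restart    # hub stopped answering (e.g. our public IP changed): re-initiate
                close_action = start      # hub cleared the child SA: re-initiate
            }
        }
        proposals   = aes256gcm16-prfsha384-x25519
        dpd_delay   = 30s
        keyingtries = 0                   # retry forever instead of giving up after a few attempts
        mobike      = yes                 # keep the IKE SA across address changes where the NAT permits
    }
}
```

Load both files with `swanctl --load-all` and check from the spoke with `swanctl --list-sas`; the hub side needs only the UDP 500/4500 rule, since it never sends the first packet. Certificates rather than a shared PSK are used deliberately: with the hub accepting initiators from any address, a single PSK means anyone holding it can bring up a tunnel, whereas a per-spoke certificate ties each tunnel to one identity and lets you revoke one spoke without touching the others. Each spoke's `local_ts` must match one of the subnets listed in the hub's `remote_ts`, or the CHILD_SA negotiation fails with a traffic-selector mismatch.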