VPN recommendations?

William Herrin bill at herrin.us
Fri Feb 11 19:35:51 UTC 2022


On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon <sneddon at gmail.com> wrote:
> 1) IPSEC does not lend itself to dynamic routing or dynamic configuration. It is very much a static set-it-and-forget-it technology, but that doesn’t work in a dynamically changing environment.

Hi Dan,

Depending on how you configure it, IPSEC can work fine with dynamic
routing. The thing to understand is that IPSec has two modes:
transport and tunnel. Transport is between exactly two IP addresses
while tunnel expects a broader network to exist on at least one end.
"Tunnel" mode is what everyone actually uses but you can deconstruct
it: it's built up from transport mode + a tunnel protocol (gre or ipip
I don't remember which) + implicit routing and firewalling which
wreaks havoc on dynamic routing. Now, it turns out that you can
instead configure IPSec in transport mode, configure the tunnel
separately and leave out the implicit firewalling.

> This may not apply to William Herrin’s (OP) use case of a VPN appliance

It's not relevant to my situation, no. I need the VPN to establish a
statically addressed clean layer 3 on top of dynamically addressed and
natted endpoints to support the next appliance in the chain where
dynamic addressing is not possible. I don't actually care if it adds
security; it just needs to establish that statically addressed layer.
Oh yeah, and it has to be listed under "virtual private network" on
the government NIAP list.
https://www.niap-ccevs.org/product/PCL.cfm?ID624=34

Regards,
Bill Herrin

-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
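What Bill describes above, transport-mode IPsec underneath a separately configured tunnel with no implicit firewalling, looks like this on Linux with iproute2. This is an added example, not code from the thread or from any product mentioned in it; it assumes a modern Linux kernel with `ip xfrm` and `ip tunnel`, a static public address on each gateway, and uses constructed placeholder addresses and keys. A routing daemon (OSPF, BGP) is then pointed at `gre1` like any other interface.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): IPsec in *transport* mode
# protecting a separately configured GRE tunnel, so dynamic routing can run
# over the tunnel interface. Linux iproute2 (ip xfrm / ip tunnel) is assumed.
# All addresses and keys below are constructed placeholders.

# Run the real `ip` as root; otherwise (or with DRY_RUN=1) print the command.
ipcmd() {
    if [ "${DRY_RUN:-0}" = 1 ] || [ "$(id -u)" -ne 0 ]; then
        printf 'ip %s\n' "$*"
    else
        ip "$@"
    fi
}

# setup_ipsec_gre LOCAL_IP PEER_IP TUNNEL_ADDR/PREFIX
#   LOCAL_IP / PEER_IP : outer (public) addresses of the two gateways
#   TUNNEL_ADDR        : this side's address on the GRE interface
setup_ipsec_gre() {
    local_ip=$1; peer_ip=$2; tun_addr=$3

    # Placeholder AES-256-GCM keys: 32-byte key + 4-byte salt = 72 hex digits.
    # Constructed for illustration only; in production an IKE daemon
    # (e.g. strongSwan) negotiates and rekeys these, never static values.
    key_out=0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223
    key_in=0x2425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f4041424344454647

    # 1. Transport-mode ESP security associations between the two outer
    #    addresses. Transport mode = "between exactly two IP addresses".
    ipcmd xfrm state add src "$local_ip" dst "$peer_ip" proto esp spi 0x1001 reqid 1 \
        mode transport aead 'rfc4106(gcm(aes))' "$key_out" 128
    ipcmd xfrm state add src "$peer_ip" dst "$local_ip" proto esp spi 0x1002 reqid 1 \
        mode transport aead 'rfc4106(gcm(aes))' "$key_in" 128

    # 2. Policies that select only GRE (IP protocol 47) between the gateways.
    #    There are no inner-subnet selectors, so the SPD does not act as a
    #    firewall: whatever the routing daemon sends over gre1 is encrypted.
    ipcmd xfrm policy add src "$local_ip" dst "$peer_ip" proto 47 dir out \
        tmpl src "$local_ip" dst "$peer_ip" proto esp reqid 1 mode transport
    ipcmd xfrm policy add src "$peer_ip" dst "$local_ip" proto 47 dir in \
        tmpl src "$peer_ip" dst "$local_ip" proto esp reqid 1 mode transport

    # 3. The tunnel itself, configured independently of IPsec.
    ipcmd tunnel add gre1 mode gre local "$local_ip" remote "$peer_ip" ttl 64
    ipcmd addr add "$tun_addr" dev gre1
    ipcmd link set gre1 up

    # 4. Routing is now ordinary: run OSPF/BGP on gre1 or add routes via it.
}

# Apply only when explicitly asked, e.g.:
#   sh ipsec-gre.sh apply 192.0.2.1 198.51.100.1 10.255.0.1/30
if [ "${1:-}" = apply ]; then
    setup_ipsec_gre "$2" "$3" "$4"
fi
```

Without root (or with `DRY_RUN=1`) the script only prints the commands it would run, which is a convenient way to review the two SAs, the two GRE-only policies and the tunnel before touching a live gateway. Note why this is the opposite of Bill's requirement: both the SAs and the GRE endpoints are bound to fixed outer addresses, so a peer whose address changes or sits behind NAT needs an IKE daemon and a tunnel scheme that can follow it.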

