[AusNOG] VPN Virtual appliance recommendations

Tony td_miles at yahoo.com
Tue Nov 3 11:50:12 EST 2015


We use pfSense with OpenVPN authenticating users via RADIUS without any issues. 
      From: Jonathan Thorpe <jthorpe at Conexim.com.au>
 To: Ben Trigger <btrigger at livingnetworks.com.au>; "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net> 
 Sent: Tuesday, 3 November 2015, 10:27
 Subject: Re: [AusNOG] VPN Virtual appliance recommendations
   
Hi Ben,

Given the requirement for both IPSEC and OpenVPN, Vyatta sounds like a good idea, however given the number of subscribers, there are a few challenges with authentication/authorisation (and probably throughput of a single machine).

1. Vyatta will allow you to do RADIUS with IKEv2 over L2TP.
2. While Vyatta does OpenVPN, in my experience, it doesn’t provide any meaningful way to centrally manage authentication for a large number of distinct clients.

Given the scale, you probably want to be able to load balance across multiple servers which means you really need a single source of truth for each one.

With OpenVPN’s small footprint and the likely need to load balance connections, it might be worth rolling your own. This would enable you to maintain a single store that contains your client certificates (and if necessary, client-specific config in the client-config-dir).

You may also be able to use OpenVPN with RADIUS, allowing you to keep the IPSEC/OpenVPN authentication/authorisation data together.

With this in mind, I believe pfSense provides this functionality as well, but have not tried it in this scenario myself.

Kind Regards,
Jonathan

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Ben Trigger
Sent: Tuesday, 3 November 2015 10:51 AM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] VPN Virtual appliance recommendations

Hi All,

Just wondering if anyone has recommendations on a virtual appliance (VMWARE / Xen compatible) which can terminate xx000's of roaming clients. Hoping to support ipsec ikeV2 + openVPN. I've been looking at Vyatta, strongswan & openVPN server. Wondering if anyone has experience good or bad to share on these platforms? Or other recommendations?

Many Thanks,

--
Ben Trigger | LivingNetworks
E: btrigger at livingnetworks.com.au
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog


  