<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_1_1446508150996_31806"><span id="yui_3_16_0_1_1446508150996_31805">We use pfSense with OpenVPN authenticating users via RADIUS without any issues. </span></div><br>  <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_1_1446508150996_31750"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;" id="yui_3_16_0_1_1446508150996_31749"> <div dir="ltr" id="yui_3_16_0_1_1446508150996_31802"> <hr size="1" id="yui_3_16_0_1_1446508150996_31803">  <font size="2" face="Arial" id="yui_3_16_0_1_1446508150996_31801"> <b><span style="font-weight:bold;">From:</span></b> Jonathan Thorpe <jthorpe@Conexim.com.au><br> <b><span style="font-weight: bold;">To:</span></b> Ben Trigger <btrigger@livingnetworks.com.au>; "ausnog@lists.ausnog.net" <ausnog@lists.ausnog.net> <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, 3 November 2015, 10:27<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [AusNOG] VPN Virtual appliance recommendations<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1446508150996_31748"><br><div id="yiv4284869381"><style>#yiv4284869381 #yiv4284869381 --
 
#yiv4284869381 </style><div id="yui_3_16_0_1_1446508150996_31747">
<div class="yiv4284869381WordSection1" id="yui_3_16_0_1_1446508150996_31746">
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31800"><span style="font-size:11.0pt;">Hi Ben,</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31799"><span style="font-size:11.0pt;">  </span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31798"><span style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31797">Given the requirement for both IPSEC and OpenVPN, Vyatta sounds like a good idea; however, given the number of subscribers, there are
 a few challenges with authentication/authorisation (and probably throughput of a single machine).</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31796"><span style="font-size:11.0pt;">  </span></div> 
<div class="yiv4284869381MsoListParagraph" style="" id="yui_3_16_0_1_1446508150996_31795"><span style="font-size:11.0pt;"><span style="">1.<span style="font:7.0pt;">      
</span></span></span><span style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31794">Vyatta will allow you to do RADIUS with IKEv2 over L2TP.</span></div> 
<div class="yiv4284869381MsoListParagraph" style="" id="yui_3_16_0_1_1446508150996_31792"><span style="font-size:11.0pt;"><span style="">2.<span style="font:7.0pt;">      
</span></span></span><span style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31793">While Vyatta does OpenVPN, in my experience, it doesn’t provide any meaningful way to centrally manage authentication for
 a large number of distinct clients.</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31791"><span style="font-size:11.0pt;">  </span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31784"><span style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31783">Given the scale, you probably want to be able to load balance across multiple servers which means you really need a single source of
 truth for each one.</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31753"><span style="font-size:11.0pt;">  </span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31745"><span style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31744">With OpenVPN’s small footprint and the likely need to load balance connections, it might be worth rolling your own.  This would enable
 you to maintain a single store that contains your client certificates (and if necessary, client-specific config in the client-config-dir).</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31751"><span style="font-size:11.0pt;">  </span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31819"><span style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31818">You may also be able to use OpenVPN with RADIUS, allowing you to keep the IPSEC/OpenVPN authentication/authorisation data together.</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31820"><span style="font-size:11.0pt;">  </span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31840"><span style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31839">With this in mind, I believe pfSense provides this functionality as well, but have not tried it in this scenario myself.</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31821"><span style="font-size:11.0pt;">  </span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31822"><span style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31838">Kind Regards,</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31823"><span style="font-size:11.0pt;">Jonathan</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31837"><span style="font-size:11.0pt;">  </span></div> 
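<div class="yiv4284869381MsoNormal"><span style="font-size:11.0pt;">The "roll your own" layout described above (a central certificate store, per-client settings in client-config-dir, and RADIUS for the user password), written out as an added example. This is not Jonathan's, Ben's or the OpenVPN project's own configuration; it assumes OpenVPN 2.4 or later, the PAM-based auth plugin that ships with OpenVPN, pam_radius_auth on the server, and made-up paths, hostnames, the RADIUS address 10.0.0.5 and the client CN "alice". Each file is delimited by a comment header; copy the pieces to the paths named.</span></div>

```conf
# ---- /etc/openvpn/server/vpn1.conf  (assumed path; one copy per node in the pool) ----
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.0.0

# Shared PKI: the same ca.crt and crl.pem are distributed from the central store
# to every node, so a certificate issued or revoked once is honoured everywhere.
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/vpn1.crt
key  /etc/openvpn/pki/vpn1.key
dh   /etc/openvpn/pki/dh.pem
crl-verify /etc/openvpn/pki/crl.pem
tls-crypt  /etc/openvpn/pki/tls-crypt.key   # packets without the pre-shared key never reach TLS
remote-cert-tls client                      # refuse a leaked server certificate used as a client
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

# Second factor: the client also sends a username/password, which PAM forwards to RADIUS.
# The PAM service name "openvpn" is an assumption and must match /etc/pam.d/openvpn below.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# Per-client state (static address, routes) lives in one file per certificate CN,
# generated from the central store and synced to every node.
client-config-dir /etc/openvpn/ccd
ccd-exclusive        # a CN with no ccd file is refused: the store is authoritative

# Password-only variant (no client certificate): uncomment both lines so the ccd
# lookup is keyed on the RADIUS username instead of the certificate CN.
#verify-client-cert none
#username-as-common-name

keepalive 10 60
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/vpn1-status.log
verb 3

# ---- /etc/openvpn/ccd/alice  (one file per client; CN "alice" is a made-up example) ----
ifconfig-push 10.8.1.10 255.255.0.0
push "route 192.168.50.0 255.255.255.0"

# ---- /etc/pam.d/openvpn ----
auth    required pam_radius_auth.so
account required pam_permit.so

# ---- /etc/pam_radius_auth.conf  (server[:port]  shared_secret  timeout; mode 0600) ----
10.0.0.5:1812   s3cret-shared-with-radius   3

# ---- client.ovpn fragment: spread logins across the pool ----
remote vpn1.example.net 1194
remote vpn2.example.net 1194
remote-random
auth-user-pass
```

<div class="yiv4284869381MsoNormal"><span style="font-size:11.0pt;">Two practitioner caveats. pam_radius_auth.conf carries the RADIUS shared secret, so keep it root-only; the auth-pam plugin does its PAM work in a helper it forks before OpenVPN drops to nobody, so the running daemon does not need to read it. With username-as-common-name the RADIUS username becomes the key that selects a ccd file, so treat it as untrusted input and keep ccd-exclusive on, so an unknown name is refused rather than falling through to the server defaults.</span></div>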
<div class="qtdSeparateBR"><br><br></div><div class="yiv4284869381yqt8334628011" id="yiv4284869381yqt21405"><div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31825"><b id="yui_3_16_0_1_1446508150996_31836"><span lang="EN-US" style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31835">From:</span></b><span lang="EN-US" style="font-size:11.0pt;" id="yui_3_16_0_1_1446508150996_31824"> AusNOG [mailto:ausnog-bounces@lists.ausnog.net]
<b>On Behalf Of </b>Ben Trigger<br clear="none">
<b id="yui_3_16_0_1_1446508150996_31834">Sent:</b> Tuesday, 3 November 2015 10:51 AM<br clear="none">
<b id="yui_3_16_0_1_1446508150996_31833">To:</b> ausnog@lists.ausnog.net<br clear="none">
<b id="yui_3_16_0_1_1446508150996_31844">Subject:</b> [AusNOG] VPN Virtual appliance recommendations</span></div> 
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31826">  </div> 
<div id="yui_3_16_0_1_1446508150996_31828">
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31827">Hi All,</div> 
<div id="yui_3_16_0_1_1446508150996_31830">
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31829">  </div> 
</div>
<div id="yui_3_16_0_1_1446508150996_31832">
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31831">Just wondering if anyone has recommendations on a virtual appliance (VMware / Xen compatible) which can terminate xx000's of roaming clients. Hoping to support IPsec IKEv2 + OpenVPN. I've been looking at Vyatta, strongSwan & OpenVPN server.
 Wondering if anyone has experience, good or bad, to share on these platforms? Or other recommendations?</div> 
</div>
<div id="yui_3_16_0_1_1446508150996_31953">
<div class="yiv4284869381MsoNormal" id="yui_3_16_0_1_1446508150996_31952">  </div> 
</div>
<div>
<div class="yiv4284869381MsoNormal">  </div> 
</div>
<div>
<div class="yiv4284869381MsoNormal">Many Thanks, <br clear="all">
</div> 
<div>
<div class="yiv4284869381MsoNormal">  </div> 
</div>
<div class="yiv4284869381MsoNormal">-- </div> 
<div>
<div>
<div><b><span style="font-size:10.0pt;">Ben</span></b><b><span style="font-size:10.0pt;"> </span></b><b><span style="font-size:10.0pt;">Trigger </span></b><b><span style="font-size:10.0pt;">| Living</span></b><span style="font-size:10.0pt;">Networks</span><span style="font-size:9.5pt;"></span></div> 
<div><span style="font-size:10.0pt;">E: </span><a rel="nofollow" shape="rect" ymailto="mailto:btrigger@livingnetworks.com.au" target="_blank" href="mailto:btrigger@livingnetworks.com.au" title="[GMCP] Compose a new mail to btrigger@livingnetworks.com.au" title-off=""><span style="font-size:10.0pt;">btrigger@livingnetworks.com.au</span></a><span style="font-size:10.0pt;"> </span><span style="font-size:9.5pt;"></span></div> 
</div>
</div>
</div>
</div></div>
</div>
</div></div><br><div class="yqt8334628011" id="yqt28940">_______________________________________________<br clear="none">AusNOG mailing list<br clear="none"><a shape="rect" ymailto="mailto:AusNOG@lists.ausnog.net" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br clear="none"><a shape="rect" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br clear="none"></div><br><br></div> </div> </div>  </div></body></html>