<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div>The Brocade vRouter (née Vyatta, we renamed it about a year ago) definitely supports many, many connections. </div>
<div><br>
</div>
<div>I don't know how many active end points we have going at once, but we use vRouter internally to terminate all remote user-based VPNs.</div>
<div><br>
</div>
<div>I use Viscosity on my Mac and I believe that's the same client we use on our company-issued PCs too. It's trivial to set up on the vRouter, and creating ovpn profiles that can be imported into Viscosity (or an open source client) is simple too. </div>
<div><br>
</div>
<div>Works a treat. At last count there were over 6000 staff worldwide and 5 or 6 end points you can dial into. I can get official stats if you're interested, but I suspect the scale meets where your demand would be. </div>
<div><br>
</div>
<div>We also use vRouter to build P2MP IPSec site-site VPNs for all offices worldwide. There are no WAN links with backhaul to the HOs in various regions (APJ, EMEA, US etc), just Internet, vRouter and IPSec. </div>
<div><br>
</div>
<div>So again, eating our own dog food. </div>
<div><br>
</div>
<div>We can discuss the tech stuff and limits on list but if interested in eval or purchase, drop me a line direct. </div>
<br>
<br>
<br>
<div class="gmail_quote">On Tue, Nov 3, 2015 at 2:54 AM -0800, "James Hodgkinson"
<span dir="ltr">&lt;<a href="mailto:yaleman@ricetek.net" target="_blank">yaleman@ricetek.net</a>&gt;</span> wrote:<br>
<br>
</div>
<div>
<div>Personally I'd recommend against it, I've tried using it a few different ways and it's got issues with iOS/OSX clients, and even the people in the forums/IRC recommend against using it in general for anything but router-to-router links.<br>
</div>
<div> </div>
<div>James</div>
<div> </div>
<div> </div>
<div>On Tue, 3 Nov 2015, at 10:50, Jonathan Thorpe wrote:<br>
</div>
<blockquote type="cite">
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">Hi Joseph,</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">RouterOS is pretty good with OpenVPN, but there’s a major limitation with it – at last check, it only supports
TCP based connections and not (what I would have thought were) the more common UDP. It works, but TCP in TCP is bad for performance.</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">There might be a way to do part of the auth on RouterOS with RADIUS, but it still needs a Client Certificate
installed on each instance of the machine. These can of course be transferred over SSH, but that’s a lot to sync.</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">Kind Regards,</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">Jonathan
</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<div>
<div style="border-right-style:none; border-bottom-style:none; border-left-style:none; border-right-width:initial; border-bottom-width:initial; border-left-width:initial; border-right-color:initial; border-bottom-color:initial; border-left-color:initial; border-top-style:solid; border-top-color:rgb(225,225,225); border-top-width:1pt; padding-top:3pt; padding-right:0cm; padding-bottom:0cm; padding-left:0cm">
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<b><span class="colour" style="color:windowtext"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">From:</span></span></span></b><span class="colour" style="color:windowtext"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">
AusNOG [mailto:ausnog-bounces@lists.ausnog.net] <b>On Behalf Of </b>Joseph Goldman<br>
<b>Sent:</b> Tuesday, 3 November 2015 11:39 AM<br>
<b>To:</b> ausnog@lists.ausnog.net<br>
<b>Subject:</b> Re: [AusNOG] VPN Virtual appliance recommendations</span></span></span></p>
</div>
</div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<br>
</p>
<p style="margin:0cm 0cm 12pt; color:black; font-family:'Times New Roman',serif; font-size:12pt">
RouterOS (on Routerboard hardware, or on x86 hardware) is pretty flexible with config - although I have never read or seen experiences of it with VPN clients in that number of connections.<br>
</p>
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
On 03/11/15 11:27, Jonathan Thorpe wrote:<br>
</p>
</div>
<blockquote style="margin-top:5pt; margin-bottom:5pt">
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">Hi Ben,</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">Given the requirement for both IPSEC and OpenVPN, Vyatta sounds like a good idea, however given the number
of subscribers, there are a few challenges with authentication/authorisation (and probably throughput of a single machine).</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="text-indent:-18pt; color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt 36pt">
<span style="">1.<span class="font" style="font-family:'Times New Roman'"><span class="size" style="font-size:7pt"></span></span></span><span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">Vyatta
will allow you to do RADIUS with IKEv2 over L2TP.</span></span></span><br>
</p>
<p style="text-indent:-18pt; color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt 36pt">
<span style="">2.<span class="font" style="font-family:'Times New Roman'"><span class="size" style="font-size:7pt"></span></span></span><span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">While
Vyatta does OpenVPN, in my experience, it doesn’t provide any meaningful way to centrally manage authentication for large number of distinct clients.</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">Given the scale, you probably want to be able to load balance across multiple servers which means you really
need a single source of truth for each one.</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">With OpenVPN’s small footprint and the likely need to load balance connections, it might be worth rolling your
own. This would enable you to maintain a single store that contains your client certificates (and if necessary, client-specific config in the client-config-dir).</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">You may also be able to use OpenVPN with RADIUS, allowing you to keep the IPSEC/OpenVPN authentication/authorisation
data together.</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">With this in mind, I believe pfSense provides this functionality as well, but have not tried it in this scenario
myself.</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">Kind Regards,</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">Jonathan</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<span class="colour" style="color:rgb(31,73,125)"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<b><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">From:</span></span></b><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"> AusNOG [</span></span><a href="mailto:ausnog-bounces@lists.ausnog.net" style="text-decoration:underline; color:blue"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">mailto:ausnog-bounces@lists.ausnog.net</span></span></a><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">]
<b>On Behalf Of </b>Ben Trigger<br>
<b>Sent:</b> Tuesday, 3 November 2015 10:51 AM<br>
<b>To:</b> </span></span><a href="mailto:ausnog@lists.ausnog.net" style="text-decoration:underline; color:blue"><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt">ausnog@lists.ausnog.net</span></span></a><span class="font" style="font-family:Calibri,sans-serif"><span class="size" style="font-size:11pt"><br>
<b>Subject:</b> [AusNOG] VPN Virtual appliance recommendations</span></span></p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<br>
</p>
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
Hi All,<br>
</p>
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<br>
</p>
</div>
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
Just wondering if anyone has recommendations on a virtual appliance (VMWARE / Xen compatible) which can terminate xx000's of roaming clients. Hoping to support ipsec ikeV2 + openVPN. I've been looking at Vyatta, strongswan & openVPN server. Wondering if anyone
has experience good or bad to share on these platforms? Or other recommendations?<br>
</p>
</div>
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<br>
</p>
</div>
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<br>
</p>
</div>
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
Many Thanks, <br>
</p>
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<br>
</p>
</div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
--<br>
</p>
<div>
<div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin-left:0cm; margin-right:0cm">
<b><span class="colour" style="color:rgb(55,96,146)"><span class="font" style="font-family:Arial,sans-serif"><span class="size" style="font-size:10pt">Ben</span></span></span></b><b><span class="colour" style="color:rgb(23,55,94)"><span class="font" style="font-family:Arial,sans-serif"><span class="size" style="font-size:10pt"></span></span></span></b><b><span class="colour" style="color:rgb(55,96,146)"><span class="font" style="font-family:Arial,sans-serif"><span class="size" style="font-size:10pt">Trigger </span></span></span></b><b><span class="colour" style="color:rgb(23,55,94)"><span class="font" style="font-family:Arial,sans-serif"><span class="size" style="font-size:10pt">| Living</span></span></span></b><span class="colour" style="color:rgb(23,55,94)"><span class="font" style="font-family:Arial,sans-serif"><span class="size" style="font-size:10pt">Networks</span></span></span><br>
</p>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin-left:0cm; margin-right:0cm">
<span class="colour" style="color:rgb(55,96,146)"><span class="font" style="font-family:Arial,sans-serif"><span class="size" style="font-size:10pt">E: </span></span></span><a href="mailto:btrigger@livingnetworks.com.au" style="text-decoration:underline; color:blue"><span class="font" style="font-family:Arial,sans-serif"><span class="size" style="font-size:10pt">btrigger@livingnetworks.com.au</span></span></a><span class="colour" style="color:rgb(55,96,146)"><span class="font" style="font-family:Arial,sans-serif"><span class="size" style="font-size:10pt"></span></span></span><br>
</p>
</div>
</div>
</div>
</div>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
</p>
<div> </div>
<div> </div>
<div> </div>
<p></p>
<pre style="color:black; font-family:'Courier New'; font-size:10pt; margin:0cm 0cm 0.0001pt">_______________________________________________<br></pre>
<pre style="color:black; font-family:'Courier New'; font-size:10pt; margin:0cm 0cm 0.0001pt">AusNOG mailing list<br></pre>
<pre style="color:black; font-family:'Courier New'; font-size:10pt; margin:0cm 0cm 0.0001pt"><a href="mailto:AusNOG@lists.ausnog.net" style="text-decoration:underline; color:blue">AusNOG@lists.ausnog.net</a><br></pre>
<pre style="color:black; font-family:'Courier New'; font-size:10pt; margin:0cm 0cm 0.0001pt"><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" style="text-decoration:underline; color:blue">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br></pre>
</blockquote>
<p style="color:black; font-family:'Times New Roman',serif; font-size:12pt; margin:0cm 0cm 0.0001pt">
<br>
</p>
</div>
</blockquote>
<div> </div>
</div>
</body>
</html>