<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>Personally I'd recommend against it, I've tried using it a few different ways and it's got issues with iOS/OSX clients, and even the people in the forums/IRC recommend against using it in general for anything but router-to-router links.<br></div>
<div> </div>
<div>James</div>
<div> </div>
<div> </div>
<div>On Tue, 3 Nov 2015, at 10:50, Jonathan Thorpe wrote:<br></div>
<blockquote type="cite"><div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">Hi Joseph,</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">RouterOS is pretty good with OpenVPN, but there’s a major limitation with it – at last check, it only supports TCP based connections
and not (what I would have thought were) the more common UDP. It works, but TCP in TCP is bad for performance.</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">There might be a way to do part of the auth on RouterOS with RADIUS, but it still needs a Client Certificate installed on each instance
of the machine. These can of course be transferred over SSH, but that’s a lot to sync.</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">Kind Regards,</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">Jonathan
</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><div><div style="border-right-style:none;border-bottom-style:none;border-left-style:none;border-right-width:initial;border-bottom-width:initial;border-left-width:initial;border-right-color:initial;border-bottom-color:initial;border-left-color:initial;border-image-source:initial;border-image-slice:initial;border-image-width:initial;border-image-outset:initial;border-image-repeat:initial;border-top-style:solid;border-top-color:rgb(225, 225, 225);border-top-width:1pt;padding-top:3pt;padding-right:0cm;padding-bottom:0cm;padding-left:0cm;"><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><b><span class="colour" style="color:windowtext"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">From:</span></span></span></b><span class="colour" style="color:windowtext"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"> AusNOG [mailto:ausnog-bounces@lists.ausnog.net]
<b>On Behalf Of </b>Joseph Goldman<br> <b>Sent:</b> Tuesday, 3 November 2015 11:39 AM<br> <b>To:</b> ausnog@lists.ausnog.net<br> <b>Subject:</b> Re: [AusNOG] VPN Virtual appliance recommendations</span></span></span></p></div>
</div>
<p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><br></p><p style="margin: 0cm 0cm 12pt; color: black; font-family: 'Times New Roman', serif; font-size: 12pt;">RouterOS (on Routerboard hardware, or on x86 hardware) is pretty flexible with config - although I have never read or seen experiences of it with VPN clients in that number of connections.<br></p><div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;">On 03/11/15 11:27, Jonathan Thorpe wrote:<br></p></div>
<blockquote style="margin-top:5pt;margin-bottom:5pt;"><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">Hi Ben,</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">Given the requirement for both IPSEC and OpenVPN, Vyatta sounds like a good idea, however given the number of subscribers, there are
a few challenges with authentication/authorisation (and probably throughput of a single machine).</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="text-indent: -18pt; color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt 36pt;"><span style="">1.<span class="font" style="font-family:'Times New Roman'"><span class="size" style="font-size:7pt"></span></span></span><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">Vyatta will allow you to do RADIUS with IKEv2 over L2TP.</span></span></span><br></p><p style="text-indent: -18pt; color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt 36pt;"><span style="">2.<span class="font" style="font-family:'Times New Roman'"><span class="size" style="font-size:7pt"></span></span></span><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">While Vyatta does OpenVPN, in my experience, it doesn’t provide any meaningful way to centrally manage authentication for large
number of distinct clients.</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">Given the scale, you probably want to be able to load balance across multiple servers which means you really need a single source of
truth for each one.</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">With OpenVPN’s small footprint and the likely need to load balance connections, it might be worth rolling your own. This would enable
you to maintain a single store that contains your client certificates (and if necessary, client-specific config in the client-config-dir).</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">You may also be able to use OpenVPN with RADIUS, allowing you to keep the IPSEC/OpenVPN authentication/authorisation data together.</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">With this in mind, I believe pfSense provides this functionality as well, but have not tried it in this scenario myself.</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">Kind Regards,</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">Jonathan</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><span class="colour" style="color:rgb(31, 73, 125)"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"></span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><b><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">From:</span></span></b><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"> AusNOG [</span></span><a href="mailto:ausnog-bounces@lists.ausnog.net" style="text-decoration: underline; color: blue;"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">mailto:ausnog-bounces@lists.ausnog.net</span></span></a><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">]
<b>On Behalf Of </b>Ben Trigger<br> <b>Sent:</b> Tuesday, 3 November 2015 10:51 AM<br> <b>To:</b></span></span><a href="mailto:ausnog@lists.ausnog.net" style="text-decoration: underline; color: blue;"><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt">ausnog@lists.ausnog.net</span></span></a><span class="font" style="font-family:Calibri, sans-serif"><span class="size" style="font-size:11pt"><br> <b>Subject:</b> [AusNOG] VPN Virtual appliance recommendations</span></span></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><br></p><div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;">Hi All,<br></p><div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><br></p></div>
<div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;">Just wondering if anyone has recommendations on a virtual appliance (VMWARE / Xen compatible) which can terminate xx000's of roaming clients. Hoping to support ipsec ikeV2 + openVPN. I've been looking at Vyatta, strongswan & openVPN server.
Wondering if anyone has experience good or bad to share on these platforms? Or other recommendations?<br></p></div>
<div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><br></p></div>
<div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><br></p></div>
<div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;">Many Thanks, <br></p><div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><br></p></div>
<p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;">--<br></p><div><div><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin-left: 0cm; margin-right: 0cm;"><b><span class="colour" style="color:rgb(55, 96, 146)"><span class="font" style="font-family:Arial, sans-serif"><span class="size" style="font-size:10pt">Ben</span></span></span></b><b><span class="colour" style="color:rgb(23, 55, 94)"><span class="font" style="font-family:Arial, sans-serif"><span class="size" style="font-size:10pt"></span></span></span></b><b><span class="colour" style="color:rgb(55, 96, 146)"><span class="font" style="font-family:Arial, sans-serif"><span class="size" style="font-size:10pt">Trigger </span></span></span></b><b><span class="colour" style="color:rgb(23, 55, 94)"><span class="font" style="font-family:Arial, sans-serif"><span class="size" style="font-size:10pt">| Living</span></span></span></b><span class="colour" style="color:rgb(23, 55, 94)"><span class="font" style="font-family:Arial, sans-serif"><span class="size" style="font-size:10pt">Networks</span></span></span><br></p><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin-left: 0cm; margin-right: 0cm;"><span class="colour" style="color:rgb(55, 96, 146)"><span class="font" style="font-family:Arial, sans-serif"><span class="size" style="font-size:10pt">E: </span></span></span><a href="mailto:btrigger@livingnetworks.com.au" style="text-decoration: underline; color: blue;"><span class="font" style="font-family:Arial, sans-serif"><span class="size" style="font-size:10pt">btrigger@livingnetworks.com.au</span></span></a><span class="colour" style="color:rgb(55, 96, 146)"><span class="font" style="font-family:Arial, sans-serif"><span class="size" style="font-size:10pt"></span></span></span><br></p></div>
</div>
</div>
</div>
<p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><div> </div>
<div> </div>
<div> </div>
</p><pre style="color: black; font-family: 'Courier New'; font-size: 10pt; margin: 0cm 0cm 0.0001pt;">_______________________________________________<br></pre><pre style="color: black; font-family: 'Courier New'; font-size: 10pt; margin: 0cm 0cm 0.0001pt;">AusNOG mailing list<br></pre><pre style="color: black; font-family: 'Courier New'; font-size: 10pt; margin: 0cm 0cm 0.0001pt;"><a href="mailto:AusNOG@lists.ausnog.net" style="text-decoration: underline; color: blue;">AusNOG@lists.ausnog.net</a><br></pre><pre style="color: black; font-family: 'Courier New'; font-size: 10pt; margin: 0cm 0cm 0.0001pt;"><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" style="text-decoration: underline; color: blue;">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br></pre></blockquote><p style="color: black; font-family: 'Times New Roman', serif; font-size: 12pt; margin: 0cm 0cm 0.0001pt;"><br></p></div>
<div><u>_______________________________________________</u><br></div>
<div>AusNOG mailing list<br></div>
<div><a href="mailto:AusNOG@lists.ausnog.net" style="text-decoration: underline; color: blue;">AusNOG@lists.ausnog.net</a><br></div>
<div><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" style="text-decoration: underline; color: blue;">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br></div>
</blockquote><div> </div>
</body>
</html>