VPN recommendations?

2022-02-10 Thread William Herrin
Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to
build site to site VPNs at speeds between 100mbps and 1 gbit where all
but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my
customer insists on a network appliance. Site to site VPNs using IPSec and
static IP addresses on the plaintext side are a dime a dozen but traversing
NAT and dynamic IP addresses (and automatically re-establishing when the
service goes out and comes back up with different addresses) is a hard
requirement.

Thanks in advance,
Bill Herrin

-- 
William Herrin
b...@herrin.us

https://bill.herrin.us/


RE: VPN recommendations?

2022-02-10 Thread David Guo via NANOG
You may try WireGuard and use ddns



Re: VPN recommendations?

2022-02-10 Thread Keith Stokes
Pfsense on Netgate appliances?

I’ve used several of them, while not for this exact purpose they have done the 
roles but maybe not the amount of VPN traffic.

--
Keith Stokes
SalonBiz, Inc


Re: VPN recommendations?

2022-02-10 Thread Mike Lyon
How about running ZeroTier on those Linux boxes and call it a day?

https://www.zerotier.com/

-Mike



Re: VPN recommendations?

2022-02-10 Thread Shawn L via NANOG

Meraki MX series?

I don't like the way they do their licensing (your license runs out, the box is
a paper-weight) but they do really well at establishing site-to-site VPNs in
some pretty challenging scenarios.  Dynamic IPs and NATs don't really cause
them a problem.  Some CGNATs do (AT&T I'm looking at you).

Shawn


Re: VPN recommendations?

2022-02-10 Thread Mark Wiater
pfsense and opnsense both do fine with NATted IPsec in the environments
I've tested.


Isn't there an openvpn appliance too?


Re: VPN recommendations?

2022-02-10 Thread Dave Taht
tailscale


-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC


Re: VPN recommendations?

2022-02-10 Thread Phineas Walton
Wireguard is the way to go. No platform lock-in, encrypted, extremely
lightweight and an easy to configure kernel module. Only drawback being
that there’s no implemented mesh topology, but that doesn’t sound like a
requirement for your use case. We actively push 8Gbit through our WG
tunnels with no issues.

Phin


Re: VPN recommendations?

2022-02-10 Thread David Bass
If you want something gui driven I’d do something like Meraki…you can do
the same with just regular old Cisco routers using DMVPN as well.  It’s a
pretty common use case and well established.


Re: VPN recommendations?

2022-02-10 Thread joy

Hello NANOG,

My name is Joy Larkin and I'm actually a long-time years-long lurker on 
the NANOG list (I have v odd hobbies) and I am also ZeroTier's Head of 
Marketing. I know I'm not supposed to be too promotional on here, but 
I'd love to see some of you pick up ZT.


Our founder, Adam Ierymenko, just did a talk at Networking Field Day 27;
here are two of the recordings from that session:


* ZeroTier The Planetary Data Center: https://www.youtube.com/watch?v=T2BbrqpnMAE
* ZeroTier Technical Deep Dive: https://www.youtube.com/watch?v=VhQ30bVF3_s

If you have questions, let me know - you can reach me at 
joy.lar...@zerotier.com


Best,
-Joy


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:06 AM Guillaume Tournat  wrote:
> Fortinet firewalls (FortiGate) are a great deal

Thanks Guillaume,

I found this 
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-VPN-between-static-and-dynamic-IP-FQDN/ta-p/191815
but it suggests that the dynamic IP fortigate expects to have a public
dynamic IP directly on the Fortigate, not be stuck behind a NAT.

Are you aware of any documentation that describes:

LAN - Fortigate - NAT (dynamic IP) - Internet - (static IP) Fortigate - LAN

Where the Meraki is responsible for keeping the NAT translations alive
without any programming on the NAT?

Regards,
Bill


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:18 AM Shawn L  wrote:
> Meraki MX series? Dynamic IPs and NATs don't really cause them a problem.  
> Some CGNats do (AT&T I'm looking at you).

Thanks Shawn,

The documentation I found at
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
suggests that the NAT firewall has to be explicitly configured to
deliver UDP 500/4500 to the Meraki behind it. Are you aware of any
documentation that describes:

LAN - Meraki - NAT (dynamic IP) - Internet - (static IP) Meraki - LAN

Where the left-side Meraki is responsible for establishing and keeping
the NAT translations alive without any special configuration on the
NAT?

Regards,
Bill


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:47 AM Juri Grabowski  wrote:
> Or buy official supported hardware from https://shop.opnsense.com/

Howdy,

Opnsense looks like it might work. I dug through some of the
documentation but didn't find something entirely on point for my use
case. Are you aware of any documentation which describes:

LAN - OPNSense Appliance - (rfc1918) NAT Appliance (dynamic IP) -
Internet - (static IP) OPNSense appliance - LAN

Where the left-side OPNSense is responsible for establishing and
keeping the NAT translations alive without any special configuration
on the NAT?

Thanks,
Bill


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:04 AM David Guo  wrote:
> You may try WireGuard and use ddns

Hi David,

My understanding is that Wireguard is software available for general
purpose operating systems. I specifically need a set of hardware
network appliances. I don't overly care which protocol they're running
as long as an initiator stuck behind a nat box I don't control can
maintain a connection with a hub and handle speeds in the 100mbps to
10gbps.

On Thu, Feb 10, 2022 at 10:12 AM Mike Lyon  wrote:
> How about running ZeroTier on those Linux boxes and call it a day?
> https://www.zerotier.com/

I specifically cannot use general purpose Linux machines for this. I
need network appliances.


On Thu, Feb 10, 2022 at 10:26 AM Dave Taht  wrote:
> tailscale

I specifically need an integrated network appliance, not software I
add to something.

I love my Linux-based VPN servers but my customer very specifically
said no. I can't publicly explain why but trust me when I say it's a
"hard no" and it's not a question of persuasion or education. My
customer understands and likes Linux but he simply cannot use it this
time.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:55 AM William Herrin  wrote:
> My understanding is that Wireguard is software available for general
> purpose operating systems. I specifically need a set of hardware
> network appliances. I don't overly care which protocol they're running
> as long as an initiator stuck behind a nat box I don't control can
> maintain a connection with a hub and handle speeds in the100mbps to
> 10gbps.

That was supposed to be 1gbps. I don't need over 1gbps for this use case.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


RE: VPN recommendations?

2022-02-10 Thread James R. Price
I’ll second PFsense, done quite a bit of this in hub and spoke topologies,
spokes being behind NAT (provided the upstream fw allows udp 500,4500), on a
dynamic.  The hub or hubs are ideally on a static. Set the hub site up as
responder only, the remotes initiate the tunnel.  Peers are validated either by
dynamic name or you simply allow peers sourcing from 0.0.0.0 at the hub site.

This is not limited to PF, I’ve gotten this to work on Cisco firewalls, 
routers, and other Linux based firewalls.


Re: VPN recommendations?

2022-02-10 Thread Mark Wiater
I don't know of a specific document speaking to this, but this doc I
think describes it right.


https://securitynetworkinglinux.wordpress.com/2019/04/19/how-create-a-site-to-site-ipsec-vpn-from-an-opnsense-to-a-fortigate-behind-a-nat-router/

In section 2.3 is where you change My Identifier to be the NATted
non-RFC1918 IP that the right side will see.



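As an added example (not from any post in this thread, and not any vendor's generated configuration), here is what the hub-and-spoke IPsec setup James Price describes, the "My Identifier" point Mark Wiater raises, and Bill's requirement that the spoke keep the NAT translation alive without touching the NAT, look like when written out in strongSwan's legacy ipsec.conf syntax. It assumes strongSwan on both ends as a stand-in for the appliance GUIs; hub.example.net, spoke1, 203.0.113.10, the 10.0.x.0/24 subnets and the PSK are constructed placeholders.

```ini
# ---- strongswan.conf (both ends) ----
# NAT-T keepalives: once NAT is detected, charon sends an empty UDP/4500
# packet every 20s (20s is also the default, shown here explicitly) so the
# spoke's outbound NAT mapping never idles out. Nothing is configured on the
# NAT device; it only ever sees outbound UDP from the spoke.
charon {
    keep_alive = 20s
}

# ---- ipsec.conf on the hub (static public IP) ----
config setup
    # when spoke1 comes back from a new address, the new IKE SA replaces
    # the stale one for the same identity instead of coexisting with it
    uniqueids=yes

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    authby=secret
    keyingtries=%forever

conn spoke1
    # placeholder hub public address
    left=203.0.113.10
    leftid=@hub.example.net
    # placeholder hub LAN
    leftsubnet=10.0.0.0/24
    # responder only: the hub accepts from any source address ("0.0.0.0"
    # in James Price's wording) and validates the peer by identity, not IP
    right=%any
    rightid=@spoke1
    # placeholder spoke LAN
    rightsubnet=10.0.1.0/24
    # DPD: when the spoke's ISP renumbers it, drop the dead SA and wait for
    # the spoke to re-initiate; the hub cannot initiate to an unknown address
    dpdaction=clear
    dpddelay=30s
    # load, never initiate
    auto=add

# ---- ipsec.conf on the spoke (RFC1918 WAN address behind a dynamic-IP NAT) ----
conn hub
    # the RFC1918 address the NAT hands us
    left=%defaultroute
    # the identity MUST be set explicitly; if it defaulted to the private
    # address, the hub would see a NATted source and a non-matching ID
    leftid=@spoke1
    leftsubnet=10.0.1.0/24
    # static hub, so a plain DNS name resolved at load time is enough
    right=hub.example.net
    rightid=@hub.example.net
    rightsubnet=10.0.0.0/24
    # always UDP-encapsulate ESP, even if NAT detection were to fail
    forceencaps=yes
    # IKEv2 MOBIKE: move the SA to a new address without a full renegotiation
    mobike=yes
    # the spoke initiates, re-initiates after DPD timeout, and re-initiates
    # if the hub closes the SA, with unlimited retries from %default
    dpdaction=restart
    dpddelay=30s
    closeaction=restart
    auto=start

# ---- ipsec.secrets (both ends) ----
@hub.example.net @spoke1 : PSK "REPLACE-WITH-A-LONG-RANDOM-PSK"
```

Two deliberate choices: the spoke's identity is an FQDN-type ID (@spoke1) rather than the NATted public IP that the blog post in Mark's link uses, because an ID that does not change when the ISP renumbers the NAT is what lets the spoke come back on its own; and the hub is loaded with auto=add and dpdaction=clear while only the spoke carries auto=start and dpdaction=restart, so every connection attempt originates on the spoke side, which is the only side that can open and refresh a translation through a NAT it does not control.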

Re: VPN recommendations?

2022-02-10 Thread Ander Punnar
On Thu, 10 Feb 2022 10:55:40 -0800, William Herrin wrote:
> My understanding is that Wireguard is software available for general
> purpose operating systems. I specifically need a set of hardware
> network appliances.

MikroTik (hardware) RouterOS (software) version 7 has WireGuard:

https://help.mikrotik.com/docs/display/ROS/WireGuard



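As an added example (not from any post in this thread, and not MikroTik RouterOS syntax), here is the wg-quick style configuration that the WireGuard suggestions from David Guo and Phineas, and the RouterOS 7 pointer above, come down to for a hub with a static address and two spokes behind dynamic-IP NATs. All keys, the 10.99.0.0/24 transit net, the 10.0.x.0/24 LANs and the name hub.example.net are constructed placeholders.

```ini
# ---- /etc/wireguard/wg0.conf on the hub (static public IP, hub.example.net) ----
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = HUB_PRIVATE_KEY_PLACEHOLDER
# net.ipv4.ip_forward=1 is assumed on the hub so spoke-to-spoke traffic can
# hairpin here (WireGuard has no mesh of its own, as Phineas notes)

# One [Peer] per spoke. There is deliberately no Endpoint: the hub learns each
# spoke's current public address:port from the first authenticated handshake
# and silently updates it whenever the spoke shows up from a new address, so
# a dynamic-IP spoke needs no DDNS name at all. No keepalive on this side.
[Peer]
PublicKey = SPOKE1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.99.0.2/32, 10.0.1.0/24

[Peer]
PublicKey = SPOKE2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.99.0.3/32, 10.0.2.0/24

# ---- /etc/wireguard/wg0.conf on spoke1 (RFC1918 WAN address behind a dynamic-IP NAT) ----
[Interface]
Address = 10.99.0.2/24
PrivateKey = SPOKE1_PRIVATE_KEY_PLACEHOLDER
# No ListenPort: the spoke always initiates, so a random source port is fine
# and nothing needs to be opened or forwarded on the NAT.

[Peer]
PublicKey = HUB_PUBLIC_KEY_PLACEHOLDER
Endpoint = hub.example.net:51820
# hub transit net, hub LAN and the other spoke's LAN (reached via the hub)
AllowedIPs = 10.99.0.0/24, 10.0.0.0/24, 10.0.2.0/24
# Send an empty packet every 25s while idle so the NAT keeps the UDP mapping
# open; anything below the NAT's UDP idle timeout (often 30s) keeps packets
# from the hub deliverable. After the ISP renumbers the spoke, the next
# keepalive or handshake from the new address re-establishes the path.
PersistentKeepalive = 25
```

The caveat a practitioner should know: wg-quick resolves Endpoint once when the interface comes up. That is harmless here because only the hub has a name and its address is static, but if the hub itself sat on a DDNS name, the spoke would keep sending to a stale address after a change unless something re-resolves the name periodically (wireguard-tools ships a contrib reresolve-dns script for that purpose); this is the "use ddns" half of David Guo's suggestion, and it is the spoke, not the hub, that has to act on it.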

Re: VPN recommendations?

2022-02-10 Thread Tom Beecher
> (your license runs out, the box is a paper-weight)

Should be a hard no for anyone purchasing network equipment anyways, but
people have reasons I guess.

On Thu, Feb 10, 2022 at 1:19 PM Shawn L via NANOG  wrote:

> Meraki MX series?
>
>
>
> I don't like the way they do their licensing (your license runs out, the
> box is a paper-weight) but they do really well at establishing site-to-site
> VPNs in some pretty challenging scenarios.  Dynamic IPs and NATs don't
> really cause them a problem.  Some CGNats do (AT&T I'm looking at you).
>
>
>
>
>
> Shawn
>
>
>
> -Original Message-
> From: "Keith Stokes" 
> Sent: Thursday, February 10, 2022 1:11pm
> To: "William Herrin" 
> Cc: "nanog@nanog.org" 
> Subject: Re: VPN recommendations?
>
> Pfsense on Netgate appliances?
> I’ve used several of them, while not for this exact purpose they have done
> the roles but maybe not the amount of VPN traffic.
>
> --
> Keith Stokes
> SalonBiz, Inc
>
> On Feb 10, 2022, at 12:02 PM, William Herrin  wrote:
>
> Hi folks,
> Do you have any recommendations for VPN appliances? Specifically: I need
> to build a site to site VPNs at speeds between 100mpbs and 1 gbit where all
> but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
> addresses.
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my
> customer insists on a network appliance. Site to site VPNs using IPSec and
> static IP addresses on the plaintext side are a dime a dozen but traversing
> NAT and dynamic IP addresses (and automatically re-establishing when the
> service goes out and comes back up with different addresses) is a hard
> requirement.
> Thanks in advance,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> <https://bill.herrin.us/>
> https://bill.herrin.us/
>
>


Re: VPN recommendations?

2022-02-10 Thread Sabri Berisha
On Feb 10, 2022, at 10:17 AM, nanog@nanog.org wrote:

Hi,

> Meraki MX series?

I read on some mailing list that Meraki likes to ping 8.8.8.8 every
second... :)

Thanks,

Sabri


Re: VPN recommendations?

2022-02-10 Thread Matt Harris

Matt Harris | Infrastructure Lead

For OpenVPN, I like the Netgate boxes running pfsense. Works great, super
easy integrations with stuff like AC/LDAP/radius/etc for auth, frr and
others for your routing, etc. This is probably your best bet.

For IPSec I tend to stick to Juniper SRX boxes.

Good luck!


Re: VPN recommendations?

2022-02-10 Thread Mel Beckman
We use SonicWall TZ series for just this purpose. The IPSec VPN endpoints can 
be behind NAT, and we just use DYNDNS to map whatever is current to a FQDN. 
Each side thus has the public IP of the other side and can connect as long as 
you pass through GRE.

-mel via cell


Re: VPN recommendations?

2022-02-10 Thread Brandon Svec via NANOG
Meraki may be considered expensive, requires perpetual license to operate
and is difficult to get currently (very long lead times) but is
dead.stupid.simple to install and maintain.  I have yet to find a business
or home network that it does not work on out of the box, but if you find
one it would be an issue to overcome for any solution, right? i.e. open
some ports on the upstream device one time.

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshooting


Brandon Svec


RE: VPN recommendations?

2022-02-10 Thread Ryland Kremeier
I think my experience is unique, but wanted to put it out there anyway. I’ve 
actually had quite a few problems with Meraki equipment during the one instance 
I worked with them. After a few hours to days, the switches would stop 
functioning. You could still access them through the webgui and issue a reboot 
to resolve the issue, but the problem persisted even after many resets and 
calls with Cisco.

Again, likely some bonk hardware, but in case anyone else has had a similar 
experience I wanted this to be known.

Thank you,
-- Ryland



Re: VPN recommendations?

2022-02-10 Thread John Gilmore
Mike Lyon  wrote:
> How about running ZeroTier on those Linux boxes and call it a day?
> https://www.zerotier.com/

ZeroTier is not a free-as-in-freedom project.  Running it in Linux boxes
or network appliances to provide a VPN to paying customers may be
prohibited (at least for some customers, and before 2025) by its
convoluted license:

  https://github.com/zerotier/ZeroTierOne/blob/master/LICENSE.txt

I recommend using something that doesn't have litigious companies
nitpicking about what you can and can't use it for.

John Gilmore


Re: VPN recommendations?

2022-02-10 Thread Dave Taht
tailscale is 3-clause BSD.

there is a reverse engineered version of the rendezvous protocol also.



-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC


Re: VPN recommendations?

2022-02-10 Thread Sean Kelly
I work in a large oil company and we have S2S VPNs everywhere. Any modern 
Cisco or Juniper router will meet your requirements. An off the shelf security 
appliance will do the job too, i.e. ASA, Palo Alto, Fortinet or Juniper. Meraki is 
great if you want to manage from the cloud or vpn as a service. Good luck.

Sean P Kelly

> On Feb 10, 2022, at 6:51 PM, Dave Taht  wrote:
> 
> tailscale is 3-clause BSD.
> 
> there is a reverse engineered version of the rendezvous protocol also.
> 
> 
> 
>> On Thu, Feb 10, 2022 at 3:41 PM John Gilmore  wrote:
>> 
>> Mike Lyon  wrote:
>>> How about running ZeroTier on those Linux boxes and call it a day?
>>> https://www.zerotier.com/
>> 
>> ZeroTier is not a free-as-in-freedom project.  Running it in Linux boxes
>> or network appliances to provide a VPN to paying customers may be
>> prohibited (at least for some customers, and before 2025) by its
>> convoluted license:
>> 
>>  https://github.com/zerotier/ZeroTierOne/blob/master/LICENSE.txt
>> 
>> I recommend using something that doesn't have litigious companies
>> nitpicking about what you can and can't use it for.
>> 
>>John Gilmore
> 
> 
> 
> -- 
> I tried to build a better future, a few times:
> https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org
> 
> Dave Täht CEO, TekLibre, LLC


Re: VPN recommendations?

2022-02-10 Thread William Herrin
Howdy,

I just want to say thank you to everyone who responded. It was very
helpful and I now have a bunch of leads to chase. I'll let you know
what I end up doing. Given the lead times on some of the equipment it
may be a while...

Warm regards,
Bill Herrin


On Thu, Feb 10, 2022 at 10:02 AM William Herrin  wrote:
> Do you have any recommendations for VPN appliances? Specifically: I need to 
> build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but 
> one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
> addresses.
>
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
> customer insists on a network appliance. Site to site VPNs using IPSec and 
> static IP addresses on the plaintext side are a dime a dozen but traversing 
> NAT and dynamic IP addresses (and automatically re-establishing when the 
> service goes out and comes back up with different addresses) is a hard 
> requirement.
>
> Thanks in advance,
> Bill Herrin



-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread Mark Tinka




On 2/10/22 20:02, William Herrin wrote:


Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I 
need to build a site to site VPNs at speeds between 100mpbs and 1 gbit 
where all but one of the sites are behind an IPv4 NAT gateway with 
dynamic public IP addresses.


Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but 
my customer insists on a network appliance. Site to site VPNs using 
IPSec and static IP addresses on the plaintext side are a dime a dozen 
but traversing NAT and dynamic IP addresses (and automatically 
re-establishing when the service goes out and comes back up with 
different addresses) is a hard requirement.


We like pfSense.

I believe they sell Netgate appliances.

Mark.


Re: VPN recommendations?

2022-02-10 Thread Valdis Klētnieks
On Thu, 10 Feb 2022 10:55:40 -0800, William Herrin said:

> My understanding is that Wireguard is software available for general
> purpose operating systems. I specifically need a set of hardware
> network appliances. 

Take a general purpose OS, strip down the userspace a bit,
stick the whole thing in a box, and call it an appliance. They'll never
know the difference. :)


RE: VPN recommendations?

2022-02-10 Thread David Andrzejewski
I don't know how people around here feel about Mikrotik, but they have included 
Wireguard support in their latest operating system.

dave

-Original Message-
From: NANOG  On Behalf Of 
William Herrin
Sent: Thursday, February 10, 2022 13:56
Cc: nanog@nanog.org
Subject: Re: VPN recommendations?

On Thu, Feb 10, 2022 at 10:04 AM David Guo  wrote:
> You may try WireGuard and use ddns

Hi David,

My understanding is that Wireguard is software available for general purpose 
operating systems. I specifically need a set of hardware network appliances. I 
don't overly care which protocol they're running as long as an initiator stuck 
behind a nat box I don't control can maintain a connection with a hub and 
handle speeds in the 100mbps to 10gbps range.

On Thu, Feb 10, 2022 at 10:12 AM Mike Lyon  wrote:
> How about running ZeroTier on those Linux boxes and call it a day?
> https://www.zerotier.com/

I specifically cannot use general purpose Linux machines for this. I need 
network appliances.


On Thu, Feb 10, 2022 at 10:26 AM Dave Taht  wrote:
> tailscale

I specifically need an integrated network appliance, not software I add to 
something.

I love my Linux-based VPN servers but my customer very specifically said no. I 
can't publicly explain why but trust me when I say it's a "hard no" and it's 
not a question of persuasion or education. My customer understands and likes 
Linux but he simply cannot use it this time.

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://bill.herrin.us/
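The WireGuard-plus-DDNS suggestion from earlier in the thread, and the "initiator stuck behind a NAT box I don't control" requirement above, come down to three pieces of WireGuard behaviour: the hub configures no Endpoint for a NATed spoke and instead learns the spoke's current address from its first authenticated packet (roaming), the spoke keeps the NAT mapping open with PersistentKeepalive, and a hostname Endpoint is resolved only when wg-quick brings the interface up, so a hub published under a DDNS name needs a periodic re-resolve. The script below is an added example, not code from this thread, from MikroTik or from the WireGuard project; every key, address, site name, interface name and port in it is a constructed placeholder. It renders the hub and spoke configurations and implements the re-resolve step (the job of wireguard-tools' contrib reresolve-dns script) as a function that returns the `wg set` command to run.

```python
"""WireGuard hub-and-spoke where every spoke sits behind NAT on a dynamic address.

Added example; not code from this thread, from MikroTik or from the WireGuard
project. Keys, addresses, site names, the interface name and the port are
constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network
import socket
import subprocess
from typing import Callable, Optional

KEEPALIVE_SECONDS = 25  # below the ~30 s UDP mapping timeout common on SOHO NATs


@dataclass
class Peer:
    name: str
    public_key: str                     # base64 WireGuard public key (placeholder)
    tunnel_ip: IPv4Interface            # address inside the tunnel, e.g. 10.44.0.2/24
    lan: Optional[IPv4Network] = None   # site LAN reachable behind this peer


def make_peer(name: str, public_key: str, tunnel_cidr: str,
              lan_cidr: Optional[str] = None) -> Peer:
    return Peer(name, public_key, IPv4Interface(tunnel_cidr),
                IPv4Network(lan_cidr) if lan_cidr else None)


def hub_config(hub: Peer, hub_private_key: str, listen_port: int, spokes: list) -> str:
    """Hub side: fixed ListenPort, one [Peer] per spoke, deliberately no Endpoint.
    AllowedIPs doubles as the routing table and the source-address ACL for that peer."""
    lines = ["[Interface]", f"Address = {hub.tunnel_ip}",
             f"ListenPort = {listen_port}", f"PrivateKey = {hub_private_key}"]
    for s in spokes:
        allowed = [f"{s.tunnel_ip.ip}/32"] + ([str(s.lan)] if s.lan else [])
        lines += ["", f"# {s.name}: dynamic, NATed; endpoint learned on first handshake",
                  "[Peer]", f"PublicKey = {s.public_key}",
                  f"AllowedIPs = {', '.join(allowed)}"]
    return "\n".join(lines) + "\n"


def spoke_config(spoke: Peer, spoke_private_key: str, hub: Peer,
                 hub_endpoint: str, other_spokes: list) -> str:
    """Spoke side: no ListenPort (any source port works through NAT), keepalive on,
    and everything beyond the hub routed through it, other spokes' LANs included."""
    remote = [str(hub.tunnel_ip.network)] + \
             [str(p.lan) for p in (hub, *other_spokes) if p.lan]
    lines = ["[Interface]", f"Address = {spoke.tunnel_ip}",
             f"PrivateKey = {spoke_private_key}",
             "", "[Peer]", f"PublicKey = {hub.public_key}",
             f"Endpoint = {hub_endpoint}",
             f"AllowedIPs = {', '.join(remote)}",
             f"PersistentKeepalive = {KEEPALIVE_SECONDS}"]
    return "\n".join(lines) + "\n"


def parse_endpoints(wg_show_output: str) -> dict:
    """Parse `wg show <if> endpoints`: one tab-separated '<pubkey> <ip:port|(none)>' line per peer."""
    table = {}
    for line in wg_show_output.splitlines():
        key, _, ep = line.partition("\t")
        if key:
            table[key] = None if ep == "(none)" else ep
    return table


def current_endpoint(interface: str, peer_public_key: str) -> Optional[str]:
    out = subprocess.run(["wg", "show", interface, "endpoints"],
                         capture_output=True, text=True, check=True).stdout
    return parse_endpoints(out).get(peer_public_key)


def reresolve_endpoint(interface: str, peer_public_key: str, hostname: str, port: int,
                       current: Optional[str],
                       resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[list]:
    """Return the `wg set` command that moves the peer to the DDNS name's present
    address, or None when the kernel already has it. Run from a timer on the
    spokes; the hub never needs it because it follows the spokes' packets."""
    wanted = f"{resolve(hostname)}:{port}"
    if wanted == current:
        return None
    return ["wg", "set", interface, "peer", peer_public_key, "endpoint", wanted]


if __name__ == "__main__":
    hub = make_peer("hub", "HUB_PUBLIC_KEY_PLACEHOLDER", "10.44.0.1/24", "10.0.0.0/24")
    site_a = make_peer("site-a", "SITE_A_PUBLIC_KEY_PLACEHOLDER", "10.44.0.2/24", "192.168.1.0/24")
    site_b = make_peer("site-b", "SITE_B_PUBLIC_KEY_PLACEHOLDER", "10.44.0.3/24", "192.168.2.0/24")
    print(hub_config(hub, "HUB_PRIVATE_KEY_PLACEHOLDER", 51820, [site_a, site_b]))
    print(spoke_config(site_a, "SITE_A_PRIVATE_KEY_PLACEHOLDER", hub,
                       "hub.example.net:51820", [site_b]))
```

The point worth noticing for the security side is that WireGuard's cryptokey routing makes the hub's AllowedIPs an enforced source filter: a packet arriving from a spoke whose inner source is outside that spoke's AllowedIPs is dropped before it is routed, so a compromised or misconfigured site cannot spoof another site's LAN through the hub. On the spokes, pair `reresolve_endpoint()` with `current_endpoint()` in a one-minute timer and execute the returned command; a spoke whose own public address changes needs nothing extra, the hub picks up the new address from its next keepalive.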


Re: VPN recommendations?

2022-02-10 Thread Dave Taht
On Thu, Feb 10, 2022 at 8:51 PM David Andrzejewski
 wrote:
>
> I don't know how people around here feel about Mikrotik, but they have 
> included Wireguard support in their latest operating system.

They've also included fq_codel and sch_cake:
https://forum.mikrotik.com/viewtopic.php?t=179307

For a site to site, kernel mode vpn such as ipsec or wireguard (but
not openvpn), we successfully FQ+AQM packets entering the tunnel.

If that's the bottleneck link, for a mixture of, say low rate voip and
high rate file transfer traffic, the results are a pretty marvellous
reduction of jitter and latency through the tunnel.

Before: http://www.taht.net/~d/ipsec_fq_codel/oldqos.png
After: http://www.taht.net/~d/ipsec_fq_codel/newqos.png




> dave
>
> -Original Message-
> From: NANOG  On Behalf 
> Of William Herrin
> Sent: Thursday, February 10, 2022 13:56
> Cc: nanog@nanog.org
> Subject: Re: VPN recommendations?
>
> On Thu, Feb 10, 2022 at 10:04 AM David Guo  wrote:
> > You may try WireGuard and use ddns
>
> Hi David,
>
> My understanding is that Wireguard is software available for general purpose 
> operating systems. I specifically need a set of hardware network appliances. 
> I don't overly care which protocol they're running as long as an initiator 
> stuck behind a nat box I don't control can maintain a connection with a hub 
> and handle speeds in the 100mbps to 10gbps range.
>
> On Thu, Feb 10, 2022 at 10:12 AM Mike Lyon  wrote:
> > How about running ZeroTier on those Linux boxes and call it a day?
> > https://www.zerotier.com/
>
> I specifically cannot use general purpose Linux machines for this. I need 
> network appliances.
>
>
> On Thu, Feb 10, 2022 at 10:26 AM Dave Taht  wrote:
> > tailscale
>
> I specifically need an integrated network appliance, not software I add to 
> something.
>
> I love my Linux-based VPN servers but my customer very specifically said no. 
> I can't publicly explain why but trust me when I say it's a "hard no" and 
> it's not a question of persuasion or education. My customer understands and 
> likes Linux but he simply cannot use it this time.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/



-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC


Re: VPN recommendations?

2022-02-10 Thread Mark Tinka




On 2/11/22 06:49, David Andrzejewski wrote:


I don't know how people around here feel about Mikrotik, but they have included 
Wireguard support in their latest operating system.


I know some Tik heads here that are happy about this.

I am running ROS 7.1.2 on my home router, but I don't use it.

Mark.


Re: VPN recommendations?

2022-02-11 Thread Bjørn Mork
Sabri Berisha  writes:

> I read on some mailing list that Meraki likes to ping 8.8.8.8 every
> second... :)

That's probably to be fair with the quad-x dns providers since they
already were abusing 1.1.1.1.

Makes me wonder what Meraki uses 9.9.9.9 for :-)


Bjørn


Re: VPN recommendations?

2022-02-11 Thread Mike Hammett
Mikrotik with RouterOS v7 with WireGuard or ZeroTier were the first things I 
thought of, but it might be a bit premature for a production environment. In 
a year, I'd have no problem recommending that. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Ander Punnar"  
Cc: nanog@nanog.org 
Sent: Thursday, February 10, 2022 2:04:57 PM 
Subject: Re: VPN recommendations? 

On Thu, 10 Feb 2022 10:55:40 -0800, William Herrin wrote: 
> My understanding is that Wireguard is software available for general 
> purpose operating systems. I specifically need a set of hardware 
> network appliances. 

MikroTik (hardware) RouterOS (software) version 7 has WireGuard: 

https://help.mikrotik.com/docs/display/ROS/WireGuard 



Re: VPN recommendations?

2022-02-11 Thread Dan Sneddon
Thank you Joy for de-lurking. I actually was not familiar with ZeroTier, and 
this is a space that I thought I was quite familiar with, so I’m glad you 
brought it to everyone’s attention. I will look further at ZeroTier, it looks 
very interesting.

I am also a very long-time lurker (although I was a NANOG list admin ~10 years 
ago) who is emerging to join this conversation.

I have recently been doing some work to evaluate and develop VPN solutions for 
connecting multiple data center cloud environments, including low-power small 
edge sites, and I have some thoughts about the current state of the art to 
share.

Until recently I was a very strong proponent of IPSEC. I liked the way IPSEC was 
placed within the OSI model directly at layer 3, unlike some of the VPN 
technologies which operate above or below layer 3. However I do not believe 
that IPSEC is future-proof, for the following two reasons:

1) IPSEC does not lend itself to dynamic routing or dynamic configuration. It 
is very much a static set-it-and-forget-it technology, but that doesn’t work in 
a dynamically changing environment.

2) IPSEC does not always lend itself to hardware offloading in the way some 
other technologies do. Some NICs do support hardware acceleration for IPSEC, 
but this does not always integrate well with kernel or user space when you are 
integrating virtual network functions (VNFs) like 
routers/firewalls/load-balancers.

Wireguard works well in dynamic environments. TLS using something like OpenSSL 
does as well. Both provide key advantages, particularly on top of Linux.

* Support for hardware offloads such as TCP segmentation provide vast 
improvements in performance on higher-end x86 hardware. Some recent testing I 
have been shown proves that TCP segmentation offload can provide more than a 5X 
speedup compared to other HW offloads without TCP segmentation (from 5Gb/s to 
above 25Gb/s in some tests).

* With the right encryption algorithm CPU acceleration for cryptography reduces 
CPU load and increases performance.

* Integration with kernel routing provides the ability to integrate with 
dynamic routing such as BGP daemons (e.g. FRRouting, etc.).

* In recent Linux kernels eBPF/XDP provide a hardware interface to the kernel 
which accelerates network throughput to near line-rate, while minimizing CPU 
impact.

This may not apply to William Herrin’s (OP) use case of a VPN appliance for 
100mbps to 1gbps speeds, but it is something to keep in mind for building 
higher performance solutions or for planning for increasing bandwidth in the 
future. For the 100mbps+ use case I have had success building appliances using 
OpenVPN on top of certain ARM based platforms like Marvell Armada, or 
single-board computers with Intel CPUs with AES-NI acceleration. I am currently 
looking at implementing Wireguard on the same platforms. For a simple low-power 
ARM router appliance the Turris Omnia has been a great fully open platform 
running a custom LEDE/OpenWRT OS. The Turris Mox provides a modular hardware 
platform for expandability, albeit with slightly less performance. Both of 
these platforms are developed by the engineers at CZ.nic, the TLD registrar for 
the Czech Republic.

https://secure.nic.cz/files/Turris-web/Omnia/Omnia2020_datasheet.pdf

https://www.turris.com/en/mox/overview/

-Dan Sneddon

> On Feb 10, 2022, at 10:51 AM, j...@cleverhack.com wrote:
> 
> Hello NANOG,
> 
> My name is Joy Larkin and I'm actually a long-time years-long lurker on the 
> NANOG list (I have v odd hobbies) and I am also ZeroTier's Head of Marketing. 
> I know I'm not supposed to be too promotional on here, but I'd love to see 
> some of you pick up ZT.
> 
> Our founder, Adam Ierymenko just did a talk at Networking Field Day 27, here 
> are two of the recordings from that session:
> 
> * ZeroTier The Planetary Data Center
>* https://www.youtube.com/watch?v=T2BbrqpnMAE
> 
> * ZeroTier Technical Deep Dive
>* https://www.youtube.com/watch?v=VhQ30bVF3_s
> 
> If you have questions, let me know - you can reach me at 
> joy.lar...@zerotier.com
> 
> Best,
> -Joy
> 
>> On 2022-02-10 10:12, Mike Lyon wrote:
>> How about running ZeroTier on those Linux boxes and call it a day?
>> https://www.zerotier.com/
>> -Mike
>>> On Feb 10, 2022, at 10:07, David Guo via NANOG 
>>> wrote:
>>> 
>>> You may try WireGuard and use ddns
>>> From: NANOG  On Behalf Of
>>> William Herrin
>>> Sent: Friday, February 11, 2022 2:02 AM
>>> To: nanog@nanog.org
>>> Subject: VPN recommendations?
>>> Hi folks,
>>> Do you have any recommendations for VPN appliances? Specifically: I
>>> need to build a site to site VPNs at speeds between 100mpbs and 1
>>> gbit where all but one of the sites are behind an IPv4 NAT gateway
>>> with dynami

Re: VPN recommendations?

2022-02-11 Thread Mel Beckman
0, 2022, at 10:07, David Guo via NANOG 
mailto:nanog@nanog.org>>
wrote:

You may try WireGuard and use ddns
From: NANOG 
mailto:nanog-bounces+david=xtom@nanog.org>>
 On Behalf Of
William Herrin
Sent: Friday, February 11, 2022 2:02 AM
To: nanog@nanog.org<mailto:nanog@nanog.org>
Subject: VPN recommendations?
Hi folks,
Do you have any recommendations for VPN appliances? Specifically: I
need to build a site to site VPNs at speeds between 100mpbs and 1
gbit where all but one of the sites are behind an IPv4 NAT gateway
with dynamic public IP addresses.
Normally I'd throw OpenVPN on a couple of Linux boxes and be happy
but my customer insists on a network appliance. Site to site VPNs
using IPSec and static IP addresses on the plaintext side are a dime
a dozen but traversing NAT and dynamic IP addresses (and
automatically re-establishing when the service goes out and comes
back up with different addresses) is a hard requirement.
Thanks in advance,
Bill Herrin
--
William Herrin
b...@herrin.us<mailto:b...@herrin.us>
https://bill.herrin.us/



Re: VPN recommendations?

2022-02-11 Thread William Herrin
On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon  wrote:
> 1) IPSEC does not lend itself to dynamic routing or dynamic configuration. It 
> is very much a static set-it-and-forget-it technology, but that doesn’t work 
> in a dynamically changing environment.

Hi Dan,

Depending on how you configure it, IPSEC can work fine with dynamic
routing. The thing to understand is that IPSec has two modes:
transport and tunnel. Transport is between exactly two IP addresses
while tunnel expects a broader network to exist on at least one end.
"Tunnel" mode is what everyone actually uses but you can deconstruct
it: it's built up from transport mode + a tunnel protocol (gre or ipip
I don't remember which) + implicit routing and firewalling which
wreaks havoc on dynamic routing. Now, it turns out that you can
instead configure IPSec in transport mode, configure the tunnel
separately and leave out the implicit firewalling.

> This may not apply to William Herrin’s (OP) use case of a VPN appliance

It's not relevant to my situation, no. I need the VPN to establish a
statically addressed clean layer 3 on top of dynamically addressed and
natted endpoints to support the next appliance in the chain where
dynamic addressing is not possible. I don't actually care if it adds
security; it just needs to establish that statically addressed layer.
Oh yeah, and it has to be listed under "virtual private network" on
the government NIAP list.
https://www.niap-ccevs.org/product/PCL.cfm?ID624=34

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-11 Thread Rich Greenwood via NANOG
The port forwarding only applies to manual NAT traversal.  If you use auto
NAT traversal, it takes care of that.  Because all of the connections are
coordinated through the dashboard, the Auto-VPN will typically work even if
all nodes are behind NAT.  I've used them on the end of Verizon (CG-NAT)
connections and they work fine.  I have had one instance where three of
them were behind the same single IP NAT and the third would fail to
connect.  We had to get one of them moved to a different NAT IP to solve
that.

If you're looking for a simple to use, easy to manage VPN appliance, the MX
(and Z) Meraki products will work.  The config is entirely handled through
the dashboard, so no-touch, drop ship deployments are an option.  You can
provide view only access to users per network, so the customer or a first
level tech could be given the ability to look but not break anything.

All of the MX and Z products will work in a single VPN, so you can pick the
device that best fits the requirements.  For a small office with one or two
people, the Z3 works great, it even has one PoE port for an IP phone.  For
larger sites or the core site, they go up to 6Gb (I think) of throughput
for the MX450, with redundant power and uplinks.

As others have pointed out, they are license based and they don't work
without a license, and they are a Cisco product, so pricing will depend on
how good your relationship is with your Cisco rep. :)  One big caveat: they
are still lacking in the IPv6 realm so if that is a requirement, they won't
work right now.
--Rich


> -- Forwarded message --
> From: William Herrin 
> To: Shawn L 
> Cc: "nanog@nanog.org" 
> Bcc:
> Date: Thu, 10 Feb 2022 10:54:39 -0800
> Subject: Re: VPN recommendations?
> On Thu, Feb 10, 2022 at 10:18 AM Shawn L  wrote:
> > Meraki MX series? Dynamic IPs and NATs don't really cause them a
> problem.  Some CGNats do (AT&T I'm looking at you).
>
> Thanks Shawn,
>
> The documentation I found at
>
> https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
> suggests that the NAT firewall has to be explicitly configured to
> deliver UDP 500/4500 to the Meraki behind it. Are you aware of any
> documentation that describes:
>
> LAN - Meraki - NAT (dynaimic IP) - Internet - (static IP) Meraki - LAN
>
> Where the left-side Meraki is responsible for establishing and keeping
> the NAT translations alive without any special configuration on the
> NAT?
>
> Regards,
> Bill
>


-- 
Rich Greenwood
Network Engineer
Shasta County Office of Education

Information Technology

1644 Magnolia Ave.

Redding, CA 96001

Office: 530-225-0161

Hotline: 530-225-0279

rgreenw...@shastacoe.org




Re: VPN recommendations?

2022-02-12 Thread Christian de Larrinaga via NANOG



Intriguing. This week I started to look around for new wireguard 
implementation tools and appliances. I've used openvpn and ipsec 
in the main although last month put together a 10x and IPv6 
wireguard net in my home and out to two vps hosts which is 
handy. For my own use this is ok -ish, but I am not so sure about 
keeping track of the configs, managing users and adding configs as 
a network grows. In other words I want help when scaling wg and 
handling change particularly if I am managing nets for other 
projects or delegating. 

Tailscale, ZeroTier and some others are doing a great job I feel 
and no doubt have a handle on that. I've not tried them as yet. 

Because I do like to have options that are not mediated I have 
kept looking as much for my own curiosity and education as for 
deploying a service in anger. But having a toolset that can 
support the latter capability has to be the aim to work towards.


I've found a few potentially interesting more recent projects and 
am intending to start to test deploy some of these in sequence to 
see how I get on. I think I'll start with
https://github.com/gravitl/netmaker Please note I've only reviewed 
the documentation. I've not yet played with it.  

This seems to offer at an early stage in its development a 
web appliance (optionally) with CoreDNS if you want naming support 
and IPv6 and at least some client management features. It claims 
to be fast but that can be tested. It also is deployable as a 
docker/kubernetes k8 which is intriguing when deploying and 
managing containers between multiple hosts across data centres. 
It uses a mongodb licence which may or may not be a problem.


If one plays with IPSEC then I guess one could run wg through 
IPSEC but is there any point unless you already have an IPSEC 
branch and don't want to take it down whilst adding wg for a new 
class of devices/userbase?   

I'd be interested in sharing experiences and advice (offlist) and 
delighted to learn from  wireguard and vpn's clueful folk. 

thank you for an interesting discussion. 



Christian

William Herrin  writes:

> On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon  wrote:
> > 1) IPSEC does not lend itself to dynamic routing or dynamic configuration. It
> > is very much a static set-it-and-forget-it technology, but that doesn’t work
> > in a dynamically changing environment.
>
> Hi Dan,
>
> Depending on how you configure it, IPSEC can work fine with dynamic
> routing. The thing to understand is that IPSec has two modes:
> transport and tunnel. Transport is between exactly two IP addresses
> while tunnel expects a broader network to exist on at least one end.
> "Tunnel" mode is what everyone actually uses but you can deconstruct
> it: it's built up from transport mode + a tunnel protocol (gre or ipip
> I don't remember which) + implicit routing and firewalling which
> wreaks havoc on dynamic routing. Now, it turns out that you can
> instead configure IPSec in transport mode, configure the tunnel
> separately and leave out the implicit firewalling.
>
> > This may not apply to William Herrin’s (OP) use case of a VPN appliance
>
> It's not relevant to my situation, no. I need the VPN to establish a
> statically addressed clean layer 3 on top of dynamically addressed and
> natted endpoints to support the next appliance in the chain where
> dynamic addressing is not possible. I don't actually care if it adds
> security; it just needs to establish that statically addressed layer.
> Oh yeah, and it has to be listed under "virtual private network" on
> the government NIAP list.
> https://www.niap-ccevs.org/product/PCL.cfm?ID624=34
>
> Regards,
> Bill Herrin



--
Christian de Larrinaga 
https://firsthand.net


Re: VPN recommendations?

2022-02-12 Thread Grant Taylor via NANOG

On 2/11/22 12:35 PM, William Herrin wrote:
The thing to understand is that IPSec has two modes: transport and 
tunnel. Transport is between exactly two IP addresses while tunnel 
expects a broader network to exist on at least one end.


That is (syntactically) correct.  However, it is possible to NAT many 
LAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO ISP) 
and use IPSec /Transport/ Mode to a single remote IP.  The IPSec sees 
exactly two IPs.



"Tunnel" mode is what everyone actually uses


I may be enough of an outlier that I'm a statistical anomaly.  But I'm 
using IPSec /Transport/ Mode between my home router and my VPSs.  I have 
a tiny full mesh of IPSec /Transport/ Mode connections.


Using the aforementioned many-to-one NAT, my home LAN systems access the 
single globally routed IP of each of my VPSs without any problem.


Aside:  I did have to tweak MTU for LAN traffic going out to the VPS IPs.

So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for 
/Transport/ Mode


but you can deconstruct it: it's built up from transport mode + 
a tunnel protocol (gre or ipip I don't remember which) + implicit 
routing and firewalling which wreaks havoc on dynamic routing.


I question the veracity of that statement.  It may be that's what many 
implementations / administration systems do.  But I really thought that 
IPSec /Tunnel/ Mode was more than just IPSec /Transport/ Mode combined 
with some tunneling protocol.


Now, it turns out that you can instead configure IPSec in transport 
mode, configure the tunnel separately and leave out the implicit 
firewalling.


Agreed.  I feel like this speaks to implementation / management systems 
that are built on top of IPSec.


It's not relevant to my situation, no. I need the VPN to establish 
a statically addressed clean layer 3 on top of dynamically addressed 
and natted endpoints to support the next appliance in the chain where 
dynamic addressing is not possible. I don't actually care if it adds 
security; it just needs to establish that statically addressed layer.


It sounds to me like you don't even actually need encryption of a 
typical VPN and might be able to use something like GRE+key or IPSec 
/Tunnel/ Mode with AH without ESP.


Oh yeah, and it has to be listed under "virtual private network" 
on the government NIAP list.

https://www.niap-ccevs.org/product/PCL.cfm?ID624=34


Oh joy.  Layer 8 - politics



--
Grant. . . .
unix || die





Re: VPN recommendations?

2022-02-12 Thread Nathan Angelacos
On Sat, 2022-02-12 at 13:24 -0700, Grant Taylor via NANOG wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and 
> > tunnel. Transport is between exactly two IP addresses while tunnel 
> > expects a broader network to exist on at least one end.
> 
> That is (syntactically) correct.  However, it is possible to NAT many
> LAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO
> ISP) 
> and use IPSec /Transport/ Mode to a single remote IP.  The IPSec sees
> exactly two IPs.
> 
> > "Tunnel" mode is what everyone actually uses
> 
> I may be enough of an outlier that I'm a statistical anomaly.  But
> I'm using IPSec /Transport/ Mode between my home router and my VPSs. 
> I have a tiny full mesh of IPSec /Transport/ Mode connections.
> 

+1 on *cough* enterprise networks.

> Using the aforementioned many-to-one NAT, my home LAN systems access
> the single globally routed IP of each of my VPSs without any problem.
> 

+1

> Aside:  I did have to tweak MTU for LAN traffic going out to the VPS
> IPs.

+1

> 
> So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for 
> /Transport/ Mode 

+1


Re: VPN recommendations?

2022-02-12 Thread William Herrin
On Sat, Feb 12, 2022 at 12:26 PM Grant Taylor via NANOG  wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and
> > but you can deconstruct it: it's built up from transport mode +
> > a tunnel protocol (gre or ipip I don't remember which) + implicit
> > routing and firewalling which wreaks havoc on dynamic routing.
>
> I question the veracity of that statement.  It may be that's what many
> implementations / administration systems do.  But I really thought that
> IPSec /Tunnel/ Mode was more than just IPSec /Transport/ Mode combined
> with some tunneling protocol.

It's tunnel mode plus a tunneling protocol plus some implicit routing
and firewalling which gets in the way of dynamic routing.

Try it if you don't believe me. Set up tunnel mode ipsec manually on
two nodes (no IKE) and get them talking to each other. Then change one
to transport mode and add I think it's an IPIP tunnel but I don't
remember for certain. And add the appropriate routes into the tunnel
virtual device. You'll find they talk.

What did you think IPSec was doing? Transport mode encrypts the layer
4 and up of the packet between two machines; it doesn't encapsulate
it. When they added tunnel mode, the inner layer 3 had to go
somewhere.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/
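The exchange between William Herrin and Grant Taylor about what tunnel mode adds to transport mode can be settled by looking at the bytes. Per RFC 4303 an ESP packet is SPI, sequence number, encrypted payload, padding, pad length, next header, ICV; the only structural difference between the two modes is what the next-header field announces and therefore what the encrypted payload is: in transport mode it names the protected transport protocol (6 for TCP) and the outer IP header still carries the end hosts' addresses, in tunnel mode it is 4 (IPv4) and the payload is a complete inner IP packet with its own LAN source and destination. The code below is an added example written for this thread, not code from any IPsec implementation or from either poster; the addresses, keys and TCP segment are constructed. The cipher is a toy keystream derived with HMAC-SHA256 so the example runs on the Python standard library alone (real ESP uses AES-GCM, or AES-CBC with an HMAC ICV as the ICV is done here), and no IKE, SPD/SAD lookup or NAT-T is modelled.

```python
"""ESP transport mode next to ESP tunnel mode, built and parsed byte for byte.

Added example, not code from this thread or from any IPsec implementation.
Keys, addresses and the TCP segment are constructed. The "cipher" is a toy
HMAC-SHA256 keystream, used only so the example runs on the standard library.
"""
import hashlib
import hmac
import socket
import struct

PROTO_ESP = 50   # IP protocol number of ESP
NH_TCP = 6       # transport mode: next header = the transport protocol inside
NH_IPV4 = 4      # tunnel mode: next header = IPv4, the payload is a whole packet
ICV_LEN = 16     # truncated HMAC-SHA256, as in HMAC-SHA256-128


def _ip_checksum(data: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Toy counter-mode keystream bound to (SPI, seq); NOT a real ESP cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                    payload: bytes, next_header: int) -> bytes:
    """RFC 4303 layout: SPI | seq | {payload | padding | pad len | next header} | ICV."""
    pad_len = (-(len(payload) + 2)) % 4                 # align the trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))              # RFC 4303 default padding 1,2,3,...
    plain = payload + padding + bytes([pad_len, next_header])
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, spi, seq, len(plain))))
    body = struct.pack("!II", spi, seq) + cipher
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(enc_key: bytes, auth_key: bytes, esp: bytes):
    """Verify the ICV before touching the ciphertext; returns (spi, seq, next_header, payload)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", body[:8])
    plain = bytes(a ^ b for a, b in zip(body[8:], _keystream(enc_key, spi, seq, len(body) - 8)))
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:-(2 + pad_len)]


def transport_mode(keys, spi, seq, src, dst, tcp_segment):
    """Outer header keeps the end hosts' own addresses; only layer 4 and up is protected."""
    enc_key, auth_key = keys
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, tcp_segment, NH_TCP)
    return ipv4_packet(src, dst, PROTO_ESP, esp)


def tunnel_mode(keys, spi, seq, gw_src, gw_dst, inner_packet):
    """Outer header is gateway to gateway; the whole inner IP packet is the ESP payload."""
    enc_key, auth_key = keys
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, inner_packet, NH_IPV4)
    return ipv4_packet(gw_src, gw_dst, PROTO_ESP, esp)


def receive(keys, packet):
    """Strip outer IPv4 header and ESP. Next header 6: hand the segment to TCP.
    Next header 4: what comes out is an IP packet to be routed like any other."""
    enc_key, auth_key = keys
    _, _, next_header, data = esp_decapsulate(enc_key, auth_key, packet[20:])
    return next_header, data


def is_authentic(keys, packet) -> bool:
    try:
        receive(keys, packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    keys = (b"\x11" * 32, b"\x22" * 32)                          # constructed SA keys
    seg = b"\x04\xd2\x00\x50" + bytes(20)                        # constructed 24-byte TCP segment
    t = transport_mode(keys, 0x1001, 1, "203.0.113.5", "198.51.100.7", seg)
    inner = ipv4_packet("192.168.1.10", "10.0.0.20", 6, seg)
    u = tunnel_mode(keys, 0x1001, 1, "203.0.113.5", "198.51.100.7", inner)
    print("transport:", len(t), "bytes, next header", receive(keys, t)[0])
    print("tunnel:   ", len(u), "bytes, next header", receive(keys, u)[0])
```

Running it shows the two packets differ by exactly the 20 bytes of the inner IPv4 header and by the next-header byte, which is the whole of "tunnel mode = transport mode plus IP-in-IP" at the packet level; the routing and policy behaviour that Bill objects to lives in the implementation's SPD, not in the packet. Note also that the receiver checks the ICV before decrypting anything, the order that ESP mandates and that the "AH without ESP" option Grant raises would keep while dropping the encryption.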


automated site to site vpn recommendations

2016-06-27 Thread c b
Situation: We have salespeople/engineers holding temporary 
seminars/training/demonstrations in hotel meeting rooms.

Requirements: 
- field people need a very plug-n-play, simple, reliable vpn back to corporate 
  offices to present videos/slides/demonstrations. The materials are not 
  accessible via the internet directly, they are in a contained environment at 
  corporate HQ locations but not necessarily on the corp network.
- the solution should be able to provide wireless to attendees. In some cases, 
  guest login will be fine but in some cases the attendees will have registered 
  and provided login creds prior to the event, and these creds will need to be 
  checked before providing access.
- the solution should have the option to split tunnel internet traffic out, but 
  in some cases they need all traffic tunneled and internet will be via our 
  corporate offices (NDA/legal, don't ask, it's just a requirement provided).

Nice-to-have:
- field person should be able to not only access the presentation materials (in 
  their contained network) but also the corporate network. Some early attempts 
  required a user-vpn connection by the field person over the S2S VPN, but it 
  made it clunky to switch back and forth. This isn't mandatory, but it would be 
  nice to provide one solution providing dual-level access: restricted to 
  attendees, less-restricted to field people.

Tried this in the past with basic router/switch/wireless and captive portals 
because we had some inventory available... it was workable but not quick or 
easy. We really could use a simple solution that you just flip on, it calls 
home, and works... or as close to that as possible.

Have been looking at Meraki and a couple other low-touch solutions and they may 
do the trick, but we are hoping there are lower cost options that people have 
used successfully? We don't mind dealing with some off brands and even some 
custom coding (within reason) as long as the end result is a low-touch, 
reliable solution.

Thanks in advance.

RE: automated site to site vpn recommendations

2016-06-27 Thread Shawn L

We use the Meraki series -- MX @ the main office, and Z1 for the remote, or 
just 2 Z1 units if it's a small network and they work great.  
 
We've even gone so far as to utilize Avaya ip phones over the link so the 
teleworker's extension works wherever they are.  I have to say, compared to a 
PIX or ASA, etc. they are about the simplest VPN setup you'll ever come across. 
 We've even had cases where the Z1 was behind a fairly restrictive NAT, and it 
was able to establish a session and work great. 
 
Definitely not the cheapest, but if you can get by with just a couple of Z1s 
the cost isn't too bad.

Shawn
 
 
-Original Message-
From: "c b" 
Sent: Monday, June 27, 2016 4:08pm
To: "nanog@nanog.org" 
Subject: automated site to site vpn recommendations



Situation: We have salespeople/engineers holding temporary 
seminars/training/demonstrations in hotel meeting rooms.

Requirements: 
- field people need a very plug-n-play, simple, reliable vpn back to corporate 
  offices to present videos/slides/demonstrations. The materials are not 
  accessible via the internet directly, they are in a contained environment at 
  corporate HQ locations but not necessarily on the corp network.
- the solution should be able to provide wireless to attendees. In some cases, 
  guest login will be fine but in some cases the attendees will have registered 
  and provided login creds prior to the event, and these creds will need to be 
  checked before providing access.
- the solution should have the option to split tunnel internet traffic out, but 
  in some cases they need all traffic tunneled and internet will be via our 
  corporate offices (NDA/legal, don't ask, it's just a requirement provided).

Nice-to-have:
- field person should be able to not only access the presentation materials (in 
  their contained network) but also the corporate network. Some early attempts 
  required a user-vpn connection by the field person over the S2S VPN, but it 
  made it clunky to switch back and forth. This isn't mandatory, but it would be 
  nice to provide one solution providing dual-level access: restricted to 
  attendees, less-restricted to field people.

Tried this in the past with basic router/switch/wireless and captive portals 
because we had some inventory available... it was workable but not quick or 
easy. We really could use a simple solution that you just flip on, it calls 
home, and works... or as close to that as possible.

Have been looking at Meraki and a couple other low-touch solutions and they may 
do the trick, but we are hoping there are lower cost options that people have 
used successfully? We don't mind dealing with some off brands and even some 
custom coding (within reason) as long as the end result is a low-touch, 
reliable solution.

Thanks in advance.


Re: automated site to site vpn recommendations

2016-06-27 Thread Karl Auer
On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> In some cases...

The words "in some cases" are a problem with any supposedly plug and
play solution.

> We really could use a simple solution that you
> just flip on, it calls home, and works...

...but still requiring someone to enter credentials of some sort,
right? Otherwise you have a device wandering about that provides
look-mum-no-hands access to your corporate network.

MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
for a wireless dongle or storage, and has a highly-scriptable operating
system. Not a bad platform.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
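A hub-side sketch of the check Karl is asking for, added here as an example and not taken from this thread or from any vendor's product: the appliance proves it holds a key provisioned at HQ, but the proof also has to cover a short-lived activation code that the hub read out to the person at the venue, so a box that merely powers on somewhere gets nothing. Lost or stolen units are revoked, each challenge nonce is single-use, and repeated bad proofs lock the serial so the short code cannot be guessed. The class and function names, serials, six-digit code, HMAC layout and timeouts are all assumptions for illustration.

```python
"""Hub-side admission check for a 'call home' VPN appliance.

Added example, not any vendor's protocol. A unit is admitted only if its
challenge response is keyed with the secret provisioned to its serial AND
covers a short-lived activation code given to the person on site. Nonces are
single-use, lost units are revoked, and repeated bad proofs lock the serial.
All names, sizes and formats below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

PROTO_TAG = b"call-home-v1"   # domain separation for this use of the device key
MAX_FAILURES = 5              # bad proofs before the serial is locked


def compute_proof(device_key: bytes, nonce: bytes, activation_code: str) -> bytes:
    """HMAC over hub nonce and activation code; the code itself never crosses the wire."""
    return hmac.new(device_key, PROTO_TAG + nonce + activation_code.encode(), hashlib.sha256).digest()


class Appliance:
    """Field unit: knows its serial and the key provisioned at HQ, nothing else."""

    def __init__(self, serial: str, device_key: bytes):
        self.serial, self.device_key = serial, device_key

    def respond(self, nonce: bytes, activation_code: str) -> bytes:
        # activation_code is what the field person types in at the venue
        return compute_proof(self.device_key, nonce, activation_code)


class Hub:
    def __init__(self):
        self.device_keys = {}       # serial -> provisioned key
        self.activation_codes = {}  # serial -> (code, expiry)
        self.pending_nonces = {}    # serial -> outstanding challenge
        self.revoked = set()        # serials reported lost or stolen
        self.failures = {}          # serial -> consecutive bad proofs

    def provision(self, serial: str) -> bytes:
        self.device_keys[serial] = secrets.token_bytes(32)
        return self.device_keys[serial]

    def issue_activation_code(self, serial: str, now: float, ttl_s: int = 600) -> str:
        """Six-digit code read out to the person on site, valid for ttl_s seconds."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.activation_codes[serial] = (code, now + ttl_s)
        return code

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)

    def challenge(self, serial: str) -> bytes:
        self.pending_nonces[serial] = secrets.token_bytes(16)
        return self.pending_nonces[serial]

    def admit(self, serial: str, nonce: bytes, proof: bytes, now: float) -> bool:
        """True only if every check passes; the nonce is consumed either way."""
        if serial in self.revoked or serial not in self.device_keys:
            return False
        if self.failures.get(serial, 0) >= MAX_FAILURES:
            return False                                  # locked: someone is guessing
        if self.pending_nonces.pop(serial, None) != nonce:
            return False                                  # unknown or replayed challenge
        entry = self.activation_codes.get(serial)
        if entry is None or now > entry[1]:
            return False                                  # no code issued, or expired
        expected = compute_proof(self.device_keys[serial], nonce, entry[0])
        if not hmac.compare_digest(expected, proof):
            self.failures[serial] = self.failures.get(serial, 0) + 1
            return False
        self.failures[serial] = 0
        del self.activation_codes[serial]                 # single-use code
        return True


def run_scenario(now: float = 1_467_000_000.0) -> dict:
    """Constructed walk-through of one unit: the happy path and five abuse cases."""
    hub, serial = Hub(), "Z1-0001"
    unit = Appliance(serial, hub.provision(serial))
    r = {}
    code = hub.issue_activation_code(serial, now)          # 1. person on site types the code
    n = hub.challenge(serial)
    proof = unit.respond(n, code)
    r["valid"] = hub.admit(serial, n, proof, now)
    r["replay"] = hub.admit(serial, n, proof, now)         # 2. same proof sent again
    hub.issue_activation_code(serial, now)                 # 3. box powers on, nobody types anything
    n = hub.challenge(serial)
    r["no_code"] = hub.admit(serial, n, unit.respond(n, "not-the-code"), now)
    code = hub.issue_activation_code(serial, now, ttl_s=600)   # 4. code typed after it expired
    n = hub.challenge(serial)
    r["expired"] = hub.admit(serial, n, unit.respond(n, code), now + 601)
    code = hub.issue_activation_code(serial, now)          # 5. guessing locks the serial
    for _ in range(MAX_FAILURES):
        n = hub.challenge(serial)
        hub.admit(serial, n, unit.respond(n, "guess"), now)
    n = hub.challenge(serial)
    r["locked_after_guessing"] = hub.admit(serial, n, unit.respond(n, code), now)
    stolen = Appliance("Z1-0002", hub.provision("Z1-0002"))   # 6. unit reported stolen
    code = hub.issue_activation_code("Z1-0002", now)
    hub.revoke("Z1-0002")
    n = hub.challenge("Z1-0002")
    r["revoked"] = hub.admit("Z1-0002", n, stolen.respond(n, code), now)
    return r
```

The activation code is folded into the HMAC rather than sent alongside it, so an attacker watching the hotel network sees only a nonce and a digest; the lockout matters because a six-digit code on its own is only a million guesses.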





Re: automated site to site vpn recommendations

2016-06-27 Thread Mikeal Clark
Fortinet has stuff that does this that is non-IT friendly.



Re: automated site to site vpn recommendations

2016-06-28 Thread Dan Stralka
I would second Meraki for the situation you describe. I don't feel that
they are the most capable platform, they're expensive, and don't always
present you with all the information you'd need for troubleshooting.
However, the VPN offers great dynamic tunneling, instant-on performance,
and are by far the simplest platform to offer a field person.  They're also
tenacious - I've had them connect to the cloud management platform and
build a VPN under some trying circumstances.

From a security standpoint, they will offer features that will impress for
the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
tunnel control), and we've found they punch above their weight and their
APs perform fantastically.

We deploy them worldwide many times per year in similar use cases,
sometimes with 150 users on the LAN. If your routing is simple, you can
define your security policies, and don't need crazy throughput on your VPN,
Meraki is the way to go.  Be careful though: they have to be continually
licensed to work and can get pretty expensive if you go for the higher end
gear.  Thus far, we've been able to stick to the cheaper stuff and
accomplish our goals.

Dan

(end)


RE: automated site to site vpn recommendations

2016-06-28 Thread Richard Greasley
Another option is Checkpoint Edge devices.
We use them worldwide with little to no problems.
They're centrally managed and support central logging which is a plus when 
trying to diagnose issues.
They support dynamic IP addresses as well, so just plug it in and you should be 
good to go.
Not the cheapest solution, but for sure they get the job done.

Regards,
Richard.







Re: automated site to site vpn recommendations

2016-06-29 Thread Paul Nash
My biggest issue with Meraki is that their tech staff can run tcpdump on the 
wired or wireless interface of your Meraki box without having to leave their 
desk.  I have no reason to believe that they are malicious, or in the pay of 
the NSA, but I am too paranoid to allow their equipment anywhere near me.

Yes, they work well and the cloud control panel makes remote support a breeze; 
you have to decide how you feel about the insecurity.

paul



Re: automated site to site vpn recommendations

2016-06-29 Thread Shawn L

I believe they fixed this -- when I've spoken to tech support recently, I had 
to give them a tech support key so that they could access the devices I had 
questions about.
 


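A device-side sketch of the property Shawn describes, that vendor support cannot touch the box until the customer hands over a key, added here as an example and not Meraki's or any vendor's mechanism: the customer mints a time-boxed grant scoped to one serial and a list of allowed actions, authenticated with a secret only the customer holds, and the appliance verifies that grant before opening its capture interface. The key format, field names, action names, serials and HMAC construction are assumptions for illustration.

```python
"""Device-side gate for vendor remote diagnostics.

Added example, not any vendor's implementation. A 'support key' is a grant
(serial, allowed actions, validity window) authenticated with a secret the
customer holds and the vendor cloud never sees, so neither the vendor portal
nor a key issued for another unit can open the packet-capture interface.
Format, field names and the HMAC construction are assumptions.
"""
import base64
import hashlib
import hmac
import json


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_support_key(customer_secret: bytes, serial: str, actions, ttl_s: int, now: int) -> str:
    """Run by the customer; returns '<grant>.<tag>' to read out to the vendor."""
    grant = {"serial": serial, "actions": sorted(actions), "nbf": now, "exp": now + ttl_s}
    body = json.dumps(grant, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(customer_secret, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


class Appliance:
    """Holds the customer secret; the vendor's cloud never sees it."""

    def __init__(self, serial: str, customer_secret: bytes):
        self.serial = serial
        self.customer_secret = customer_secret
        self.audit = []   # (time, action) for every diagnostic the vendor was allowed to run

    def authorize(self, support_key: str, action: str, now: int) -> bool:
        """True only if the key is genuine, current, for this unit and covers `action`."""
        try:
            body_b64, tag_b64 = support_key.split(".")
            body, tag = _b64d(body_b64), _b64d(tag_b64)
        except ValueError:
            return False
        # Check the MAC before parsing anything the other side controls.
        expected = hmac.new(self.customer_secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        grant = json.loads(body)
        if grant.get("serial") != self.serial:
            return False
        if not grant["nbf"] <= now < grant["exp"]:
            return False
        if action not in grant["actions"]:
            return False
        self.audit.append((now, action))
        return True


def run_scenario(now: int = 1_467_200_000) -> dict:
    """Constructed walk-through: one unit, one genuine key, several abuse attempts."""
    customer_secret = b"customer-held secret, never uploaded to the vendor"
    unit = Appliance("MX-0001", customer_secret)
    key = mint_support_key(customer_secret, "MX-0001", ["pcap"], ttl_s=3600, now=now)
    results = {
        "pcap_with_key": unit.authorize(key, "pcap", now),
        "shell_with_same_key": unit.authorize(key, "shell", now),   # action not in scope
        "after_expiry": unit.authorize(key, "pcap", now + 3601),
        "other_unit": Appliance("MX-0002", customer_secret).authorize(key, "pcap", now),
        "vendor_minted": unit.authorize(
            mint_support_key(b"vendor guess", "MX-0001", ["pcap"], 3600, now), "pcap", now),
    }
    # Stretch the expiry inside the grant but keep the original tag: the MAC check fails.
    body_b64, tag_b64 = key.split(".")
    grant = json.loads(_b64d(body_b64))
    grant["exp"] += 86400
    forged = _b64e(json.dumps(grant, sort_keys=True, separators=(",", ":")).encode()) + "." + tag_b64
    results["tampered_expiry"] = unit.authorize(forged, "pcap", now)
    results["audit_entries"] = len(unit.audit)
    return results
```

The point of the design is who holds the secret: if the vendor's portal could mint the key, the gate would only be procedural, which is exactly Paul's objection. The audit list is what you would want to see on the box itself, independent of the vendor's dashboard.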




Re: automated site to site vpn recommendations

2016-06-29 Thread Rich Testani
For several of our clients, we use Sophos UTMs coupled with their RED
units.  Once registered with the UTM, the RED unit auto creates an SSL
based VPN back to the UTM.  The RED unit is managed from the UTM and pulls
its config when it boots. It's similar to the function of Meraki without
the direct cloud management portion, though the config profile does get
pushed to a section of Sophos' cloud.

-Rich



RE: automated site to site vpn recommendations

2016-06-29 Thread c b
Guys, thanks for all the responses. Thanks to everyone's feedback, we have a 
number of options that were not on the original list and that is what I was 
hoping for. Now it's a matter of comparing 
cost/learning-curve/support-challenge/compatibility with tools/monitoring, 
etc...
Thanks again.


Re: automated site to site vpn recommendations

2016-06-29 Thread Greg Sowell
Lorenzo did a MUM presentation (https://www.youtube.com/watch?v=VeZetH9uX_Y)
on how road warriors can connect with a Mikrotik to automatically
configure VPN.  Pretty novel idea using inexpensive hardware.  It may not
be as user friendly as you need, though.



-- 

GregSowell.com
TheBrothersWISP.com


Re: automated site to site vpn recommendations

2016-06-29 Thread Eric Kuhnke
My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.

You should not have to pay a yearly subscription fee to keep your in-house
802.11(abgn/ac) wifi access points operating. The very idea that the
equipment you purchased which worked flawlessly on day one will stop
working not because it's broken, or obsolete, but because your
*subscription* expired...

If you want wifi with a centralized controller there's lots of ways to do
it at either L2 (Unifi APs and Unifi controller reachable on the same LAN
segment as the Unifis, or with its own management vlan), or with Unifi APs
programmed to find a controller by hostname/IP address (L3).





Re: automated site to site vpn recommendations

2016-06-29 Thread Spencer Ryan
I treat Meraki like SmartNET. The subscription comes with lifetime support
(TAC + Warranty); you do have support on your production network gear, don't
you? It's not like they trick you going into it either. I for one am a huge
fan of the simplicity, it just works.

Disclaimer: We use them. ~35 access points all around the world.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



Re: automated site to site vpn recommendations

2016-06-29 Thread Seth Mattinen

On 6/29/16 15:33, Eric Kuhnke wrote:

> My biggest issue with Meraki is the fundamentally flawed business model,
> biased in favor of vendor lock in and endlessly recurring payments to the
> equipment vendor rather than the ISP or enterprise end user.
>
> You should not have to pay a yearly subscription fee to keep your in-house
> 802.11(abgn/ac) wifi access points operating. The very idea that the
> equipment you purchased which worked flawlessly on day one will stop
> working not because it's broken, or obsolete, but because your
> *subscription* expired...



I'm sure most hardware makers would love to lock in a revenue stream of 
"keep me working" subscriptions if they could get away with it. From the 
company's perspective what's not to love about that kind of guaranteed 
revenue?


I often wonder if Microsoft will someday make Office365 the only way to 
get Office, which if you don't maintain a subscription your locally 
installed copy of Word will cease to function.


~Seth


Re: automated site to site vpn recommendations

2016-06-29 Thread Karl Auer
On Wed, 2016-06-29 at 16:00 -0700, Seth Mattinen wrote:
> I often wonder if Microsoft will someday make Office365 the only way
> to get Office, which if you don't maintain a subscription your 
> locally installed copy of Word will cease to function.

I live for that day.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





Re: automated site to site vpn recommendations

2016-06-29 Thread Tim Raphael
There is a downside to subscription pricing for the vendor: they don't get the 
instant cashflow they're used to. I know Cisco seems to be taking a tactic 
where only some product lines use subscriptions and the others are on a typical 
enterprise 3-5 year replacement cycle to provide Cisco with the large cash 
injections upon upgrade.

Tim 

> On 30 Jun 2016, at 7:00 AM, Seth Mattinen  wrote:
> 
>> On 6/29/16 15:33, Eric Kuhnke wrote:
>> My biggest issue with Meraki is the fundamentally flawed business model,
>> biased in favor of vendor lock in and endlessly recurring payments to the
>> equipment vendor rather than the ISP or enterprise end user.
>> 
>> You should not have to pay a yearly subscription fee to keep your in-house
>> 802.11(abgn/ac) wifi access points operating. The very idea that the
>> equipment you purchased which worked flawlessly on day one will stop
>> working not because it's broken, or obsolete, but because your
>> *subscription* expired...
> 
> 
> I'm sure most hardware makers would love to lock in a revenue stream of "keep 
> me working" subscriptions if they could get away with it. From the company's 
> perspective what's not to love about that kind of guaranteed revenue?
> 
> I often wonder if Microsoft will someday make Office365 the only way to get 
> Office, which if you don't maintain a subscription your locally installed 
> copy of Word will cease to function.
> 
> ~Seth


Re: automated site to site vpn recommendations

2016-06-30 Thread Geoff Wolf AB3LS
I have a feeling that most if not all of the requirements you have could be
achieved with a Cisco ISR router running some kind of FlexVPN/DMVPN setup
back to a network VPN hub. The ISR G3 series has the option of enabling a
built in firewall/IPS. You'd need a RADIUS solution to authenticate the VPN
from the spoke router in the field to the hub and also for 802.1X port
authentication. Depending upon the number of ports you'd need, a
downstream switch may be needed (ISR4331 has optional 4-port PoE switch
module).
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/200031-Zero-Touch-Deployment-ZTD-of-VPN-Remot.html

That said, I think this would be a huge headache compared to what can be
done with Meraki. It would also involve a TON of R&D time (believe me).

On Wed, Jun 29, 2016 at 7:38 PM, Tim Raphael 
wrote:

> There is a downside to subscription pricing for the vendor: they don't get
> the instant cashflow they're used to. I know Cisco seems to be taking a
> tactic where only some product lines use subscriptions and the others are
> on a typical enterprise 3-5 year replacements cycle to provide Cisco with
> the  large cash injections upon upgrade.
>
> Tim
>
> > On 30 Jun 2016, at 7:00 AM, Seth Mattinen  wrote:
> >
> >> On 6/29/16 15:33, Eric Kuhnke wrote:
> >> My biggest issue with Meraki is the fundamentally flawed business model,
> >> biased in favor of vendor lock in and endlessly recurring payments to
> the
> >> equipment vendor rather than the ISP or enterprise end user.
> >>
> >> You should not have to pay a yearly subscription fee to keep your
> in-house
> >> 802.11(abgn/ac) wifi access points operating. The very idea that the
> >> equipment you purchased which worked flawlessly on day one will stop
> >> working not because it's broken, or obsolete, but because your
> >> *subscription* expired...
> >
> >
> > I'm sure most hardware makers would love to lock in a revenue stream of
> "keep me working" subscriptions if they could get away with it. From the
> company's perspective what's not to love about that kind of guaranteed
> revenue?
> >
> > I often wonder if Microsoft will someday make Office365 the only way to
> get Office, which if you don't maintain a subscription your locally
> installed copy of Word will cease to function.
> >
> > ~Seth
>



-- 
Geoffrey Wolf


Re: OT: IPSec Transport vs Tunnel modes (Was: VPN recommendations?)

2022-02-15 Thread Grant Taylor via NANOG

Hi Bill,

On 2/12/22 8:55 PM, William Herrin wrote:
> It's tunnel mode plus a tunneling protocol plus some implicit routing 
> and firewalling which gets in the way of dynamic routing.


I assume you meant to say that it's /transport/ mode plus a tunneling 
protocol.


I wonder if you are thinking more of an IPSec VPN management suite of 
sorts, e.g. wizard / helper that is included in some devices.  I'm 
thinking at a very low (manual) level.  The "implicit routing" and 
"firewalling" are the strongest indicators of this to me.  The manual 
IPSec that I've done on Linux (via the `ip xfrm` command) doesn't touch 
firewalling and I believe that addresses inside the tunnel would be 
completely separate operations / commands.


> Try it if you don't believe me. Set up tunnel mode ipsec manually on 
> two nodes (no IKE) and get them talking to each other. Then change 
> one to transport mode and add I think it's an IPIP tunnel but I don't 
> remember for certain. And add the appropriate routes into the tunnel 
> virtual device. You'll find they talk.


Unfortunately I don't have the leisure time to do this experimentation 
currently.  As such I'm going to put this on my to-do pile for future 
investigation ~> follow up.


I do not recall reading about IPSec /Tunnel/ mode re-using an existing 
tunneling protocol; IPIP, etc.  Perhaps I'm misremembering.  Perhaps it 
inherently does so without declaring as such.


> What did you think IPSec was doing? Transport mode encrypts the layer 
> 4 and up of the packet between two machines; it doesn't encapsulate 
> it. When they added tunnel mode, the inner layer 3 had to go somewhere.


My understanding is that /Transport/ mode applies AH (no encryption) and 
/ or ESP (encryption) to L4 datagrams and that /Tunnel/ mode does the 
same to L3 packets.


P.S.  I'm sending this reply to NANOG in case anyone else has any 
contribution / comments.  I suspect any future reply will be directly to 
Bill as this is getting further off topic, both for NANOG in general and 
for this VPN recommendations thread.




--
Grant. . . .
unix || die





Re: OT: IPSec Transport vs Tunnel modes (Was: VPN recommendations?)

2022-02-16 Thread Crist Clark
It's not like IPsec protocols (it's a suite of protocols and concepts, not
one) are proprietary or something. There are pretty ASCII pictures in RFCs
with all about how the packets are put together. See section 3 of RFC 4303
to see how ESP transport and tunnel mode datagrams are put together.

For the tl;dr, in transport mode everything above the IP header is the payload.
In tunnel mode, the whole IP datagram is the payload. The contents of the
payload are specified by the "Next Header" field of the ESP header. For an
encapsulated IPv4 packet, it would be protocol 4 (IP-in-IP). For an IPv6
packet, it would be 41. For TCP in transport mode, it would be 6. UDP is
17. Etc.

If you want to see it in action yourself, you can set the encryption algo
to NULL and do a capture.

On Tue, Feb 15, 2022 at 10:16 AM Grant Taylor via NANOG 
wrote:

> Hi Bill,
>
> On 2/12/22 8:55 PM, William Herrin wrote:
> > It's tunnel mode plus a tunneling protocol plus some implicit routing
> > and firewalling which gets in the way of dynamic routing.
>
> I assume you meant to say that it's /transport/ mode plus a tunneling
> protocol.
>
> I wonder if you are thinking more of an IPSec VPN management suite of
> sorts, e.g. wizard / helper that is included in some devices.  I'm
> thinking at a very low (manual) level.  The "implicit routing" and
> "firewalling" are the strongest indicators of this to me.  The manual
> IPSec that I've done on Linux (via the `ip xfrm` command) doesn't touch
> firewalling and I believe that addresses inside the tunnel would be
> completely separate operations / commands.
>
> > Try it if you don't believe me. Set up tunnel mode ipsec manually on
> > two nodes (no IKE) and get them talking to each other. Then change
> > one to transport mode and add I think it's an IPIP tunnel but I don't
> > remember for certain. And add the appropriate routes into the tunnel
> > virtual device. You'll find they talk.
>
> Unfortunately I don't have the leisure time to do this experimentation
> currently.  As such I'm going to put this on my to-do pile for future
> investigation ~> follow up.
>
> I do not recall reading about IPSec /Tunnel/ mode re-using an existing
> tunneling protocol; IPIP, etc.  Perhaps I'm misremembering.  Perhaps it
> inherently does so without declaring as such.
>
> > What did you think IPSec was doing? Transport mode encrypts the layer
> > 4 and up of the packet between two machines; it doesn't encapsulate
> > it. When they added tunnel mode, the inner layer 3 had to go somewhere.
>
> My understanding is that /Transport/ mode applies AH (no encryption) and
> / or ESP (encryption) to L4 datagrams and that /Tunnel/ mode does the
> same to L3 packets.
>
> P.S.  I'm sending this reply to NANOG in case anyone else has any
> contribution / comments.  I suspect any future reply will be directly to
> Bill as this is getting further off topic, both for NANOG in general and
> for this VPN recommendations thread.
>
>
>
> --
> Grant. . . .
> unix || die
>
>
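The transport-vs-tunnel distinction that Bill, Grant and Crist are arguing about above comes down to what sits in the ESP payload and what the trailer's Next Header byte says about it. The following is an added illustration written for this archive page, not code posted by any of the participants and not from any IPsec implementation: it frames ESP datagrams per RFC 4303 with the NULL cipher (so the payload stays readable, as Crist suggests for a capture) and a truncated HMAC-SHA-256 ICV, once in transport mode around a TCP segment (Next Header 6) and once in tunnel mode around a whole inner IPv4 packet (Next Header 4), then decodes both. The key, the RFC 5737 addresses, the SPIs and the 20-byte TCP segment are all constructed for the example; it does no real IKE and installs nothing in the kernel.

```python
"""ESP (RFC 4303) framing in transport vs tunnel mode, NULL cipher, HMAC-SHA-256-128 ICV.
Added example for the NANOG thread above; all keys, addresses and packets are constructed."""
import hashlib
import hmac
import socket
import struct

ESP = 50        # IP protocol number carried in the outer IPv4 header
IPIP = 4        # ESP Next Header when the payload is a complete IPv4 packet (tunnel mode)
TCP = 6         # ESP Next Header when the payload is a TCP segment (transport mode)
ICV_LEN = 16    # RFC 4868: HMAC-SHA-256 output truncated to 128 bits
ALIGN = 4       # NULL cipher has no block size, but ESP still requires 4-byte alignment

KEY = b"constructed-demo-key-do-not-reuse"                      # constructed, not a real SA key
TCP_SEG = bytes.fromhex("c1d4005000000000000000005002ffff00000000")  # constructed 20-byte TCP SYN


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of 16-bit words (checksum field must be zero on input)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """SPI | Seq | payload | padding | Pad Length | Next Header | ICV (RFC 4303 section 2)."""
    pad_len = (-(len(payload) + 2)) % ALIGN            # make payload+pad+2 a multiple of 4
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default padding: 1, 2, 3, ...
    authed = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, authed, hashlib.sha256).digest()[:ICV_LEN]
    return authed + icv


def esp_decapsulate(esp: bytes, key: bytes):
    """Verify the ICV, then read the trailer to find the payload and its Next Header."""
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", authed[:8])
    pad_len, next_header = authed[-2], authed[-1]
    end = len(authed) - 2
    if authed[end - pad_len:end] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, authed[8:end - pad_len]


def transport_mode(src, dst, spi, seq, l4_segment, l4_proto, key) -> bytes:
    """Transport mode: ESP wraps only the layer-4 segment; the hosts' own IP header stays outside."""
    esp = esp_encapsulate(spi, seq, l4_segment, l4_proto, key)
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, spi, seq, inner_packet, key) -> bytes:
    """Tunnel mode: ESP wraps a whole inner IPv4 packet under a new outer IP header."""
    esp = esp_encapsulate(spi, seq, inner_packet, IPIP, key)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp


def parse_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]


def decode(pkt: bytes, key: bytes) -> dict:
    """Walk an ESP-over-IPv4 datagram the way a NULL-cipher capture lets you read it."""
    src, dst, proto, body = parse_ipv4(pkt)
    if proto != ESP:
        raise ValueError("outer protocol is not ESP")
    spi, seq, nh, payload = esp_decapsulate(body, key)
    info = {"outer": (src, dst), "spi": spi, "seq": seq, "next_header": nh}
    if nh == IPIP:                      # tunnel mode: payload is a complete inner IPv4 packet
        isrc, idst, iproto, l4 = parse_ipv4(payload)
        info.update(inner=(isrc, idst), inner_proto=iproto, l4=l4)
    else:                               # transport mode: payload is the layer-4 segment itself
        info["l4"] = payload
    return info


def demo():
    """Same TCP segment sent both ways; returns the decoded transport and tunnel datagrams."""
    t = transport_mode("192.0.2.1", "198.51.100.1", 0x1000, 1, TCP_SEG, TCP, KEY)
    inner = ipv4_header("10.0.0.5", "10.1.0.7", TCP, len(TCP_SEG)) + TCP_SEG
    u = tunnel_mode("192.0.2.1", "198.51.100.1", 0x1001, 1, inner, KEY)
    return decode(t, KEY), decode(u, KEY)


def tampered_rejected(pkt: bytes, key: bytes) -> bool:
    """Flip one bit inside the ESP payload; the ICV check must reject the datagram."""
    mutated = bytearray(pkt)
    mutated[30] ^= 0x01                 # 20-byte IP header + 8-byte ESP header + 2 -> payload
    try:
        decode(bytes(mutated), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for mode, d in zip(("transport", "tunnel"), demo()):
        print(mode, d)
```

Note the decode output: in transport mode the outer addresses are the endpoints and Next Header is 6, so the receiver hands the payload straight to TCP; in tunnel mode Next Header is 4 and the payload is itself an IPv4 packet with the 10.x addresses, so the receiver has to route it again, which is the point Bill makes about tunnel mode being transport mode plus an IP-in-IP tunnel. A byte flipped anywhere under the ICV fails `hmac.compare_digest`, so the packet is dropped before any inner header is trusted.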