t. When they added tunnel mode, the inner layer 3 had to go somewhere.
>
> My understanding is that /Transport/ mode applies AH (no encryption) and
> / or ESP (encryption) to L4 datagrams and that /Tunnel/ mode does the
> same to L3 packets.
>
> P.S. I'm sending this reply to NANOG in case anyone else has any
> contribution / comments. I suspect any future reply will be directly to
> Bill as this is getting further off topic, both for NANOG in general and
> for this VPN recommendations thread.
> --
> Grant. . . .
> unix || die
On Sat, Feb 12, 2022 at 12:26 PM Grant Taylor via NANOG wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and
> > but you can deconstruct it: it's built up from transport mode +
> > a tunnel protocol (gre or ipip I don't remember
On Sat, 2022-02-12 at 13:24 -0700, Grant Taylor via NANOG wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and
> > tunnel. Transport is between exactly two IP addresses while tunnel
> > expects a broader network to exist on at
On 2/11/22 12:35 PM, William Herrin wrote:
The thing to understand is that IPSec has two modes: transport and
tunnel. Transport is between exactly two IP addresses while tunnel
expects a broader network to exist on at least one end.
That is (syntactically) correct. However, it is possible to
Intriguing. This week I started to look around for new wireguard
implementation tools and appliances. I've used openvpn and ipsec
in the main although last month put together a 10x and IPv6
wireguard net in my home and out to two vps hosts which is
handy. For my own use this is ok-ish, but
e IPv6 realm so if that is a requirement, they won't
work right now.
--Rich
> -- Forwarded message --
> From: William Herrin
> To: Shawn L
> Cc: "nanog@nanog.org"
> Bcc:
> Date: Thu, 10 Feb 2022 10:54:39 -0800
> Subject: Re: VPN recommen
On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon wrote:
> 1) IPSEC does not lend itself to dynamic routing or dynamic configuration. It
> is very much a static set-it-and-forget-it technology, but that doesn’t work
> in a dynamically changing environment.
Hi Dan,
Depending on how you configure it,
Guard and use ddns
From: NANOG On Behalf Of William Herrin
Sent: Friday, February 11, 2022 2:02 AM
To: nanog@nanog.org
Subject: VPN recommendations?
Hi folks,
Do you have any recommendations for VPN appliances? Spe
>> On 2022-02-10 10:12, Mike Lyon wrote:
>> How about running ZeroTier on those Linux boxes and call it a day?
>> https://www.zerotier.com/
>> -Mike
>>> On Feb 10, 2022, at 10:07, David Guo via NANOG
>>> wrote:
>>>
>>> You may try Wire
The Brothers WISP
- Original Message -
From: "Ander Punnar"
Cc: nanog@nanog.org
Sent: Thursday, February 10, 2022 2:04:57 PM
Subject: Re: VPN recommendations?
On Thu, 10 Feb 2022 10:55:40 -0800, William Herrin wrote:
> My understanding is that Wireguard is software ava
Sabri Berisha writes:
> I read on some mailing list that Meraki likes to ping 8.8.8.8 every
> second... :)
That's probably to be fair with the quad-x dns providers since they
already were abusing 1.1.1.1.
Makes me wonder what Meraki uses 9.9.9.9 for :-)
Bjørn
On 2/11/22 06:49, David Andrzejewski wrote:
I don't know how people around here feel about Mikrotik, but they have included
Wireguard support in their latest operating system.
I know some Tik heads here that are happy about this.
I am running ROS 7.1.2 on my home router, but I don't use i
2022 13:56
> Cc: nanog@nanog.org
> Subject: Re: VPN recommendations?
>
> On Thu, Feb 10, 2022 at 10:04 AM David Guo wrote:
> > You may try WireGuard and use ddns
>
> Hi David,
>
> My understanding is that Wireguard is software available for general purpose
> operat
I don't know how people around here feel about Mikrotik, but they have included
Wireguard support in their latest operating system.
dave
-Original Message-
From: NANOG On Behalf Of
William Herrin
Sent: Thursday, February 10, 2022 13:56
Cc: nanog@nanog.org
Subject: Re
On Thu, 10 Feb 2022 10:55:40 -0800, William Herrin said:
> My understanding is that Wireguard is software available for general
> purpose operating systems. I specifically need a set of hardware
> network appliances.
Take a general purpose OS, strip down the userspace a bit,
stick the whole thin
On 2/10/22 20:02, William Herrin wrote:
Hi folks,
Do you have any recommendations for VPN appliances? Specifically: I
need to build a site to site VPNs at speeds between 100mbps and 1 gbit
where all but one of the sites are behind an IPv4 NAT gateway with
dynamic public IP addresses.
No
Howdy,
I just want to say thank you to everyone who responded. It was very
helpful and I now have a bunch of leads to chase. I'll let you know
what I end up doing. Given the lead times on some of the equipment it
may be a while...
Warm regards,
Bill Herrin
On Thu, Feb 10, 2022 at 10:02 AM Willi
I work in a large oil company and we have S2S VPNs everywhere. Any modern
Cisco or Juniper router will meet your requirements. An off the shelf security
appliance will do the job too, i.e. ASA, Palo Alto, Fortinet or Juniper. Meraki is
great if you want to manage from the cloud or vpn as a service
tailscale is 3-clause BSD.
there is a reverse engineered version of the rendezvous protocol also.
On Thu, Feb 10, 2022 at 3:41 PM John Gilmore wrote:
>
> Mike Lyon wrote:
> > How about running ZeroTier on those Linux boxes and call it a day?
> > https://www.zerotier.com/
>
> ZeroTier is not a
Mike Lyon wrote:
> How about running ZeroTier on those Linux boxes and call it a day?
> https://www.zerotier.com/
ZeroTier is not a free-as-in-freedom project. Running it in Linux boxes
or network appliances to provide a VPN to paying customers may be
prohibited (at least for some customers, and
behalf of
Brandon Svec via NANOG
Sent: Thursday, February 10, 2022 3:50:49 PM
To: William Herrin
Cc: nanog@nanog.org
Subject: Re: VPN recommendations?
Meraki may be considered expensive, requires perpetual license to operate and
is difficult to get currently (very long lead times) but is
Meraki may be considered expensive, requires perpetual license to operate
and is difficult to get currently (very long lead times) but is
dead.stupid.simple to install and maintain. I have yet to find a business
or home network that it does not work on out of the box, but if you find
one it would
We use SonicWall TZ series for just this purpose. The IPSec VPN endpoints can
be behind NAT, and we just use DYNDNS to map whatever is current to a FQDN.
Each side thus has the public IP of the other side and can connect as long as
you pass through GRE.
-mel via cell
On Feb 10, 2022, at 1:05 P
Matt Harris|Infrastructure Lead
816-256-5446|Direct
On Thu, Feb 10, 2022 at 12:03 PM William Herrin wrote:
> Hi folks,
>
> Do you have any recommendations for VPN appliances? Sp
- On Feb 10, 2022, at 10:17 AM, nanog nanog@nanog.org wrote:
Hi,
> Meraki MX series?
I read on some mailing list that Meraki likes to ping 8.8.8.8 every
second... :)
Thanks,
Sabri
> Shawn
> -Original Message-
> From: "Keith Stokes"
> Sent: Thursday, February 10, 2022 1:11pm
> To: "William Herrin"
> Cc: "nanog@nanog.org"
> Subject: Re: VPN recommendations?
>
> Pfsense on Net
On Thu, 10 Feb 2022 10:55:40 -0800, William Herrin wrote:
> My understanding is that Wireguard is software available for general
> purpose operating systems. I specifically need a set of hardware
> network appliances.
MikroTik (hardware) RouterOS (software) version 7 has WireGuard:
https://help.m
I don't know of a specific document speaking to this, but this doc I
think describes it right.
https://securitynetworkinglinux.wordpress.com/2019/04/19/how-create-a-site-to-site-ipsec-vpn-from-an-opnsense-to-a-fortigate-behind-a-nat-router/
in section 2.3 is where you change My Identifier to be
: nanog@nanog.org
Subject: VPN recommendations?
Hi folks,
Do you have any recommendations for VPN appliances? Specifically: I need to
build a site to site VPNs at speeds between 100mbps and 1 gbit where all but
one of the sites are behind an IPv4 NAT gateway with dynamic public IP
addresses
On Thu, Feb 10, 2022 at 10:55 AM William Herrin wrote:
> My understanding is that Wireguard is software available for general
> purpose operating systems. I specifically need a set of hardware
> network appliances. I don't overly care which protocol they're running
> as long as an initiator stuck
On Thu, Feb 10, 2022 at 10:04 AM David Guo wrote:
> You may try WireGuard and use ddns
Hi David,
My understanding is that Wireguard is software available for general
purpose operating systems. I specifically need a set of hardware
network appliances. I don't overly care which protocol they're ru
On Thu, Feb 10, 2022 at 10:47 AM Juri Grabowski wrote:
> Or buy official supported hardware from https://shop.opnsense.com/
Howdy,
Opnsense looks like it might work. I dug through some of the
documentation but didn't find something entirely on point for my use
case. Are you aware of any document
On Thu, Feb 10, 2022 at 10:18 AM Shawn L wrote:
> Meraki MX series? Dynamic IPs and NATs don't really cause them a problem.
> Some CGNats do (AT&T I'm looking at you).
Thanks Shawn,
The documentation I found at
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
sugg
On Thu, Feb 10, 2022 at 10:06 AM Guillaume Tournat wrote:
> Fortinet firewalls (FortiGate) are a great deal
Thanks Guillaume,
I found this
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-VPN-between-static-and-dynamic-IP-FQDN/ta-p/191815
but it suggests that the dynamic IP forti
ry WireGuard and use ddns
From: NANOG On Behalf Of
William Herrin
Sent: Friday, February 11, 2022 2:02 AM
To: nanog@nanog.org
Subject: VPN recommendations?
Hi folks,
Do you have any recommendations for VPN appliances? Specifically: I
need to build a site to site VPNs at speeds between 100mbps and
If you want something gui driven I’d do something like Meraki…you can do
the same with just regular old Cisco routers using DMVPN as well. It’s a
pretty common use case and well established.
On Thu, Feb 10, 2022 at 1:03 PM William Herrin wrote:
> Hi folks,
>
> Do you have any recommendations fo
ell at establishing site-to-site
> VPNs in some pretty challenging scenarios. Dynamic IPs and NATs don't
> really cause them a problem. Some CGNats do (AT&T I'm looking at you).
> > Shawn
roblem. Some CGNats do (AT&T I'm looking at you).
> Shawn
> -Original Message-
> From: "Keith Stokes"
> Sent: Thursday, February 10, 2022 1:11pm
> To: "William Herrin"
> Cc: "nanog@nanog.org"
: Thursday, February 10, 2022 1:11pm
To: "William Herrin"
Cc: "nanog@nanog.org"
Subject: Re: VPN recommendations?
Pfsense on Netgate appliances?
I’ve used several of them; while not for this exact purpose, they have
done the roles but maybe not the amount of VPN traffic.
--
Keith
(AT&T I'm looking at you).
Shawn
-Original Message-
From: "Keith Stokes"
Sent: Thursday, February 10, 2022 1:11pm
To: "William Herrin"
Cc: "nanog@nanog.org"
Subject: Re: VPN recommendations?
Pfsense on Netgate appliances?
I’ve used sever
ebruary 11, 2022 2:02 AM
> To: nanog@nanog.org
> Subject: VPN recommendations?
>
> Hi folks,
>
> Do you have any recommendations for VPN appliances? Specifically: I need to
> build a site to site VPNs at speeds between 100mbps and 1 gbit where all but
> one of the sites ar
Pfsense on Netgate appliances?
I’ve used several of them; while not for this exact purpose, they have done the
roles but maybe not the amount of VPN traffic.
--
Keith Stokes
SalonBiz, Inc
On Feb 10, 2022, at 12:02 PM, William Herrin wrote:
Hi folks,
Do you have any
You may try WireGuard and use ddns
From: NANOG On Behalf Of William Herrin
Sent: Friday, February 11, 2022 2:02 AM
To: nanog@nanog.org
Subject: VPN recommendations?
Hi folks,
Do you have any recommendations for VPN appliances? Specifically: I need to
build a site to site VPNs at speeds
Hi folks,
Do you have any recommendations for VPN appliances? Specifically: I need to
build a site to site VPNs at speeds between 100mbps and 1 gbit where all
but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
addresses.
Normally I'd throw OpenVPN on a couple of Linux boxe
I have a feeling that most if not all of the requirements you have could be
achieved with a Cisco ISR router running some kind of FlexVPN/DMVPN setup
back to a network VPN hub. The ISR G3 series has the option of enabling a
built in firewall/IPS. You'd need a RADIUS solution to authenticate the VPN
There is a downside to subscription pricing for the vendor: they don't get the
instant cashflow they're used to. I know Cisco seems to be taking a tactic
where only some product lines use subscriptions and the others are on a typical
enterprise 3-5 year replacement cycle to provide Cisco with t
On Wed, 2016-06-29 at 16:00 -0700, Seth Mattinen wrote:
> I often wonder if Microsoft will someday make Office365 the only way
> to get Office, which if you don't maintain a subscription your
> locally installed copy of Word will cease to function.
I live for that day.
Regards, K.
--
~
On 6/29/16 15:33, Eric Kuhnke wrote:
My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.
You should not have to pay a yearly subscription fe
I treat Meraki like SmartNET. The subscription comes with lifetime support
(TAC + Warranty), you do have support on your production network gear don't
you? It's not like they trick you going into it either. I for one am a huge
fan of the simplicity, it just works.
Disclaimer: We use them. ~35 acce
My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.
You should not have to pay a yearly subscription fee to keep your in-house
802.11(abgn/ac)
2016 6:28 PM
> To: Karl Auer
> Cc: nanog@nanog.org
> Subject: Re: automated site to site vpn recommendations
>
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present
anks again.
> From: r...@tehorange.com
> Date: Wed, 29 Jun 2016 09:03:06 -0400
> Subject: Re: automated site to site vpn recommendations
> To: p...@nashnetworks.ca
> CC: nanog@nanog.org
>
> For several of our clients, we use Sophos UTMs coupled with their RED
> units. Once reg
For several of our clients, we use Sophos UTMs coupled with their RED
units. Once registered with the UTM, the RED unit auto creates an SSL
based VPN back to the UTM. The RED unit is managed from the UTM and pulls
its config when it boots. It's similar to the function of Meraki without
the direc
tled 3"
Subject: Re: automated site to site vpn recommendations
My biggest issue with Meraki is that their tech staff can run tcpdump on the
wired or wireless interface of your Meraki box without having to leave their
desk. I have no reason to believe that they are malicious, or in the pay
My biggest issue with Meraki is that their tech staff can run tcpdump on the
wired or wireless interface of your Meraki box without having to leave their
desk. I have no reason to believe that they are malicious, or in the pay of
the NSA, but I am too paranoid to allow their equipment anywhere
t the cheapest solution, but for sure they get the job done.
Regards,
Richard.
-Original Message-
From: NANOG On Behalf Of Dan Stralka
Sent: Monday, June 27, 2016 6:28 PM
To: Karl Auer
Cc: nanog@nanog.org
Subject: Re: automated site to site vpn recommendatio
I would second Meraki for the situation you describe. I don't feel that
they are the most capable platform, they're expensive, and don't always
present you with all the information you'd need for troubleshooting.
However, the VPN offers great dynamic tunneling, instant-on performance,
and are by fa
Fortinet has stuff that does this that is non-IT friendly.
On Mon, Jun 27, 2016 at 4:59 PM, Karl Auer wrote:
> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > In some cases...
>
> The words "in some cases" are a problem with any supposedly plug and
> play solution.
>
> > We really could use a
On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> In some cases...
The words "in some cases" are a problem with any supposedly plug and
play solution.
> We really could use a simple solution that you
> just flip on, it calls home, and works...
...but still requiring someone to enter credentials of
a couple of Z1s
the cost isn't too bad.
Shawn
-Original Message-
From: "c b"
Sent: Monday, June 27, 2016 4:08pm
To: "nanog@nanog.org"
Subject: automated site to site vpn recommendations
Situation: We have salespeople/engineers holding temporary
semin
Situation: We have salespeople/engineers holding temporary
seminars/training/demonstrations in hotel meeting rooms.
Requirements:
field people need a very plug-n-play, simple, reliable vpn back to corporate
offices to present videos/slides/demonstrations. The materials are not
accessible via th