I’ll second PFsense, done quite a bit of this in hub and spoke topologies, 
spokes being behind NAT (provided the upstream fw allows udp 500,4500), on a 
dynamic.  The hub or hubs are ideally on a static. Set the hub site up as 
responder only, the remotes initiate the tunnel.  Peers are validated either by 
dynamic name or you simply allow peers sourcing from 0.0.0.0 at the hub site.

This is not limited to PF, I’ve gotten this to work on Cisco firewalls, 
routers, and other Linux based firewalls.
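The hub/spoke arrangement described above, as an added illustration in strongSwan swanctl.conf syntax (the IPsec stack under pfSense and most Linux firewalls); this is not the poster's configuration or vendor documentation, and the addresses, identities and subnets are placeholders. The `secrets` section that binds one PSK per spoke to both identities is omitted.

```ini
# Hub (static 203.0.113.1, placeholder): responder only, any source IP, peer checked by identity
connections {
    spoke-a {
        version = 2
        remote_addrs = 0.0.0.0/0   # spoke's public address is dynamic and NATed
        dpd_delay = 30s            # notice a spoke that silently re-addressed
        local {
            auth = psk
            id = hub.example.net
        }
        remote {
            auth = psk
            id = spoke-a.example.net   # validated identity, not source IP
        }
        children {
            spoke-a-lan {
                local_ts = 10.0.0.0/24
                remote_ts = 10.1.0.0/24
                start_action = none    # hub never initiates
                dpd_action = clear     # drop dead SA; spoke will re-initiate
            }
        }
    }
}
# Spoke A (dynamic IP behind NAT, udp/500 + udp/4500 allowed outbound): always initiates
connections {
    hub {
        version = 2
        remote_addrs = 203.0.113.1
        encap = yes            # force UDP 4500 encapsulation through the NAT
        dpd_delay = 30s
        keyingtries = 0        # never give up initiating
        local {
            auth = psk
            id = spoke-a.example.net
        }
        remote {
            auth = psk
            id = hub.example.net
        }
        children {
            hub-lan {
                local_ts = 10.1.0.0/24
                remote_ts = 10.0.0.0/24
                start_action = start   # bring up at load and keep it up
                dpd_action = restart   # re-initiate when hub stops answering
            }
        }
    }
}
```

With this split the hub never needs to know a spoke's current address, and a spoke whose public IP changes simply rebuilds the tunnel from the new one.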

From: NANOG <nanog-bounces+james=digitalciti....@nanog.org> On Behalf Of 
William Herrin
Sent: Thursday, February 10, 2022 12:02 PM
To: nanog@nanog.org
Subject: VPN recommendations?

Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to 
build site to site VPNs at speeds between 100mbps and 1 gbit where all but 
one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
customer insists on a network appliance. Site to site VPNs using IPSec and 
static IP addresses on the plaintext side are a dime a dozen but traversing NAT 
and dynamic IP addresses (and automatically re-establishing when the service 
goes out and comes back up with different addresses) is a hard requirement.

Thanks in advance,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/
