Re: VPN recommendations?

2022-02-10 Thread Mark Wiater
I don't know of a specific document speaking to this, but this doc I 
think describes it right.


https://securitynetworkinglinux.wordpress.com/2019/04/19/how-create-a-site-to-site-ipsec-vpn-from-an-opnsense-to-a-fortigate-behind-a-nat-router/

In section 2.3 is where you change My Identifier to be the NATted non-
RFC1918 IP that the right side will see.


On 2/10/2022 1:55 PM, William Herrin wrote:

On Thu, Feb 10, 2022 at 10:47 AM Juri Grabowski  wrote:

Or buy official supported hardware from https://shop.opnsense.com/

Howdy,

Opnsense looks like it might work. I dug through some of the
documentation but didn't find something entirely on point for my use
case. Are you aware of any documentation which describes:

LAN - OPNSense Appliance - (rfc1918) NAT Appliance (dynamic IP) -
Internet - (static IP) OPNSense appliance - LAN

Where the left-side OPNSense is responsible for establishing and
keeping the NAT translations alive without any special configuration
on the NAT?

Thanks,
Bill
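
A worked example, added here and not taken from any message in this thread: the strongSwan swanctl.conf that OPNsense and pfSense drive underneath their GUI, written for the topology Bill drew, with the NATted/dynamic side as the only initiator. The OPNsense phase 1 "My identifier" field is the local id below. Every concrete value is an assumption for illustration: the static side at 203.0.113.10, LANs 10.1.0.0/24 (behind the NAT) and 10.2.0.0/24, the FQDN vpn-site-a.example.net as the NATted side's identifier, and a placeholder PSK. Because the NATted side's public address changes, the example uses an FQDN-type identifier rather than the public IP, so neither side needs re-editing when the ISP hands out a new address; DPD with unlimited keying tries and a restart action is what re-establishes the tunnel after an outage, and it is the initiator behind the NAT that sends the IKEv2 NAT-T keepalives that hold the translation open.

```conf
# Added example (not from the thread): swanctl.conf for a site-to-site IKEv2 tunnel
# where site A sits behind a NAT with a dynamic public address and site B has a
# static address. All addresses, names and the PSK are assumed placeholders.

# ---------- Site A (behind the NAT, dynamic public IP): always the initiator ----------
connections {
    to-site-b {
        version = 2
        # No local_addrs: the LAN-side address is RFC1918 and the public one is unknown,
        # so strongSwan binds to whatever interface routes to the peer. NAT-T (UDP 4500)
        # is negotiated automatically in IKEv2 once the NAT is detected.
        remote_addrs = 203.0.113.10
        proposals = aes256gcm16-prfsha384-ecp384
        # Liveness: probe every 30s; if the peer stops answering, the child's dpd_action runs.
        dpd_delay = 30s
        # 0 = keep retrying forever, so an ISP outage or address change never leaves the
        # tunnel permanently down.
        keyingtries = 0
        # A fresh IKE_SA from the same identity replaces the stale one on the peer.
        unique = replace
        local {
            auth = psk
            # "My identifier" in the OPNsense GUI. An FQDN-type ID (the @ prevents a DNS
            # lookup) stays constant while the NATted public address changes, which is
            # why it is used here instead of the public IP itself.
            id = @vpn-site-a.example.net
        }
        remote {
            auth = psk
            id = 203.0.113.10
        }
        children {
            lan {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                esp_proposals = aes256gcm16-ecp384
                # Bring the tunnel up at daemon start, and bring it back up on DPD failure
                # or if the peer closes it (rather than waiting for interesting traffic).
                start_action = start
                dpd_action = restart
                close_action = start
            }
        }
    }
}
secrets {
    ike-site-b {
        id = 203.0.113.10
        secret = "replace-with-a-long-random-psk"
    }
}

# ---------- Site B (static 203.0.113.10): responder only ----------
# This goes in the swanctl.conf on the other appliance; shown here as the matching side.
connections {
    from-site-a {
        version = 2
        local_addrs = 203.0.113.10
        # The peer's source address is unpredictable and changes; accept any and
        # authenticate it by identity + PSK instead.
        remote_addrs = %any
        proposals = aes256gcm16-prfsha384-ecp384
        dpd_delay = 30s
        unique = replace
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = @vpn-site-a.example.net
        }
        children {
            lan {
                local_ts  = 10.2.0.0/24
                remote_ts = 10.1.0.0/24
                esp_proposals = aes256gcm16-ecp384
                # The responder cannot initiate to a moving target: do not start or
                # restart, just drop the dead SA and wait for site A to come back.
                start_action = none
                dpd_action = clear
            }
        }
    }
}
secrets {
    ike-site-a {
        id = @vpn-site-a.example.net
        secret = "replace-with-a-long-random-psk"
    }
}
```

The NAT keepalive interval is charon.keep_alive in strongswan.conf (20s by default); shorten it if the NAT in front of site A expires UDP translations faster than that. Because the responder accepts %any, its only protection against a stranger is the identity plus PSK match, so use a long random PSK or switch both sides to certificate authentication.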






Re: VPN recommendations?

2022-02-10 Thread Mark Wiater
pfSense and OPNsense both do fine with NATted IPsec in the environments 
I've tested.


Isn't there an OpenVPN appliance too?

On 2/10/2022 1:17 PM, Shawn L via NANOG wrote:


Meraki MX series?

I don't like the way they do their licensing (your license runs out, 
the box is a paper-weight) but they do really well at establishing 
site-to-site VPNs in some pretty challenging scenarios. Dynamic IPs 
and NATs don't really cause them a problem.  Some CGNATs do (AT&T, I'm 
looking at you).


Shawn

-Original Message-
From: "Keith Stokes" 
Sent: Thursday, February 10, 2022 1:11pm
To: "William Herrin" 
Cc: "nanog@nanog.org" 
Subject: Re: VPN recommendations?

pfSense on Netgate appliances?
I've used several of them; while not for this exact purpose, they have 
done the roles, but maybe not the amount of VPN traffic.


--
Keith Stokes
SalonBiz, Inc

On Feb 10, 2022, at 12:02 PM, William Herrin  wrote:

Hi folks,
Do you have any recommendations for VPN appliances? Specifically:
I need to build site to site VPNs at speeds between 100 Mbps and
1 Gbit where all but one of the sites are behind an IPv4 NAT
gateway with dynamic public IP addresses.
Normally I'd throw OpenVPN on a couple of Linux boxes and be happy
but my customer insists on a network appliance. Site to site VPNs
using IPsec and static IP addresses on the plaintext side are a
dime a dozen but traversing NAT and dynamic IP addresses (and
automatically re-establishing when the service goes out and comes
back up with different addresses) is a hard requirement.
Thanks in advance,
Bill Herrin

-- 
William Herrin

b...@herrin.us

https://bill.herrin.us/



Re: Consumer networking head scratcher

2017-03-02 Thread Mark Wiater

On 3/1/2017 11:28 AM, Ryan Pugatch wrote:

At random times, my Windows machines (Win 7 and Win 10, attached to the
network via WiFi, 5GHz) lose connectivity to the Internet.  They can
continue to access internal resources, such as the router's admin
interface.
To the point of Windows reporting no internet access: MS does two things 
to determine if the machine has internet access, as outlined here: 
https://technet.microsoft.com/en-us/library/cc766017(v=ws.10).aspx (I 
think that's still valid)


From a console, can these two machines do the HTTP request and the DNS 
lookup when they tell you they're offline?  Can the other machines do 
these two things when the Windows machines can't, or when the Windows 
machines report offline?
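
For the two checks Mark suggests, an added example that is not from the thread: a PowerShell script that reproduces the NCSI probes by hand on the Windows box. It reads the probe host, path and expected-content values Windows itself uses from HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet and falls back to the classic defaults (www.msftncsi.com/ncsi.txt returning "Microsoft NCSI", and dns.msftncsi.com resolving to 131.107.255.255) when a value is absent; newer Windows 10 builds point those registry values at www.msftconnecttest.com instead. It also prints EnableActiveProbing, since a 0 there means Windows never ran the probes and the tray icon is not telling you what you think. The function names are my own.

```powershell
# Added example, not from the thread: run the two NCSI probes (DNS lookup and
# HTTP fetch) by hand and compare the answers against what Windows expects.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

# Classic defaults (Windows 7 era). Newer builds store www.msftconnecttest.com /
# connecttest.txt / "Microsoft Connect Test" in the registry, which is read first.
$Defaults = @{
    ActiveWebProbeHost    = 'www.msftncsi.com'
    ActiveWebProbePath    = 'ncsi.txt'
    ActiveWebProbeContent = 'Microsoft NCSI'
    ActiveDnsProbeHost    = 'dns.msftncsi.com'
    ActiveDnsProbeContent = '131.107.255.255'
}

function Get-NcsiSetting {
    param([string]$Name)
    try {
        $v = (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction Stop).$Name
        if ($null -ne $v) { return $v }   # a registry 0 is a real value, keep it
    } catch { }
    return $Defaults[$Name]
}

function Test-NcsiDns {
    # Windows resolves the DNS probe host and expects one fixed answer.
    $probeHost = Get-NcsiSetting 'ActiveDnsProbeHost'
    $expected  = Get-NcsiSetting 'ActiveDnsProbeContent'
    try {
        $got = [System.Net.Dns]::GetHostAddresses($probeHost) |
               ForEach-Object { $_.IPAddressToString }
    } catch {
        $got = @("lookup failed: $($_.Exception.Message)")
    }
    [pscustomobject]@{
        Probe = 'DNS'; Target = $probeHost; Expected = $expected
        Got = ($got -join ', '); Pass = [bool]($got -contains $expected)
    }
}

function Test-NcsiHttp {
    # Windows fetches a small text file over plain HTTP (through the system proxy,
    # which WebClient also honours) and expects its exact body.
    $url      = 'http://{0}/{1}' -f (Get-NcsiSetting 'ActiveWebProbeHost'), (Get-NcsiSetting 'ActiveWebProbePath')
    $expected = Get-NcsiSetting 'ActiveWebProbeContent'
    try {
        $body = (New-Object System.Net.WebClient).DownloadString($url).Trim()
    } catch {
        $body = "request failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Probe = 'HTTP'; Target = $url; Expected = $expected
        Got = $body; Pass = ($body -eq $expected)
    }
}

# If active probing is disabled (0), the tray icon is not based on these probes at all.
$probing = Get-NcsiSetting 'EnableActiveProbing'
if ($null -eq $probing) { $probing = 1 }   # assumed: an absent value means enabled
Write-Host "EnableActiveProbing = $probing"

@((Test-NcsiDns), (Test-NcsiHttp)) | Format-Table -AutoSize
```

Run it at the moment a machine says "No Internet access": if DNS passes but HTTP fails, look at the path the HTTP probe takes (proxy, captive portal, a filtering box rewriting plain HTTP); if DNS fails only on the Wi-Fi clients while wired hosts resolve fine, the resolver reachability over 5 GHz is the thing to chase.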