It depends on how much performance you are looking for. I actually ran a few benchmarks that I have yet to find time to publish to the IPSec VPN wiki page, but you can even put Debian in an LDOM and get 40 Mbps performance out of that (although there was a little bug with racoon on Debian SPARC in that your group ID can't be longer than 16 characters or the racoon daemon just drops dead). Note that I've found adding multiple cores (on the LDOM and on x86 bare metal) doesn't really increase performance for racoon.
We also have a paravirtualized Debian instance running racoon just fine. It's a lenny kernel though; the etch Xen kernel seems to be missing the IPSec bits back from when we tried it. I don't have any benchmark data for that though. However I would suspect Xen/xVM and VirtualBox are both good enough for at least a POC or small setup, if not something larger.

I've had the same problem with multiple VPN tunnels from the same IP. I suspect it has to do with how IPSec NAT tunnelling works.

The OpenSolaris Google Summer of Code page lists porting racoon to Solaris as a suggested project, but it seems the page hasn't been updated since March 2008.

William

From: [email protected] [mailto:[email protected]] On Behalf Of Stuart
Sent: Sunday, April 26, 2009 8:16 AM
To: Jim Klimov; SunRay-Users mailing list
Subject: Re: [SunRay-Users] Solaris-based VPN server for Sun Rays?

Hi Jim,

I have a couple of V20z's running VMWare. I have a Solaris VM for the Sun Ray server and a Red Hat VM for the VPN service (racoon). I have no performance issues, but I only have 5 Sun Rays connecting remotely.

The only issue (big issue) I've had is that I wasn't able to configure racoon to accept multiple VPN tunnels from the same IP address. I've even tried using ipfilter on a separate Solaris VM, but I couldn't get it to allocate a dynamic IP pool to map the tunnels to so racoon could accept them as tunnels from different IP addresses. (I'm not sure if I've misconfigured racoon or ipfilter, but I couldn't find any info on the net to solve the problem.)

In the end I just created virtual interfaces on the Red Hat VM and exposed them to the web. Each Sun Ray unit connects to a different IP. (So at the moment I can handle 5 Sun Rays per single IP.)

Hope all that makes sense.

Stuart.

------
Stuart Robinson
Collective Systems Ltd
M: +44 (0)7866 433 911
E: [email protected]
www.collectivesystems.com
ClearPath Broker: http://www.collectivesystems.com/clearpath

Jim Klimov wrote:

Hello SunRay-Users,

I've read with great interest a post a few months back, about using Linux-based racoon VPN service to emulate Cisco EasyVPN to allow for SunRay connections. The choice of racoon and Linux was because no Solaris-based software stack allowed for adequate VPN server.

Did anything change over the past months? Is it possible to build a pure Solaris-based VPN server which can accept SunRay2 connections? We want our Solaris 10u6 firewall/gateway server to do VPNs as well.

We currently started to play around with OpenVPN 2.1rc15 - after looking around a bit we concluded that it seems to be the only VPN service capable of running on Solaris - and even that requires third-party TUN/TAP drivers. However it seems to run over IP (tcp/udp port 1194 by default) and does not use IP GRE (IP type 47) packets. Which kind of VPN is used by SunRays?

Perhaps we didn't search long enough and there are some other free/open VPN software solutions on Solaris?

If not, would a virtual machine running on top of the gateway machine (in VirtualBox or Xen xVM's) with a Linux racoon provide any sort of performance for this task (if only a POC or to connect a handful of SunRay at home DTUs to the office)?

Kind of off-topic maybe, but perhaps someone knows: does the Xen or VirtualBox xVM's networking stack emulate the low-level network well enough to make these VPN servers runnable at all?
_______________________________________________ SunRay-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sunray-users
