Re: racoon, IKEv1 and multiple ipsec clients behind NAT

To: "Mathew, Cherry G." <c%bow.st@localhost>
Subject: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
From: Gert Doering <gert%greenie.muc.de@localhost>
Date: Thu, 20 Oct 2022 18:16:45 +0200

Hi,

On Thu, Oct 20, 2022 at 04:02:30PM +0000, Mathew, Cherry G. wrote:
> On October 20, 2022 1:24:36 PM UTC, Gert Doering <gert%greenie.muc.de@localhost> wrote:
> >On Thu, Oct 20, 2022 at 01:19:39PM +0000, Mathew, Cherry G. wrote:
> >> In the end I went with l2tp(4) over OpenVPN over tor.
> >
> >What exactly are you trying to build here?
> >
> >As in, is there anything L2TP provides that OpenVPN can not do?
> 
> One of my goals is to setup a virtual lan across my devices that are physically located at various locations.  OpenVPN doesn't seem to provide this seamlessly, last I checked.

It does :-) - look into --dev tap, which will provide virtual ethernet
interfaces.  These can then be bridge(4)ed together.

Normally you'd not use that for road warrier access type - you'd just
designed a second IP segment for "this is VPN" and setup routing on
all boxes involved to move packets back and forward how you need them.

For "I want access to my home e-mail server" this would be fully
sufficient - no "virtual LAN" needed, just "routing across a 
--dev tun device".

> I'd also like to be able to "dial" into this virtual lan in a "road warrior" setting using standard android/iPhone VPN clients - at the moment all ipsec/l2tp based.

There's OpenVPN clients for Android and iOS.  Which needs "install an App".

Unfortunately, the VPN API used on these platforms is "layer 3 routing"
only, so no "connect into bridged LAN" mode - just routing.

I would be surprised, though, if iOS supported L2TPv3, which is
needed for "virtual LAN" deployments - classic L2TP is "layer 3 routing",
thus, similar to OpenVPN on these platforms.  (Googling seems to claim
that Android does L2TPV3 indeed, while iOS is not, but the masses of
"Cisco IOS" hits might be hidding one for "Apple iOS")

> I'd be interested in recommendations for testing "performance" of virtual LANs 
We do throughput testing with iperf3, and by "plain ftp download".

Do not use samba shares, as the protocol is too much impaired by latency.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert%greenie.muc.de@localhost

Follow-Ups:
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.

References:
- racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.*
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Gert Doering
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Gert Doering
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.

Prev by Date: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Next by Date: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Previous by Thread: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Next by Thread: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Indexes:

Home | Main Index | Thread Index | Old Index