Virtual VPN routers

Here's one for you guys.
I'm wanting to set up a "virtual sites" lab. I got my VMware Server running happily but am willing to change to Citrix if needed for this.

My plan is to have a few Linux distro routers like Untangle running as virtual machines with my branch office networks of servers/desktops behind them, then use my main LAN to run the VPNs between them.

So let's say it's three sites. I would have three router VMs running connected to the main network. I would then have the second port connected to a separate virtual network that connects all the branch's servers etc. And then I run VPNs between the router VMs.

Problem is, I can't see how to do that in a virtual server.
Any ideas?
 
Depending on your networking setup, you might prefer some SSL-based VPN to IPSEC, which is not that NAT friendly.
 
Think you're missing the idea.
It's not for a full install, it's just for a home lab.

So I would have 2 virtual routers (let's say Untangle) that are on the same ESXi server and connected to the same LAN; these then have a VPN to talk to each other. Then I have 2 virtual servers behind these Untangle boxes that are separated and use one of the Untangle boxes as the top of the network.

So I'm creating 2 networks, both using Untangle as the gateway, that can't talk to each other till I have the VPN turned on. All on one box.

That help?
 
Think you're missing the idea.
It's not for a full install, it's just for a home lab.

So I would have 2 virtual routers (let's say Untangle) that are on the same ESXi server and connected to the same LAN; these then have a VPN to talk to each other. Then I have 2 virtual servers behind these Untangle boxes that are separated and use one of the Untangle boxes as the top of the network.

So I'm creating 2 networks, both using Untangle as the gateway, that can't talk to each other till I have the VPN turned on. All on one box.

That help?

Sure. Put a vSwitch with no network cards in it for the internal networks.
 
Depending on your networking setup, you might prefer some SSL-based VPN to IPSEC, which is not that NAT friendly.

Never had any problems with NAT for IPSEC? Punch it through on the port you choose to tunnel over. :confused:
 
I think we have a terminology issue here. Classic IPSEC can't have ports punched, since it is not an IP protocol. That is why standard IPSEC is not NAT friendly - the NAT gateway can have difficulty telling where to send the return packets. Most modern IPSEC packages allow you to tunnel using UDP - sorry, just being pedantic here :)
 
I think we have a terminology issue here. Classic IPSEC can't have ports punched, since it is not an IP protocol. That is why standard IPSEC is not NAT friendly - the NAT gateway can have difficulty telling where to send the return packets. Most modern IPSEC packages allow you to tunnel using UDP - sorry, just being pedantic here :)

Fair enough :) I learned something today!

OpenSwan never had any trouble with it, which is where all my experience is :D
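The NAT point raised in this exchange, as an added illustration that is not code from anyone in the thread: ESP is IP protocol 50 and carries no transport-layer ports, so a NAT gateway has nothing but the address to map on, whereas NAT-T (RFC 3948) wraps ESP in UDP port 4500 so ordinary port translation works. The toy NAT below models one simplified gateway (its behaviour, the public address and the two branch-router addresses are constructed assumptions) with two inner routers reaching the same peer, first with raw ESP and then with NAT-T.

```python
from dataclasses import dataclass
from typing import Optional

ESP = 50           # IP protocol number of IPsec ESP: carries no transport ports
UDP = 17
NAT_T_PORT = 4500  # UDP port used by IPsec NAT traversal (RFC 3948)

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for raw ESP
    dport: Optional[int] = None

class NatGateway:  # toy port-translating NAT with one public address (assumed value)
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}       # (proto, external port, peer) -> inner (ip, port)
        self.collisions = []  # inner hosts whose ESP mapping overwrote another

    def outbound(self, pkt):
        if pkt.proto == UDP:
            ext, self.next_port = self.next_port, self.next_port + 1
            self.table[(UDP, ext, pkt.dst)] = (pkt.src, pkt.sport)
            return Packet(self.public_ip, pkt.dst, UDP, ext, pkt.dport)
        # Raw ESP: only the address is rewritten, so the key has no port and a
        # second inner host talking to the same peer collides with the first.
        key = (ESP, None, pkt.dst)
        if key in self.table and self.table[key][0] != pkt.src:
            self.collisions.append(pkt.src)
        self.table[key] = (pkt.src, None)  # last writer wins
        return Packet(self.public_ip, pkt.dst, ESP)

    def inbound(self, pkt):
        key = (pkt.proto, pkt.dport if pkt.proto == UDP else None, pkt.src)
        inner = self.table.get(key)
        if inner is None:
            return None  # no matching state: the gateway drops it
        return Packet(pkt.src, inner[0], pkt.proto, pkt.sport, inner[1])

def return_paths(gw, peer, raw_esp):
    """Two inner routers (constructed addresses) each open a tunnel to one peer;
    list the inner address that each of the peer's two replies is delivered to."""
    proto, port = (ESP, None) if raw_esp else (UDP, NAT_T_PORT)
    out = [gw.outbound(Packet(ip, peer, proto, port, port)) for ip in ("10.0.0.2", "10.0.0.3")]
    replies = [gw.inbound(Packet(peer, gw.public_ip, proto, port, o.sport)) for o in out]
    return [r.dst for r in replies if r is not None]
```

With raw ESP both of the peer's replies land on whichever inner router spoke last, while with NAT-T each reply reaches the right router; when a tunnel behind NAT keeps flapping, checking which form is on the wire (`tcpdump -n 'ip proto 50 or udp port 4500'`) is the quick diagnostic.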
 
I've moved from IPsec to OpenVPN as much as I can for persistent tunnels to clients' sites. It's just as easy to configure, and seems a bit more reliable. IPsec sometimes takes a while to reconnect after a tunnel breaks down (either from the connection dropping, or during the normal time-based re-key) when using different brands of gear. My pfSense to Fortinet seems to be the worst.
 
My virtual pfSense runs several site-to-site IPsec tunnels (endpoints are Mikrotik and their OpenVPN implementation is over TCP :() and remote access OpenVPN for my laptop and phone. Works great.

Once I add another ESXi host I may add another pfSense instance for CARP, or I may just use fault tolerance, we'll see.
 