Site-to-Site VPNs (transparent to endpoint)

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
antean
Posts: 1
Joined: Fri Jun 01, 2018 3:23 pm

Site-to-Site VPNs (transparent to endpoint)

Post by antean » Fri Jun 01, 2018 3:37 pm

Hi everyone,

I'm a network engineer though I'm pretty new to SoftEther and wanted to discuss a scenario I'm trying to build in my lab.

What I'm trying to accomplish is a multisite to multisite VPN connections.
Site 1 to Site 2-3
Site 2 to Site 1-3
Site 3 to Site 1-2
Where Site 1 is also the HQ and all sites need to send all traffic to Site 1 as a default route.
Optional ; Site 2 should be the backup HQ for Site 3... So if S1 connection fails, S3 should send all traffic to S2.

Also; No endpoint configuration should be changed... So, the default gateway needs to remain the same.
I'm trying to use the instructions in this link.
https://www.softether.org/4-docs/1-manu ... P_Routing)

Is it doable? am I on the right path? Should I use the SoftEther Bridge package or the server package or both for this?

In terms of scalability and performance, the docs say 4096 connections can be supported per server... Does a single site-to-site VPN count as a single connection? What type of performance metrics should be considered for such site-to-site scenarios?

Also, does SoftEther has support for encryption hardware (such as the ones in enterprise grade hardware based solutions.. Cisco's encryption card on ISR series for instance) to minimize the load on CPU and memory?

I know I asked a lot though there's one more :) Is there a tested docker version of SoftEther server?

Thanks a lot to whoever decides to respond to so many questions in advance.
Ant

thisjun
Posts: 2789
Joined: Mon Feb 24, 2014 11:03 am

Re: Site-to-Site VPNs (transparent to endpoint)

Post by thisjun » Thu Jun 14, 2018 8:07 am

I think changing default gateway is impossible without changing configuration of these endpoints.
What do you think about it?

jvanegmond
Posts: 4
Joined: Tue Jun 19, 2018 7:53 am

Re: Site-to-Site VPNs (transparent to endpoint)

Post by jvanegmond » Tue Jun 19, 2018 8:14 am

Hi,

It sounds like you are on the right path, though it might be easier to use any routers with a built-in VPN capability as is customary in such scenarios. Though for the purposes of building a lab, you might not have the funds available.

As per your questions, to leave the default gateway the same (being: your router), and then route the IP traffic to another site, you need some way to instruct your router to treat this site-to-site traffic in a different way. So at the least you need to be able to change its routing rules. If you can't do that, I recommend the virtual router m0n0wall creating a topology like:

- shared lab connection
-- m0n0wall router
--- SoftEther server
--- all your other systems

SoftEther has the concept of virtual gateways, where the SoftEther server is emulating a gateway and applying its own routing rules to that traffic. If you can create routing rules on your router to send traffic for another site to the SoftEther virtual gateway, the traffic should end up on the other site.

However, this is to the best of my understanding and I've not built such a setup. This would be my approach and there would be learning points along the way.

Kind regards,
jvanegmond

Post Reply