Christ Schlacta lists at aarcane.org
Wed Jan 18 01:00:04 CET 2012

Since no one has replied yet, I'll just let you all know what the plan 
is, and update you on any issues that arise.  The initial deployment was 
having the VPN endpoint on the same machine as the router.  I'm simply 
going to reimplement it identically.  The only changes I foresee needing 
are some new certificates for the new hosts.

On 1/12/2012 16:50, Christ Schlacta wrote:
> I'm hosting a VPN endpoint for a few roadwarrior clients (our laptops 
> and phones mostly), and I'm now at the point where I must decide: do 
> I place the roadwarrior endpoints on the virtualized router (right now 
> they're on the physical router), on their own virtual machine (CPU 
> pinning anyone?), or on one of the VPN physical host machines?
> Some of the things I've come up with to consider and could use answers 
> to:
> 1) The routers will be configured for failover.  Can the VPN endpoint 
> fail over with the router?
> 2) Does the VPN endpoint use any characteristics of the CPU such that 
> VT-x instructions are insufficient (KVM/QEMU virtual machines)?  I 
> don't have VT-d available.
> 3) Placing the endpoint on the VM hosts will certainly lead to 
> complications in the firewall and routing tables.  Is the benefit of 
> placing the endpoint on that physical machine worth the extra hassle?
> 4) What am I missing here?  I know it's kinda obvious, but it always 
> worries me in situations like this.
> I'm using charon, IKEv2, and insofar as I remember, clients are 
> identified by a certificate file.

