Then, the question becomes:
- Is it better to keep full mesh / standalone endpoints (such as the current
IP-IP)? But if so, how to handle Plug and Play and NAT traversal?
- Or is it better to have small local gateways managed by skilled teams,
and end-users connecting to those gateways with simpler PnP VPN systems?
We chose the second option, with a fully home-made design (OpenWRT, OpenVPN, OSPF), because it best suited our needs, and because we are an island, with few inter-connects with the rest of the world.
Same thing here. We are not an island, but still we feel that we need to use a local gateway where everyone is connected using modern technologies compatible with today's internet connections and equipment. Our gateway is still connected to the IPIP mesh, but the individual stations are connected using another VPN type.
It seems lots of people in the world are using similar designs, with a central gateway and endpoints connecting to it via VPNs. Maybe we just have to share our experiences, and adopt some kind of "standardized" rules for our gateways?
That is what I am trying to do... and reduce their complexity by dropping the old IPIP mesh and using some newer technologies that are available in standard routers, so it will become easier to set up a gateway.
Rob