
    VPN hardware suggestions.

    • hobbit666 @Dashrender

      @Dashrender said in VPN hardware suggestions.:

      That said you could use other things to test the VPN status - like a ping test.

      That's what we do with our MPLS sites: just use Zabbix to ping all endpoints, see if they are "up", and notify when down.

      • scottalanmiller @hobbit666

        @hobbit666 said in VPN hardware suggestions.:

        @Dashrender said in VPN hardware suggestions.:

        That said you could use other things to test the VPN status - like a ping test.

        That's what we do with our MPLS sites: just use Zabbix to ping all endpoints, see if they are "up", and notify when down.

        Yup, just keep doing that with a VPN. A point to point VPN system should require you to change nothing from the MPLS setup. MPLS is built to mimic standard VPN setups. It's all the same to the network user level of things.

        • iroal

          I like pfSense; I use it with OpenVPN with good results.

          The latest version includes WireGuard support.

          • siringo

            Thanks everyone for the help. I'll look into everything mentioned.

            • JasGot @siringo

              @siringo said in VPN hardware suggestions.:

              Thanks everyone for the help. I'll look into everything mentioned.

              Some of the comments would lead you to believe SonicWall is not a good solution, either from central management issues or license fees.

              I can't speak to the central management issues because we've chosen to not bother with it.

              We have about 350 SonicWalls in the field and nearly all of them have S2S VPNs set up among branches, as well as Global VPN set up for remote users (there is a fee for the Global VPN license).

              Every one of them has a VPN into our lab for end user support. I fired up #7 to get this screenshot.

              As far as your main question about reliable VPN end points, I have been happy with the SonicWall devices. I like their "Wizard" setups for staff that are new to SonicWall. It makes an S2S VPN about a 5-minute task (for both sides, not each side, but then, that would still only be 10 minutes!).

              We also use the IP Tunnel connections in the SonicWall when we need to control routing, i.e. not hub-and-spoke type routing.

              The appliances can be pricey if you want to take full advantage of today's high speed broadband, but overall, we have been very satisfied with the products, especially the VPN stability.

              Here's a SS of one:
              No special/Add-on licensing; note the 1000 S2S VPNs allowed and the 12 Global VPNs allowed.
              This SonicWall does have 60 VPN Clients licensed to it, about 45 are in use daily.

              5dd6782e-209c-4bc2-afd5-72ee1d55d99e-image.png

              • siringo @JasGot

                @JasGot Thanks for the help, there's some real world product experience there, which I can use. I appreciate the effort. Thanks.

                • 1337 @JasGot

                  @JasGot said in VPN hardware suggestions.:

                  5dd6782e-209c-4bc2-afd5-72ee1d55d99e-image.png

                  @JasGot On a side note, aren't you running insecure cryptos?
                  I thought 3DES-HMAC-SHA1 was considered obsolete and insecure.

                  Normally you'd see something like AES-CBC-256-SHA256 or AES-GCM-256-SHA256.

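An added example, not from the thread or from any vendor: one way to check a fleet of tunnels for the kind of proposal flagged in the post above. It parses labels in the form quoted there and reports DES/3DES ciphers and MD5/SHA-1 hashes. The policy tables, function names and sample inventory are assumptions made for the example.

```python
import re

# Assumed policy for this example; not taken from the thread or vendor documentation.
WEAK_CIPHERS = {"DES": "56-bit key", "3DES": "64-bit block size, legacy cipher"}
WEAK_HASHES = {"MD5": "deprecated hash", "SHA1": "deprecated hash (collisions demonstrated)"}
MODES = {"CBC", "CTR", "GCM", "CCM"}

def parse_proposal(label):
    """Split a label like 'AES-CBC-256-SHA256' or '3DES-HMAC-SHA1' into fields."""
    text = re.sub(r"SHA-(\d)", r"SHA\1", label.strip().upper())  # SHA-1 -> SHA1
    tokens = [t for t in re.split(r"[-_/ ]+", text) if t and t != "HMAC"]
    if not tokens:
        raise ValueError("empty proposal label")
    fields = {"cipher": tokens[0], "mode": None, "bits": None, "hash": None}
    for tok in tokens[1:]:
        if tok in MODES:
            fields["mode"] = tok
        elif tok.isdigit():
            fields["bits"] = int(tok)
        elif tok.startswith("SHA") or tok == "MD5":
            fields["hash"] = tok
    return fields

def audit(label):
    """Return the findings for one proposal label; an empty list means acceptable."""
    p = parse_proposal(label)
    findings = []
    if p["cipher"] in WEAK_CIPHERS:
        findings.append(f"cipher {p['cipher']}: {WEAK_CIPHERS[p['cipher']]}")
    elif p["cipher"] != "AES":
        findings.append(f"cipher {p['cipher']}: not recognised, review manually")
    if p["hash"] in WEAK_HASHES:
        findings.append(f"hash {p['hash']}: {WEAK_HASHES[p['hash']]}")
    elif p["hash"] is None and p["mode"] not in {"GCM", "CCM"}:
        findings.append("no integrity algorithm listed for a non-AEAD cipher")
    return findings

def audit_fleet(tunnels):
    """Map tunnel name -> findings, keeping only tunnels that need attention."""
    return {name: f for name, label in tunnels.items() if (f := audit(label))}

# Constructed inventory: tunnel names are hypothetical, labels follow the thread's format.
SAMPLE = {
    "branch-a": "3DES-HMAC-SHA1", "branch-b": "AES-CBC-256-SHA256",
    "branch-c": "AES-GCM-256-SHA256", "branch-d": "aes-cbc-128-sha-1",
}

if __name__ == "__main__":
    print(audit_fleet(SAMPLE))
```
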
                  • JasGot @1337

                    @Pete-S said in VPN hardware suggestions.:

                    thought 3DES-HMAC-SHA1 was considered obsolete and insecure.
                    Normally you'd see something like AES-CBC-256-SHA256 or AES-GCM-256-SHA256.

                    It is. I had it changed right after I took the screenshot. It's an HR problem. 🙂

                    • Dashrender @JasGot

                      @JasGot said in VPN hardware suggestions.:

                      @Pete-S said in VPN hardware suggestions.:

                      thought 3DES-HMAC-SHA1 was considered obsolete and insecure.
                      Normally you'd see something like AES-CBC-256-SHA256 or AES-GCM-256-SHA256.

                      It is. I had it changed right after I took the screenshot. It's an HR problem. 🙂

                      I'm curious - how is that an HR problem?

                      • JasGot @Dashrender

                        @Dashrender said in VPN hardware suggestions.:

                        I'm curious - how is that an HR problem?

                        Employee didn't complete assigned duties.
