VPN hardware suggestions.

scottalanmiller

@Dashrender said in VPN hardware suggestions.:

@siringo said in VPN hardware suggestions.:

Thanks Scott. These sites don't always have staff, so it'd be good to be able glance at something to make sure everything is still up.

I'll take a look at the Unifi stuff.

If there is no staff, why does it matter if it's up?
That said you could use other things to test the VPN status - like a ping test.

Which is a better test, anyway.

scottalanmiller

@siringo said in VPN hardware suggestions.:

Thanks Scott. These sites don't always have staff, so it'd be good to be able glance at something to make sure everything is still up.

I'll take a look at the Unifi stuff.

You'll want pings for that. A VPN GUI isn't as reliable as monitoring at the network level. You don't want a GUI that shows things up, you want monitoring that alerts when things go down. A GUI that shows up would only be beneficial if you had excess IT staff with nothing to do with their time and you were trying to keep them busy. Since you have less staff than you'd like, it's monitoring that you need so that you don't have to worry about it until an alarm goes off.

hobbit666

@Dashrender said in VPN hardware suggestions.:

That said you could use other things to test the VPN status - like a ping test.

That's what we do with our MPLS sites just use zabbix to ping all endpoints see if they are "up" and notify when down

scottalanmiller

@hobbit666 said in VPN hardware suggestions.:

@Dashrender said in VPN hardware suggestions.:

That said you could use other things to test the VPN status - like a ping test.

That's what we do with our MPLS sites just use zabbix to ping all endpoints see if they are "up" and notify when down

Yup, just keep doing that with a VPN. A point to point VPN system should require you to change nothing from the MPLS setup. MPLS is built to mimic standard VPN setups. It's all the same to the network user level of things.

iroal

I like Pfsense, I use it with Openvpn with good results.

Last version includes Wireguard support.

siringo

Thanks everyone for the help. I'll look into everything mentioned.

JasGot

@siringo said in VPN hardware suggestions.:

Thanks everyone for the help. I'll look into everything mentioned.

Some of the comments would lead you to believe Sonicwall is not a good solution, either from central management issues or license fees.

I can't speak to the central management issues because we've chosen to not bother with it.

We have about 350 Sonicwalls in the field and nearly all of them have S2S VPNs setup among branches, as well as Global VPN setup for remote users (there is a fee for the Global VPN license).

Every one of them has a VPN into our lab for end user support. I fired up #7 to get this screenshot.

As far as your main question about reliable VPN end points, I have been happy with the Sonicwall devices. I like their "Wizard" setups for staff that are new to Sonicwall. It makes a S2S VPN about a 5 minute task (for both sides, not each side, but then, that would still only be 10 minutes!)

We also use the IP Tunnel connections in the Sonicwall when we need to control routing, ie not hub and spoke type routing.

The appliances can be pricey if you want to take full advantage of todays high speed broadband, but overall, we have been very satisfied with the products, especially the VPN stability.

Here's a SS of one:
No special/Add-on licensing; note the 1000 S2S VPNs allowed and the 12 Global VPNs allowed.
This Sonicwall does have 60 VPN Clients licensed to it, about 45 are in use daily.

siringo

@JasGot Thanks for the help, there's some real world product experience there, which I can use. I appreciate the effort. Thanks.

1337

@JasGot said in VPN hardware suggestions.:

@JasGot On a side note aren't you running insecure cryptos?
I thought 3DES-HMAC-SHA1 was considered obsolete and insecure.

Normally you'd see something like AES-CBC-256-SHA256 or AES-GCM-256-SHA256.

JasGot

@Pete-S said in VPN hardware suggestions.:

thought 3DES-HMAC-SHA1 was considered obsolete and insecure.
Normally you'd see something like AES-CBC-256-SHA256 or AES-GCM-256-SHA256.

It is. I had it changed right after I took the screen shot. It's an HR problem.

Dashrender

@JasGot said in VPN hardware suggestions.:

@Pete-S said in VPN hardware suggestions.:

thought 3DES-HMAC-SHA1 was considered obsolete and insecure.
Normally you'd see something like AES-CBC-256-SHA256 or AES-GCM-256-SHA256.

It is. I had it changed right after I took the screen shot. It's an HR problem.

I'm curious - how is that an HR problem?

JasGot

@Dashrender said in VPN hardware suggestions.:

I'm curious - how is that an HR problem?

Employee didn't complete assigned duties.