Need VPN site to site solution

Oyeve

Lifer
Oct 18, 1999
21,938
837
126
I need a cheap site to site VPN solution for work. We currently have 2 sites talking to each other with 2 old, I mean OLD, Sonicwall SOHO3 devices. I have 2 more sites going up and the current Sonicwall devices only allow 1 direct connection each. I need to have 3 remote sites connecting to my main site (where I work now). Please, I need to know what VPN devices can do this. Cheap is the key word here. The Sonicwalls are pretty easy as they are basically what I have been working with. Any recommendations? I have up to 5k to work with.
 

Jamsan

Senior member
Sep 21, 2003
795
0
71
Juniper SRX devices - good performance, cheap - Junos might be a bit of a learning curve, but not sure how good/bad their GUI is. The low-end devices start at about $400 or so and offer 65Mbps of VPN tunnel performance. Good to get those at branches and slightly larger model at HQ (220/240).

Should be able to get 1x 220/240 and 5x SRX100s for about 5k.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Yeah, SRXs would be good.

Or, perhaps some Cisco 1841s and set up DMVPN or something. Lots of options.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
ASA 5505. Make sure you pay attention to the license model on each: they come standard allowing 10 devices behind it for around $500, and they also sell 50 and unlimited, with unlimited being around $800.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
I need a cheap site to site VPN solution for work. We currently have 2 sites talking to each other with 2 old, I mean OLD, Sonicwall SOHO3 devices. I have 2 more sites going up and the current Sonicwall devices only allow 1 direct connection each. I need to have 3 remote sites connecting to my main site (where I work now). Please, I need to know what VPN devices can do this. Cheap is the key word here. The Sonicwalls are pretty easy as they are basically what I have been working with. Any recommendations? I have up to 5k to work with.

Most vendors' IPSec implementations are reasonably mature, so pretty much anything will work properly. You already know Sonicwall, so if they can provide the firewalls you need while keeping you within your budget, you may as well go that route. I'm partial to Fortinet, but I don't think they can meet your budget constraints. If you need something really cheap, you may want to take a look at Zyxel or Netgear.

Regardless of which vendor you go with, check their IPSec throughput to ensure that you'll get the speeds you need with the cipher you decide to use.

Also, avoid the Cisco ASA line. It's difficult to work with, generally outclassed by the competition in pretty much every metric I can think of, and to top it off, they're pretty expensive for what you get.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
Also, avoid the Cisco ASA line. It's difficult to work with, generally outclassed by the competition in pretty much every metric I can think of, and to top it off, they're pretty expensive for what you get.

I don't find it at all difficult to work with. When was the last time you used it? ASDM has come a long way. I'm typically not one for a GUI when it comes to network operations, but the ASDM is a fine example of a GUI done right in my book. Clean and easy to work with.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
I don't find it at all difficult to work with. When was the last time you used it? ASDM has come a long way. I'm typically not one for a GUI when it comes to network operations, but the ASDM is a fine example of a GUI done right in my book. Clean and easy to work with.

ASDM has come a long way. The interface is now merely mediocre. I remember when simply browsing around the configuration tabs in ASDM would hard-lock the ASA.

While ASDM has gotten slightly better, the ASA's usability issues extend beyond its user interface.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
ASDM has come a long way. The interface is now merely mediocre. I remember when simply browsing around the configuration tabs in ASDM would hard-lock the ASA.

While ASDM has gotten slightly better, the ASA's usability issues extend beyond its user interface.

It's no more cumbersome than anything else Cisco puts out. Once you learn it, you can zip around very fast. That goes for ASDM and command line.
 

Oyeve

Lifer
Oct 18, 1999
21,938
837
126
Thanks for the suggestions, guys. Lots of products to research. One more thing. When I started here there was only one ISP connection at each location. I have since added a backup circuit to the 2 locations, but the Sonicwall SOHO3 devices we use allow only 1 WAN per device. It would be nice to actually use the secondary circuits to 1, boost speed and 2, get seamless connectivity if the primary circuit goes down. Do any of the devices above have dual-WAN options? I will do more in-depth research this week, but I appreciate the suggestions and it helps narrow down my searching. Thanks guys!
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
I have used FortiGate firewalls with multi-WAN links without issues. I imagine SonicWALL has a similar capability, although you'll want to see if such functionality requires a license. The Juniper folks will have to chime in on their device support.

Be advised that the ASA line can handle multiple WAN links for failover purposes only. The ASA cannot actively load balance between multiple WAN links. According to Cisco, this is because the "ASA Is Not A Router," even though anyone with two firing neurons can see right through that excuse. This is one of the numerous limitations of the ASA line, and why I steer clear of them.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Thanks for the suggestions, guys. Lots of products to research. One more thing. When I started here there was only one ISP connection at each location. I have since added a backup circuit to the 2 locations, but the Sonicwall SOHO3 devices we use allow only 1 WAN per device. It would be nice to actually use the secondary circuits to 1, boost speed and 2, get seamless connectivity if the primary circuit goes down. Do any of the devices above have dual-WAN options? I will do more in-depth research this week, but I appreciate the suggestions and it helps narrow down my searching. Thanks guys!

Honestly, if you've got multi-WAN environments, you're going to need something more robust.

Seriously, if money is the primary concern, buy a 2811 used at the main site and some 891s (or 1841s) at the remote sites and run DMVPN.
 

Oyeve

Lifer
Oct 18, 1999
21,938
837
126
Sonicwall tz200 at main site and tz100 at remote sites
Why the TZ200 at main and not just TZ100 at all sites? My research on these says they each have 5 built-in site to site connections. For my setup: main site (on a SOHO3 now), second site (on a SOHO3 connecting to main site) and 2 other sites not connected yet. I was thinking that each site would connect to the main site and I would still have 1 VPN site to site connection at the ready. These devices look like they would do the job and are pretty cheap. The other sites have, at the most, 8 people, so the traffic would be pretty light.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
Both the TZ100 and 200 offer dual WAN. The main difference is throughput. If your main site doesn't need a lot of speed for your Internet, go with it. We have high bandwidth pipes and needed additional speed at our main site. The 100 can put through about 30mbs or so.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
I have used FortiGate firewalls with multi-WAN links without issues. I imagine SonicWALL has a similar capability, although you'll want to see if such functionality requires a license. The Juniper folks will have to chime in on their device support.

Be advised that the ASA line can handle multiple WAN links for failover purposes only. The ASA cannot actively load balance between multiple WAN links. According to Cisco, this is because the "ASA Is Not A Router," even though anyone with two firing neurons can see right through that excuse. This is one of the numerous limitations of the ASA line, and why I steer clear of them.

Yeah, it would be nice to support this via the ASA, but multi links are higher end business features. You should be running BGP with your ISP for most cases where failover is a priority. Wouldn't mind seeing it still.
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
You could use something like Untangle, which has OpenVPN or IPSec VPN, WAN balancing, and WAN failover. Just install it on some stable hardware, and you're good to go. You can toss in extra network cards for multiple networks. And it will do firewall, e-mail, web, protocol filtering as well. It can scale pretty nicely with powerful hardware too.

You'll have to pay for the WAN balancing and WAN failover features...

http://demo.untangle.com/
http://www.untangle.com/store/ipsec-conf.html
 

Oyeve

Lifer
Oct 18, 1999
21,938
837
126
So, I ordered 2 Sonicwall TZ-100. I already uploaded the latest FW on one and did a quick config on my secondary circuit just to get it live on the web. I am going to the NJ site in a couple of days and will do the same, then set up and config the VPN SA. So far I like these little devices. I wish I could just export the config from my Sonicwall SOHO3 into these babies and be done with it. But the setups are pretty straightforward.
 

Broheim

Diamond Member
Feb 17, 2011
4,592
2
81
We use Sonicwall firewalls at work and generally speaking they're good, BUT! Their support is not that good and we've been burned twice by bugs in firmware updates.
So don't update right away and wait for some other schmuck (e.g. me) to be your guinea pig.
 