automated site to site vpn recommendations

Wed Jun 29 18:40:06 UTC 2016

Guys, thanks for all the responses. Thanks to everyone's feedback, we have a number of options that were not on the original list and that is what I was hoping for. Now it's a matter of comparing cost/learning-curve/support-challenge/compatibility with tools/monitoring, etc...
Thanks again.

> From: rich at tehorange.com
> Date: Wed, 29 Jun 2016 09:03:06 -0400
> Subject: Re: automated site to site vpn recommendations
> To: paul at nashnetworks.ca
> CC: nanog at nanog.org
> 
> For several of our clients, we use Sophos UTMs coupled with their RED
> units.  Once registered with the UTM, the RED unit auto creates an SSL
> based VPN back to the UTM.  The RED unit is managed from the UTM and pulls
> it's config when it boots. It's similar to the function of Meraki without
> the direct cloud management portion, though the config profile does get
> pushed to a section of Sophos' cloud.
> 
> -Rich
> 
> On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash <paul at nashnetworks.ca> wrote:
> 
> > My biggest issue with Meraki is that their tech staff can run tcpdump on
> > the wired or wireless interface of your Meraki box without having to leave
> > their desk.  I have no reason to believe that they are malicious, or in the
> > pay of the NSA, but I am too paranoid to allow their equipment anywhere
> > near me.
> >
> > Yes, they work well and the cloud control panel makes remote support a
> > breeze; you have to decide how you feel about the insecurity.
> >
> >         paul
> >
> > > On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin at gmail.com> wrote:
> > >
> > > I would second Meraki for the situation you describe. I don't feel that
> > > they are the most capable platform, they're expensive, and don't always
> > > present you with all the information you'd need for troubleshooting.
> > > However, the VPN offers great dynamic tunneling, instant-on performance,
> > > and are by far the simplest platform to offer a field person.  They're
> > also
> > > tenacious - I've had them connect to the cloud management platform and
> > > build a VPN under some trying circumstances.
> > >
> > > From a security standpoint, they will offer features that will impress
> > for
> > > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > > tunnel control), and we've found they punch above their weight and their
> > > APs perform fantastically.
> > >
> > > We deploy them worldwide many times per year in similar use cases,
> > > sometimes with 150 users on the LAN. If your routing is simple, you can
> > > define your security policies, and don't need crazy throughput on your
> > VPN,
> > > Meraki is the way to go.  Be careful though: they have to be continually
> > > licensed to work and can get pretty expensive if you go for the higher
> > end
> > > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > > accomplish our goals.
> > >
> > > Dan
> > >
> > > (end)
> > > On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer at biplane.com.au> wrote:
> > >
> > >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > >>> In some cases...
> > >>
> > >> The words "in some cases" are a problem with any supposedly plug and
> > >> play solution.
> > >>
> > >>> We really could use a simple solution that you
> > >>> just flip on, it calls home, and works...
> > >>
> > >> ...but still requiring someone to enter credentials of some sort,
> > >> right? Otherwise you have a device wandering about that provides look
> > >> -mum-no-hands access to your corporate network.
> > >>
> > >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> > >> for a wireless dongle or storage, and has a highly-scriptable operating
> > >> system. Not a bad platform.
> > >>
> > >> Regards, K.
> > >>
> > >> --
> > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >> Karl Auer (kauer at biplane.com.au)
> > >> http://www.biplane.com.au/kauer
> > >> http://twitter.com/kauer389
> > >>
> > >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> > >>
> > >>
> > >>
> > >>
> >
> >