VPN recommendations?

Rich Greenwood rgreenwood at shastacoe.org
Fri Feb 11 19:46:15 UTC 2022


The port forwarding only applies to manual NAT traversal.  If you use auto
NAT traversal, it takes care of that.  Because all of the connections are
coordinated through the dashboard, the Auto-VPN will typically work even if
all nodes are behind NAT.  I've used them on the end of Verizon (CG-NAT)
connections and they work fine.  I have had one instance where three of
them were behind the same single IP NAT and the third would fail to
connect.  We had to get one of them moved to a different NAT IP to solve
that.

If you're looking for a simple to use, easy to manage VPN appliance, the MX
(and Z) Meraki products will work.  The config is entirely handled through
the dashboard, so no-touch, drop ship deployments are an option.  You can
provide view only access to users per network, so the customer or a first
level tech could be given the ability to look but not break anything.

All of the MX and Z products will work in a single VPN, so you can pick the
device that best fits the requirements.  For a small office with one or two
people, the Z3 works great, it even has one PoE port for an IP phone.  For
larger sites or the core site, they go up to 6Gb (I think) of throughput
for the MX450, with redundant power and uplinks.

As others have pointed out, they are license based and they don't work
without a license, and they are a Cisco product, so pricing will depend on
how good your relationship is with your Cisco rep. :)  One big caveat: they
are still lacking in the IPv6 realm so if that is a requirement, they won't
work right now.
--Rich


> ---------- Forwarded message ----------
> From: William Herrin <bill at herrin.us>
> To: Shawn L <shawnl at up.net>
> Cc: "nanog at nanog.org" <nanog at nanog.org>
> Bcc:
> Date: Thu, 10 Feb 2022 10:54:39 -0800
> Subject: Re: VPN recommendations?
> On Thu, Feb 10, 2022 at 10:18 AM Shawn L <shawnl at up.net> wrote:
> > Meraki MX series? Dynamic IPs and NATs don't really cause them a
> > problem.  Some CGNats do (AT&T I'm looking at you).
>
> Thanks Shawn,
>
> The documentation I found at
>
> https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
> suggests that the NAT firewall has to be explicitly configured to
> deliver UDP 500/4500 to the Meraki behind it. Are you aware of any
> documentation that describes:
>
> LAN - Meraki - NAT (dynamic IP) - Internet - (static IP) Meraki - LAN
>
> Where the left-side Meraki is responsible for establishing and keeping
> the NAT translations alive without any special configuration on the
> NAT?
>
> Regards,
> Bill
>


-- 
Rich Greenwood
Network Engineer
Shasta County Office of Education
Information Technology
1644 Magnolia Ave.
Redding, CA 96001
Office: 530-225-0161
Hotline: 530-225-0279
rgreenwood at shastacoe.org