[190355] in North American Network Operators' Group


RE: automated site to site vpn recommendations

daemon@ATHENA.MIT.EDU (Richard Greasley)
Tue Jun 28 13:14:04 2016

X-Original-To: nanog@nanog.org
From: "Richard Greasley" <greasley@superfund.net>
To: "'Dan Stralka'" <mrsyeltzin@gmail.com>,
 "'Karl Auer'" <kauer@biplane.com.au>
In-Reply-To: <CAJk2XQcLH=57as+beEjOi784WtnB9XquQ5hVdbWEZVX74s1Oig@mail.gmail.com>
Date: Tue, 28 Jun 2016 12:21:50 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Another option is Checkpoint Edge devices.
We use them worldwide with little to no problems.
They're centrally managed and support central logging which is a plus when trying to diagnose issues.
They support dynamic IP addresses as well, so just plug it in and you should be good to go.
Not the cheapest solution, but for sure they get the job done.

Regards,
Richard.


-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Dan Stralka
Sent: Monday, June 27, 2016 6:28 PM
To: Karl Auer
Cc: nanog@nanog.org
Subject: Re: automated site to site vpn recommendations

I would second Meraki for the situation you describe. I don't feel that
they are the most capable platform, they're expensive, and don't always
present you with all the information you'd need for troubleshooting.
However, the VPN offers great dynamic tunneling, instant-on performance,
and are by far the simplest platform to offer a field person.  They're also
tenacious - I've had them connect to the cloud management platform and
build a VPN under some trying circumstances.

From a security standpoint, they will offer features that will impress for
the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
tunnel control), and we've found they punch above their weight and their
APs perform fantastically.

We deploy them worldwide many times per year in similar use cases,
sometimes with 150 users on the LAN. If your routing is simple, you can
define your security policies, and don't need crazy throughput on your VPN,
Meraki is the way to go.  Be careful though: they have to be continually
licensed to work and can get pretty expensive if you go for the higher end
gear.  Thus far, we've been able to stick to the cheaper stuff and
accomplish our goals.

Dan

(end)
On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer@biplane.com.au> wrote:

> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > In some cases...
>
> The words "in some cases" are a problem with any supposedly plug and
> play solution.
>
> > We really could use a simple solution that you
> > just flip on, it calls home, and works...
>
> ...but still requiring someone to enter credentials of some sort,
> right? Otherwise you have a device wandering about that provides
> look-mum-no-hands access to your corporate network.
>
> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> for a wireless dongle or storage, and has a highly-scriptable operating
> system. Not a bad platform.
>
> Regards, K.
>
> --
> =
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Karl Auer (kauer@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4



