[190359] in North American Network Operators' Group


Re: automated site to site vpn recommendations

daemon@ATHENA.MIT.EDU (Shawn L)
Wed Jun 29 09:32:12 2016

X-Original-To: nanog@nanog.org
Date: Wed, 29 Jun 2016 09:32:06 -0400 (EDT)
From: "Shawn L" <shawnl@up.net>
To: "Paul Nash" <paul@nashnetworks.ca>
In-Reply-To: <3E963AD5-C2C0-4DD7-A312-A14E57AD4A2A@nashnetworks.ca>
Cc: Untitled 3 <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

I believe they fixed this -- when I've spoken to tech support recently, I had to give them a tech support key so that they could access the devices I had questions about.

-----Original Message-----
From: "Paul Nash" <paul@nashnetworks.ca>
Sent: Wednesday, June 29, 2016 8:55am
To: "Untitled 3" <nanog@nanog.org>
Subject: Re: automated site to site vpn recommendations

My biggest issue with Meraki is that their tech staff can run tcpdump on the wired or wireless interface of your Meraki box without having to leave their desk. I have no reason to believe that they are malicious, or in the pay of the NSA, but I am too paranoid to allow their equipment anywhere near me.

Yes, they work well and the cloud control panel makes remote support a breeze; you have to decide how you feel about the insecurity.

 paul

> On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin@gmail.com> wrote:
> 
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present you with all the information you'd need for troubleshooting.
> However, the VPN offers great dynamic tunneling, instant-on performance,
> and is by far the simplest platform to offer a field person. They're also
> tenacious - I've had them connect to the cloud management platform and
> build a VPN under some trying circumstances.
> 
> From a security standpoint, they will offer features that will impress for
> the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> tunnel control), and we've found they punch above their weight and their
> APs perform fantastically.
> 
> We deploy them worldwide many times per year in similar use cases,
> sometimes with 150 users on the LAN. If your routing is simple, you can
> define your security policies, and don't need crazy throughput on your VPN,
> Meraki is the way to go. Be careful though: they have to be continually
> licensed to work and can get pretty expensive if you go for the higher end
> gear. Thus far, we've been able to stick to the cheaper stuff and
> accomplish our goals.
> 
> Dan
> 
> (end)
> On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer@biplane.com.au> wrote:
> 
>> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
>>> In some cases...
>> 
>> The words "in some cases" are a problem with any supposedly plug and
>> play solution.
>> 
>>> We really could use a simple solution that you
>>> just flip on, it calls home, and works...
>> 
>> ...but still requiring someone to enter credentials of some sort,
>> right? Otherwise you have a device wandering about that provides
>> look-mum-no-hands access to your corporate network.
>> 
>> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
>> for a wireless dongle or storage, and has a highly-scriptable operating
>> system. Not a bad platform.
>> 
>> Regards, K.
>> 
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Karl Auer (kauer@biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>> 
>> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>> 
