1597 posts

Uber Geek
+1 received by user: 369


Topic # 204799 18-Oct-2016 10:59
Send private message

Hi Guys

Site to site IPsec VPNs, all via SonicWall (low end) firewalls
For 2 site to site VPNs connecting to a Head Office, through Fibre Internet
The firewalls are very old, and low end units, but the VPNs aren't passing a lot of data.

Just what sort of reliability can be expected?
Is it unrealistic to expect site to site VPNs to be free from occasional dropouts?
Or are top of the line, expensive firewalls needed for reliable dropout free VPNs?
Is a dedicated line between sites needed?
2464 posts

Uber Geek
+1 received by user: 735

Trusted
Lifetime subscriber

  Reply # 1652758 18-Oct-2016 11:04
Send private message

Brief dropouts are not normally an issue as long as the firewall is reconnecting.  Are both sites using the same ISP to minimise routing issues?  Perhaps put some monitoring in place so you have good data about the interruptions.





"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams
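The monitoring suggested above, as an added example that is not from the thread: a small Python script that records a reachability probe across the tunnel on a fixed schedule and turns the log into dropout intervals and an availability figure, so you know whether you are seeing brief flaps or real outages. The probe schedule, the `probe` helper (Linux iputils `ping` flags) and the sample log are assumptions constructed for the example.

```python
import subprocess

PROBE_INTERVAL = 30     # seconds between probes (assumed schedule)
MIN_OUTAGE_PROBES = 2   # a single lost probe is packet loss, not a dropout


def probe(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo to a host on the far LAN; True if it answered.
    Assumes Linux iputils ping (-c count, -W timeout)."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def find_outages(samples, min_probes=MIN_OUTAGE_PROBES):
    """Return (start_ts, end_ts, lost_probes) per dropout in a (ts, ok) log.

    A dropout starts at the first failed probe and ends at the next success;
    runs shorter than min_probes are counted as isolated loss, not dropouts.
    """
    outages, start, lost = [], None, 0
    for ts, ok in samples:
        if not ok:
            start = ts if start is None else start
            lost += 1
        elif start is not None:
            if lost >= min_probes:
                outages.append((start, ts, lost))
            start, lost = None, 0
    if start is not None and lost >= min_probes:    # still down at end of log
        outages.append((start, samples[-1][0] + PROBE_INTERVAL, lost))
    return outages


def availability(samples) -> float:
    """Fraction of probes that succeeded."""
    return sum(1 for _, ok in samples if ok) / len(samples)


# Constructed sample log: one probe every 30 s for 10 minutes.
T0 = 1476756000  # arbitrary epoch start (constructed)
SAMPLE_LOG = [(T0 + i * PROBE_INTERVAL, ok) for i, ok in enumerate(
    [True, True, False, True, True, False, False, False, True, True,
     True, True, True, True, True, True, True, True, True, False])]

if __name__ == "__main__":
    for s, e, n in find_outages(SAMPLE_LOG):
        print(f"tunnel down at +{s - T0}s for {e - s}s ({n} probes lost)")
    print(f"availability: {availability(SAMPLE_LOG):.1%}")
```

Run it from a host on one LAN against an address on the other LAN, appending `(time.time(), probe(host))` to the log every PROBE_INTERVAL seconds; compare the dropout timestamps with the firewall's IKE/IPsec log and the ISP's outage notices.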

4369 posts

Uber Geek
+1 received by user: 2674

Lifetime subscriber

  Reply # 1652760 18-Oct-2016 11:09
Send private message

" ... The firewalls are very old , and low end units, ..."

What are the "low end units"?

How old is "very old"?





Sideface
18748 posts

Uber Geek
+1 received by user: 5377

Trusted
Lifetime subscriber

  Reply # 1652763 18-Oct-2016 11:18
Send private message

If the Sonicwalls are TZ105 onward I'd expect very good reliability IF your connectivity is reliable (You can't have traffic on a road, if there is a break in the road).
2985 posts

Uber Geek
+1 received by user: 293


  Reply # 1652768 18-Oct-2016 11:34
Send private message

We've got one client using two Linksys WRT54GL units, running Tomato firmware, for their site-to-site VPN.

It is only passing a few RDP sessions but it has never dropped the connection once, and they have been installed for over 5 years now.

They cost less than $100 each at the time.

Both sites are on fibre with the same ISP so that could be helping.





3422 posts

Uber Geek
+1 received by user: 410

Trusted

  Reply # 1652886 18-Oct-2016 14:02
Send private message

I can't speak for SonicWall but we have used (virtualised) pfSense for years with very high reliability - passing usually 20-30 Mbps at any time through the network (it's mesh - probably 30 tunnels or so) with virtually no dropouts. It also supports AES encryption which is CPU accelerated these days... not that it takes a huge amount of CPU anyway....

Perhaps the biggest issue with older devices is that if they only support DES etc., these are no longer thought of as secure encryption methods.








1597 posts

Uber Geek
+1 received by user: 369


  Reply # 1653409 19-Oct-2016 11:09
Send private message

Any recommendations for an IT company who specialises in site to site VPNs?

I need a second opinion, the site to site just isn't reliable
It's all SonicWall TZ170s


1508 posts

Uber Geek
+1 received by user: 213


  Reply # 1653428 19-Oct-2016 11:26
Send private message

Is that an IT company to replace the hardware or configure it?

If it is new hardware, IFM do Cisco and we have never had a bad experience with them. http://www.ifm.net.nz/

Our experience with site to site VPNs has been fine. We run into Azure, one to CHCH and one to our Aussie office and a couple to client sites. All from the main firewall in AKL. We have had one issue with the Aussie office which was due to the ISP in Aussie breaking a route. Other than that they have all been solid. We run WatchGuard hardware and the clients are mostly Cisco and one SonicWall.

As others have said, the connection needs to be good to guarantee a good connection. The hardware could (big could as I don't know the hardware) be fine as long as it is not overstressed already or flaky. Just be aware if it is really old, you are not going to have much choice in encryption standards and it might be slow due to no encryption offloading.





Try Vultr using this link and get us both some credit:
http://www.vultr.com/?ref=7033587-3B




1597 posts

Uber Geek
+1 received by user: 369


  Reply # 1653457 19-Oct-2016 12:14
One person supports this post
Send private message

toyonut:

Is that an IT company to replace the hardware or configure it?

If it is new hardware, IFM do Cisco and we have never had a bad experience with them. http://www.ifm.net.nz/

Thanks for that, I've contacted them

980 posts

Ultimate Geek
+1 received by user: 205

Subscriber

  Reply # 1653474 19-Oct-2016 12:32
Send private message

Also, not sure if you mean all sites are on fibre or just head office.

Depending on budget, Cisco Meraki does a wonderful job. MX64 in each site office, MX64W if you need wireless; this can be your router and handles site to site VPN automatically.

Automatic support for dual internet connections too if you wanted to have 4G backup connections or something.

Edit - small offices with only a few devices could use the Z1 too, pretty well priced.


4369 posts

Uber Geek
+1 received by user: 2674

Lifetime subscriber

  Reply # 1653475 19-Oct-2016 12:37
Send private message

1101:

<snip>

It's all SonicWall TZ170s

Released 2004
Discontinued 2009
Support withdrawn 2011





Sideface


886 posts

Ultimate Geek
+1 received by user: 779

Trusted
Chorus

  Reply # 1653485 19-Oct-2016 12:49
Send private message

1101:

Any recommendations for an IT company who specialises in site to site VPNs?

I need a second opinion, the site to site just isn't reliable
It's all SonicWall TZ170s

[Shameless Plug Alert]

You could also consider the SecureME service from Spark Digital. It's very competitively priced and is scalable to your needs. See http://www.sparkdigital.co.nz/solutions/security/secureme/ for details. It's self managed via an online portal that the customer or their IT company can use from anywhere.

    Connectivity
    • Connection options include ADSL2+ / VDSL / UFB / 3G/4G (optional)
    • Connect branch sites securely via a Virtual Private Network (VPN) to create a low cost wide area network or connect to your own existing wide area network. Options available are IPsec, SSL, PPTP and OpenVPN (SSL)
    • Remote user VPN and device connectivity for staff on the move
    • WiFi access point supports guest internet access for staff and customers
    • Cloud-based self-management portal to remotely manage sites and users.

    Security
    • ICSA-certified firewall
    • Content filtering, centralised management, real-time alerts and reporting
    • Optional PCI DSS certification at network level.

    Reliability
    • 24/7 service desk
    • Optional failover from broadband to Spark mobile 3G network
    • Single point of accountability for device and internet connection
    • SLAs for service recovery
    • Next day replacement of hardware for self-managed install if required



The views expressed by me are not necessarily those of my employer Chorus NZ Ltd


353 posts

Ultimate Geek
+1 received by user: 85


  Reply # 1654537 19-Oct-2016 15:43
Send private message

TZ170s are fairly old and rated to about 30 Mbps of IPsec throughput (they used Cavium Nitrox for IPsec acceleration).

You could use them as trade-ins on the SonicWALL Secure Upgrade program. Get yourself a couple of TZ-300s at a decent price under the program; they will handle a 100 Mbps fibre circuit with all security services (IPS, GAV/AS, App Control, Web Filtering and SSL Decrypt) enabled - plus the new Capture service is a nice malware killer.
