site to site VPN's

Forums › IT Pro and developers › site to site VPN's

1101

3122 posts

Uber Geek

#204799 18-Oct-2016 10:59

Hi Guys

Site to site IPSEC VPN's , all via sonicwall (low end) firewalls
For 2 site to site VPN's connecting to a Head Office , through Fibre Internet
The firewalls are very old , and low end units, but the VPN's arnt passing alot of data.

Just what sort of reliability can be expected ?
Is it unrealistic to expect site 2 site VPNs to be free from occasional dropouts ?
Or are top of the line , expensive firewall needed for reliable droput free VPNs
Is a dedicated line between sites needed ?

Dynamic

3867 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1652758 18-Oct-2016 11:04

Brief dropouts are not normally an issue as long as the firewall is reconnecting. Are both sites using the same ISP to minimise routing issues? Perhaps put some monitoring in place so you have good data about the interruptions.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Referral links to services I use, really like, and may be rewarded if you sign up:
PocketSmith for budgeting and personal finance management. A great Kiwi company.

Sideface

9357 posts

Uber Geek

Trusted

Lifetime subscriber

#1652760 18-Oct-2016 11:09

" ... The firewalls are very old , and low end units, ..."

What are the "low end units"?

How old is "very old"?

Sideface

networkn

Networkn
32351 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1652763 18-Oct-2016 11:18

If the Sonicwalls are TZ105 onward I'd expect very good reliability IF your connectivity is reliable (You can't have traffic on a road, if there is a break in the road).

CYaBro

4585 posts

Uber Geek

ID Verified

Trusted

#1652768 18-Oct-2016 11:34

We've got one client using two Linksys WRT54GL units, running Tomato firmware, for their site-site VPN.

It is only passing a few RDP sessions but it has never dropped the connection once, and they have been installed for over 5 years now.

They cost less than $100 each at the time.

Both sites are on fibre with the same ISP so that could be helping.

Opinions are my own and not the views of my employer.

Zeon

3916 posts

Uber Geek

Trusted

#1652886 18-Oct-2016 14:02

I Can't speak for Sonicwall but we have used (virtualised) PFsense for years with very high reliability - passing usually 20-30mbps at any time through the network (it's Mesh - probably 30 tunnels or so) with virtually no dropouts. It also supports AES encryption which is CPU accelerated these days... not that it takes a huge amount of CPU anyway....

Perhaps the biggest issue with older devices is that if it only supports DES etc. that these are no longer thought of as secure encryption methods.

Speedtest 2019-10-14

1101

3122 posts

Uber Geek

#1653409 19-Oct-2016 11:09

Any recommendations for an IT company who specialises in site to site VPN's

I need a second opinion , the site to site just isnt reliable
Its all sonicwall TZ170's

toyonut

1508 posts

Uber Geek

#1653428 19-Oct-2016 11:26

Is that an IT company to replace the hardware or configure it?

If it is new hardware, IFM do Cisco and we have never had a bad experience with them. http://www.ifm.net.nz/

Our experience with site to site VPN's has been fine. We run into Azure, one to CHCH and one to our Aussie office and a couple to client sites. All from the main firewall in AKL. We have had one issue with the Aussie office which was due to the ISP in Aussie breaking a route. Other than that they have all been solid. We run Watchguard hardware and the clients are mostly Cisco and one SonicWall.

As others have said, the connection needs to be good to guarantee a good connection. The hardware could (big could as I don't know the hardware) be fine as long as it is not overstressed already or flaky. Just be aware if it is really old, you are not going to have much choice in encryption standards and it might be slow due to no encryption offloading.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B

Wise

Send money globally for less with Wise - one free transfer up to NZ$900 (affiliate link).

1101

3122 posts

Uber Geek

#1653457 19-Oct-2016 12:14

toyonut:

Is that an IT company to replace the hardware or configure it?

If it is new hardware, IFM do Cisco and we have never had a bad experience with them. http://www.ifm.net.nz/

Thanks for that, Ive contacted them

jnimmo

1097 posts

Uber Geek

#1653474 19-Oct-2016 12:32

Also, not sure if you mean all sites are on fibre or just head office

Depending on budget, Cisco Meraki does a wonderful job. MX64 in each site office, MX64W if you need wireless; this can be your router and handles site to site VPN automatically.

Automatic support for dual internet connections too if you wanted to have 4G backup connections or something

Edit - small offices with only a few devices could use the Z1 too pretty well priced

Sideface

9357 posts

Uber Geek

Trusted

Lifetime subscriber

#1653475 19-Oct-2016 12:37

1101:

<snip>

Its all sonicwall TZ170's

Released 2004
Discontinued 2009
Support withdrawn 2011

Sideface

Wheelbarrow01

1723 posts

Uber Geek

Trusted

Chorus

#1653485 19-Oct-2016 12:49

1101:

Any recommendations for an IT company who specialises in site to site VPN's

I need a second opinion , the site to site just isnt reliable
Its all sonicwall TZ170's

[Shameless Plug Alert]

You could also consider the SecureME service from Spark Digital. It's very competitively priced and is scaleable to your needs. See http://www.sparkdigital.co.nz/solutions/security/secureme/ for details. It's self managed via an online portal that the customer or their IT company can use from anywhere.

- Connectivity
- Connection options include ADSL2+ / VDSL / UFB / 3G/4G (optional)
- Connect branch sites securely via a Virtual Private Network (VPN) to create a low cost wide area network or connect to your own existing wide area network. Options available are IPSEC, SSL, PPTP and OpenVPN(SSL)
- Remote user VPN and device connectivity for staff on the move
- WiFi access point supports guest internet access for staff and customers
- Cloud-based self-management portal to remotely manage sites and users.
Security
- ISCA-certified firewall
- Content filtering, centralised management, real-time alerts and reporting
- Optional PCI DSS certification at network level.
Reliability
- 24/7 service desk
- Optional failover from broadband to Spark mobile 3G network
- Single point of accountability for device and internet connection
- SLAs for service recovery
- Next day replacement of hardware for self-managed install if required

The views expressed by me are not necessarily those of my employer Chorus NZ Ltd

vulcannz

436 posts

Ultimate Geek
Inactive user

#1654537 19-Oct-2016 15:43

TZ170s are fairly old and rated to about 30Mbps of IPSEC throughput (they used Cavium Nitrox's for IPSEC acceleration).

You could use them as trade-ins on the SonicWALL Secure Upgrade program. Get yourself a couple of TZ-300s at a decent price under the program, they will handle a 100Mbps fibre circuit with all security services (IPS, GAV/AS, App Control, Web Filtering and SSL Decrypt) enabled - plus the new capture service is a nice malware killer.