site to site VPN's

Forums › IT Pro and developers › site to site VPN's

1101

1597 posts

Uber Geek
+1 received by user: 369

Topic # 204799 18-Oct-2016 10:59

Hi Guys

Site to site IPSEC VPN's , all via sonicwall (low end) firewalls
For 2 site to site VPN's connecting to a Head Office , through Fibre Internet
The firewalls are very old , and low end units, but the VPN's arnt passing alot of data.

Just what sort of reliability can be expected ?
Is it unrealistic to expect site 2 site VPNs to be free from occasional dropouts ?
Or are top of the line , expensive firewall needed for reliable droput free VPNs
Is a dedicated line between sites needed ?

Dynamic

2464 posts

Uber Geek
+1 received by user: 735

Trusted

Lifetime subscriber

Reply # 1652758 18-Oct-2016 11:04

Brief dropouts are not normally an issue as long as the firewall is reconnecting. Are both sites using the same ISP to minimise routing issues? Perhaps put some monitoring in place so you have good data about the interruptions.

"4 wheels move the body. 2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Sideface

4369 posts

Uber Geek
+1 received by user: 2674

Lifetime subscriber

Reply # 1652760 18-Oct-2016 11:09

" ... The firewalls are very old , and low end units, ..."

What are the "low end units"?

How old is "very old"?

Sideface

networkn

18748 posts

Uber Geek
+1 received by user: 5377

Trusted

Lifetime subscriber

Reply # 1652763 18-Oct-2016 11:18

If the Sonicwalls are TZ105 onward I'd expect very good reliability IF your connectivity is reliable (You can't have traffic on a road, if there is a break in the road).

CYaBro

2985 posts

Uber Geek
+1 received by user: 293

Reply # 1652768 18-Oct-2016 11:34

We've got one client using two Linksys WRT54GL units, running Tomato firmware, for their site-site VPN.

It is only passing a few RDP sessions but it has never dropped the connection once, and they have been installed for over 5 years now.

They cost less than $100 each at the time.

Both sites are on fibre with the same ISP so that could be helping.

Computer Repairs Whangarei
Apple Authorised Reseller
Apple Authorised Service Provider

Zeon

3422 posts

Uber Geek
+1 received by user: 410

Trusted

Reply # 1652886 18-Oct-2016 14:02

I Can't speak for Sonicwall but we have used (virtualised) PFsense for years with very high reliability - passing usually 20-30mbps at any time through the network (it's Mesh - probably 30 tunnels or so) with virtually no dropouts. It also supports AES encryption which is CPU accelerated these days... not that it takes a huge amount of CPU anyway....

Perhaps the biggest issue with older devices is that if it only supports DES etc. that these are no longer thought of as secure encryption methods.

1101

1597 posts

Uber Geek
+1 received by user: 369

Reply # 1653409 19-Oct-2016 11:09

Any recommendations for an IT company who specialises in site to site VPN's

I need a second opinion , the site to site just isnt reliable
Its all sonicwall TZ170's

toyonut

1508 posts

Uber Geek
+1 received by user: 213

Reply # 1653428 19-Oct-2016 11:26

Is that an IT company to replace the hardware or configure it?

If it is new hardware, IFM do Cisco and we have never had a bad experience with them. http://www.ifm.net.nz/

Our experience with site to site VPN's has been fine. We run into Azure, one to CHCH and one to our Aussie office and a couple to client sites. All from the main firewall in AKL. We have had one issue with the Aussie office which was due to the ISP in Aussie breaking a route. Other than that they have all been solid. We run Watchguard hardware and the clients are mostly Cisco and one SonicWall.

As others have said, the connection needs to be good to guarantee a good connection. The hardware could (big could as I don't know the hardware) be fine as long as it is not overstressed already or flaky. Just be aware if it is really old, you are not going to have much choice in encryption standards and it might be slow due to no encryption offloading.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B

1101

1597 posts

Uber Geek
+1 received by user: 369

Reply # 1653457 19-Oct-2016 12:14

One person supports this post

toyonut:

Is that an IT company to replace the hardware or configure it?

If it is new hardware, IFM do Cisco and we have never had a bad experience with them. http://www.ifm.net.nz/

Thanks for that, Ive contacted them

jnimmo

What does this tag do
980 posts

Ultimate Geek
+1 received by user: 205

Subscriber

Reply # 1653474 19-Oct-2016 12:32

Also, not sure if you mean all sites are on fibre or just head office

Depending on budget, Cisco Meraki does a wonderful job. MX64 in each site office, MX64W if you need wireless; this can be your router and handles site to site VPN automatically.

Automatic support for dual internet connections too if you wanted to have 4G backup connections or something

Edit - small offices with only a few devices could use the Z1 too pretty well priced

Sideface

4369 posts

Uber Geek
+1 received by user: 2674

Lifetime subscriber

Reply # 1653475 19-Oct-2016 12:37

1101:

<snip>

Its all sonicwall TZ170's

Released 2004
Discontinued 2009
Support withdrawn 2011

Sideface

Wheelbarrow01

886 posts

Ultimate Geek
+1 received by user: 779

Trusted

Chorus

Reply # 1653485 19-Oct-2016 12:49

1101:

Any recommendations for an IT company who specialises in site to site VPN's

I need a second opinion , the site to site just isnt reliable
Its all sonicwall TZ170's

[Shameless Plug Alert]

You could also consider the SecureME service from Spark Digital. It's very competitively priced and is scaleable to your needs. See http://www.sparkdigital.co.nz/solutions/security/secureme/ for details. It's self managed via an online portal that the customer or their IT company can use from anywhere.

- Connectivity
- Connection options include ADSL2+ / VDSL / UFB / 3G/4G (optional)
- Connect branch sites securely via a Virtual Private Network (VPN) to create a low cost wide area network or connect to your own existing wide area network. Options available are IPSEC, SSL, PPTP and OpenVPN(SSL)
- Remote user VPN and device connectivity for staff on the move
- WiFi access point supports guest internet access for staff and customers
- Cloud-based self-management portal to remotely manage sites and users.
Security
- ISCA-certified firewall
- Content filtering, centralised management, real-time alerts and reporting
- Optional PCI DSS certification at network level.
Reliability
- 24/7 service desk
- Optional failover from broadband to Spark mobile 3G network
- Single point of accountability for device and internet connection
- SLAs for service recovery
- Next day replacement of hardware for self-managed install if required

The views expressed by me are not necessarily those of my employer Chorus NZ Ltd

vulcannz

353 posts

Ultimate Geek
+1 received by user: 85

Reply # 1654537 19-Oct-2016 15:43

TZ170s are fairly old and rated to about 30Mbps of IPSEC throughput (they used Cavium Nitrox's for IPSEC acceleration).

You could use them as trade-ins on the SonicWALL Secure Upgrade program. Get yourself a couple of TZ-300s at a decent price under the program, they will handle a 100Mbps fibre circuit with all security services (IPS, GAV/AS, App Control, Web Filtering and SSL Decrypt) enabled - plus the new capture service is a nice malware killer.