Possible Site to Site VPN Solution

Hey Guys,

Long time no talk I have been very busy.

I am looking into a site-to-site VPN solution. I was wondering what you guys have used in the past. I need to set up two offices with ~8 Mb down and 3 Mb up. About 6 computers on each side of the office, and the only thing in the foreseeable future going over the VPN will be ~50-100 MB files.

I was looking into the SonicWalls, but have never used one before. Do you have to pay a monthly licensing fee for those?

What other hardware is good? Any good software solutions?

I was hoping to keep it around $500-700 to connect the two offices.
 
Two ASA 5505 standard licenses.

Use Site to Site VPN (IPSEC), set it and forget it.

That is it. Easy as pie, rock solid performance. And cheeeeep.
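As an added illustration of the ASA-to-ASA IPsec tunnel recommended here (this is not configuration from the original thread, from Cisco, or from any poster), below is the office-A side of a site-to-site (L2L) tunnel in ASA 8.4+ syntax. The LAN subnets 192.168.10.0/24 and 192.168.20.0/24, the peer address 203.0.113.2, the object, ACL and crypto-map names, and the pre-shared key placeholder are all assumptions; office B mirrors the configuration with the subnets and the peer address swapped and the same pre-shared key.

```cisco
! --- Office A ASA (example, assumed addressing) ---

! Phase 1 (IKEv1) policy: must match the peer exactly
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside

! Phase 2 transform set (ESP with AES-256 and SHA-1 HMAC)
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: office A LAN <-> office B LAN (assumed subnets)
object network OFFICE-A-LAN
 subnet 192.168.10.0 255.255.255.0
object network OFFICE-B-LAN
 subnet 192.168.20.0 255.255.255.0
access-list L2L-OFFICE-B extended permit ip object OFFICE-A-LAN object OFFICE-B-LAN

! NAT exemption: traffic for the tunnel keeps its private source address
nat (inside,outside) source static OFFICE-A-LAN OFFICE-A-LAN destination static OFFICE-B-LAN OFFICE-B-LAN no-proxy-arp route-lookup

! Crypto map entry for this peer, bound to the outside interface
crypto map OUTSIDE-MAP 10 match address L2L-OFFICE-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside

! Peer definition; the key below is a placeholder, use a long random value
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-long-random-key
```

To check the tunnel once traffic has been sent across it, `show crypto ikev1 sa` should list the peer in state MM_ACTIVE and `show crypto ipsec sa peer 203.0.113.2` should show encaps/decaps counters climbing; `packet-tracer input inside tcp 192.168.10.5 1234 192.168.20.5 445` walks a packet through NAT and the crypto map and shows whether it would be encrypted. The phase 1 policy, transform set, ACL (mirrored) and SA lifetimes must match on both ends; a mismatch is the usual reason a tunnel either never comes up or drops at rekey time.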
 
Or (2) Zyxel USG 100 slightly cheaper.

Use site to site VPN (IPSEC), set it and forget it.

That is it. Easy as pie, rock solid performance. And no Cisco tax.
Seriously though, Cisco ASA, or Zyxel USG you won't regret either choice.
 
Once again I say use a couple of ASA 5505s; they are really very good for low-throughput VPNs.
 
Tons of firewalls out there which are less than 300 bucks each, with no yearly rape fees, that do site-to-site VPN tunnels very well...even Cisco's Small Business series (previously Linksys small business series) RV models.

Personally I prefer *nix distros like pfSense or Untangle to do the tunnels...a bit more horsepower for that tunnel.
 
We have used Cisco ASAs at my location; however, we share another campus with another school and we had to use a WatchGuard, but I am going to tell you to stay clear of those. They may be cheaper, but they act cheaper too and do not work well with other equipment. Stick with Cisco ASAs if you have a choice.
 
No, but it's only a 10-user license, so only 10 devices can connect from behind the firewall.
 
The Zyxel USG 100 has no user restrictions in that sense.
However the USG 100, when used as DHCP is limited to 128 reserved IP addresses.
The USG 50 is limited to 64.


The Zyxel USG series VPN firewalls are BSD-based and have no issues running for years without a reboot.
 
I've set up a VPN between two offices using the SonicWall TZ100s. Aside from adjusting the timeout of the VPN so it would stop renegotiating the tunnel in the middle of their work day, it's been a very rock-solid, fire-and-forget setup. Didn't need to pay any license fees for it.

Also have a few offices with the Cisco RV042s that are markedly less stable. One setup is two offices VPN'ed together that, for a couple of months, would have to disconnect and reconnect the VPN every couple of weeks because it stopped working. That one has been solid for about 3 months now. Another setup is 5 offices with VPNs going from each RV042 to every other RV042 that was mostly set up when we took it on. Every couple of months, one or two of the tunnels also needs to be disconnected/reconnected because it stops responding.
 
We dumped the Cisco RV series for the Zyxel USGs. It was no comparison; the Cisco RV series is junk.
 
Cisco ASA 5505s are not exactly low-throughput VPN; they support up to 100 Mbps VPN data rates. So unless you are rocking some serious internet connection and a budget to back it, you probably are not looking for 5505s anyway and are looking at 5510/5520+ with VPN modules installed.

I say $650 for two 5505s; use site-to-site. There are no yearly fees with Cisco to use their hardware. If you want yearly fees you can buy a TAC agreement, which is very wise anyway for the added support and warranty. But there are no maintenance fees like some of these other all-in-ones out there.

Since you didn't ask, I will say it anyway.... if you want throughput, a 5585-S60 will net you 5 Gbps VPN data rates, but at a cost.... $150,000 bones! USD
 
You will never get 100 Mbps VPN through a 5505; you don't even get 100 Mbps via a 5510.
 
> You will never get 100 Mbps VPN through a 5505; you don't even get 100 Mbps via a 5510.

That is just according to official Cisco docs.

However, you are right, and also there is NO VPN on the market that will break 100 Mbps throughput for the price range of $300.00, at least that I can say I have encountered.

No, not pfSense either, because you have to factor in the cost of the hardware to build the machine.
 
> That is just according to official Cisco docs.
>
> However, you are right, and also there is NO VPN on the market that will break 100 Mbps throughput for the price range of $300.00, at least that I can say I have encountered.
>
> No, not pfSense either, because you have to factor in the cost of the hardware to build the machine.

The pfSense machines I currently spec are about $335

will do those speeds...

This is using a Supermicro server board w/ Atom and dual Intel gig NICs... you can definitely get it done cheaper than that though.... depending on your form factor... for example you could even swap the SSD for a 16GB USB thumb drive on the internal port... that gets you to $300 right there...

http://www.newegg.com/Product/Product.aspx?Item=N82E16811128072
http://www.newegg.com/Product/Product.aspx?Item=N82E16820146723
http://www.newegg.com/Product/Product.aspx?Item=N82E16820227510
http://www.newegg.com/Product/Product.aspx?Item=N82E16813182233

swap out the case for these for rackmount:

http://www.newegg.com/Product/Product.aspx?Item=N82E16811152107
http://www.newegg.com/Product/Product.aspx?Item=N82E16835119049
 
I use ALIX 2D3s on half a dozen sites with <10 Mbit connections, all connecting back to an ASA in the main office. Running pfSense in the branch offices.

You can buy it all direct from PC Engines on their site - the ALIX board costs about $105, case is $10, 2GB CF card is $12, power supply is $5 (although they don't do US adapters, just get one off Amazon.com). Takes about 10 minutes to set up a pfSense box once you know what you are doing.

Extremely low power, no moving parts, can easily do double the speed you need with IPsec, and no ongoing costs. Get one with 3 ports, and you can have some fun later if you want by dropping in a miniPCI card (DMZ? wireless? faster VPN en/decryption?).

But saying that, the ASA5505 is a great piece of hardware.
 
> The pfSense machines I currently spec are about $335
>
> will do those speeds...
>
> This is using a Supermicro server board w/ Atom and dual Intel gig NICs... you can definitely get it done cheaper than that though.... depending on your form factor... for example you could even swap the SSD for a 16GB USB thumb drive on the internal port... that gets you to $300 right there...
>
> http://www.newegg.com/Product/Product.aspx?Item=N82E16811128072
> http://www.newegg.com/Product/Product.aspx?Item=N82E16820146723
> http://www.newegg.com/Product/Product.aspx?Item=N82E16820227510
> http://www.newegg.com/Product/Product.aspx?Item=N82E16813182233
>
> swap out the case for these for rackmount:
>
> http://www.newegg.com/Product/Product.aspx?Item=N82E16811152107
> http://www.newegg.com/Product/Product.aspx?Item=N82E16835119049

Have you benchmarked the D510 at 100 Mbps AES-128-CBC IPsec? I have a hard time seeing how it would manage it. The numbers I've seen put Atoms in the 50 Mbps range.
 
Cisco (preferred) or Juniper.

5505 works great for site-to-site VPNs. I'm hosting a bunch of tunnels from one of mine. That thing is an absolute tank. Uptime on it was 400-some days until I did an update a few days ago.

Funny thing: Java won't let you back into ASDM after the uptime is beyond 365 days. You have to use the CLI or reboot to reset the uptime.
 
> Have you benchmarked the D510 at 100 Mbps AES-128-CBC IPsec? I have a hard time seeing how it would manage it. The numbers I've seen put Atoms in the 50 Mbps range.

Actually, this is exactly what I use at home! And yes, IPsec performance at the top end is about 50 Mbps - not much less than a 5510. But add a crypto accelerator and you could probably push 80-90 Mbps.

Also, use a normal HDD (or better yet, an SSD partitioned to about 8GB) and you have an incredibly powerful little gateway device that'll run Snort, Squid, Apache, Asterisk, FTP/TFTP, etc., and still not break a sweat.
 
I agree that custom pfSense boxes can fill the gap between "dumb" gateways and full-on UTM devices. However, if all you want to do is set up an IPsec tunnel, then a dedicated device for such a thing isn't a bad idea. There are other problems with pfSense in such a scenario, like not treating each tunnel like its own interface, and problems assigning a tunnel as a gateway for other networks.
 
Thanks for getting back, guys. At work we use the ASAs with a concentrator. But apparently you can set up a VPN between them too, huh? I will try and look up how to do that tonight.

And with the ASA I can have 10 devices behind it? Does that mean it will only hand out 10 IP addresses?
 
I'll still endorse the Zyxel USGs with no subscriptions. They are fantastic VPN devices and excel at what you are trying to do.

At your price point....

USG 100 would be my first choice: 90 Mbps VPN
That said, using an ASA 5510 would be my runner-up choice, and it goes out of your budget: just under 90 Mbps VPN
ASA 5505 would probably be third choice: 50+ Mbps VPN
USG 50 would be the most inexpensive option: ~50 Mbps VPN
 
Thanks guys,

We don't get possession of the building that I am working in until the 27th. Once that happens we will look at the network situation. So far, though, I like the Zyxel USGs.
 
I'd use ASAs with a tunnel built between them because that's what I know how to work with. I can't argue with some of the other solutions here that are cheaper and just as effective, but with Cisco I know where I stand.

I spent over an hour on a conference call today with WatchGuard tech support and one of our enterprise customers, arguing with WatchGuard as to why the hell their device couldn't just send RFC 1918 traffic to a gateway IP on our MPLS router so that the LAN could communicate across the MPLS with other subnets. "It's not possible!" is what they kept telling me. If it was an ASA, I could have taken care of the issue instantly. Instead, WatchGuard made us set up a whole 'nother subnet on the MPLS so that they could set up an "optional trust", and the customer had to reconfigure his network equipment to operate on the new subnet. I still have no idea why it was necessary.

Does your carrier support using an MPLS? That's something else worth considering if they do.
 
> Tons of firewalls out there which are less than 300 bucks each, with no yearly rape fees, that do site-to-site VPN tunnels very well...even Cisco's Small Business series (previously Linksys small business series) RV models.
>
> Personally I prefer *nix distros like pfSense or Untangle to do the tunnels...a bit more horsepower for that tunnel.

+1 for pfSense. OpenVPN, IPsec, PPTP, or L2TP built in. Take your pick. Cert manager on board. 2 old computers and some NICs and you are off to the tunnel.
 