Hardware that can do Robust IPSEC w/ 3 Sites

mda (2[H]4U), Joined Mar 23, 2011, Messages: 2,207
Hey all!

Looking for a way to create a robust VPN between 3 sites that can seamlessly maintain connectivity and tolerate the loss of any one ISP at each site:

1. Each site has 2 ISPs (2 DSL connections and static IPs per site). ISP reliability is crap here so we need backups.
2. Each remote site needs a connection with the main office, but each remote site does not need to be connected to the other remote site.
3. Bandwidth requirements are close to none, as we only have <10 Mbps connections.

I need to know what is the cheapest setup/appliance/firewall/vpn router that can do this.

The current VPN is set up via IPSEC on cheap 5-10 year old D-Links that are dying, and is currently very vulnerable to single ISP failures. Apart from this, we have no managed switches of any sort. All are of the unmanaged 10/100 variety.

All the local Cisco resellers are trying to upsell me to an ASA device or firewall that costs more than all the computers at the remote sites put together, for just one unit, and they are telling me I need three...

What are the most cost-effective options I have at this point? Linux boxes?

Other possibly relevant information:
I have a pair of RV320s in the mail, as a stopgap solution in case the DLinks die off tomorrow...

Thanks!
 
If you've got spare hardware lying around, I think the easy setup would be pfSense at all the sites; pfSense supports more than one internet connection.
 
Can these pfsense boxes create VPN/IPSEC tunnels that can tolerate single ISP failures assuming I have two ISPs?

I have a few boxes with spare NICs I can probably use...

I will also start reading up on pfsense as well...
 
I don't know about cheapest, but I do this all the time with Watchguard firewalls. Multi-WAN setup with fault-tolerant VPN tunnels. It's probably possible with UBNT EdgeRouters, but would require some CLI work since their Multi-WAN isn't possible via the WebUI right now.
 
Can these pfsense boxes create VPN/IPSEC tunnels that can tolerate single ISP failures assuming I have two ISPs?

I have a few boxes with spare NICs I can probably use...

I will also start reading up on pfsense as well...

Not sure on tunneling.

I know pfSense supports multiple "internet" connections and can do "kind of balancing".

As long as pfSense can switch away from a failed internet connection (ISP), the VPN client (OpenVPN, in my understanding) can reconnect as long as the endpoint is reachable and can do re-negotiation :D..

Good luck reading up on pfSense.

If possible, get a processor that has AES... :D This is very useful when using AES encryption in a VPN without costing much processing power!
 
Cost effective? Probably the EdgeRouter Lite. They handle Multi-WAN as well.
 
Edgerouter pro or Mikrotik CCR-1009

Do some research on both OSes for the pros/cons of either OS. UBNT EdgeOS is a little more user friendly, Mikrotik RouterOS is a little more configurable.

The CCR-1009 also has a 10Gb model if that makes a difference for you.

Either is overkill for your application but it's better that way because future bandwidth upgrades will be covered. It could be done cheaper, but then you would have to buy more hardware after a bandwidth upgrade.
 
Thank you all for the replies...

I don't know about cheapest, but I do this all the time with Watchguard firewalls. Multi-WAN setup with fault-tolerant VPN tunnels. It's probably possible with UBNT EdgeRouters, but would require some CLI work since their Multi-WAN isn't possible via the WebUI right now.

Cost effective? Probably the EdgeRouter Lite. They handle Multi-WAN as well.

Found a watchguard distributor in our country. Will try to check with UBNT ones as well. I have no experience with any managed/CLI based switches and routing but I'm willing to give it a try. (That's what they pay me for :O)

Not sure on tunneling.

I know pfSense supports multiple "internet" connections and can do "kind of balancing".

As long as pfSense can switch away from a failed internet connection (ISP), the VPN client (OpenVPN, in my understanding) can reconnect as long as the endpoint is reachable and can do re-negotiation :D..

Good luck reading up on pfSense.

If possible, get a processor that has AES... :D This is very useful when using AES encryption in a VPN without costing much processing power!

Thanks. Already downloaded the installer but will probably do the install this weekend... On first glance at the settings though, pfSense doesn't seem to support failover (I did not see this in the settings menu).

Edgerouter pro or Mikrotik CCR-1009

Do some research on both OSes for the pros/cons of either OS. UBNT EdgeOS is a little more user friendly, Mikrotik RouterOS is a little more configurable.

The CCR-1009 also has a 10Gb model if that makes a difference for you.

Either is overkill for your application but it's better that way because future bandwidth upgrades will be covered. It could be done cheaper, but then you would have to buy more hardware after a bandwidth upgrade.

Looking for Mikrotik distros too at this point. I've always heard the name being floated around but never really knew which niche they were in. I'll check them out. Thanks!

TP-Link TL-WDR3600 boxes running OpenWRT most likely ;-)

Are there any lower models that will support what I need with OpenWRT? A quick check of the online stores in my country doesn't show any WDR3600s... but thanks for the info!
 
There is no simple clicking to set up multiple WANs for balancing or failover on pfSense.

You have to know what you are doing.
The instructions are in the pfSense wiki docs.

I found a full explanation of how to set it up in plain English at http://www.tecmint.com/how-to-setup-failover-and-load-balancing-in-pfsense/

As someone said, if you want to buy an off-the-shelf solution, do not buy an entry-level model, since you will end up replacing it with a mid-range or higher model due to the slow hardware in entry-level models.
 
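The pfSense multi-WAN setup the post above points to is built from per-gateway monitoring plus a gateway group with tiers and a trigger level, which is why there is no single "failover" switch to find in the menus. As an added illustration (my own model of that selection logic, not pfSense's code), here is the decision in Python: each WAN's monitor readings are compared against low (warning) and high (down) thresholds, the group evicts members according to its trigger level, and the lowest tier that still has a usable member carries the traffic. The gateway names, thresholds, trigger names and monitor readings are constructed for the example.

```python
"""Added example, not pfSense code: a model of how a pfSense-style gateway
group picks the active WAN from per-gateway monitor readings.  Gateway
names, thresholds and monitor samples are constructed for the illustration."""
from dataclasses import dataclass


@dataclass
class Monitor:
    loss_pct: float
    rtt_ms: float
    reachable: bool = True   # False once the monitor IP stops answering


@dataclass(frozen=True)
class Gateway:
    name: str
    tier: int                # 1 = preferred; members of one tier share load
    loss_warn: float = 10.0  # assumed thresholds: % loss and ms latency
    loss_down: float = 20.0
    rtt_warn: float = 200.0
    rtt_down: float = 500.0


def status(gw, m):
    """Above the high thresholds the gateway is 'down'; above the low ones
    it only carries a 'loss' or 'latency' warning."""
    if not m.reachable or m.loss_pct >= gw.loss_down or m.rtt_ms >= gw.rtt_down:
        return {"down"}
    flags = set()
    if m.loss_pct >= gw.loss_warn:
        flags.add("loss")
    if m.rtt_ms >= gw.rtt_warn:
        flags.add("latency")
    return flags


# Group trigger level: which warning states, besides 'down', evict a member.
TRIGGERS = {
    "member_down": set(),
    "packet_loss": {"loss"},
    "high_latency": {"latency"},
    "loss_or_latency": {"loss", "latency"},
}


def active_members(group, monitors, trigger="member_down"):
    """Members of the lowest tier that still has a usable gateway.  Two
    members on the same tier balance; a higher tier is used only while
    every lower tier is empty, and traffic returns as soon as a lower
    tier recovers (failback is automatic)."""
    evict = {"down"} | TRIGGERS[trigger]
    usable = [gw for gw in group if not (status(gw, monitors[gw.name]) & evict)]
    if not usable:
        return []
    best = min(gw.tier for gw in usable)
    return [gw.name for gw in usable if gw.tier == best]


def timeline(group, snapshots, trigger="member_down"):
    """Active members for each successive set of monitor readings."""
    return [active_members(group, snap, trigger) for snap in snapshots]


FAILOVER = (Gateway("WAN1", tier=1), Gateway("WAN2", tier=2))  # WAN2 only as backup
BALANCED = (Gateway("WAN1", tier=1), Gateway("WAN2", tier=1))  # both carry traffic

SNAPSHOTS = [  # constructed monitor readings, in time order
    {"WAN1": Monitor(0.0, 30.0), "WAN2": Monitor(0.0, 45.0)},   # both healthy
    {"WAN1": Monitor(12.0, 40.0), "WAN2": Monitor(0.0, 45.0)},  # WAN1 dropping packets
    {"WAN1": Monitor(100.0, 0.0, reachable=False), "WAN2": Monitor(0.0, 45.0)},  # WAN1 dead
    {"WAN1": Monitor(0.0, 30.0), "WAN2": Monitor(0.0, 45.0)},   # WAN1 restored
    {"WAN1": Monitor(0.0, 0.0, reachable=False), "WAN2": Monitor(0.0, 0.0, reachable=False)},
]

if __name__ == "__main__":
    for trig in ("member_down", "loss_or_latency"):
        print(trig, timeline(FAILOVER, SNAPSHOTS, trig))
    print("balanced", timeline(BALANCED, SNAPSHOTS))
```

The point the trigger level makes for a DSL site: with "member down" a WAN that is only dropping 12% of packets stays active, while "loss or latency" moves traffic off it early. The group only steers the router's own routing; the far end of any tunnel still has to accept the connection from whichever WAN address becomes active.
 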
I have personally had great luck with Fortigate units with dual-ISP, dual-IPSEC failover. What's great is they even created a help doc to help the end user configure it. I honestly don't know if the other manufacturers listed here do or not, since I have not used them. You mentioned you wanted maximum connectivity and reliability. This gives you 4 possible connection paths with failover and failback.

http://docs-legacy.fortinet.com/fos...iOS%205.0%20Help/redundant-tunnel.121.05.html
 
Thank you all again for your replies.

A vendor I was in contact with came back with a quotation for SonicWall TZ300s and a TZ500 for the main site. Might be too pricey for the company, and it comes with UTM that we may not need at this point...

Contacted some Mikrotik distributors. 2 days and no word from them yet.

There is no simple clicking to set up multiple WANs for balancing or failover on pfSense.

You have to know what you are doing.
The instructions are in the pfSense wiki docs.

I found a full explanation of how to set it up in plain English at http://www.tecmint.com/how-to-setup-failover-and-load-balancing-in-pfsense/

As someone said, if you want to buy an off-the-shelf solution, do not buy an entry-level model, since you will end up replacing it with a mid-range or higher model due to the slow hardware in entry-level models.

Thanks. Will check this out! Yes, I am wary of entry level stuff. If budget permits, I intend to get hardware that is one grade higher if it is an OTS solution.

I've had good luck with Zyxel IPSEC Firewalls

Dual Wan and Failover IPSEC.

We've had the Zywall distributor come and demo the system at our office.

What appears to be the problem is that, based on their demo, the robust IPSEC with failover only works one way.

I.e. it assumes that the static IP at the main site is always reachable (no fault tolerance with regards to uptime at the main site).

Either this is the case, or the people who were demonstrating the product couldn't configure it well. =/

I have personally had great luck with Fortigate units with dual-ISP, dual-IPSEC failover. What's great is they even created a help doc to help the end user configure it. I honestly don't know if the other manufacturers listed here do or not, since I have not used them. You mentioned you wanted maximum connectivity and reliability. This gives you 4 possible connection paths with failover and failback.

http://docs-legacy.fortinet.com/fos...iOS%205.0%20Help/redundant-tunnel.121.05.html

Will try to find distributors in our country. Thank you so much!

@ mda
Which country?

Philippines.

Again, thank you all so much for your replies! Very much appreciated!
 
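Two things in the posts above deserve a concrete sketch: the Fortigate reply's point that two ISPs on each end give 4 possible paths per tunnel, and the Zywall demo's problem that failover only worked toward a single main-site address. For the "Linux boxes?" option the original post raised, here is an added example (my own, not from the thread or from any vendor) that plans a hub-and-spoke IPsec layout for the thread's three sites with two ISPs each and renders each site's strongSwan swanctl.conf plus the Linux policy-routing rules it needs. The design uses one IKEv2 SA per spoke whose remote_addrs lists both of the peer's addresses (charon moves to the next address when initiation fails), MOBIKE so a site can move to its other ISP without renegotiating, and DPD with restart so a dead path is torn down and re-dialed. The site names, addresses (RFC 5737 documentation ranges), interface names and PSKs are constructed placeholders.

```python
"""Added example, not code from the thread or from any vendor: plan the
tunnels for a hub-and-spoke IPsec VPN where every site has two ISPs, and
render each site's strongSwan swanctl.conf plus the Linux policy-routing
rules it needs.  Site names, addresses (RFC 5737 documentation ranges),
interface names and PSKs are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Wan:
    ip: str        # static address from this ISP
    gateway: str   # the ISP's gateway
    iface: str     # Linux interface facing the ISP (assumed name)


@dataclass(frozen=True)
class Site:
    name: str
    wans: tuple    # two Wan entries per site, as in the thread
    lan: str       # subnet behind the site


HUB = Site("main", (Wan("192.0.2.10", "192.0.2.1", "eth1"),
                    Wan("198.51.100.10", "198.51.100.1", "eth2")), "10.0.0.0/24")
SPOKES = (
    Site("branch1", (Wan("203.0.113.10", "203.0.113.1", "eth1"),
                     Wan("203.0.113.130", "203.0.113.129", "eth2")), "10.0.1.0/24"),
    Site("branch2", (Wan("192.0.2.50", "192.0.2.1", "eth1"),
                     Wan("198.51.100.50", "198.51.100.1", "eth2")), "10.0.2.0/24"),
)


def peers_of(site, hub, spokes):
    """The hub peers with every spoke; a spoke peers only with the hub, so
    the branches never get a tunnel to each other."""
    return list(spokes) if site == hub else [hub]


def swanctl_conf(site, hub, spokes, psks):
    """swanctl.conf for one site: one IKEv2 SA per peer, both of the peer's
    ISP addresses in remote_addrs, MOBIKE for our own ISP switch, DPD with
    restart so a dead path is re-dialed (next address is tried on failure)."""
    conns, secrets = [], []
    for peer in peers_of(site, hub, spokes):
        name = f"{site.name}-{peer.name}"
        psk = psks[peer.name if site == hub else site.name]  # one PSK per spoke
        start = "trap" if site == hub else "start"  # spokes dial, hub answers
        conns.append("\n".join([
            f"    {name} {{",
            "        version = 2",
            "        mobike = yes",
            f"        remote_addrs = {', '.join(w.ip for w in peer.wans)}",
            "        proposals = aes256-sha256-x25519",
            "        dpd_delay = 10s",
            "        keyingtries = 0",
            f"        local {{\n            auth = psk\n            id = @{site.name}.vpn\n        }}",
            f"        remote {{\n            auth = psk\n            id = @{peer.name}.vpn\n        }}",
            "        children {",
            "            lan {",
            f"                local_ts = {site.lan}",
            f"                remote_ts = {peer.lan}",
            "                esp_proposals = aes256gcm16-x25519",
            f"                start_action = {start}",
            "                dpd_action = restart",
            "            }",
            "        }",
            "    }",
        ]))
        secrets.append("\n".join([
            f"    ike-{name} {{",
            f"        id-1 = @{site.name}.vpn",
            f"        id-2 = @{peer.name}.vpn",
            f'        secret = "{psk}"',
            "    }",
        ]))
    return ("connections {\n" + "\n".join(conns) + "\n}\n"
            "secrets {\n" + "\n".join(secrets) + "\n}\n")


def policy_routing_cmds(site):
    """IKE/ESP replies must leave through the ISP whose address they carry,
    or the other ISP drops them as spoofed and the peer declares the tunnel
    dead.  One routing table per WAN, selected by source address."""
    cmds = []
    for n, wan in enumerate(site.wans, start=1):
        table = 100 + n
        cmds.append(f"ip route add default via {wan.gateway} dev {wan.iface} table {table}")
        cmds.append(f"ip rule add from {wan.ip} table {table}")
    return cmds


if __name__ == "__main__":
    PSKS = {"branch1": "replace-with-long-random-psk-1", "branch2": "replace-with-long-random-psk-2"}
    for site in (HUB,) + SPOKES:
        print(f"# ---- {site.name}: /etc/swanctl/swanctl.conf")
        print(swanctl_conf(site, HUB, SPOKES, PSKS))
        print("\n".join(policy_routing_cmds(site)), "\n")
```

Identities are fixed names rather than addresses, so the hub recognises a branch whichever of its two ISPs it arrives from; this is what avoids the one-way failover seen in the Zywall demo, where only the branch end could move. The per-WAN routing tables are the piece most often forgotten on a hand-built Linux router. What this config does not do is switch a site's own default route when its primary ISP dies; that remains the job of whatever multi-WAN health check the platform provides, and the multi-address behaviour of remote_addrs is worth verifying on the strongSwan version actually installed.
 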
Assuming your DSL is providing less than 100 Mbit, another option is to pick up 3 or 4 used Juniper/Netscreen SSG5s. They handle both site-to-site VPN and ISP failover. Failover switching is automatic and reverts to the primary when service is restored.

Available on the used market for around $100US each. Make sure the seller is including the power supply. Three would work for your 2 remotes and 1 main. The fourth could be a quick to deploy spare.
 