Recommended VPN Routers for site-to-site

Hi experts

In Office A we have a LAN of about 10 users and have Windows Server 2008.
In Office B we have a LAN of about 6 users without a server.
We also have about 3 or 4 roaming users.

We guess that we should implement a site-to-site VPN solution between Office A and Office B which will allow Office A and Office B to share network resources, but will also allow roaming users to 'dial in'.

In this landscape of VPN routers, there are about 6 or more companies, and there are a whole range of routers and solutions. There's Netgear, Cisco, SonicWall, Nortel, D-Link, Fortinet, etc.
Can you provide any advice or recommendation to help us decide who to go with? What product to go with? What to look for in a product? etc.
We hear Cisco is the best but it is the most expensive.
We hear Netgear comes highly recommended.

Your help is appreciated
Titan22 Commented:
The Cisco ASAs provide site-to-site IPSec or SSL VPN capability, as well as remote access and they are excellent firewalls.
Pete Long, Technical Consultant, Commented:
Hello rfwoolf,

If they are small offices you can also do this with Cisco 800 series routers - the Cisco 837 will also provide wireless access for the offices as well :)


rfwoolf (Author) Commented:
Thanks but we don't really see a need for Wireless (and I personally hate Wireless).
But what I'm not hearing is why you guys recommend Cisco - and why we should pay more for it. I appreciate the recommendations, and I'm printing out Titan22's link to the ASA series, and one supplier is going to quote us on 1x ASA5510-BUN-K9 for the head office and 2x ASA5505-SEC=BUN-K9 for branches. But again, if Netgear comes in much cheaper why shouldn't I just go with that?

I find VPNs complicated beasts. For me to make an "educated decision" I would have to spend several more days researching. :)

While Cisco is expensive, with technology you get what you pay for and yes Netgear will definitely come in cheaper, but I don't trust Netgear equipment to work well in a business environment.  I won't even buy Netgear products for my home network.  D-Link is another good manufacturer, but I've never used them in a production environment for a business.  Cisco support will also cost some money, but once you get it installed you'll be happy with the purchase you made.

By the way, I am not affiliated with Cisco in any way.
RPPreacher Commented:
Use what you can support.

I have been doing Cisco since...well... a long time (I'm the old man in the IT department) so I use Cisco but if you have someone on staff that knows Juniper, use it.

Don't plan on implementing a VPN and not being able to support it.  VPNs introduce a whole other layer of complexity.

Personally I like the Cisco PIX/ASA because of the IPSec offloading for better throughput.  But they are expensive...
tigermatt Commented:
Everyone has their own likes and dislikes. I have personally been using Netgear and HP Procurve equipment in home and business networks for years, and have never had a problem.

Your deployment sounds similar to a small business I support. We run two Netgear FVS114 VPN firewalls in each office, which create the site-to-site VPN connection between the two offices. Works flawlessly and the hardware is much cheaper than the Cisco kit.

In very large enterprise environments, Netgear wouldn't stand a chance because the big names (HP, Cisco, Nortel) excel in these situations. However for most businesses which operate in a small environment with only a few users, you cannot justify the cost of Cisco equipment if cheaper kit will suffice (and you can support it).

rfwoolf (Author) Commented:
Thanks tigermatt...

Here's a ballbreaker with NetGear that I've only just discovered (and still trying to understand)
...with a model like the FVS336G VPN Router, it supports up to 25 IPsec VPN tunnels - this is apparently used for branch-to-branch or site-to-site connections. So to connect two branches (two routers) you use one of these tunnels. Right? But for remote users to 'dial in' and use one of these tunnels, you have to buy a NetGear VPN Client software license for about $50.
However, this Router does come with 10 SSL VPN tunnels which can be used by Remote Users without a NetGear VPN Client software license.
So with this router, if you have more than 10 remote users, you gotta buy them licenses.
This... is .

I can't understand why we can't have one versatile router that can do all of this WITHOUT client software?
I can't understand why they are separating the protocols like this? Why is IPSec used for branch-to-branch but SSL is only used for roaming users?

Now I have to go through all the Netgear router models to try and identify one that isn't full of  ;)

The model I use to link the two sites is the FVS114. Agreed, it does have a limit to the number of remote tunnels supported, but it is ideal for linking two offices. For remote sessions from remote users when away from either office, I offer a PPTP VPN direct into their office's server, which is much better and integrates more nicely with Windows than the Netgear implementation.

I do believe most router models require specialist software to connect to their VPNs, which is why I prefer RRAS in conjunction with NPS on Server 2008.

Sanga Collins, Systems Admin, Commented:
I recommend the Juniper NetScreen 5GT.

They are EOL so you can get them cheap on eBay ($150 and less for unlimited devices).
They have the same ScreenOS (firmware) as the newer SSG devices, so you actually get $800 worth of features.
They are simple to configure but have the ability to support very complex network setups.
The VPN feature set is very flexible and allows several different VPN configs to be used at once for different needs.
FYI - SSL VPN licenses are typically per connection not per user.  So your 10 licenses would cover 10 concurrent connections not 10 users (you could cover 100 users but only 10 could connect at a time).

SSL VPN is the latest trend for clientless VPN connect (you connect using a web address).  Example:  your user browses to, they enter a username/password and they have remote access.
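The point about SSL VPN licenses being counted per concurrent connection rather than per named user is easy to misread, so here is a small admission-control model that makes it concrete. This is an added example, not code from the thread or from any vendor's product; the `LicensePool` class, the `serve_in_shifts` workload and the `userNNN` names are all constructed for illustration.

```python
"""Model of per-connection (concurrent) SSL VPN licensing.

A pool of N licenses admits at most N sessions at the same time. Any
number of distinct users can be served over a day as long as no more
than N of them are logged in at once. Class and function names are
made up for this example.
"""
import itertools
import logging
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

log = logging.getLogger("sslvpn-licences")


@dataclass
class LicensePool:
    """Concurrent-connection licence pool: at most `cap` sessions at once."""
    cap: int
    active: Dict[int, str] = field(default_factory=dict)   # session id -> user
    users_seen: Set[str] = field(default_factory=set)      # distinct users served
    denied: int = 0
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def connect(self, user: str) -> Optional[int]:
        """Admit a session if a licence slot is free; return its id, else None.

        A denial is logged: on a real appliance, repeated exhaustion of the
        pool is worth alerting on, since it is either a capacity problem or
        someone holding sessions they should not have.
        """
        if len(self.active) >= self.cap:
            self.denied += 1
            log.warning("licence pool exhausted (%d/%d): denied %s",
                        len(self.active), self.cap, user)
            return None
        sid = next(self._ids)
        self.active[sid] = user
        self.users_seen.add(user)
        return sid

    def disconnect(self, sid: int) -> None:
        """Free the slot; unknown ids are ignored so a double logout is harmless."""
        self.active.pop(sid, None)

    def in_use(self) -> int:
        """Number of licence slots currently occupied."""
        return len(self.active)


def serve_in_shifts(cap: int, n_users: int, shift: int) -> dict:
    """Constructed workload: n_users distinct people log in `shift` at a time,
    and everyone in a shift logs off before the next shift starts.

    With cap=10 and shift=10, 100 users are all served with zero denials
    (10 licences, 100 users). With shift=12 the same pool turns two people
    away in every full shift, because 12 want to be connected at once.
    """
    pool = LicensePool(cap)
    users = [f"user{i:03d}" for i in range(n_users)]   # constructed usernames
    for start in range(0, n_users, shift):
        sids = [pool.connect(u) for u in users[start:start + shift]]
        for sid in sids:
            if sid is not None:
                pool.disconnect(sid)
    return {"cap": cap, "served": len(pool.users_seen), "denied": pool.denied}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(message)s")
    print(serve_in_shifts(cap=10, n_users=100, shift=10))
    print(serve_in_shifts(cap=10, n_users=100, shift=12))
```

The first run serves all 100 users with no denials; the second, where 12 people try to stay connected at once against 10 licences, admits 84 distinct users and turns 16 attempts away. That is the distinction between "10 users" and "10 concurrent connections" that the post is making.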
Hi Guys,

I have been using Cisco for years and yes they are the best and yes they are the most expensive, but they do things other vendors just dream about. Also, if you're not used to Cisco it will be a nightmare; yes there is a GUI, but to be frank it's rubbish, so command line is the way forward, but very hard going if you don't know Cisco.

If you don't need all the features (which you don't with a simple IPsec VPN) then I would recommend DrayTek: get a couple of 2820s, about £120.00 each and a doddle to set up. Let me know if you need a hand. Once you have these installed, walk away and forget all about them; they will not let you down.

There's already an entry on this but I wanted to provide my two cents. In a prior employment I supported 6 remote retail outlets and 1 remote warehouse. We used Netgear FVS114 VPN firewalls and did not have any issues. The setup is easy to understand and maintain; adding or removing users, etc.
Reasonable price.
Qlemo, Batchelor and Developer, Commented:
Many things have been said already. I have to add my 2x 2c (worth a penny) to this.
I back up the statement "buy what you can manage in reasonable time". Managing a VPN can be hell. But in a site-to-site VPN, you can make assumptions and fixed settings which make it much easier.
Don't even consider the usual SSL VPN stuff. There (certainly) are solutions for site-to-site, but in most cases they are for clientless mobile user connection from anywhere. If it comes with your choice, OK, use it for your mobile users. Else don't care about VPN client licenses - use the free Shrew VPN client. It is versatile, and tutorials are available for many VPN devices.

With cheaper devices, debugging is more difficult (if possible at all) than with "business-class" ones. Of course you need this only if something is not working - but even "when nothing has changed", everything has changed for sure. It is like with a very cheap car - as long as it drives, very good, but when the first repair is on the horizon, throw it away.

This leads me to the recommendation to spend rather more money on the device than on the work. Investing in support contracts and more expensive devices pays!

BTW, I'm keen on Juniper. The WebUI is (almost) as mighty as the CLI, and you can change between both to your liking. And you can debug all kinds of stuff.
Get yourself a Juniper SA2000 or SA device, it will work great.
Qlemo, Batchelor and Developer, Commented:
... but SA devices allow ONLY for SSL access, i.e. clients and no site-2-site.
rfwoolf (Author) Commented:
Update: we have pushed this VPN site-to-site project back a few weeks because another project has taken priority.
I want to award points when I revisit this again where I will be able to award points in an educated way.
(I will endeavour to do so before then, but can't promise.)
If you object, you can propose a points award result, or you can request attention from the mods and ask them to reward the points.

Thanks for all your input
rfwoolf (Author) Commented:
Same story... need some more time. If you guys get impatient, let me know :p
Not at all, take your time.
rfwoolf (Author) Commented:
I believe there are many good suggestions here.
That was not my intention.