VPN protocal

I am looking at setting up a VPN, speed it a big factor. I am looking at SSL VPN or Open VPN (not supported by many routers). Putting security aside which do you recommend? For instance, the Barracuda X200 has SSL VPN only most of the Cisco routers do not support OpenVPN also.
I'm open to other protocols also please let me know what you think is the best VPN for EU to US connections.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Erik BjersPrincipal Systems AdministratorCommented:
is this for site to site VPN, client access VPN, or both?

If site to site VPN you need an appliance that can handle the amount of traffic that will pass between sites
If client access you need one that will handle the most concurrent user sessions you can imagine

You can install OpenWRT on a variety of SOHO routers but if you are doing site to site and have more than 10 people per location I would avoid this

For larger implementations you should look at the firewalls offered by; Meraki, SonicWALL, FortiNet, Cisco, NetGear, etc

My choice would be Meraki but you want to have the same device type at each end.

Remember though no matter what brand you go with you will likely need to license multiple remote access clients to get everything working.

If you give me an idea of size, traffic expectations, and connection types I can advise specific models.
J SpoorTMECommented:
meraki doesn't offer any really security... so if you are looking for a firewall with VPN capability, with the ever emerging threats and malware out there, look into a UTM or NGFW that can do all.

For client access, I suggest SSL-VPN, with IPsec you sometimes run into the limitations that for example in hotels they won't support IPsec. SSL-VPN has however a larger overhead.

For site-to-site indeed look into a IPsec VPN capable unit.

Specially in a link with high latency, US-EMEA you should also look in WAN acceleration, as laency is a big impact in throughput speeds.

the SonicWALL offers all of the above

View example configurations and the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com
ido90Author Commented:
I am trying to setup a Client->site VPN. Most of the time there will be four users at most, and those need to have low latency speeds.

Also with OpenVPN, there is usually the option of split VPN so you don't loose the local connectivity. Is that available in any other protocol that is good?

I tried with an old Cisco Router (RV220W) PPTP connection. Europe to US client (100/2) site (10/10) what I get is (1/1) ping 230ms.

Do you think there is a router or another protocol that would improve that?
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

J SpoorTMECommented:
It's the latency that kills you.
Both with IPsec Client to Site and SSL-VPN you can do split tunneling.

if speed is the main concern, you need WAN optimization.
ido90Author Commented:
who in your opinion has a good WAN optimization feature? for client-site
I would look into Cisco ASA. If it is only for 4 users, 5506-X should be enough. The main reason for suggesting is DTLS. DTLS is a variant of SSL which uses UDP and was designed for time sensitive apps. Anyconnect uses DTLS as primary protocol with fall back to TLS.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
J SpoorTMECommented:
SonicWALL, firewall as SSL-VPN and a WXA on top (managed from the firewall)
Erik BjersPrincipal Systems AdministratorCommented:

I would like to know why you think Meraki does not provide any real security.
J SpoorTMECommented:
Coz I just did a full analysis of it.

It has huge limitations on the AV engine and only inspects HTTP, can't do SSL inspection, nor does it inspect anything else then HTTP traffic.

IPS seems ok as it's snort based.

App control is very limited.

It's practically a home router functionality wise with 0 enterprise features, even missing proper networking features.
Erik BjersPrincipal Systems AdministratorCommented:
Thanks JSpoor,

My team recently decided to switch to Meraki for our field sites but I was not involved in the selection so did not really look much into them.

Have you looked at them since Cisco bought the company?  I know they have made some improvements.
J SpoorTMECommented:
This review was done just a few weeks ago.

The only recent addition is AMP sandboxing, but again only for HTTP downloads.

For any other competitive data feel free to PM me.
Reviewed PAN, Fortinet, Check Point, Meraki, WatchGuard and Sophos (Sophos and Cyberoam)
J SpoorTMECommented:
In the mean feel free to view the SonicWALL features and UI here

http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com
ido90Author Commented:
I'm still with a big ??? on the VPN situation. For now, I installed a CISCO RV325. I tried various protocols, seems PPTP is the only one that actually gives be some speed on this router. The Linksys LRT224 I has before actually did give good speed with OpenVPN UDP but it was no reliable. I read on WAN acceleration and from what I can see it will not help me. I need real-time speed, it's not about the files, I need to read and write directly to PLC units onsite.  It seems what I need is UDP type of protocol, One option, is the CISCO ASA5506-K9 with DTLS as suggested and the other option seems to be setting up an OpenVPN server on one PC machine on site. I could not find any good OpenVPN routers for commercial use, Any suggestions on which direction I should go?
J SpoorTMECommented:
don't think the CISCO RV325 has hardware crypto for IPsec, hence the low perfromance

I personally have a Site-to-site IPSec from Netherlands to California using SonicWALLs on both ends, and have good transfer. Even without WAN acceleration.

If it's speed and security you need, don't look at rotuers that are not designed for IPsec :)
ido90Author Commented:
I just talked to SonicWall they suggested the TZ400 but they said they are "only the manufacturer" and they don't know about IPsec and all that... they also do not have technical people... does the TZ400 have the capabilities you are talking about?
J SpoorTMECommented:
TZ400 is a full IPsec Concentrator :) I use a TZ600 myself at home
J SpoorTMECommented:
c'rection, TZ500, still have to unbox the TZ600 :)
J SpoorTMECommented:
all the TZs and NSAs are available to review on http://livedemo.sonicwall.com
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.