VPN protocal

is this for site to site VPN, client access VPN, or both?

If site to site VPN you need an appliance that can handle the amount of traffic that will pass between sites
If client access you need one that will handle the most concurrent user sessions you can imagine

You can install OpenWRT on a variety of SOHO routers but if you are doing site to site and have more than 10 people per location I would avoid this

For larger implementations you should look at the firewalls offered by; Meraki, SonicWALL, FortiNet, Cisco, NetGear, etc

My choice would be Meraki but you want to have the same device type at each end.

Remember though no matter what brand you go with you will likely need to license multiple remote access clients to get everything working.

If you give me an idea of size, traffic expectations, and connection types I can advise specific models.

meraki doesn't offer any really security... so if you are looking for a firewall with VPN capability, with the ever emerging threats and malware out there, look into a UTM or NGFW that can do all.

For client access, I suggest SSL-VPN, with IPsec you sometimes run into the limitations that for example in hotels they won't support IPsec. SSL-VPN has however a larger overhead.

For site-to-site indeed look into a IPsec VPN capable unit.

Specially in a link with high latency, US-EMEA you should also look in WAN acceleration, as laency is a big impact in throughput speeds.

the SonicWALL offers all of the above



View example configurations and the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com

I am trying to setup a Client->site VPN. Most of the time there will be four users at most, and those need to have low latency speeds.

Also with OpenVPN, there is usually the option of split VPN so you don't loose the local connectivity. Is that available in any other protocol that is good?

I tried with an old Cisco Router (RV220W) PPTP connection. Europe to US client (100/2) site (10/10) what I get is (1/1) ping 230ms.

Do you think there is a router or another protocol that would improve that?

It's the latency that kills you.
Both with IPsec Client to Site and SSL-VPN you can do split tunneling.

if speed is the main concern, you need WAN optimization.

who in your opinion has a good WAN optimization feature? for client-site

SonicWALL, firewall as SSL-VPN and a WXA on top (managed from the firewall)

JSpoor,

I would like to know why you think Meraki does not provide any real security.

Coz I just did a full analysis of it.

It has huge limitations on the AV engine and only inspects HTTP, can't do SSL inspection, nor does it inspect anything else then HTTP traffic.

IPS seems ok as it's snort based.

App control is very limited.

It's practically a home router functionality wise with 0 enterprise features, even missing proper networking features.

Thanks JSpoor,

My team recently decided to switch to Meraki for our field sites but I was not involved in the selection so did not really look much into them.

Have you looked at them since Cisco bought the company?  I know they have made some improvements.

This review was done just a few weeks ago.

The only recent addition is AMP sandboxing, but again only for HTTP downloads.

For any other competitive data feel free to PM me.
Reviewed PAN, Fortinet, Check Point, Meraki, WatchGuard and Sophos (Sophos and Cyberoam)

In the mean feel free to view the SonicWALL features and UI here

http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com

I'm still with a big ??? on the VPN situation. For now, I installed a CISCO RV325. I tried various protocols, seems PPTP is the only one that actually gives be some speed on this router. The Linksys LRT224 I has before actually did give good speed with OpenVPN UDP but it was no reliable. I read on WAN acceleration and from what I can see it will not help me. I need real-time speed, it's not about the files, I need to read and write directly to PLC units onsite.  It seems what I need is UDP type of protocol, One option, is the CISCO ASA5506-K9 with DTLS as suggested and the other option seems to be setting up an OpenVPN server on one PC machine on site. I could not find any good OpenVPN routers for commercial use, Any suggestions on which direction I should go?

don't think the CISCO RV325 has hardware crypto for IPsec, hence the low perfromance

I personally have a Site-to-site IPSec from Netherlands to California using SonicWALLs on both ends, and have good transfer. Even without WAN acceleration.

If it's speed and security you need, don't look at rotuers that are not designed for IPsec :)

I just talked to SonicWall they suggested the TZ400 but they said they are "only the manufacturer" and they don't know about IPsec and all that... they also do not have technical people... does the TZ400 have the capabilities you are talking about?

TZ400 is a full IPsec Concentrator :) I use a TZ600 myself at home

c'rection, TZ500, still have to unbox the TZ600 :)

all the TZs and NSAs are available to review on http://livedemo.sonicwall.com