Solved

VPN protocol

Posted on 2016-09-20
Last Modified: 2016-12-03
I am looking at setting up a VPN; speed is a big factor. I am looking at SSL VPN or OpenVPN (not supported by many routers). Putting security aside, which do you recommend? For instance, the Barracuda X200 has SSL VPN only; most of the Cisco routers do not support OpenVPN either.
I'm open to other protocols also, so please let me know what you think is the best VPN for EU to US connections.
Question by:ido90
18 Comments
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 41806267
Is this for site-to-site VPN, client access VPN, or both?

If site-to-site VPN, you need an appliance that can handle the amount of traffic that will pass between sites.
If client access, you need one that will handle the most concurrent user sessions you can imagine.

You can install OpenWRT on a variety of SOHO routers but if you are doing site to site and have more than 10 people per location I would avoid this

For larger implementations you should look at the firewalls offered by Meraki, SonicWALL, Fortinet, Cisco, NetGear, etc.

My choice would be Meraki but you want to have the same device type at each end.

Remember though no matter what brand you go with you will likely need to license multiple remote access clients to get everything working.

If you give me an idea of size, traffic expectations, and connection types I can advise specific models.
 
LVL 6

Expert Comment

by:J Spoor
ID: 41806338
Meraki doesn't offer any real security... so if you are looking for a firewall with VPN capability, with the ever-emerging threats and malware out there, look into a UTM or NGFW that can do it all.

For client access, I suggest SSL-VPN; with IPsec you sometimes run into the limitation that, for example, hotels won't support IPsec. SSL-VPN has, however, a larger overhead.

For site-to-site, indeed look into an IPsec VPN capable unit.

Especially on a link with high latency (US-EMEA) you should also look into WAN acceleration, as latency has a big impact on throughput speeds.

The SonicWALL offers all of the above.



View example configurations and the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com
 

Author Comment

by:ido90
ID: 41806406
I am trying to set up a client-to-site VPN. Most of the time there will be four users at most, and those need to have low-latency speeds.

Also, with OpenVPN there is usually the option of split VPN so you don't lose the local connectivity. Is that available in any other protocol that is good?

I tried with an old Cisco router (RV220W) and a PPTP connection. Europe to US: client (100/2), site (10/10); what I get is (1/1), ping 230 ms.

Do you think there is a router or another protocol that would improve that?
 
LVL 6

Expert Comment

by:J Spoor
ID: 41806437
It's the latency that kills you.
Both with IPsec Client to Site and SSL-VPN you can do split tunneling.

If speed is the main concern, you need WAN optimization.
 

Author Comment

by:ido90
ID: 41806442
Who in your opinion has a good WAN optimization feature for client-site?
 
LVL 13

Accepted Solution

by:SIM50 (earned 500 total points)
ID: 41806473
I would look into Cisco ASA. If it is only for 4 users, the 5506-X should be enough. The main reason for suggesting it is DTLS. DTLS is a variant of SSL which uses UDP and was designed for time-sensitive apps. AnyConnect uses DTLS as the primary protocol with fallback to TLS.
 
LVL 6

Expert Comment

by:J Spoor
ID: 41806537
SonicWALL: firewall as SSL-VPN and a WXA on top (managed from the firewall).
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 41807956
JSpoor,

I would like to know why you think Meraki does not provide any real security.
 
LVL 6

Expert Comment

by:J Spoor
ID: 41808221
Because I just did a full analysis of it.

It has huge limitations on the AV engine and only inspects HTTP; it can't do SSL inspection, nor does it inspect anything other than HTTP traffic.

IPS seems ok as it's snort based.

App control is very limited.

It's practically a home router functionality wise with 0 enterprise features, even missing proper networking features.
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 41808236
Thanks JSpoor,

My team recently decided to switch to Meraki for our field sites but I was not involved in the selection so did not really look much into them.

Have you looked at them since Cisco bought the company?  I know they have made some improvements.
 
LVL 6

Expert Comment

by:J Spoor
ID: 41808256
This review was done just a few weeks ago.

The only recent addition is AMP sandboxing, but again only for HTTP downloads.

For any other competitive data feel free to PM me.
Reviewed PAN, Fortinet, Check Point, Meraki, WatchGuard and Sophos (Sophos and Cyberoam)
 
LVL 6

Expert Comment

by:J Spoor
ID: 41808258
In the meantime, feel free to view the SonicWALL features and UI here:

http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com
 

Author Comment

by:ido90
ID: 41808767
I'm still with a big ??? on the VPN situation. For now, I installed a Cisco RV325. I tried various protocols; it seems PPTP is the only one that actually gives me some speed on this router. The Linksys LRT224 I had before actually did give good speed with OpenVPN UDP, but it was not reliable.

I read on WAN acceleration and from what I can see it will not help me. I need real-time speed; it's not about the files, I need to read and write directly to PLC units on site. It seems what I need is a UDP type of protocol.

One option is the Cisco ASA5506-K9 with DTLS as suggested, and the other option seems to be setting up an OpenVPN server on one PC machine on site. I could not find any good OpenVPN routers for commercial use. Any suggestions on which direction I should go?
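For the OpenVPN-on-a-PC option raised above, here is a minimal server and client configuration pair that uses UDP transport (so a lossy 230 ms path does not stack TCP retransmits inside TCP) and a split tunnel that routes only the on-site PLC subnet through the VPN. This is an added example, not a configuration from the thread or from any vendor; the PLC subnet 192.168.10.0/24, the hostname vpn.example.com, the file names and a Linux server are all assumptions.

```conf
# server.conf, on-site OpenVPN server (added example, not from the thread)
# UDP avoids stacking TCP retransmits inside TCP on a 230 ms path.
port 1194
proto udp
dev tun
# PKI files: assumed names from an Easy-RSA setup.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# tls-crypt (OpenVPN 2.4+): drops packets lacking the pre-shared HMAC before
# any TLS work is done, so unauthenticated traffic never reaches the TLS stack.
tls-crypt tc.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# Client address pool (assumed).
server 10.8.0.0 255.255.255.0
# Split tunnel: push only the PLC subnet (assumed 192.168.10.0/24). There is
# deliberately no "redirect-gateway", so the client keeps direct local access.
push "route 192.168.10.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3

# client.ovpn, remote laptop (same assumptions)
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
# Reject a peer certificate that is not a server certificate (stops a stolen
# client cert being used to impersonate the server).
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
ca ca.crt
cert client1.crt
key client1.key
tls-crypt tc.key
explicit-exit-notify 1
persist-key
persist-tun
verb 3
```

The two files are shown back to back for reading; deploy them as separate server and client files. Verify the split tunnel on the client after connecting by checking that only the PLC route (and the tunnel's own /24) was added to the routing table, with the default route unchanged.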
 
LVL 6

Expert Comment

by:J Spoor
ID: 41808849
I don't think the Cisco RV325 has hardware crypto for IPsec, hence the low performance.

I personally have a site-to-site IPsec from the Netherlands to California using SonicWALLs on both ends, and have good transfer, even without WAN acceleration.

If it's speed and security you need, don't look at routers that are not designed for IPsec :)
 

Author Comment

by:ido90
ID: 41808980
I just talked to SonicWall; they suggested the TZ400, but they said they are "only the manufacturer" and they don't know about IPsec and all that... they also do not have technical people... Does the TZ400 have the capabilities you are talking about?
 
LVL 6

Expert Comment

by:J Spoor
ID: 41809029
The TZ400 is a full IPsec concentrator :) I use a TZ600 myself at home.
 
LVL 6

Expert Comment

by:J Spoor
ID: 41809034
Correction: TZ500, still have to unbox the TZ600 :)
 
LVL 6

Expert Comment

by:J Spoor
ID: 41809037
All the TZs and NSAs are available to review on http://livedemo.sonicwall.com