Tom Riteck

asked on

IPSec Site to Site VPN Topology

Hello Experts,

I am re-designing an existing network using a new ISP and new hardware. The existing network has approximately 50 remote sites, all using different local ISPs, connected to each other via IPsec site-to-site VPN tunnels within a hub-and-spoke topology. Every site terminates at the same vendor's VPN concentrator. Our server infrastructure is cloud based and we authenticate to Active Directory Services in the cloud. As of right now each site or 'spoke' has to go through the 'vendor hub' to access any other site, which tends to slow things down a bit on occasion.

If I utilize a mesh topology, every site would have to host 50 VPN tunnels (I guess 49 to be exact) to connect to all other locations, which means that the firewall, router, or VPN concentrator would have to be large enough to support this - frankly our budget isn't that big. I would like to utilize a FortiGate 60/90 in each location.

I'm considering a hybrid hub and spoke / mesh topology but looking for some ideas as to how to approach this from a topology perspective.
SIM50

DMVPN with either phase 2 or 3. Or FlexVPN if you want to use IKEv2.
Not sure if it is supported on FortiGates though. On the other hand, for spokes, you can get inexpensive routers like the Cisco 800 or 1900 series depending on the traffic.
Tom Riteck

ASKER

Thanks SIM50!

DMVPN is new to me so I have been doing some research, and so far it sounds like it may be exactly what I'm looking for. Unless anyone has any other topology related suggestions, could you give me some specifics around how I would configure it to support a great many remote locations?
Also, is DMVPN a Cisco specific solution? In other words, will it only work with Cisco hardware?
Yes, DMVPN is Cisco proprietary. I can look up some articles for you when I get home. Cisco site also has a design section where you can find already tested designs and configs.
ASKER CERTIFIED SOLUTION
SIM50
Thank you SIM50 - I appreciate your feedback and guidance; this is great information and I have learned a lot. Unfortunately, given that this is a Cisco dependent solution, and we're looking to go in a different direction from a hardware perspective due to a somewhat limited budget, I don't think this will work for us.

After some additional research, it appears that there are some new cloud based VPN termination solutions. They will allow us to terminate all of our VPN endpoints to a single cloud based virtual gateway, and they offer high availability options as well.

SIM50, I am going to give you credit for your proposed solution because it helped me to arrive at my current line of thinking.