Multiple VPNs

I have about two dozen remote sites that I need to create VPN tunnels to.  I have Checkpoint FW cluster here.  The 23 remote sites either have Cisco, Forcepoint, Palo Alto or Juniper firewalls.  Using IPSEC, I need a good plan for setting up individual tunnels to these disparate sites.  I have a general understanding of IPSEC but not the specifics for configuring each firewall.

Can you point me to good literature, or links, or video media that helps me lay out a plan for gathering all the information needed for/from each customer to roll out these VPNs?
Asked by Ted James

Aaron Tomosky (Director of Solutions Consulting) commented:
First thing to gather are all the subnets and WAN IP(s). Do you need policy based routing? Are there overlapping subnets? Will there be any spoke to spoke communication? How will you rotate keys and monitor traffic?
kevinhsieh commented:
You generally need to know the public IP of the remote firewall for each site, and the private IP space that they are using at each site.

What is the purpose of the VPN tunnels? Are the remote sites supposed to talk to each other? Do any of the remote sites have more than 1 subnet that you need to communicate with? Are there any sites that use the same private IP addresses? Do you think you need to run any routing protocols over the tunnels? What traffic do you need to run over the tunnels? Any traffic you need to block? Will internet traffic go over the tunnels?

You can generally Google how to setup basic VPN between each vendor using pre shared keys.

Depending on the answers to the above questions, you may have a more complicated setup.
Ted James (Author) commented:
Aaron and Kevin very good questions.  Let me try to answer them, some with more questions:

The other ends of the tunnels will vary based on the equipment there and based on personnel there.

PBR?  I don't know, in what scenarios would I need PBR?

Overlapping subnets?  Do you mean from one remote site to another?  I don't plan on it, but if some sites mandate a private subnet that overlaps another, what would I do?

Rotate keys?  I would only own the local firewall and what is behind it.  The clients own all of the other end.  So does key rotation still come into play?

Monitoring?  We would monitor the VPN traffic.  Any suggestions of what to use?

Purpose of the tunnels is for local analysts here, or from their homes and login here and grab a VDI, to access remote clients' subnets to do some work.

More than one subnet?  Yes some sites may have more than one subnet to access.

Overlapping private IPs?  I don't plan on it but, again, what would I do if that were the case?

Routing protocols over the tunnel?  I don't plan on it, but if it becomes the case in the future, how would I transport routing updates?

Traffic over the tunnel?  So I think my list is the following:  ssh, http (maybe), https, logs (like ArcSight or Splunk or similar).  Block anything else.  Am I missing anything obvious?

Internet?  Only internet is the public IP termination points at both ends

Aaron Tomosky (Director of Solutions Consulting) commented:
So your employees will hit a VDI in your office, then need to get to client networks, got it.

You will probably have clients with the same subnet, which means routed vpn tunnels, the most fun to setup.

Ideally I would recommend not doing ipsec vpn tunnels, MSPs have struggled with this for years and there isn't a good solution. Something like LogMeIn or screenconnect or zscaler private access is a much cleaner solution that doesn't involve the risks of actually joining networks. Even a jump box at a client with RDS or proxy ssh will work depending on your access needs.
Ted James (Author) commented:
Routed VPN tunnels?  That would alleviate the issue of overlapping subnets across clients?
Aaron Tomosky (Director of Solutions Consulting) commented:
Yes, so your network knows that 10.100.1.x goes over vpn 1 to client 1 subnet 192.168.0.x
10.100.2.x goes to vpn2 to client 2 subnet 192.168.0.x

I've only done this personally with sonic wall and had to nat individual IP addresses of servers I wanted to talk to, ymmv on your gear and setup.
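As an added example (not from this thread, and not the configuration of any of the firewalls named in it): a Python script that takes the per-site facts Aaron and Kevin ask for above (remote firewall public IP, remote private subnets), flags prefixes that overlap between clients or with the hub LAN, and assigns each colliding prefix a unique translated range in the spirit of the 10.100.1.x / 10.100.2.x scheme just described, then lists the local/remote selector pair each tunnel would carry. All site names, vendor labels, peer addresses and the hub and NAT ranges are constructed placeholders.

```python
"""Inventory check for hub-and-spoke IPsec tunnels: detect overlapping
client subnets and allocate a unique translated prefix for each collision.
Added example with constructed data; not from the thread or any vendor."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    """One remote tunnel endpoint, as gathered from the client."""
    name: str
    vendor: str     # remote firewall vendor, informational only
    peer_ip: str    # remote firewall public IP (IKE peer), constructed value
    subnets: list   # remote private prefixes the analysts must reach


# Hypothetical hub side: the local LAN that holds the VDI hosts.
HUB_LAN = ipaddress.ip_network("10.20.0.0/16")
# Hypothetical pool carved into one translated prefix per colliding client
# subnet, after the 10.100.1.x / 10.100.2.x idea in the thread.
NAT_POOL = ipaddress.ip_network("10.100.0.0/16")

# Constructed inventory: client1 and client2 both use 192.168.0.0/24.
SITES = [
    Site("client1", "Cisco", "203.0.113.10", ["192.168.0.0/24"]),
    Site("client2", "Palo Alto", "198.51.100.20",
         ["192.168.0.0/24", "172.16.5.0/24"]),
    Site("client3", "Juniper", "203.0.113.30", ["10.50.0.0/16"]),
]


def find_overlaps(sites, hub_lan):
    """Return every pair of prefixes that overlap, including hub vs. site.
    Each element is ((owner_a, prefix_a), (owner_b, prefix_b)); prefixes
    within a single site are not compared, that is the client's own concern."""
    entries = [("hub", hub_lan)]
    for s in sites:
        entries += [(s.name, ipaddress.ip_network(p)) for p in s.subnets]
    conflicts = []
    for i, (owner_a, net_a) in enumerate(entries):
        for owner_b, net_b in entries[i + 1:]:
            if owner_a != owner_b and net_a.overlaps(net_b):
                conflicts.append(((owner_a, str(net_a)), (owner_b, str(net_b))))
    return conflicts


def allocate_nat(sites, conflicts, pool):
    """Map each site prefix to a same-sized translated prefix from `pool`
    when it collides with another site or with the hub, else to None
    (reachable with its real addresses). Returns {site: {real: translated}}."""
    colliding = {entry for pair in conflicts for entry in pair if entry[0] != "hub"}
    allocated = []
    plan = {}
    for s in sites:
        plan[s.name] = {}
        for p in s.subnets:
            real = str(ipaddress.ip_network(p))
            if (s.name, real) not in colliding:
                plan[s.name][real] = None
                continue
            want = ipaddress.ip_network(real).prefixlen
            if want < pool.prefixlen:
                raise ValueError(f"{real} is larger than NAT pool {pool}")
            # First candidate of the right size that touches nothing already taken.
            for cand in pool.subnets(new_prefix=want):
                if not any(cand.overlaps(a) for a in allocated):
                    allocated.append(cand)
                    plan[s.name][real] = str(cand)
                    break
            else:
                raise ValueError(f"NAT pool {pool} exhausted at {s.name} {real}")
    return plan


def tunnel_plan(sites, hub_lan, plan):
    """One row per tunnel selector: the hub prefix and the remote prefix as
    the hub must address it (translated where a collision was resolved)."""
    rows = []
    for s in sites:
        for real, translated in plan[s.name].items():
            rows.append({"site": s.name, "vendor": s.vendor, "peer": s.peer_ip,
                         "local": str(hub_lan), "remote_real": real,
                         "remote_from_hub": translated or real})
    return rows


if __name__ == "__main__":
    conflicts = find_overlaps(SITES, HUB_LAN)
    for (a, pa), (b, pb) in conflicts:
        print(f"OVERLAP: {a} {pa} <-> {b} {pb}")
    plan = allocate_nat(SITES, conflicts, NAT_POOL)
    for row in tunnel_plan(SITES, HUB_LAN, plan):
        print(f"{row['site']:8} {row['vendor']:10} peer {row['peer']:15} "
              f"{row['local']} <-> {row['remote_from_hub']} (real {row['remote_real']})")
```

The "remote_from_hub" value is the prefix the hub firewall's Phase 2 selectors and NAT rule refer to; the client side keeps its real addresses, which is why a colliding client never needs to renumber. Turning each row into a vendor-specific configuration is still per-box work, as the thread says.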
Ted James (Author) commented:
I agree with your previous comment that doing VPN tunnels is less desirable.  In the short term I am stuck with it.  Can I have your take (pros, cons, would you?) on the following alternatives for future development?
1. MPLS. Is it as secure?

2. SDWAN solution

3. LogMeIn or screenconnect or zscaler private access solutions you mentioned.  Are the connections encrypted?

4. Jump box, but not likely they will allow putting this box on premises.
Aaron Tomosky (Director of Solutions Consulting) commented:
MPLS
The carrier makes a private network for you. The most expensive and least flexible of the options, IMO worse than vpn tunnels.

SD-WAN
The best of the networking routes, similar to manual firewall vpn tunnels but more agile and centrally managed; still a network-joining solution, which has inherent difficulties joining organizations that shouldn't be joined.

LogMeIn, screenconnect, zScaler private access. All of these have subtle differences in function and licensing models but are all designed to do what you want: grant access to a server without joining networks. Based on what I know of your situation, one of these is my leading recommendation by far.

Jump box: this isn't really a solution on its own, this just means each client gives you a server to connect to that you can use to jump to other servers and network gear. You still have to get to this server over one of the other options or a public rds gateway.

Ted James (Author) commented:
Thank you!