VPN concentrator

Hi All,

Looking at getting people’s advice/recommendations for some on-premises devices we can use to terminate site-to-site VPNs with customers and third parties.

Currently we have some ASAs doing the work; however, they are showing their age and we need some extra features that they currently don’t offer.

I want to be able to run multiple contexts, like VRFs for example. The idea here is that if a customer wants site-to-site VPNs to replace their MPLS, then we can terminate their VPN and dump them straight into their VRF. However, security will want access controls and next-gen type capabilities on these to filter traffic before it makes it into the customer VRF. We would also need BGP routing capabilities.

We currently have 30 customers, not all using site-to-site VPNs; however, that could be the required scale long term.

I have thought about Cisco routers to terminate the VPNs, using an FVRF to build their tunnels over and placing the tunnel interface into their forwarding VRF, then using an L2 firewall to bridge the connectivity between the Cisco router and their VRF. The reason for using a router is that in my experience they have been great for VPNs and provide all the routing capabilities we need.

Palo Alto can do all this in a single box and has great VRF/vsys support.

Palo & Fortinet boxes would do the job.

From someone who actively manages a pair of Cisco ASRs as VPN concentrators (with BGP across them): don’t. Those things can do anything you want and work really well, but they become unmanageable the instant you go beyond 5 tunnels, let alone trying to automate something.

We had to create a flowchart so engineers won’t forget parts of the config (IKE profile, IPsec profile, IKE transform set, IPsec transform set, keyrings, proposals, FVRF config, tunnel interfaces, VASI interfaces, etc.) and not a single soul actually understands what is what.

To give you an idea, each device has around 40 tunnels stuffed into 3100 lines of config. My advice would be to pick something with a UI, be it FortiGate or Palo Alto.
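A worked version of the FVRF/inside-VRF design from the Cisco router post above, added here and not posted by anyone in the thread: one Python script that renders the full per-customer stanza set (inside VRF, IKEv2 keyring and profile bound to the front-door VRF, IPsec profile, VTI placed in the customer VRF, BGP address-family) from a small data model, and audits a config for the pieces the flowchart post says engineers forget, which is the kind of check an Ansible-driven build can run before and after a push. The IOS-XE IKEv2 VTI syntax is reproduced from memory and should be checked against your platform; the FVRF, ASN, WAN interface and transform-set names, the RFC 5737 peer addresses and the PSK strings are all assumptions, and the IKEv2 proposal/policy and transform set are assumed to be defined once globally rather than per customer.

```python
"""Render and audit per-customer IOS-XE FVRF/inside-VRF IPsec tunnel config.
Added example; names, addresses and PSKs below are assumptions, not the thread's."""
from dataclasses import dataclass

FVRF = "FVRF-INTERNET"           # front-door VRF holding the internet-facing interface
LOCAL_AS = 65000                 # our ASN (private range, assumed)
WAN_IF = "GigabitEthernet0/0/0"  # interface in FVRF that tunnels are sourced from


@dataclass(frozen=True)
class Customer:
    name: str       # also the inside (customer) VRF name
    peer: str       # customer's public IKE peer address
    tunnel_id: int  # Tunnel interface number, reused as the RD suffix
    local_ip: str   # our end of the /30 on the tunnel
    remote_ip: str  # their end, which is the BGP neighbor
    remote_as: int
    psk: str        # placeholder; pull from a vault in practice


def render(c: Customer) -> str:
    """Every stanza one tunnel needs; the VTI sits in the customer VRF, its outer
    packets are sourced via the FVRF, and the IKEv2 profile matches on the FVRF."""
    return f"""vrf definition {c.name}
 rd {LOCAL_AS}:{c.tunnel_id}
 address-family ipv4
!
crypto ikev2 keyring KR-{c.name}
 peer {c.name}
  address {c.peer}
  pre-shared-key {c.psk}
!
crypto ikev2 profile IKEV2-{c.name}
 match fvrf {FVRF}
 match identity remote address {c.peer} 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-{c.name}
!
crypto ipsec profile IPSEC-{c.name}
 set transform-set TS-AES256-SHA256
 set ikev2-profile IKEV2-{c.name}
!
interface Tunnel{c.tunnel_id}
 vrf forwarding {c.name}
 ip address {c.local_ip} 255.255.255.252
 tunnel source {WAN_IF}
 tunnel destination {c.peer}
 tunnel mode ipsec ipv4
 tunnel vrf {FVRF}
 tunnel protection ipsec profile IPSEC-{c.name}
!
router bgp {LOCAL_AS}
 address-family ipv4 vrf {c.name}
  neighbor {c.remote_ip} remote-as {c.remote_as}
  neighbor {c.remote_ip} activate
!
"""


def stanzas(config: str) -> dict:
    """Map each unindented header to its stripped child lines; repeated headers merge."""
    heads, cur = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            cur = heads.setdefault(line.rstrip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return heads


def audit(config: str, name: str) -> list:
    """Return the pieces missing for customer `name`; an empty list means complete."""
    heads, missing = stanzas(config), []
    want = {
        f"vrf definition {name}": [],
        f"crypto ikev2 keyring KR-{name}": [],
        f"crypto ikev2 profile IKEV2-{name}": [f"match fvrf {FVRF}", f"keyring local KR-{name}"],
        f"crypto ipsec profile IPSEC-{name}": [f"set ikev2-profile IKEV2-{name}"],
        f"router bgp {LOCAL_AS}": [f"address-family ipv4 vrf {name}"],
    }
    # find the VTI by its inside VRF so a renumbered tunnel still audits
    vti = [h for h, k in heads.items() if h.startswith("interface Tunnel") and f"vrf forwarding {name}" in k]
    if vti:  # without 'tunnel vrf' the peer is looked up in the global table, not the FVRF
        want[vti[0]] = [f"tunnel vrf {FVRF}", f"tunnel protection ipsec profile IPSEC-{name}"]
    else:
        missing.append(f"interface Tunnel with vrf forwarding {name}")
    for header, children in want.items():
        if header not in heads:
            missing.append(header)
        else:
            missing += [f"{header} / {c}" for c in children if c not in heads[header]]
    return missing


def demo() -> tuple:
    """Two correct customers, then two classic copy/paste mistakes (constructed data)."""
    a = Customer("CUST-A", "203.0.113.10", 100, "10.255.0.1", "10.255.0.2", 65100, "replace-me-a")
    b = Customer("CUST-B", "203.0.113.20", 101, "10.255.0.5", "10.255.0.6", 65101, "replace-me-b")
    full = render(a) + render(b)
    no_fvrf = full.replace(f" tunnel vrf {FVRF}\n", "", 1)  # Tunnel100 forgot its FVRF
    wrong_kr = full.replace("keyring local KR-CUST-B", "keyring local KR-CUST-A")
    return (audit(full, "CUST-A"), audit(full, "CUST-B"),
            audit(no_fvrf, "CUST-A"), audit(wrong_kr, "CUST-B"))
```

The text `render()` produces is what a `cisco.ios.ios_config` task would push, and `audit()` run over the device's `show running-config` output afterwards catches the two mistakes `demo()` constructs: a VTI without `tunnel vrf`, which makes the router resolve the peer in the global table instead of the front-door VRF, and a profile pointing at another customer's keyring.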

We do exactly this with a FortiGate VM.

Palo Altos work very well for this.
They support VRFs very well and also BGP.
The logging is great. VPN setup is easy.

Juniper SRX would do this fine as well, likely much cheaper than PA (albeit without the NGFW stuff).

Fortinet can do all this with VDOMs, which are basically VRFs. Put each customer in a VDOM and terminate their VPN tunnels to each VDOM as needed. You control traffic using policies, so you can do all the L7/application stuff.

ASR 1000 has been my go-to box for site-to-sites. There isn’t much they won’t do, but they aren’t firewalls. ZBFW doesn’t count. You could also go Palo and use virtual routers and rules.

A company I used to work for used Meraki Z3 devices as VPN concentrators going from their site to our data centers. I feel like they worked quite well. We had about 250 in play.

You can use any Cisco router with a security license and VRF. We are using 1001-X for terminating over 1000 IPsec customer tunnels.

/u/rotame12a not sure why you locked your question about the FortiGate VM, which doesn’t allow me to answer back on the right thread.
So I’ll answer here below…

It is simply a virtual FGT appliance running on your vSphere (or other) infra, like Cisco provides with the CSR1000v.
VRFs can be achieved with what FGT calls VDOMs.
You can also automate all the VDOM and tunnel creation with Ansible, as modules exist for most of the configuration objects.

If you want HA, you can build an HA cluster as you would with two physical boxes, so with two VMs.

Yeah, the amount of configuration in the router did concern me. Not too fussed about deployment, however, as I would use Ansible plays to build them. More concerned about troubleshooting and junior engineers having to wade through lines of configuration.

I would prefer a web UI with API functionality so tunnels could still be built with Ansible.

Can you elaborate a bit more on the VM part? Is it just a firewall running on VMware? Or do you do a VM per tunnel?

Fortinet was definitely something I thought of, especially with their VDOM capabilities. Only thing is it would introduce another vendor into the environment. Not a deal breaker but something to consider.

Have used Meraki before, but they don’t hit the mark for this job. No multi-context, and I have found their lack of troubleshooting to be a pain. Also don’t rate their support.

This was my initial thought, but it doesn’t hit the next-gen FW requirements. I do like using routers for tunnels; currently doing this to AWS over our Direct Connects and it works really well.

Sorry, didn’t realise it was locked? Don’t believe I locked it. Thanks for taking the time to reply.