Looking at getting people's advice/recommendations for some on-premise devices we can use to terminate site-to-site VPNs with customers and 3rd parties.
Currently we have some ASAs doing the work; however, they are showing their age and we need some extra features that they currently don't offer.
I want to be able to run multiple contexts, like VRFs for example. The idea here is that if a customer wants site-to-site VPNs to replace their MPLS then we can terminate their VPN and dump them straight into their VRF. However, security will want access controls and next-gen type capabilities on these to filter traffic before making it into the customer VRF. We would also need BGP routing capabilities.
We currently have 30 customers, not all using site-to-site VPNs; however, that could be the required scale long term.
I have thought about Cisco routers to terminate the VPNs, using an FVRF to build their tunnels over and placing the tunnel interface into their forwarding VRF. Then using an L2 firewall to bridge the connectivity between the Cisco router and their VRF. The reason for using a router is that they, in my experience, have been great for VPNs and provide all the routing capabilities we need.
From someone who actively manages a pair of Cisco ASRs as VPN concentrators (with BGP across them): don't. Those things can do anything you want and work really well, but they become unmanageable the instant you go beyond 5 tunnels. Let alone trying to automate something.
We had to create a flowchart so engineers won't forget parts of the config (IKE profile, IPsec profile, IKE transform set, IPsec transform set, keyrings, proposals, FVRF config, tunnel interfaces, VASI interfaces, etc.) and not a single soul actually understands what is what.
To give you an idea, each device has around 40 tunnels stuffed in 3100 lines of config. My advice would be to pick something with a UI, be it FortiGate or Palo Alto.
Fortinet can do all this with VDOMs, which are basically VRFs. Put each customer in a VDOM and terminate their VPN tunnels to each VDOM as needed. You control traffic using policies, so you can do all the L7/application stuff.
ASR 1000 has been my go-to box for site-to-sites. There isn't much they won't do but they aren't firewalls. ZBFW doesn't count. You could also go Palo and use virtual routers and rules.
A company I used to work for used Meraki Z3 devices as VPN concentrators going from their site to our data centers. I feel like they worked quite well. We had about 250 in play.
/u/rotame12a, not sure why you locked your question about the FortiGate VM, which doesn't allow me to answer back on the right thread.
So I’ll answer here below…
It is simply a virtual FGT appliance running on your vSphere (or others) infra, like Cisco provides with the CSR1000v.
VRFs can be achieved with what FGT calls VDOMs.
You can also automate all the VDOM and tunnel creation with Ansible, as modules exist for most of the configuration objects.
If you want HA, you can build an HA cluster as you would with two physical boxes, so with two VMs.
Yeah, the amount of configuration in the router did concern me. Not too fussed about deployment, however, as I would use Ansible plays to build them. More concerned about troubleshooting and junior engineers having to wade through lines of configuration.
I would prefer a web UI with API functionality so tunnels could still be built with Ansible.
Fortinet was definitely something I thought of, especially with their VDOM capabilities. Only thing is it would introduce another vendor into the environment. Not a deal breaker but something to consider.
Have used Meraki before but they don't hit the mark for this job. No multi-context and I have found their lack of troubleshooting to be a pain. Also don't rate their support.
This was my initial thought but doesn't hit the next-gen FW requirements. I do like using routers for tunnels, currently doing this to AWS over our direct connects and it works really well.