Automated site-to-site VPN recommendations

Situation: We have salespeople/engineers holding temporary seminars/training/demonstrations in hotel meeting rooms.

Field people need a very plug-n-play, simple, reliable VPN back to corporate offices to present videos/slides/demonstrations. The materials are not accessible via the internet directly; they are in a contained environment at corporate HQ locations but not necessarily on the corp network.

The solution should be able to provide wireless to attendees. In some cases, guest login will be fine, but in some cases the attendees will have registered and provided login creds prior to the event, and these creds will need to be checked before providing access.

The solution should have the option to split-tunnel internet traffic out, but in some cases they need all traffic tunneled and internet will be via our corporate offices (NDA/legal, don't ask, it's just a requirement provided).

The field person should be able to not only access the presentation materials (in their contained network) but also the corporate network. Some early attempts required a user-VPN connection by the field person over the S2S VPN, but it made it clunky to switch back and forth. This isn't mandatory, but it would be nice to provide one solution providing dual-level access: restricted to attendees, less restricted to field people.
Tried this in the past with basic router/switch/wireless and captive portals because we had some inventory available... it was workable but not quick or easy. We really could use a simple solution that you just flip on, it calls home, and works... or as close to that as possible.
Have been looking at Meraki and a couple other low-touch solutions and they may do the trick, but we are hoping there are lower cost options that people have used successfully? We don't mind dealing with some off brands and even some custom coding (within reason) as long as the end result is a low-touch, reliable solution.
Thanks in advance.

We use the Meraki series -- MX @ the main office, and Z1 for the remote, or just 2 Z1 units if it's a small network and they work great.

We've even gone so far as to utilize Avaya ip phones over the link so the teleworker's extension works wherever they are. I have to say, compared to a PIX or ASA, etc. they are about the simplest VPN setup you'll ever come across. We've even had cases where the Z1 was behind a fairly restrictive NAT, and it was able to establish a session and work great.

Definitely not the cheapest, but if you can get by with just a couple of Z1s the cost isn't too bad.


In some cases...

The words "in some cases" are a problem with any supposedly plug and
play solution.

We really could use a simple solution that you
just flip on, it calls home, and works...

...but still requiring someone to enter credentials of some sort,
right? Otherwise you have a device wandering about that provides
look-mum-no-hands access to your corporate network.

MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
for a wireless dongle or storage, and has a highly-scriptable operating
system. Not a bad platform.

Regards, K.

I would second Meraki for the situation you describe. I don't feel that
they are the most capable platform, they're expensive, and don't always
present you with all the information you'd need for troubleshooting.
However, the VPN offers great dynamic tunneling, instant-on performance,
and are by far the simplest platform to offer a field person. They're also
tenacious - I've had them connect to the cloud management platform and
build a VPN under some trying circumstances.

From a security standpoint, they will offer features that will impress for
the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
tunnel control), and we've found they punch above their weight and their
APs perform fantastically.

We deploy them worldwide many times per year in similar use cases,
sometimes with 150 users on the LAN. If your routing is simple, you can
define your security policies, and don't need crazy throughput on your VPN,
Meraki is the way to go. Be careful though: they have to be continually
licensed to work and can get pretty expensive if you go for the higher end
gear. Thus far, we've been able to stick to the cheaper stuff and
accomplish our goals.
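K's point above (a kit that "just calls home" still needs a person to present a credential, or a stolen box is a walking door into corp) and the "inability to use if stolen" feature mentioned in the Meraki reply describe the same control. The following is an added illustration, not any vendor's protocol and not code from anyone in this thread: a hub-side check-in where the kit proves its burned-in key with a challenge/response, the field person supplies a per-event activation code, and only then does the hub hand back a profile (split vs. full tunnel, and an attendee segment limited to the lab next to a staff segment that also reaches corp, matching the original poster's dual-level requirement). Device IDs, keys, event names and codes are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model of a "call home" check-in. Nothing here is a real
# vendor protocol; IDs, keys, events and codes are made up for the example.

# Per-kit secret provisioned at HQ before the kit ships (hypothetical values).
DEVICE_KEYS = {
    "kit-001": b"\x01" * 32,
    "kit-002": b"\x02" * 32,   # this kit was reported stolen, see REVOKED
}
REVOKED = {"kit-002"}

_EVENT_SALT = b"event-salt"   # constructed; use a per-event random salt in practice


def _hash_code(code: str, salt: bytes) -> bytes:
    # Activation codes are stored hashed so a dump of the hub does not leak them.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


# Per-event policy keyed by an event ID the field person selects (hypothetical).
EVENTS = {
    "nda-seminar": {
        "code_hash": _hash_code("7F3K-QWER", _EVENT_SALT),
        "tunnel_mode": "full",          # all traffic, internet included, via HQ
        "attendee_auth": "registered",  # pre-registered creds checked at join
    },
    "open-demo": {
        "code_hash": _hash_code("OPEN-1234", _EVENT_SALT),
        "tunnel_mode": "split",         # only lab/corp prefixes go over the tunnel
        "attendee_auth": "guest",
    },
}


class EnrollError(Exception):
    pass


class Hub:
    def __init__(self):
        self._nonces = {}   # device_id -> (nonce, issued_at); each nonce is single use

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces[device_id] = (nonce, time.time())
        return nonce

    def enroll(self, device_id, nonce, mac, event_id, activation_code):
        # 1. Device identity: HMAC over the fresh nonce with the burned-in key.
        key = DEVICE_KEYS.get(device_id)
        if key is None or device_id in REVOKED:
            raise EnrollError("unknown or revoked device")
        issued = self._nonces.pop(device_id, None)      # pop => no replay
        if issued is None or not hmac.compare_digest(issued[0], nonce):
            raise EnrollError("bad or replayed nonce")
        if time.time() - issued[1] > 60:
            raise EnrollError("nonce expired")
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            raise EnrollError("device authentication failed")
        # 2. A person must be present: per-event activation code.
        event = EVENTS.get(event_id)
        if event is None:
            raise EnrollError("unknown event")
        if not hmac.compare_digest(_hash_code(activation_code, _EVENT_SALT),
                                   event["code_hash"]):
            raise EnrollError("activation code rejected")
        # 3. Only now hand back the profile the kit applies locally.
        return {
            "tunnel_mode": event["tunnel_mode"],
            "segments": {
                "attendee": {"vlan": 20, "auth": event["attendee_auth"], "reach": ["lab"]},
                "staff":    {"vlan": 10, "auth": "802.1x",              "reach": ["lab", "corp"]},
            },
        }


def device_sign(device_id: str, nonce: bytes) -> bytes:
    # On a real kit this key lives on the device only; the shared table is for the demo.
    return hmac.new(DEVICE_KEYS[device_id], nonce, hashlib.sha256).digest()


def checkin(hub: Hub, device_id: str, event_id: str, activation_code: str):
    """Full exchange from the kit's side: get a nonce, sign it, enroll."""
    nonce = hub.challenge(device_id)
    return hub.enroll(device_id, nonce, device_sign(device_id, nonce),
                      event_id, activation_code)


if __name__ == "__main__":
    hub = Hub()
    print(checkin(hub, "kit-001", "nda-seminar", "7F3K-QWER"))
```

A stolen kit fails twice over: without the activation code the hub refuses it even if the key is intact, and once it is listed in REVOKED the key no longer matters. Replaying a captured nonce/MAC pair also fails because the hub discards each nonce on first use.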



Fortinet has stuff that does this that is non-IT friendly.

Another option is Checkpoint Edge devices.
We use them worldwide with little to no problems.
They're centrally managed and support central logging which is a plus when trying to diagnose issues.
They support dynamic IP addresses as well, so just plug it in and you should be good to go.
Not the cheapest solution, but for sure they get the job done.


Lorenzo did a MUM presentation(
on how road warriors can connect with a MikroTik to automatically
configure VPN. Pretty novel idea using inexpensive hardware. It may not
be as user friendly as you need, though.

My biggest issue with Meraki is that their tech staff can run tcpdump on the wired or wireless interface of your Meraki box without having to leave their desk. I have no reason to believe that they are malicious, or in the pay of the NSA, but I am too paranoid to allow their equipment anywhere near me.

Yes, they work well and the cloud control panel makes remote support a breeze; you have to decide how you feel about the insecurity.


For several of our clients, we use Sophos UTMs coupled with their RED
units. Once registered with the UTM, the RED unit auto-creates an SSL
based VPN back to the UTM. The RED unit is managed from the UTM and pulls
its config when it boots. It's similar to the function of Meraki without
the direct cloud management portion, though the config profile does get
pushed to a section of Sophos' cloud.


I believe they fixed this -- when I've spoken to tech support recently, I had to give them a tech support key so that they could access the devices I had questions about.

Guys, thanks for all the responses. Thanks to everyone's feedback, we have a number of options that were not on the original list and that is what I was hoping for. Now it's a matter of comparing cost/learning-curve/support-challenge/compatibility with tools/monitoring, etc...
Thanks again.

My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.

You should not have to pay a yearly subscription fee to keep your in-house
802.11(abgn/ac) wifi access points operating. The very idea that the
equipment you purchased which worked flawlessly on day one will stop
working not because it's broken, or obsolete, but because your
*subscription* expired...

If you want wifi with a centralized controller there's lots of ways to do
it at either L2 (Unifi APs and Unifi controller reachable on the same LAN
segment as the Unifis, or with its own management vlan), or with Unifi APs
programmed to find a controller by hostname/IP address (L3).
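The L3 case in the reply above (APs finding a controller by hostname or IP) is usually done by resolving the name `unifi` in the AP's search domain or by handing out DHCP option 43 with vendor sub-option 1 carrying the controller's IPv4 address. The encoder/decoder below is an added example written for this page, not Ubiquiti's or MikroTik's code; it builds the option 43 bytes for a controller address and emits the dnsmasq and MikroTik RouterOS lines that carry them, and it decodes a value you have captured from a DHCP offer so you can confirm what a server is actually handing out. The controller address 192.168.1.10 is constructed for the example.

```python
import ipaddress


def unifi_option43(controller_ip: str) -> str:
    """DHCP option 43 value for UniFi L3 adoption.

    Layout: vendor sub-option 1 (controller address), length 4, four IPv4
    octets. Returned as colon-separated hex. Raises ValueError for anything
    that is not an IPv4 address (option 43 sub-option 1 is IPv4 only).
    """
    ip = ipaddress.IPv4Address(controller_ip)
    payload = bytes([1, 4]) + ip.packed
    return ":".join(f"{b:02x}" for b in payload)


def parse_option43(value: str) -> str:
    """Decode a captured option 43 value back to the controller address.

    Accepts '01:04:c0:a8:01:0a', '0104c0a8010a' or '0x0104c0a8010a'.
    Raises ValueError if sub-option 1 with a 4-byte address is not present.
    """
    hexstr = value.lower().removeprefix("0x").replace(":", "")
    raw = bytes.fromhex(hexstr)
    i = 0
    while i + 2 <= len(raw):            # walk TLV sub-options
        code, length = raw[i], raw[i + 1]
        data = raw[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option")
        if code == 1 and length == 4:
            return str(ipaddress.IPv4Address(data))
        i += 2 + length
    raise ValueError("no UniFi controller sub-option (code 1, len 4) found")


def dnsmasq_line(controller_ip: str) -> str:
    return f"dhcp-option=43,{unifi_option43(controller_ip)}"


def mikrotik_line(controller_ip: str) -> str:
    # RouterOS takes the raw option bytes as a 0x-prefixed hex string.
    raw = unifi_option43(controller_ip).replace(":", "")
    return f"/ip dhcp-server option add code=43 name=unifi value=0x{raw}"


if __name__ == "__main__":
    print(dnsmasq_line("192.168.1.10"))
    print(mikrotik_line("192.168.1.10"))
    print(parse_option43("01:04:c0:a8:01:0a"))
```

On a MikroTik the generated option still has to be attached to the DHCP network (`dhcp-option=unifi` on the `/ip dhcp-server network` entry). If the APs sit behind NAT or you cannot touch DHCP, the fallback is to SSH to each AP and run `set-inform http://<controller>:8080/inform` once, after which the controller pushes its own address.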

I treat Meraki like SmartNET. The subscription comes with lifetime support
(TAC + Warranty), you do have support on your production network gear don't
you? It's not like they trick you going into it either. I for one am a huge
fan of the simplicity, it just works.

Disclaimer: We use them. ~35 access points all around the world.

*Spencer Ryan* | Senior Systems Administrator |
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)

I'm sure most hardware makers would love to lock in a revenue stream of "keep me working" subscriptions if they could get away with it. From the company's perspective what's not to love about that kind of guaranteed revenue?

I often wonder if Microsoft will someday make Office365 the only way to get Office, which if you don't maintain a subscription your locally installed copy of Word will cease to function.


I live for that day.

Regards, K.

There is a downside to subscription pricing for the vendor: they don't get the instant cashflow they're used to. I know Cisco seems to be taking a tactic where only some product lines use subscriptions and the others are on a typical enterprise 3-5 year replacements cycle to provide Cisco with the large cash injections upon upgrade.


I have a feeling that most if not all of the requirements you have could be
achieved with a Cisco ISR router running some kind of FlexVPN/DMVPN setup
back to a network VPN hub. The ISR G3 series has the option of enabling a
built-in firewall/IPS. You'd need a RADIUS solution to authenticate the VPN
from the spoke router in the field to the hub and also for 802.1X port
authentication. Depending upon the number of ports you'd need, a
downstream switch may be needed (ISR4331 has optional 4-port PoE switch

That said, I think this would be a huge headache compared to what can be
done with Meraki. It would also involve a TON of R&D time (believe me).