Netgate Discussion Forum

    Need hardware for a Site to Site VPN

    Official Netgate® Hardware
    5 Posts 3 Posters 752 Views
    mUnChiE

      Have a business mission critical app that is currently running on 15 year old Cisco routers with T1s.

      I’m going to switch them over to a VPN site-to-site tunnel using pfSense. The main site, where the servers are, will have two 1G Internet circuits for redundancy. The two branch sites will eventually have two Internet circuits as well. Each branch will connect to the main site. The branches currently have single 100M circuits. I plan to use IPSec; any issues with that? Network traffic is mainly applications connecting to an Oracle DB.

      Any recommendations on which Netgate hardware I should go with? Needs to have dual WAN capabilities. Once running, I’ll import the config into a backup device that sits on a shelf in case of hardware failure. These devices will only run IPSec with wide open firewalls on LAN/VPN. There are other firewalls doing filtering.

      SteveITS Galactic Empire @mUnChiE

        @munchie A 6100 or maybe 8200:
        https://forum.netgate.com/topic/177442/netgate-6100-with-2gb-symmetric-connection

        If you’re going to have a backup, realize pfSense can do high availability with seamless cutover. Well except maybe not IPSec: https://docs.netgate.com/pfsense/en/latest/highavailability/ipsec.html
        But it will sync config and states in real time. Plus you can update the backup, then failover, update the primary, and fail back, without dropping connections.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        mUnChiE @SteveITS

          @steveits The HA function is nifty. But in my experience, a lightning strike or surge takes out my equipment, so I'd rather have one on a shelf as an emergency. An employee can easily swap it out.

          SteveITS Galactic Empire @mUnChiE

            @munchie said in Need hardware for a Site to Site VPN:

            @steveits The HA function is nifty. But in my experience, a lightning strike or surge takes out my equipment, so I'd rather have one on a shelf as an emergency. An employee can easily swap it out.

            All true. :) If someone's on site, I suppose...we have HA in our data center but always have some sort of spare for us/our clients. Just have to save config files religiously. We do after every change.


            stephenw10 Netgate Administrator

              If availability is more important to you than throughput, you might consider having something like a pair of always-up OpenVPN tunnels with one server on each WAN.
              Depending on how the connections are used, you could failover/load-balance the gateways or use some dynamic routing across them.

              You could do the same with route-based IPsec (VTI). Or WireGuard, for that matter.

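As an added illustration of the layout stephenw10 describes (not configuration from this thread, from Netgate, or from pfSense itself), here is what "a pair of always-up OpenVPN tunnels with one server on each WAN" looks like as raw OpenVPN configuration: two server instances at the main site, each bound to one WAN address, and two matching client instances at a branch, each pinned to its own WAN. Every address, port, subnet and file name below is an assumed placeholder (documentation ranges are used for public IPs); pfSense builds the same thing from the GUI, but the option names are OpenVPN's own.

```conf
# ---- Main site, server instance 1 (ovpn-wan1-server.conf) ----
local 198.51.100.10                  # bind to WAN1 public address (placeholder)
port 1194
proto udp4
dev tun
topology subnet
server 10.8.1.0 255.255.255.0        # tunnel 1 transit network (assumed)
push "route 192.168.10.0 255.255.255.0"   # main-site server LAN (assumed)
route 192.168.20.0 255.255.255.0     # branch LAN is reachable through this tunnel
client-config-dir ccd                # ccd/branch1 contains: iroute 192.168.20.0 255.255.255.0
tls-server
ca ca.crt
cert main.crt
key main.key
dh none                              # ECDHE only, no DH parameter file needed
tls-crypt tls.key                    # encrypts and authenticates the control channel
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
keepalive 10 60                      # ping every 10 s, restart after 60 s of silence
persist-key
persist-tun
verb 3

# ---- Main site, server instance 2 (ovpn-wan2-server.conf) ----
# Identical to instance 1 except for the three lines that differ:
#   local 203.0.113.10               # WAN2 public address (placeholder)
#   port 1195
#   server 10.8.2.0 255.255.255.0    # tunnel 2 transit network (assumed)
# (ccd/branch1 again carries the iroute for 192.168.20.0/24)

# ---- Branch, client instance 1 (ovpn-wan1-client.conf) ----
client
dev tun
proto udp4
remote 198.51.100.10 1194            # main site WAN1
local 192.0.2.10                     # bind to branch WAN1 so this tunnel always rides WAN1 (assumed)
resolv-retry infinite
ca ca.crt
cert branch1.crt
key branch1.key
tls-crypt tls.key
remote-cert-tls server               # refuse a server cert that lacks the server EKU
cipher AES-256-GCM
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- Branch, client instance 2 (ovpn-wan2-client.conf) ----
# Identical to client 1 except:
#   remote 203.0.113.10 1195         # main site WAN2
#   local 192.0.2.11                 # branch WAN2 address (assumed)
```

With both tunnels established the branch has two paths to the main-site LAN, with next hops 10.8.1.1 and 10.8.2.1 in this example. In pfSense the usual next step is to assign each OpenVPN instance as an interface, define a gateway for each with a monitor IP on the far side of that tunnel, group the two gateways (different tiers for failover, the same tier for load balancing) and policy-route the Oracle traffic to the group; the alternative stephenw10 mentions is a dynamic routing protocol across both tunnels, which also keeps the main site's return route to 192.168.20.0/24 consistent when one tunnel drops.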
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.