Monday, December 31, 2018

Site-to-site fully redundant (2+ ISP & LTE) mesh

Currently we have about 80 active locations connected by IPSEC tunnels; we're in the process of migrating them all to IKEv2. However, some of them have relatively unreliable ISPs and therefore have multiple connections for failover, and many more are considering doing this; it seems to be a hot idea, especially after the CenturyLink outage.

IKEv2 does not support this, though in some cases we have found a workaround using dynamic SNAT and multiple VPN configurations. Another option would be route-based VPN meshing, though I worry about the complexity of maintaining that for 80+ locations.

Are there any better (simpler?) alternatives?

One that came to my mind would be to use WAN load balancing/failover, which seems to work fine, alongside something like a site-to-site OpenVPN tunnel. Less configuration, anyway. But I'm not sure if that would be more or less reliable than a full route-based VPN mesh.

Our main datacenter uses Cisco ASA on the edge, though we could also host whitebox software as an endpoint if needed, or get additional hardware. On the client side, they run either ASA, Fortigate, or SonicWall, though we would be open to requiring additional hardware for the use of multiple ISP links. The SonicWalls support add-in cards with 4G, which we'd like to experiment with as well. In any case, we'd want our endpoints to be redundant as well (the ASAs are in an HA cluster).
