Monday, October 14, 2019

How to terminate VPN tunnels for each client?

Hello guys!

We have a new product that will be hosted in our Datacenter. This product is installed on a Windows VM that will have to be joined to the customer AD for various interactions, which is why a site-to-site VPN has to be established for every client.

This is where it gets complicated for us: we've never had to set up dedicated tunnels over the internet for clients, and we are now faced with the overlapping IPs issue, both on the clients' LANs and on the VM IP addresses that will be chosen by the clients. It is impossible for our firewall to be the tunnel endpoint for every client without a logical segmentation (VRF, VDOMs, etc.).

The throughput flowing through the tunnel will be very minimal, a few Mbps (less than 3) at most for each client (50 are expected within a year).

Do you have a recommendation for a network design that could be implemented without the need for VRFs? We have enough public IPs to assign one per client if needed.

We could deploy a firewall VM per client which would terminate the tunnel. Is this a viable option? What model would you choose to be just a tunnel gateway with the low traffic expected?

If VRFs are the only option, what brand and models are you suggesting? Fortinet and their VDOMs seem to be an industry standard for service providers. What about Juniper SRX and their virtual routers? The price point seems way lower than Fortinet; is there a reason?

Thanks a lot for your help; I need some perspective here ;)
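To make the overlap problem concrete, here is an added example that is not from the post or any vendor: a Python sketch that flags colliding client LANs and carves each tunnel a unique translated prefix on the hosting side, which is the per-tunnel 1:1 NAT approach that lets one gateway terminate overlapping sites without VRFs. The client subnets, VM addresses and the 100.64.0.0/16 pool are constructed values.

```python
import ipaddress

# Constructed sample (assumed values, not from the post): three customers, two of
# which use the same RFC 1918 LAN and picked the same address for the hosted VM.
CLIENTS = {
    "client-a": {"lan": "10.0.0.0/24", "vm": "10.0.0.50"},
    "client-b": {"lan": "10.0.0.0/24", "vm": "10.0.0.50"},
    "client-c": {"lan": "192.168.10.0/24", "vm": "192.168.10.20"},
}

# Hosting-side pool carved out for per-tunnel NAT (assumed, not from the post).
NAT_POOL = "100.64.0.0/16"


def find_overlaps(clients):
    """Return pairs of client names whose LAN prefixes overlap.

    A single firewall without VRFs has one routing table, so two overlapping
    remote prefixes cannot both be routed into their own tunnel.
    """
    names = sorted(clients)
    overlaps = []
    for i, a in enumerate(names):
        net_a = ipaddress.ip_network(clients[a]["lan"])
        for b in names[i + 1:]:
            if net_a.overlaps(ipaddress.ip_network(clients[b]["lan"])):
                overlaps.append((a, b))
    return overlaps


def allocate_nat_prefixes(clients, pool):
    """Carve a unique prefix of each client's LAN size out of the pool prefix.

    Traffic from a client's tunnel is translated 1:1 into its assigned prefix,
    so the hosting side sees disjoint addresses even when the real LANs collide.
    Returns {client: (real_lan, translated_lan, translated_vm_address)}.
    """
    pool = ipaddress.ip_network(pool)
    assignments = {}
    cursor = int(pool.network_address)
    for name in sorted(clients):
        lan = ipaddress.ip_network(clients[name]["lan"])
        size = lan.num_addresses
        cursor = (cursor + size - 1) // size * size  # align to prefix size
        if cursor + size - 1 > int(pool.broadcast_address):
            raise ValueError(f"NAT pool exhausted while assigning {name}")
        translated = ipaddress.ip_network((cursor, lan.prefixlen))
        offset = int(ipaddress.ip_address(clients[name]["vm"])) - int(lan.network_address)
        assignments[name] = (str(lan), str(translated), str(ipaddress.ip_address(cursor + offset)))
        cursor += size
    return assignments
```

The VM's translated address is returned alongside the prefix because the same mapping has to be applied in the customer direction, whether the NAT lives on one gateway's per-tunnel policy or on a dedicated firewall VM per client.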
