Re: automated site to site vpn recommendations

2016-06-30 Thread Geoff Wolf AB3LS
I have a feeling that most if not all of the requirements you have could be
achieved with a Cisco ISR router running some kind of FlexVPN/DMVPN setup
back to a network VPN hub. The ISR G3 series has the option of enabling a
built in firewall/IPS. You'd need a RADIUS solution to authenticate the VPN
from the spoke router in the field to the hub and also for 802.1X port
authentication. Depending upon the number of ports you'd need, a
downstream switch may be needed (ISR4331 has optional 4-port PoE switch
module).
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/200031-Zero-Touch-Deployment-ZTD-of-VPN-Remot.html

That said, I think this would be a huge headache compared to what can be
done with Meraki. It would also involve a TON of R time (believe me).

On Wed, Jun 29, 2016 at 7:38 PM, Tim Raphael wrote:

> There is a downside to subscription pricing for the vendor: they don't get
> the instant cashflow they're used to. I know Cisco seems to be taking a
> tactic where only some product lines use subscriptions and the others are
> on a typical enterprise 3-5 year replacement cycle to provide Cisco with
> the large cash injections upon upgrade.
>
> Tim
>
> > On 30 Jun 2016, at 7:00 AM, Seth Mattinen  wrote:
> >
> >> On 6/29/16 15:33, Eric Kuhnke wrote:
> >> My biggest issue with Meraki is the fundamentally flawed business model,
> >> biased in favor of vendor lock in and endlessly recurring payments to
> the
> >> equipment vendor rather than the ISP or enterprise end user.
> >>
> >> You should not have to pay a yearly subscription fee to keep your
> in-house
> >> 802.11(abgn/ac) wifi access points operating. The very idea that the
> >> equipment you purchased which worked flawlessly on day one will stop
> >> working not because it's broken, or obsolete, but because your
> >> *subscription* expired...
> >
> >
> > I'm sure most hardware makers would love to lock in a revenue stream of
> "keep me working" subscriptions if they could get away with it. From the
> company's perspective what's not to love about that kind of guaranteed
> revenue?
> >
> > I often wonder if Microsoft will someday make Office365 the only way to
> get Office, which if you don't maintain a subscription your locally
> installed copy of Word will cease to function.
> >
> > ~Seth
>



-- 
Geoffrey Wolf


Re: automated site to site vpn recommendations

2016-06-29 Thread Tim Raphael
There is a downside to subscription pricing for the vendor: they don't get the 
instant cashflow they're used to. I know Cisco seems to be taking a tactic 
where only some product lines use subscriptions and the others are on a typical 
enterprise 3-5 year replacement cycle to provide Cisco with the large cash 
injections upon upgrade.

Tim 

> On 30 Jun 2016, at 7:00 AM, Seth Mattinen  wrote:
> 
>> On 6/29/16 15:33, Eric Kuhnke wrote:
>> My biggest issue with Meraki is the fundamentally flawed business model,
>> biased in favor of vendor lock in and endlessly recurring payments to the
>> equipment vendor rather than the ISP or enterprise end user.
>> 
>> You should not have to pay a yearly subscription fee to keep your in-house
>> 802.11(abgn/ac) wifi access points operating. The very idea that the
>> equipment you purchased which worked flawlessly on day one will stop
>> working not because it's broken, or obsolete, but because your
>> *subscription* expired...
> 
> 
> I'm sure most hardware makers would love to lock in a revenue stream of "keep 
> me working" subscriptions if they could get away with it. From the company's 
> perspective what's not to love about that kind of guaranteed revenue?
> 
> I often wonder if Microsoft will someday make Office365 the only way to get 
> Office, which if you don't maintain a subscription your locally installed 
> copy of Word will cease to function.
> 
> ~Seth


Re: automated site to site vpn recommendations

2016-06-29 Thread Karl Auer
On Wed, 2016-06-29 at 16:00 -0700, Seth Mattinen wrote:
> I often wonder if Microsoft will someday make Office365 the only way
> to get Office, which if you don't maintain a subscription your 
> locally installed copy of Word will cease to function.

I live for that day.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





Re: automated site to site vpn recommendations

2016-06-29 Thread Seth Mattinen

On 6/29/16 15:33, Eric Kuhnke wrote:

My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.

You should not have to pay a yearly subscription fee to keep your in-house
802.11(abgn/ac) wifi access points operating. The very idea that the
equipment you purchased which worked flawlessly on day one will stop
working not because it's broken, or obsolete, but because your
*subscription* expired...



I'm sure most hardware makers would love to lock in a revenue stream of 
"keep me working" subscriptions if they could get away with it. From the 
company's perspective what's not to love about that kind of guaranteed 
revenue?


I often wonder if Microsoft will someday make Office365 the only way to 
get Office, which if you don't maintain a subscription your locally 
installed copy of Word will cease to function.


~Seth


Re: automated site to site vpn recommendations

2016-06-29 Thread Spencer Ryan
I treat Meraki like SmartNET. The subscription comes with lifetime support
(TAC + Warranty), you do have support on your production network gear don't
you? It's not like they trick you going into it either. I for one am a huge
fan of the simplicity, it just works.

Disclaimer: We use them. ~35 access points all around the world.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Wed, Jun 29, 2016 at 6:33 PM, Eric Kuhnke  wrote:

> My biggest issue with Meraki is the fundamentally flawed business model,
> biased in favor of vendor lock in and endlessly recurring payments to the
> equipment vendor rather than the ISP or enterprise end user.
>
> You should not have to pay a yearly subscription fee to keep your in-house
> 802.11(abgn/ac) wifi access points operating. The very idea that the
> equipment you purchased which worked flawlessly on day one will stop
> working not because it's broken, or obsolete, but because your
> *subscription* expired...
>
> If you want wifi with a centralized controller there's lots of ways to do
> it at either L2 (Unifi APs and Unifi controller reachable on the same LAN
> segment as the Unifis, or with its own management vlan), or with Unifi APs
> programmed to find a controller by hostname/IP address (L3).
>
>
>
> On Wed, Jun 29, 2016 at 5:55 AM, Paul Nash  wrote:
>
> > My biggest issue with Meraki is that their tech staff can run tcpdump on
> > the wired or wireless interface of your Meraki box without having to
> leave
> > their desk.  I have no reason to believe that they are malicious, or in
> the
> > pay of the NSA, but I am too paranoid to allow their equipment anywhere
> > near me.
> >
> > Yes, they work well and the cloud control panel makes remote support a
> > breeze; you have to decide how you feel about the insecurity.
> >
> > paul
> >
> > > On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> > >
> > > I would second Meraki for the situation you describe. I don't feel that
> > > they are the most capable platform, they're expensive, and don't always
> > > present you with all the information you'd need for troubleshooting.
> > > However, the VPN offers great dynamic tunneling, instant-on
> performance,
> > > and are by far the simplest platform to offer a field person.  They're
> > also
> > > tenacious - I've had them connect to the cloud management platform and
> > > build a VPN under some trying circumstances.
> > >
> > > From a security standpoint, they will offer features that will impress
> > for
> > > the price (Sourcefire, inability to use if stolen, 802.1x, and remote
> VPN
> > > tunnel control), and we've found they punch above their weight and
> their
> > > APs perform fantastically.
> > >
> > > We deploy them worldwide many times per year in similar use cases,
> > > sometimes with 150 users on the LAN. If your routing is simple, you can
> > > define your security policies, and don't need crazy throughput on your
> > VPN,
> > > Meraki is the way to go.  Be careful though: they have to be
> continually
> > > licensed to work and can get pretty expensive if you go for the higher
> > end
> > > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > > accomplish our goals.
> > >
> > > Dan
> > >
> > > (end)
> > > On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> > >
> > >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > >>> In some cases...
> > >>
> > >> The words "in some cases" are a problem with any supposedly plug and
> > >> play solution.
> > >>
> > >>> We really could use a simple solution that you
> > >>> just flip on, it calls home, and works...
> > >>
> > >> ...but still requiring someone to enter credentials of some sort,
> > >> right? Otherwise you have a device wandering about that provides look
> > >> -mum-no-hands access to your corporate network.
> > >>
> > >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet,
> USB
> > >> for a wireless dongle or storage, and has a highly-scriptable
> operating
> > >> system. Not a bad platform.
> > >>
> > >> Regards, K.
> > >>
> > >> --
> > >>
> ~~~
> > >> Karl Auer (ka...@biplane.com.au)
> > >> http://www.biplane.com.au/kauer
> > >> http://twitter.com/kauer389
> > >>
> > >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> > >>
> > >>
> > >>
> > >>
> >
> >
>


Re: automated site to site vpn recommendations

2016-06-29 Thread Eric Kuhnke
My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.

You should not have to pay a yearly subscription fee to keep your in-house
802.11(abgn/ac) wifi access points operating. The very idea that the
equipment you purchased which worked flawlessly on day one will stop
working not because it's broken, or obsolete, but because your
*subscription* expired...

If you want wifi with a centralized controller there's lots of ways to do
it at either L2 (Unifi APs and Unifi controller reachable on the same LAN
segment as the Unifis, or with its own management vlan), or with Unifi APs
programmed to find a controller by hostname/IP address (L3).



On Wed, Jun 29, 2016 at 5:55 AM, Paul Nash  wrote:

> My biggest issue with Meraki is that their tech staff can run tcpdump on
> the wired or wireless interface of your Meraki box without having to leave
> their desk.  I have no reason to believe that they are malicious, or in the
> pay of the NSA, but I am too paranoid to allow their equipment anywhere
> near me.
>
> Yes, they work well and the cloud control panel makes remote support a
> breeze; you have to decide how you feel about the insecurity.
>
> paul
>
> > On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> >
> > I would second Meraki for the situation you describe. I don't feel that
> > they are the most capable platform, they're expensive, and don't always
> > present you with all the information you'd need for troubleshooting.
> > However, the VPN offers great dynamic tunneling, instant-on performance,
> > and are by far the simplest platform to offer a field person.  They're
> also
> > tenacious - I've had them connect to the cloud management platform and
> > build a VPN under some trying circumstances.
> >
> > From a security standpoint, they will offer features that will impress
> for
> > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > tunnel control), and we've found they punch above their weight and their
> > APs perform fantastically.
> >
> > We deploy them worldwide many times per year in similar use cases,
> > sometimes with 150 users on the LAN. If your routing is simple, you can
> > define your security policies, and don't need crazy throughput on your
> VPN,
> > Meraki is the way to go.  Be careful though: they have to be continually
> > licensed to work and can get pretty expensive if you go for the higher
> end
> > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > accomplish our goals.
> >
> > Dan
> >
> > (end)
> > On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> >
> >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> >>> In some cases...
> >>
> >> The words "in some cases" are a problem with any supposedly plug and
> >> play solution.
> >>
> >>> We really could use a simple solution that you
> >>> just flip on, it calls home, and works...
> >>
> >> ...but still requiring someone to enter credentials of some sort,
> >> right? Otherwise you have a device wandering about that provides look
> >> -mum-no-hands access to your corporate network.
> >>
> >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> >> for a wireless dongle or storage, and has a highly-scriptable operating
> >> system. Not a bad platform.
> >>
> >> Regards, K.
> >>
> >> --
> >> ~~~
> >> Karl Auer (ka...@biplane.com.au)
> >> http://www.biplane.com.au/kauer
> >> http://twitter.com/kauer389
> >>
> >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> >>
> >>
> >>
> >>
>
>


Re: automated site to site vpn recommendations

2016-06-29 Thread Greg Sowell
Lorenzo did a MUM presentation(https://www.youtube.com/watch?v=VeZetH9uX_Y)
on how road warriors can connect with a Mikrotik to automatically
configure VPN.  Pretty novel idea using inexpensive hardware.  It may not
be as user friendly as you need, though.

On Tue, Jun 28, 2016 at 11:21 AM, Richard Greasley <greas...@superfund.net> wrote:

> Another option is Checkpoint Edge devices.
> We use them worldwide with little to no problems.
> They're centrally managed and support central logging which is a plus when
> trying to diagnose issues.
> They support dynamic IP addresses as well, so just plug it in and you
> should be good to go.
> Not the cheapest solution, but for sure they get the job done.
>
> Regards,
> Richard.
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Dan Stralka
> Sent: Monday, June 27, 2016 6:28 PM
> To: Karl Auer
> Cc: nanog@nanog.org
> Subject: Re: automated site to site vpn recommendations
>
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present you with all the information you'd need for troubleshooting.
> However, the VPN offers great dynamic tunneling, instant-on performance,
> and are by far the simplest platform to offer a field person.  They're also
> tenacious - I've had them connect to the cloud management platform and
> build a VPN under some trying circumstances.
>
> From a security standpoint, they will offer features that will impress for
> the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> tunnel control), and we've found they punch above their weight and their
> APs perform fantastically.
>
> We deploy them worldwide many times per year in similar use cases,
> sometimes with 150 users on the LAN. If your routing is simple, you can
> define your security policies, and don't need crazy throughput on your VPN,
> Meraki is the way to go.  Be careful though: they have to be continually
> licensed to work and can get pretty expensive if you go for the higher end
> gear.  Thus far, we've been able to stick to the cheaper stuff and
> accomplish our goals.
>
> Dan
>
> (end)
> On Jun 27, 2016 6:01 PM, "Karl Auer" <ka...@biplane.com.au> wrote:
>
> > On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > > In some cases...
> >
> > The words "in some cases" are a problem with any supposedly plug and
> > play solution.
> >
> > > We really could use a simple solution that you
> > > just flip on, it calls home, and works...
> >
> > ...but still requiring someone to enter credentials of some sort,
> > right? Otherwise you have a device wandering about that provides look
> > -mum-no-hands access to your corporate network.
> >
> > MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> > for a wireless dongle or storage, and has a highly-scriptable operating
> > system. Not a bad platform.
> >
> > Regards, K.
> >
> > --
> > ~~~
> > Karl Auer (ka...@biplane.com.au)
> > http://www.biplane.com.au/kauer
> > http://twitter.com/kauer389
> >
> > GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>
>
>
>


-- 

GregSowell.com
TheBrothersWISP.com


RE: automated site to site vpn recommendations

2016-06-29 Thread c b
Guys, thanks for all the responses. Thanks to everyone's feedback, we have a 
number of options that were not on the original list and that is what I was 
hoping for. Now it's a matter of comparing 
cost/learning-curve/support-challenge/compatibility with tools/monitoring, 
etc...
Thanks again.

> From: r...@tehorange.com
> Date: Wed, 29 Jun 2016 09:03:06 -0400
> Subject: Re: automated site to site vpn recommendations
> To: p...@nashnetworks.ca
> CC: nanog@nanog.org
> 
> For several of our clients, we use Sophos UTMs coupled with their RED
> units.  Once registered with the UTM, the RED unit auto creates an SSL
> based VPN back to the UTM.  The RED unit is managed from the UTM and pulls
> its config when it boots. It's similar to the function of Meraki without
> the direct cloud management portion, though the config profile does get
> pushed to a section of Sophos' cloud.
> 
> -Rich
> 
> On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash <p...@nashnetworks.ca> wrote:
> 
> > My biggest issue with Meraki is that their tech staff can run tcpdump on
> > the wired or wireless interface of your Meraki box without having to leave
> > their desk.  I have no reason to believe that they are malicious, or in the
> > pay of the NSA, but I am too paranoid to allow their equipment anywhere
> > near me.
> >
> > Yes, they work well and the cloud control panel makes remote support a
> > breeze; you have to decide how you feel about the insecurity.
> >
> > paul
> >
> > > On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyelt...@gmail.com> wrote:
> > >
> > > I would second Meraki for the situation you describe. I don't feel that
> > > they are the most capable platform, they're expensive, and don't always
> > > present you with all the information you'd need for troubleshooting.
> > > However, the VPN offers great dynamic tunneling, instant-on performance,
> > > and are by far the simplest platform to offer a field person.  They're
> > also
> > > tenacious - I've had them connect to the cloud management platform and
> > > build a VPN under some trying circumstances.
> > >
> > > From a security standpoint, they will offer features that will impress
> > for
> > > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > > tunnel control), and we've found they punch above their weight and their
> > > APs perform fantastically.
> > >
> > > We deploy them worldwide many times per year in similar use cases,
> > > sometimes with 150 users on the LAN. If your routing is simple, you can
> > > define your security policies, and don't need crazy throughput on your
> > VPN,
> > > Meraki is the way to go.  Be careful though: they have to be continually
> > > licensed to work and can get pretty expensive if you go for the higher
> > end
> > > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > > accomplish our goals.
> > >
> > > Dan
> > >
> > > (end)
> > > On Jun 27, 2016 6:01 PM, "Karl Auer" <ka...@biplane.com.au> wrote:
> > >
> > >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > >>> In some cases...
> > >>
> > >> The words "in some cases" are a problem with any supposedly plug and
> > >> play solution.
> > >>
> > >>> We really could use a simple solution that you
> > >>> just flip on, it calls home, and works...
> > >>
> > >> ...but still requiring someone to enter credentials of some sort,
> > >> right? Otherwise you have a device wandering about that provides look
> > >> -mum-no-hands access to your corporate network.
> > >>
> > >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> > >> for a wireless dongle or storage, and has a highly-scriptable operating
> > >> system. Not a bad platform.
> > >>
> > >> Regards, K.
> > >>
> > >> --
> > >> ~~~
> > >> Karl Auer (ka...@biplane.com.au)
> > >> http://www.biplane.com.au/kauer
> > >> http://twitter.com/kauer389
> > >>
> > >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> > >>
> > >>
> > >>
> > >>
> >
> >
  

Re: automated site to site vpn recommendations

2016-06-29 Thread Rich Testani
For several of our clients, we use Sophos UTMs coupled with their RED
units.  Once registered with the UTM, the RED unit auto creates an SSL
based VPN back to the UTM.  The RED unit is managed from the UTM and pulls
its config when it boots. It's similar to the function of Meraki without
the direct cloud management portion, though the config profile does get
pushed to a section of Sophos' cloud.

-Rich

On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash  wrote:

> My biggest issue with Meraki is that their tech staff can run tcpdump on
> the wired or wireless interface of your Meraki box without having to leave
> their desk.  I have no reason to believe that they are malicious, or in the
> pay of the NSA, but I am too paranoid to allow their equipment anywhere
> near me.
>
> Yes, they work well and the cloud control panel makes remote support a
> breeze; you have to decide how you feel about the insecurity.
>
> paul
>
> > On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> >
> > I would second Meraki for the situation you describe. I don't feel that
> > they are the most capable platform, they're expensive, and don't always
> > present you with all the information you'd need for troubleshooting.
> > However, the VPN offers great dynamic tunneling, instant-on performance,
> > and are by far the simplest platform to offer a field person.  They're
> also
> > tenacious - I've had them connect to the cloud management platform and
> > build a VPN under some trying circumstances.
> >
> > From a security standpoint, they will offer features that will impress
> for
> > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > tunnel control), and we've found they punch above their weight and their
> > APs perform fantastically.
> >
> > We deploy them worldwide many times per year in similar use cases,
> > sometimes with 150 users on the LAN. If your routing is simple, you can
> > define your security policies, and don't need crazy throughput on your
> VPN,
> > Meraki is the way to go.  Be careful though: they have to be continually
> > licensed to work and can get pretty expensive if you go for the higher
> end
> > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > accomplish our goals.
> >
> > Dan
> >
> > (end)
> > On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> >
> >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> >>> In some cases...
> >>
> >> The words "in some cases" are a problem with any supposedly plug and
> >> play solution.
> >>
> >>> We really could use a simple solution that you
> >>> just flip on, it calls home, and works...
> >>
> >> ...but still requiring someone to enter credentials of some sort,
> >> right? Otherwise you have a device wandering about that provides look
> >> -mum-no-hands access to your corporate network.
> >>
> >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> >> for a wireless dongle or storage, and has a highly-scriptable operating
> >> system. Not a bad platform.
> >>
> >> Regards, K.
> >>
> >> --
> >> ~~~
> >> Karl Auer (ka...@biplane.com.au)
> >> http://www.biplane.com.au/kauer
> >> http://twitter.com/kauer389
> >>
> >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> >>
> >>
> >>
> >>
>
>


Re: automated site to site vpn recommendations

2016-06-29 Thread Shawn L

I believe they fixed this -- when I've spoken to tech support recently, I had 
to give them a tech support key so that they could access the devices I had 
questions about.
 


-Original Message-
From: "Paul Nash" <p...@nashnetworks.ca>
Sent: Wednesday, June 29, 2016 8:55am
To: "Untitled 3" <nanog@nanog.org>
Subject: Re: automated site to site vpn recommendations



My biggest issue with Meraki is that their tech staff can run tcpdump on the 
wired or wireless interface of your Meraki box without having to leave their 
desk. I have no reason to believe that they are malicious, or in the pay of the 
NSA, but I am too paranoid to allow their equipment anywhere near me.

Yes, they work well and the cloud control panel makes remote support a breeze; 
you have to decide how you feel about the insecurity.

 paul

> On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyelt...@gmail.com> wrote:
> 
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present you with all the information you'd need for troubleshooting.
> However, the VPN offers great dynamic tunneling, instant-on performance,
> and are by far the simplest platform to offer a field person. They're also
> tenacious - I've had them connect to the cloud management platform and
> build a VPN under some trying circumstances.
> 
> From a security standpoint, they will offer features that will impress for
> the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> tunnel control), and we've found they punch above their weight and their
> APs perform fantastically.
> 
> We deploy them worldwide many times per year in similar use cases,
> sometimes with 150 users on the LAN. If your routing is simple, you can
> define your security policies, and don't need crazy throughput on your VPN,
> Meraki is the way to go. Be careful though: they have to be continually
> licensed to work and can get pretty expensive if you go for the higher end
> gear. Thus far, we've been able to stick to the cheaper stuff and
> accomplish our goals.
> 
> Dan
> 
> (end)
> On Jun 27, 2016 6:01 PM, "Karl Auer" <ka...@biplane.com.au> wrote:
> 
>> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
>>> In some cases...
>> 
>> The words "in some cases" are a problem with any supposedly plug and
>> play solution.
>> 
>>> We really could use a simple solution that you
>>> just flip on, it calls home, and works...
>> 
>> ...but still requiring someone to enter credentials of some sort,
>> right? Otherwise you have a device wandering about that provides look
>> -mum-no-hands access to your corporate network.
>> 
>> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
>> for a wireless dongle or storage, and has a highly-scriptable operating
>> system. Not a bad platform.
>> 
>> Regards, K.
>> 
>> --
>> ~~~
>> Karl Auer (ka...@biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>> 
>> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>> 
>> 
>> 
>> 




Re: automated site to site vpn recommendations

2016-06-29 Thread Paul Nash
My biggest issue with Meraki is that their tech staff can run tcpdump on the 
wired or wireless interface of your Meraki box without having to leave their 
desk.  I have no reason to believe that they are malicious, or in the pay of 
the NSA, but I am too paranoid to allow their equipment anywhere near me.

Yes, they work well and the cloud control panel makes remote support a breeze; 
you have to decide how you feel about the insecurity.

paul

> On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> 
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present you with all the information you'd need for troubleshooting.
> However, the VPN offers great dynamic tunneling, instant-on performance,
> and are by far the simplest platform to offer a field person.  They're also
> tenacious - I've had them connect to the cloud management platform and
> build a VPN under some trying circumstances.
> 
> From a security standpoint, they will offer features that will impress for
> the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> tunnel control), and we've found they punch above their weight and their
> APs perform fantastically.
> 
> We deploy them worldwide many times per year in similar use cases,
> sometimes with 150 users on the LAN. If your routing is simple, you can
> define your security policies, and don't need crazy throughput on your VPN,
> Meraki is the way to go.  Be careful though: they have to be continually
> licensed to work and can get pretty expensive if you go for the higher end
> gear.  Thus far, we've been able to stick to the cheaper stuff and
> accomplish our goals.
> 
> Dan
> 
> (end)
> On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> 
>> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
>>> In some cases...
>> 
>> The words "in some cases" are a problem with any supposedly plug and
>> play solution.
>> 
>>> We really could use a simple solution that you
>>> just flip on, it calls home, and works...
>> 
>> ...but still requiring someone to enter credentials of some sort,
>> right? Otherwise you have a device wandering about that provides look
>> -mum-no-hands access to your corporate network.
>> 
>> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
>> for a wireless dongle or storage, and has a highly-scriptable operating
>> system. Not a bad platform.
>> 
>> Regards, K.
>> 
>> --
>> ~~~
>> Karl Auer (ka...@biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>> 
>> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>> 
>> 
>> 
>> 





RE: automated site to site vpn recommendations

2016-06-28 Thread Richard Greasley
Another option is Checkpoint Edge devices.
We use them worldwide with little to no problems.
They're centrally managed and support central logging which is a plus when 
trying to diagnose issues.
They support dynamic IP addresses as well, so just plug it in and you should be 
good to go.
Not the cheapest solution, but for sure they get the job done.

Regards,
Richard.


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Dan Stralka
Sent: Monday, June 27, 2016 6:28 PM
To: Karl Auer
Cc: nanog@nanog.org
Subject: Re: automated site to site vpn recommendations

I would second Meraki for the situation you describe. I don't feel that
they are the most capable platform, they're expensive, and don't always
present you with all the information you'd need for troubleshooting.
However, the VPN offers great dynamic tunneling, instant-on performance,
and are by far the simplest platform to offer a field person.  They're also
tenacious - I've had them connect to the cloud management platform and
build a VPN under some trying circumstances.

From a security standpoint, they will offer features that will impress for
the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
tunnel control), and we've found they punch above their weight and their
APs perform fantastically.

We deploy them worldwide many times per year in similar use cases,
sometimes with 150 users on the LAN. If your routing is simple, you can
define your security policies, and don't need crazy throughput on your VPN,
Meraki is the way to go.  Be careful though: they have to be continually
licensed to work and can get pretty expensive if you go for the higher end
gear.  Thus far, we've been able to stick to the cheaper stuff and
accomplish our goals.

Dan

On Jun 27, 2016 6:01 PM, "Karl Auer" <ka...@biplane.com.au> wrote:

> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > In some cases...
>
> The words "in some cases" are a problem with any supposedly plug and
> play solution.
>
> > We really could use a simple solution that you
> > just flip on, it calls home, and works...
>
> ...but still requiring someone to enter credentials of some sort,
> right? Otherwise you have a device wandering about that provides look
> -mum-no-hands access to your corporate network.
>
> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> for a wireless dongle or storage, and has a highly-scriptable operating
> system. Not a bad platform.
>
> Regards, K.
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





Re: automated site to site vpn recommendations

2016-06-28 Thread Dan Stralka
I would second Meraki for the situation you describe. I don't feel that
they are the most capable platform, they're expensive, and don't always
present you with all the information you'd need for troubleshooting.
However, the VPN offers great dynamic tunneling, instant-on performance,
and are by far the simplest platform to offer a field person.  They're also
tenacious - I've had them connect to the cloud management platform and
build a VPN under some trying circumstances.

From a security standpoint, they will offer features that will impress for
the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
tunnel control), and we've found they punch above their weight and their
APs perform fantastically.

We deploy them worldwide many times per year in similar use cases,
sometimes with 150 users on the LAN. If your routing is simple, you can
define your security policies, and don't need crazy throughput on your VPN,
Meraki is the way to go.  Be careful though: they have to be continually
licensed to work and can get pretty expensive if you go for the higher end
gear.  Thus far, we've been able to stick to the cheaper stuff and
accomplish our goals.

Dan

On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:

> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > In some cases...
>
> The words "in some cases" are a problem with any supposedly plug and
> play solution.
>
> > We really could use a simple solution that you
> > just flip on, it calls home, and works...
>
> ...but still requiring someone to enter credentials of some sort,
> right? Otherwise you have a device wandering about that provides look
> -mum-no-hands access to your corporate network.
>
> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> for a wireless dongle or storage, and has a highly-scriptable operating
> system. Not a bad platform.
>
> Regards, K.
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4


Re: automated site to site vpn recommendations

2016-06-27 Thread Mikeal Clark
Fortinet has stuff that does this that is non-IT friendly.

On Mon, Jun 27, 2016 at 4:59 PM, Karl Auer  wrote:

> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > In some cases...
>
> The words "in some cases" are a problem with any supposedly plug and
> play solution.
>
> > We really could use a simple solution that you
> > just flip on, it calls home, and works...
>
> ...but still requiring someone to enter credentials of some sort,
> right? Otherwise you have a device wandering about that provides look
> -mum-no-hands access to your corporate network.
>
> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> for a wireless dongle or storage, and has a highly-scriptable operating
> system. Not a bad platform.
>
> Regards, K.
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4


Re: automated site to site vpn recommendations

2016-06-27 Thread Karl Auer
On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> In some cases...

The words "in some cases" are a problem with any supposedly plug and
play solution.

> We really could use a simple solution that you
> just flip on, it calls home, and works...

...but still requiring someone to enter credentials of some sort,
right? Otherwise you have a device wandering about that provides look
-mum-no-hands access to your corporate network.

MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
for a wireless dongle or storage, and has a highly-scriptable operating
system. Not a bad platform.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





RE: automated site to site vpn recommendations

2016-06-27 Thread Shawn L

We use the Meraki series -- MX @ the main office, and Z1 for the remote, or 
just 2 Z1 units if it's a small network and they work great.  
 
We've even gone so far as to utilize Avaya ip phones over the link so the 
teleworker's extension works wherever they are.  I have to say, compared to a 
PIX or ASA, etc. they are about the simplest VPN setup you'll ever come across. 
 We've even had cases where the Z1 was behind a fairly restrictive NAT, and it 
was able to establish a session and work great. 
 
Definitely not the cheapest, but if you can get by with just a couple of Z1s 
the cost isn't too bad.

Shawn
 
 
-Original Message-
From: "c b" <bz_siege...@hotmail.com>
Sent: Monday, June 27, 2016 4:08pm
To: "nanog@nanog.org" <nanog@nanog.org>
Subject: automated site to site vpn recommendations



Situation: We have salespeople/engineers holding temporary
seminars/training/demonstrations in hotel meeting rooms.

Requirements:
Field people need a very plug-n-play, simple, reliable VPN back to corporate
offices to present videos/slides/demonstrations. The materials are not
accessible via the internet directly; they are in a contained environment at
corporate HQ locations but not necessarily on the corp network. The solution
should be able to provide wireless to attendees. In some cases, guest login
will be fine, but in some cases the attendees will have registered and
provided login creds prior to the event, and these creds will need to be
checked before providing access. The solution should have the option to split
tunnel internet traffic out, but in some cases they need all traffic tunneled
and internet will be via our corporate offices (NDA/legal, don't ask, it's
just a requirement provided).

Nice-to-have:
Field person should be able to not only access the presentation materials (in
their contained network) but also the corporate network. Some early attempts
required a user-VPN connection by the field person over the S2S VPN, but it
made it clunky to switch back and forth. This isn't mandatory, but it would be
nice to provide one solution providing dual-level access: restricted to
attendees, less-restricted to field people.

Tried this in the past with basic router/switch/wireless and captive portals
because we had some inventory available... it was workable but not quick or
easy. We really could use a simple solution that you just flip on, it calls
home, and works... or as close to that as possible.

Have been looking at Meraki and a couple other low-touch solutions and they may
do the trick, but we are hoping there are lower cost options that people have
used successfully? We don't mind dealing with some off brands and even some
custom coding (within reason) as long as the end result is a low-touch,
reliable solution.

Thanks in advance.


automated site to site vpn recommendations

2016-06-27 Thread c b
Situation: We have salespeople/engineers holding temporary
seminars/training/demonstrations in hotel meeting rooms.

Requirements:
Field people need a very plug-n-play, simple, reliable VPN back to corporate
offices to present videos/slides/demonstrations. The materials are not
accessible via the internet directly; they are in a contained environment at
corporate HQ locations but not necessarily on the corp network. The solution
should be able to provide wireless to attendees. In some cases, guest login
will be fine, but in some cases the attendees will have registered and
provided login creds prior to the event, and these creds will need to be
checked before providing access. The solution should have the option to split
tunnel internet traffic out, but in some cases they need all traffic tunneled
and internet will be via our corporate offices (NDA/legal, don't ask, it's
just a requirement provided).

Nice-to-have:
Field person should be able to not only access the presentation materials (in
their contained network) but also the corporate network. Some early attempts
required a user-VPN connection by the field person over the S2S VPN, but it
made it clunky to switch back and forth. This isn't mandatory, but it would be
nice to provide one solution providing dual-level access: restricted to
attendees, less-restricted to field people.

Tried this in the past with basic router/switch/wireless and captive portals
because we had some inventory available... it was workable but not quick or
easy. We really could use a simple solution that you just flip on, it calls
home, and works... or as close to that as possible.

Have been looking at Meraki and a couple other low-touch solutions and they may
do the trick, but we are hoping there are lower cost options that people have
used successfully? We don't mind dealing with some off brands and even some
custom coding (within reason) as long as the end result is a low-touch,
reliable solution.

Thanks in advance.