Cheap VPN for office use - Page 2

Harder to setup I guess...

On WatchGuards, the SSL VPN is more for use as a browser based VPN.

Where as IPSec is for actually connecting to and using resources on the remote network, as well as tunneling all your traffic (assuming you set the flag to force all traffic through the tunnel).

IPSec is the way to go IMO, just an FYI too. If you are running any web servers on the NAT of the source LAN and want to access the sites via the IPSec client, there is a bug, WatchGuard confirmed it to me. I'll tell you if you want how to fix it.

Our company also has/had a Watchguard firewall and I used thier VPN for a while. It was not great. Our current solution is a Cisco ASA 5505. It is a cost effective solution for a small number of VPN clients. The Cisco AnyConnect software (SSL) works great and is easy to configure and use. We are much happier with it than the watchguard solution.

Both are good firewalls / UTM's.

IPSec is typically utilized for site-site VPN's utilizing either IKEv1/isakmp or IKEv2 which utilize pre-shared keys. SSL VPN is usually the preferred for remote access into a network.

As for the ASA5505 with the security license will only cost about $1000 for the unit ~$100 for the SmartNet contract, and requires a separate contract for Content Filtering via IronPort filtering. Depending on the number of concurrent connections hitting your web servers may not be the best solution for you need and would recommend either the 5510. IPS for the 5500 series requires a module and separate SmartNet contract. The 5500x series if I understand it correctly has IPS built into the device so there is no additional cost for the IPS module. The 5512x will cost around $2500 then ~$250 for the SmartNet. I will say that Anyconnect allows for greater flexibility and will also allow for 2 factor authentication if that is a requirement.

Most of what people on OCN will recommend will be OpenSource based products which is fine for some situations, however when you are running a business that requires Near Real-time fault tolerance this is not the way to go as support, HA and recovery is not usually an option.

Regardless your company needs to get some Engineering/Architecture support that will gather all of your requirements and design / implement an over-all solution that will satisfy all of your requirements.

Feel free to PM me if you wish and we can discuss further... have to run to a meeting now.

We actually use both a 5505 and 5510, they have thier duties split between them. The 5505 only handles VPN connections for our key people (3 atm). The 5510 handles more traditional firewall roles. Neither one came close to $25,000. The watchguard vpn software was a bit flakey when installing and did not keep its connection well. It also could not effectively utilize our 100Mbit fiber connection. We moved the watchgaurd to a secondary data center where the data transfer is less important.

The WatchGuard IPSec client software is dodgy, they actually don't even support it anymore.

They recommend you use the free and open source ShrewSoft VPN client instead.

http://www.shrew.net/download

If you're unfamiliar, it's a great tool. Compatible with the WG policies and all...

Hi, this is Deeh from the Cisco small business group. Based on what you just posted, I initially recommend the RV 110W for your VPN needs. You can check the details on this link http://www.cisco.com/en/US/products/ps11762/index.html By the way when do you plan to deploy?

Although this may be a viable solution this would require another device at the remote end for the IPSec functionality. The OP would be better suited with an ASA 5505 in order to utilize SSL VPN's. they could then set up the SSL VPN as either clientless or with AnyConnect.

IPSec is primarily setup for site-to-site VPN tunnels. http://www.cisco.com/en/US/prod/collateral/routers/ps10907/ps9923/data_sheet_c78-660141_ps9923_Products_Data_Sheet.html
IP Security (IPsec) Site-to-Site Tunneling and Point-to-Point Tunneling Protocol (PPTP) VPN support, providing highly secure remote access connectivity for Windows and Mac OS computers

Also if you are indeed from Cisco and are able to act as a rep for them on this site you should speak with a mod about getting put on the Vendor list or something.
Edited by bratas - 2/27/13 at 12:39pm