Download or buy an OPNsense appliance. https://opnsense.org/partners/
Handles IPsec, OpenVPN, tinc, ZeroTier, and WireGuard.
(sees negative vote) I’m not deleting this recommendation. I wasn’t paid to make it.
And if you don’t have the budget for Palo, Fortinet is my second favorite.
You know what… seriously going to consider it. The amount of love that the PAs get on here is pretty high. Any idea of how the cost is compared to the Cisco solutions?
One thing to watch out for is the limit on Security Zones on the smaller PA units. There’s a limit of 15, which may or may not be an issue depending upon the number of tunnels and how you like to structure rules.
You get my up vote. Been dealing with Palo for the last few years and it’s now all we use.
+1 for PA
We use the 850 at our main site and 220s for the satellites. I’ve had maybe 1 or 2 VPN issues in the past two years. On top of that, if you want to filter all traffic through the 850 you have an excellent application layer IDS/IPS.
Wouldn’t use Palo for a policy-based VPN. If he converts to route-based with Palos behind every site, then maybe, otherwise keep the ASA platform. I would never do cross-platform route-based VPNs. They’re just not reliable IME.
Are they better? My dealings with PA were the 200/500/3020s. 3020s were in the DC while the 200/500 were dedicated to remote offices. I will say that the 200/500s were dog slow when it came to committing any changes. I read it was due to the management plane being underspec’d. As much as I liked the PAs, dealing with the 200/500s was quite unbearable.
^^ Came here to say this, much love for the Palo Alto, they make it pretty damn easy.
+1 to the recommendation of a FortiGate. I do not know the model needed, check that with a local VAR.
They just work. We have multiple IPsec site-to-site VPN terminations on a FortiGate. Works perfectly, endpoints differ from Cisco, pfSense, FortiGate, MikroTik and several more.
The biggest hurdle as I think a lot of other people have is just getting the same settings on both ends when you only control your side.
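The mismatch problem above is mechanical enough to check before you open a ticket with the other side. The following is an added example, not code from the thread or from any of the vendors mentioned: it takes a vendor-neutral description of each end of a site-to-site IPsec tunnel and reports which parameters cannot be negotiated. The field names, the two site configurations and the RFC 5737 addresses are all constructed for the illustration; map them onto whatever your own boxes export.

```python
"""Added example (not from the thread): check whether two ends of a
site-to-site IPsec tunnel were configured with negotiable parameters.

The field names and both site configurations are constructed for the
example; they are vendor-neutral assumptions, not any appliance's syntax.
"""

# Parameters that must be identical on both peers, or the IKE SA / CHILD_SA
# negotiation fails outright (NO_PROPOSAL_CHOSEN, auth failure, ...).
MUST_MATCH = (
    "ike_version", "ike_encryption", "ike_integrity", "ike_dh_group",
    "esp_encryption", "esp_integrity", "esp_pfs_group", "psk",
)

# Lifetimes are not negotiated in IKEv2: a mismatch does not stop the tunnel
# from coming up, but the peer with the shorter timer rekeys first and some
# stacks log churn or drop a few packets at every rekey. Flag as a warning.
SOFT_MATCH = ("ike_lifetime_s", "esp_lifetime_s")


def compare_tunnel(local, remote):
    """Return a list of (severity, message) for a tunnel seen from `local`.

    severity is "error" (the tunnel will not negotiate) or "warn".
    An empty list means the two configurations are consistent.
    """
    issues = []
    for field in MUST_MATCH:
        if local[field] != remote[field]:
            shown_l, shown_r = local[field], remote[field]
            if field == "psk":  # never echo secrets into a report
                shown_l = shown_r = "<redacted>"
            issues.append(("error", f"{field} differs: local={shown_l} remote={shown_r}"))
    for field in SOFT_MATCH:
        if local[field] != remote[field]:
            issues.append(("warn", f"{field} differs: local={local[field]} remote={remote[field]}"))
    # Traffic selectors (the "policy" of a policy-based VPN) must MIRROR each
    # other, not be identical: my local subnets are the peer's remote subnets.
    if (local["local_subnets"] != remote["remote_subnets"]
            or local["remote_subnets"] != remote["local_subnets"]):
        issues.append(("error", "traffic selectors do not mirror: "
                       f"local {local['local_subnets']}->{local['remote_subnets']}, "
                       f"remote {remote['local_subnets']}->{remote['remote_subnets']}"))
    # Gateway addresses must mirror as well.
    if local["peer_ip"] != remote["my_ip"] or local["my_ip"] != remote["peer_ip"]:
        issues.append(("error", "peer/gateway addresses do not mirror"))
    return issues


# Constructed sample data using RFC 5737 documentation addresses.
SITE_A = {
    "my_ip": "198.51.100.10", "peer_ip": "203.0.113.20",
    "ike_version": 2, "ike_encryption": "aes256", "ike_integrity": "sha256",
    "ike_dh_group": 14, "ike_lifetime_s": 28800,
    "esp_encryption": "aes256", "esp_integrity": "sha256", "esp_pfs_group": 14,
    "esp_lifetime_s": 3600,
    "local_subnets": ("10.1.0.0/16",), "remote_subnets": ("10.2.0.0/16",),
    "psk": "example-only-not-a-real-secret",
}

# The far end as it should look: same crypto, mirrored addresses and subnets.
SITE_B_OK = dict(
    SITE_A,
    my_ip="203.0.113.20", peer_ip="198.51.100.10",
    local_subnets=("10.2.0.0/16",), remote_subnets=("10.1.0.0/16",),
)

# The far end as it often looks after "we used our standard template":
# different DH group, shorter ESP lifetime, an extra subnet nobody told us about.
SITE_B_BAD = dict(
    SITE_B_OK,
    ike_dh_group=19,
    esp_lifetime_s=1800,
    local_subnets=("10.2.0.0/16", "10.3.0.0/24"),
)

if __name__ == "__main__":
    for name, remote in (("good peer", SITE_B_OK), ("bad peer", SITE_B_BAD)):
        print(f"== {name} ==")
        for severity, message in compare_tunnel(SITE_A, remote) or [("ok", "consistent")]:
            print(f"  [{severity}] {message}")
```

The check deliberately treats traffic selectors as mirrored pairs rather than as equal sets; "both sides have the same subnets configured" is the single most common way a policy-based tunnel ends up with one direction working and the other not. The PSK is compared but never printed, so the report can be pasted into a ticket.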
I’ve used ASA’s as VPN termination for years. Damn reliable. Period. SSLVPN yes. DTLSVPN yes. Problems ------- no!
Not sure I’d like to go down the FTD track ever. Why monkey with the old ASA stability, with a step in reverse? Why not just run the ASA and FTD side by side (like ASA and CX), and just leave us folks alone who just want to ASA? After all the appliance is just a virtual server anyway.
I’ve done it with other products, but when you find something perfect you want to stay.
On Palo Alto, VPN’s are a little clunky to setup, but reliable.
On Fortigate, VPN’s are a breeze and reliable.
Out of the three, I’d rather have the ASA, as it does VPN’s really well.
I’m about to migrate our client-to-vpn tunnels from ASA to Fortigate and retire the 5525-X (due to monetary not technical decisions). I’m going to miss it.
I never really work with fortigate in full scale production environment. 1-2 unit here and there. I find it easy to configure and their cookbook is very well written. Would definitely use it again in the future.
JunOS is really not that confusing. If you are used to only doing things the Cisco way or whatever vendor… Then sure, but then you’d find any OS confusing as well. JunOS once you get used to it you’ll wonder where it’s been all your life.
I would also go for the SRX series.
Was wondering if anyone was going to suggest pfSense. I replaced my VPN concentrator with a pair of Netgate XU-1537s (official Xeon based pfSense appliances for anyone not familiar) running OpenVPN and they have been fantastic. IPsec may be marginally faster than OpenVPN in some scenarios but the OpenVPN’s flexibility and TCO makes it the easy champ for my needs.
ha… neat document. I wonder how one gets on that list. I imagine it doesn’t hurt if the manufacturer is based out of the EU.
Yeah… I can’t imagine they would be cheap… nice devices though… worth the penny
Yeah, I hear ya. Our VPN segment is a growing segment and I would like to take this opportunity to implement a solution that is scalable. I might even decide to move the VPN clients away from our “browsing” firewall as a termination point and move them over to whatever solution I choose. I don’t see an ISR being appropriate for this solution. In fact I mentioned the 5506-X and that looks to only be capable of around 10 site-to-site tunnels, so that won’t be an option either.
I have to agree here as well. If you need to toss a firewall in behind the router for stateful firewall rules.
Solid and reliable platform.
ROFLCOPTER - how much did Cisco pay you to say that?
Here is some mandatory read when it comes to “solid and reliable” and “cisco firepower” in the same sentence:
https://old.reddit.com/r/networking/comments/9363af/cisco_firepower_rant/
https://old.reddit.com/r/networking/comments/9vynr9/cisco_firepower_rant_ii/