It has been a common case for enterprises to implement a site-to-site VPN solution to connect its central office to remote offices. In some cases when leased line is the primary path between the two locations, site-to-site VPN can serve as a backup solution if primary path is to fail. Obviously, if you have to select the right site-to-site VPN solution today, there are lots of options out there with companies like Cisco and Juniper dominating that market.
In order to build the right and affordable solution – you should thoroughly analyze your requirements.
- Will you require a built-in redundancy and failover between your VPN tunnels?
- Will you require a statefull failover or can live with stateless failover?
- What is the VPN encryption throughput, bits/sec and packets/sec, you are planning to accommodate?
- Given encryption is a CPU intensive task, what other functions does your VPN device perform?
- Will you require the use of hardware based solutions to encrypt the traffic or will software based VPN do the job for you?
- Are you planning to run dynamic routing protocols over VPN?
- Can you leverage existing network infrastructure, such as Cisco Catalyst 6500 switches, to build your VPN solution?
Below are some industry standard best practices to build a reliable and resilient site-to-site VPN solution:
- Use 3DES or AES encryption algorithms to encrypt the data payload.
- If possible try to use hardware based encryption module to achieve better performance and scalability. Software based solution is going to be CPU bound at some point if your VPN throughput is to increase.
- For High Availability – implement an HSRP based failover
- Use pre-shared Key for VPN peer authentication, however if you are concerned about security – use digital certificates, as exchange of the shared key can be sniffed during the IPsec phase one.
- Other then the ACL to identify which traffic is to be encrypted, avoid having other ACLs on that interfaces.
- Use Reverse Route Injection (RRI) if you plan to implement redundant VPN solution. It makes failover seamless by injecting/withdrawing the network static route is remote peer is not accessible.
- Whatever vendor software you are using – make sure it supports IPsec VPN and is relatively bug-free.