Very solid advice here
This isn’t an enterprise solution.
Hard disagree. Ran a hub and spoke setup with 2500 tunnels. FortiGate's client access SSL-VPN implementation has had a number of vulnerabilities, but IPsec is rock solid. HA would failover all the tunnels with maybe a packet or two dropped. Their small 40F units can push 4Gb/s of IPsec; near line rate. Never ran into bugs with their IPsec over the 6 years I managed them.
While WireGuard can be used as a site-to-site VPN, the question was particularly asking for enterprise hardware.
This isn’t even close to an enterprise solution.
How do you think SD-WAN products tunnel traffic? They build a tunnel normally using IPsec if not OpenVPN and then throw some black box dynamic routing in the mix.
It's not magic. Everything SD-WAN does could be done by hand; the benefit they bring is ease of management. Don't be running around here saying it's the key to running the same underlying technology on lower spec hardware.
I feel like people that downvote you haven’t touched CP in years.
Brave of you to insult the darling of this subreddit.
They all have vulnerabilities
I guess you didn’t read the last line of his post.
Good for you. We went from one bug to the next with upgrades recommended by Forti TAC. It’s cheap crap.
I find that a strange response.
WatchGuard is indeed enterprise hardware.
It can do full tunneling via BOVPN-VI and custom routing.
I’m running the same with multiple sites, all on 1gig connections, and the throughput is full whack.
You can have zero-routing if required, VPN failover, mobile VPN with IKEv2. Plus, in the next release, full SAML 2FA with Entra if you didn't want to use their own service.
I've not mentioned WireGuard anywhere either.
Can you please explain why you think this product isn't in the enterprise category?
Works fine for my friend's bio-tech company. Definitely enterprise.
I'm sorry, but there are generally two main types of SD-WAN. IPsec based (which are the majority of firewall vendors), which need very expensive hardware due to the CPU requirements to achieve high-throughput IPsec, and then you have a handful of others including Velocloud, Viptela etc… who use their own proprietary tunnelling (like we do). Our tunnels do not suffer from out-of-order packet issues and are built using UDP with proprietary headers etc…
Yes, they build tunnels, but the ones I am referring to do NOT, again I say do NOT, use IPsec tunnels.
Our hardware options, as an example, are tested to 800Mbps throughput, and that is our smallest unit.
On a side note jeff_fan, I actually have a PDF I could send you which runs through why we built our own tunnel.
It covers why we chose not to use OpenVPN or BGP or MLPPP or GRE etc.
I'd be very happy to send it over to you just for interest's sake.
Eh, what can ye do. I have a 4 node cluster doing some very cool stuff, including some of the more layer 3 routing stuff usually handed off to a router.
Edit: definitely expensive, but it's absolutely quality stuff. If OP is home labbing, yeah, probably not. If OP is in business production, well worth a look.
There’s also the whole “it’s Israel tech”, which is fair, but you also can’t go wrong with Israeli IPS/IDS in a firewall if that’s what you need.
I also heard about it from a friend who is a sec researcher weeks before it was disclosed.
But, hey, if people want to use an unsafe networking stack, go right ahead I suppose.
I have to apologize to you. I see now that I misread your comment and was most likely the cause of you being downvoted. I mistook your recommendation for WatchGuard as a recommendation for WireGuard the VPN technology.
Until the SD cards fail at a bunch of remote sites.