Site to Site VPNs are a pain

We rarely set up a site to site VPN, but when we do it's always a pain. Tired of messing with our old Cisco ASAs at remote sites, and our ASA at headquarters… Creating a VPN tunnel either fails deployment on our new Firepower, or is a pain in the ass on our old 5516.

Is there a VM, or something we can set up as a VPN “concentrator” at the main office, either on our LAN or public facing, that we can bring various sites onto our LAN with minimal effort? We have a mix of remote sites that are Cisco devices, Cradlepoint, Ubiquiti…

Have not tinkered with OPNsense or pfSense… but open to it. Is WireGuard a replacement for this?

Setting up Site to Site VPNs is a pain… on ASAs

The ASA interface for VPNs sucks, that’s the real problem.

Tuning policies is a pain, you can’t see the passwords, rekeying or redoing policies requires you to erase and redo the tunnel config, anything beyond basic work requires the cmdline, the logs are vague, and the troubleshooter is shit.

On Fortinet, Sonicwall, and even Watchguard (or most other NGFWs for that matter) it’s considerably easier to manage.

I can do a tunnel on a Sonicwall in sub 2 minutes, comparable time for a Fortinet.

For Meraki Firewalls it’s literally a checkbox to turn it on and it will maintain VPN tunnels to all its partner units automagically.

ASAs are ancient, are they even in vendor support still? Why not move to a modern firewall?

Have not tinkered with OPNsense or pfSense… but open to it. Is WireGuard a replacement for this?

No, OPNsense and pfSense are router operating systems.

WireGuard is a tunnel protocol, like OpenVPN.

But yes, I’d do virtual pfSense on both sides, use WireGuard (it’s the fastest VPN protocol there is, less loss of bandwidth and super simple) to tunnel through.

Add a routing table to your ASA and done.
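An added example (not from this thread) of the hub-and-spoke WireGuard layout this reply describes: one concentrator at HQ with a peer per branch, using placeholder keys and assumed subnets (HQ LAN 10.0.0.0/16, tunnel net 10.255.0.0/24, branches 192.168.10.0/24 and 192.168.20.0/24). The point to notice is that `AllowedIPs` is both the route table and a per-peer source filter, so each branch can only send traffic from its own subnet.

```ini
# --- HQ concentrator: /etc/wireguard/wg0.conf (pfSense or any wg host) ---
# Assumed addressing: HQ LAN 10.0.0.0/16, tunnel net 10.255.0.0/24,
# branch A LAN 192.168.10.0/24, branch B LAN 192.168.20.0/24.
[Interface]
Address = 10.255.0.1/24
ListenPort = 51820
PrivateKey = <HQ_PRIVATE_KEY>            # placeholder, generated with `wg genkey`
# The hub must forward between branches and the LAN (not needed on pfSense,
# which forwards by default; set firewall rules on the wg interface instead).
PostUp = sysctl -w net.ipv4.ip_forward=1

# Branch A. AllowedIPs is both the route table (what is sent down this tunnel)
# and an ingress filter: packets from A with any other source address are
# dropped, so a compromised branch cannot spoof HQ or another branch.
[Peer]
PublicKey = <BRANCH_A_PUBLIC_KEY>        # placeholder
PresharedKey = <BRANCH_A_PSK>            # placeholder from `wg genpsk`; one per peer
AllowedIPs = 10.255.0.2/32, 192.168.10.0/24
# No Endpoint here: the branch dials in, so its WAN may be NATed or dynamic.

# Branch B (same pattern, its own keys and subnet).
[Peer]
PublicKey = <BRANCH_B_PUBLIC_KEY>        # placeholder
PresharedKey = <BRANCH_B_PSK>            # placeholder
AllowedIPs = 10.255.0.3/32, 192.168.20.0/24

# --- Branch A: /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.255.0.2/24
PrivateKey = <BRANCH_A_PRIVATE_KEY>      # placeholder

[Peer]
PublicKey = <HQ_PUBLIC_KEY>              # placeholder
PresharedKey = <BRANCH_A_PSK>            # placeholder, same value as on the hub
Endpoint = vpn.example.com:51820         # placeholder name for the HQ public IP
# Route the HQ LAN, the tunnel net and branch B via the hub (hub-and-spoke),
# so branches never need tunnels to each other.
AllowedIPs = 10.255.0.0/24, 10.0.0.0/16, 192.168.20.0/24
# Keeps the NAT mapping open so the hub can reach the branch at any time.
PersistentKeepalive = 25
```

The “routing table on your ASA” part is the piece people forget: whatever stays the LAN default gateway at HQ needs static routes for 10.255.0.0/24 and each branch subnet pointing at the hub’s LAN address, and each branch gateway needs the mirror image, or return traffic never enters the tunnel.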

Another vote for SonicWall S2S VPN.

Simple, and robust. Never had any issues with them.

VPNs on Firepower suck even more than ASAs. I can’t wait to replace our FPs with either Palo or Forti.

Think your problem is the mixed bag of devices on the remote side.

Yes, some sort of IPsec hero could make it all work together with ease, but most of us only have to touch the tech occasionally.

Pick a brand and stick with it would be my 2 cents here. Fortigate is cost effective with all the right features for this space.

I’d just tunnel the ports you need. Much safer than VPN. You can handle the “auth” however you want for that.

With regards to “being there”, a simple jump host can work. Access to that can again be “protected”. Just realize that there will be “work” if for some reason you need to “smoosh” everything as if it’s one big contiguous network. IMHO, change the way you work and you’ll be much more secure.

Our Sonicwalls make Site-to-site VPN like almost too easy…

With Untangle you can make IPsec, OpenVPN, and/or WireGuard site-to-site connections very easily.

I always just had a router with the crypto feature set behind the firewall, published via NAT

Few of our clients totally run on site-to-site VPN. We noticed that IKEv2 had issues, so we now run our S2S VPN on IKEv1.

We use Barracuda to NSX, and never have any issues.

I was just going to say this. You can crap on SonicWALL all you want, but their s2s VPN config is so simple compared to an ASA. I’ve set up a few dozen site-to-sites while I was running a SonicWALL and the other end was on an ASA, and it was always a chore getting configs to match.

Yea, gonna have to second you on this one.

Site to site VPNs aren’t hard. ASAs are the real source of the issue here.

Setting them up on the RV series is pretty easy too… Our firewall can get them set up on Palo Altos pretty quickly too… but his notes are pretty extensive.

For Meraki Firewalls it’s literally a checkbox to turn it on

Same for Unifi and Omada FW too.

For the FortiGates, you can also configure ADVPN so you don’t have to manage site to site VPNs between branches, just worry about the VPN to the hub.

In ASAs you can see the PSKs with more system:running-config

Yup. I’ve done it multiple times and it is always a chore on ASA.

ASA 5506 is what most of them are and are still supported.