Cisco vs Pfsense preformance for VPN

JaredBusch

@Jason said in Cisco vs Pfsense preformance for VPN:

@Dashrender said in Cisco vs Pfsense preformance for VPN:

As for failover VPN, wouldn't be better, easier to setup two DNS records, and have the VPN client try the default one first, and when it fails, failover over to the secondary one in it's list?

Not likely. when you do that it is basically two seperate VPNs.

I apparently did not read his entire post last night.

This is correct, I know of now method to have the basic windows VPN service use multiuple DNS names. IPSEC just does not work that way. use a DNS failover service. like the one I linked above to handle it automatically.

Jason

So in our limited testing so far.. we've about tripled the throughput of the VPN by going away from the Cisco routers (Which was costing us tens of thousands in user licensing (Per year) for the vpn on top of the router and security bundle costs. )

Still need to setup the failover but so far it's been great. And since the IKEV2 can be fully deployed with a GPO we add them to the VPN AD group and everything from the root CA, to the vpn profile and access via NPS/Radius is all done with a single step.

stacksofplates

@Jason said in Cisco vs Pfsense preformance for VPN:

So in our limited testing so far.. we've about tripled the throughput of the VPN by going away from the Cisco routers (Which was costing us tens of thousands in user licensing (Per year) for the vpn on top of the router and security bundle costs. )

Still need to setup the failover but so far it's been great. And since the IKEV2 can be fully deployed with a GPO we add them to the VPN AD group and everything from the root CA, to the vpn profile and access via NPS/Radius is all done with a single step.

I wish I could get most of our networking equipment away from Cisco. I sadly I don't pull enough weight as a lowly systems engineer.

Jason

@johnhooks said in Cisco vs Pfsense preformance for VPN:

I wish I could get most of our networking equipment away from Cisco. I sadly I don't pull enough weight as a lowly systems engineer.

Haha.. I don't want to move most of our stuff. We still like our switches and edge routers from them. Their firewalls and VPNs suck though. We switched to Palo Alto for firewalls a good while back.

Dashrender

what did you move to for VPN?

scottalanmiller

@johnhooks said in Cisco vs Pfsense preformance for VPN:

@Jason said in Cisco vs Pfsense preformance for VPN:

So in our limited testing so far.. we've about tripled the throughput of the VPN by going away from the Cisco routers (Which was costing us tens of thousands in user licensing (Per year) for the vpn on top of the router and security bundle costs. )

Still need to setup the failover but so far it's been great. And since the IKEV2 can be fully deployed with a GPO we add them to the VPN AD group and everything from the root CA, to the vpn profile and access via NPS/Radius is all done with a single step.

I wish I could get most of our networking equipment away from Cisco. I sadly I don't pull enough weight as a lowly systems engineer.

Just point out that senior network engineer is just one rung of the ladder below junior system admin.

syncer

@Dashrender you can find OVA on vyos.net