Large Scale VPN (LSVPN) - Opinions from end users?


L0 Member

I'm looking for feedback from customers who have deployed LSVPN on PAN-OS firewalls. I'm getting ready to rebuild a highly manual, semi-full-mesh VPN infrastructure of about 10 sites. Yes, I have a mess on my hands.

 

I am planning on a dual-hub and spoke model. The dual-hubs are two datacenters that are connected via IPSEC between them. Each of the spokes is a remote corporate office. I'd like the offices connected to each hub and I will control routing with BGP.

 

Anyone have opinions on PAN-OS LSVPN deployments? Did you like their implementation? Run into any gotchas?
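As an added example (not from the original post or from Palo Alto Networks), a small Python model of the dual-hub-and-spoke design above: it enumerates the IPsec tunnels and BGP peerings each site needs, compares the tunnel count against the full mesh being replaced, and checks that losing either hub leaves every remaining site reachable. Site names and the site count are constructed placeholders.

```python
# Added example: model the dual-hub-and-spoke design and check hub redundancy.
# Site names and counts are constructed placeholders, not real deployment data.
from itertools import combinations
from collections import deque

HUBS = ["dc1", "dc2"]                                 # the two datacenters
SPOKES = [f"office{i:02d}" for i in range(1, 11)]     # about 10 remote offices

def build_tunnels(hubs, spokes):
    """IPsec tunnels (unordered site pairs) in the design: one between the
    hubs, plus one from every spoke to every hub."""
    tunnels = {frozenset(pair) for pair in combinations(hubs, 2)}
    for spoke in spokes:
        for hub in hubs:
            tunnels.add(frozenset((spoke, hub)))
    return tunnels

def full_mesh_tunnels(sites):
    """Tunnel count of the full mesh this design replaces: n*(n-1)/2."""
    return {frozenset(pair) for pair in combinations(sites, 2)}

def reachable(tunnels, start, down=()):
    """Sites reachable from `start` over tunnels, skipping failed sites in `down`."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for tunnel in tunnels:
            if cur in tunnel:
                (nxt,) = tunnel - {cur}
                if nxt not in seen and nxt not in down:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen

def survives_hub_loss(tunnels, hubs, spokes):
    """True if, with any single hub down, every surviving site still reaches
    every other surviving site (the redundancy the dual-hub design is for)."""
    for failed in hubs:
        alive = [s for s in hubs + spokes if s != failed]
        for site in alive:
            if reachable(tunnels, site, down={failed}) != set(alive):
                return False
    return True

def bgp_sessions(tunnels):
    """BGP neighbours each site must configure: one session per tunnel."""
    per_site = {}
    for tunnel in tunnels:
        for site in tunnel:
            per_site.setdefault(site, []).append(next(iter(tunnel - {site})))
    return {site: sorted(peers) for site, peers in per_site.items()}
```

A spoke that is only homed to one hub makes `survives_hub_loss` return False, which is the gap a manual build tends to leave behind.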

2 REPLIES

L7 Applicator

Just my personal opinion.

 

I would not use PAN LSVPN. This is really a misnomer. The process allows a quicker, low-configuration connection of remote sites to the SSL VPN gateway at the hub site. Not really an LSVPN in the normal sense of the word. This is just a kind of shortcut to get a VPN to a remote site with minimal config.

 

In my opinion it does not save enough work to justify it, especially for only two DCs and 10 offices. You would be better off just using Panorama templates and building out a traditional IPSEC hub and spoke.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Cyber Elite

The only time that I would actually use LSVPN is if I'm going to be deploying a steady stream of firewalls that need to connect back to the main office, for example if you provide a dedicated firewall for a PCI network that connects back to your HQ and constantly have to set these up and deploy them. Other than that, if you are in an environment where you are not constantly adding clients and your number of offices is fairly static, I wouldn't really worry about it.

For the type of environment that you have deployed I would simply run IPSEC between all your sites and get down and dirty with your route table. This is easier done with Panorama and might be a good time to get it approved by management if you do not already have it. It would be easy enough to maintain it without Panorama though as well.
