VPN S2S Meraki vs Four-Faith

JAIROJASH
Here to help


Dear Network,

I am developing a highway infrastructure project where, over long distances, we need to connect cameras, radars and other devices to the DC through 4G-LTE connections. These connections must go through a VPN; however, we have an MX100 that must receive these connections, and some parameters that need to be configured on the Meraki side are not available.

[Attached screenshots: X1.PNG, X2.PNG, X3.PNG]

My question is: is there an alternative, or should I install a separate VPN server?

I appreciate your recommendations.

ww
Kind of a big deal

If it doesn't work out with these settings, then you need another device, yes.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#IPsec_policies

PhilipDAth
Kind of a big deal

You are in for quite a bit of work on this one!

First let's discuss the hardware of doing this using your existing equipment.

First, all your LTE connections will need a static IP address.  Compulsory.

No one (especially a public service) should use DES or 3DES or MD5 anymore.  Make sure you use AES128 as a minimum.  Unfortunately for Meraki we can only use SHA-1, so select that option.

You'll need to allocate each one of these devices a unique subnet, and that is your local subnet.  The "peer" subnet is the subnet behind the MX that you want to talk to.

Local and Peer IDs should not be needed.

Untick the PFS option.

You can make the life times 8 hours.

And generate a random key for each site.

On the Meraki side you should have an entry for each one of your devices (each device is a separate VPN).

Now let's talk about the easy (and far more reliable) way.

Get rid of the Four-Faith boxes.  They are going to make your life hard.  Instead, get a Meraki MX67C.

https://meraki.cisco.com/products/appliances/mx67c

This box can be powered from a 12VDC supply.  Note that there is not an "official" Meraki guide on this, but this specific model (and the MX64) use a power supply with a 12VDC output.  You'll need to arrange someone to wire up a 12VDC power line with the same plug on it (but you are going to need someone to plumb in a 12VDC line anyway).

Consequently, these units are also popular in marine applications.

If your "sites" are going to have mains power then I guess this is all a non-issue.

With the Four-Faith boxes you are going to have to manually configure every single one of them.  And when they die, you are going to have to re-configure them.

With the MX67C you will create a template once.

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

And then you won't have to do anything more complicated than assign and plug them in.  The saving in man-hours will be huge.

Plus you gain the capability to monitor all of the remote sites, including their 4G signal.  You won't be sending people out to figure out what is wrong when a unit has gone down.  You'll be able to do this remotely.  The ongoing man hours required to manage the solution will be much less.
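Putting the per-site recommendations above together, as an added illustration that is not code from this thread or from Meraki: a Python script that builds one VPN entry per device with a unique site subnet, the DC subnet as the far side, a separate random pre-shared key per site, and a policy check that rejects DES, 3DES and MD5. The site names, public addresses and subnet pool are constructed placeholders, and the field names are illustrative, not the Meraki dashboard's own schema.

```python
import ipaddress
import secrets

# Constructed inventory of remote LTE sites (documentation addresses as placeholders).
# Every site needs a static public IP; each gets its own unique local subnet.
SITES = {"camera-km012": "203.0.113.10", "radar-km037": "203.0.113.11", "camera-km055": "203.0.113.12"}
DC_SUBNET = "10.0.0.0/24"    # subnet behind the MX100: the "peer" subnet for every site
SITE_POOL = "10.200.0.0/16"  # assumed pool, carved into one /24 per site
WEAK = {"des", "3des", "md5"}  # algorithms the reply rules out

# Phase 1/2 settings matching the advice: AES128 minimum, SHA-1 (the MX limit), PFS off, 8 hour lifetimes.
POLICY = {"encryption": "aes128", "integrity": "sha1", "pfs": False, "lifetime_seconds": 8 * 3600}


def check_policy(policy):
    """Return a list of problems with an IPsec policy (empty means acceptable)."""
    problems = []
    for key in ("encryption", "integrity"):
        if policy[key].lower() in WEAK:
            problems.append(f"weak {key}: {policy[key]}")
    if policy.get("lifetime_seconds", 0) <= 0:
        problems.append("no key lifetime")
    return problems


def build_peers(sites=SITES, pool=SITE_POOL, policy=POLICY):
    """One VPN entry per device: static public IP, unique local /24, DC subnet as the far side, random PSK."""
    problems = check_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=24)
    peers = []
    for name, public_ip in sites.items():
        ipaddress.ip_address(public_ip)  # raises ValueError if not a valid address
        peers.append({
            "name": name,
            "public_ip": public_ip,
            "site_subnet": str(next(subnets)),  # the device's local subnet
            "dc_subnet": DC_SUBNET,             # the peer subnet behind the MX
            "psk": secrets.token_urlsafe(32),   # a separate random key for each site
            "policy": dict(policy),
        })
    nets = [ipaddress.ip_network(p["site_subnet"]) for p in peers]
    if any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:]):
        raise ValueError("overlapping site subnets")
    return peers
```

Each returned entry corresponds to one third-party peer on the MX side and one device-side configuration, so the list doubles as a checklist for the per-device work the reply describes.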

PhilipDAth
Kind of a big deal

I should also point out (since you are operating in a public sector) that the MX67C option will also automatically apply security and firmware updates.  Plus you will also gain security monitoring.

I don't know how you are planning on handling the security aspect of the Faith boxes.  I imagine it is going to be hard.  Someone would probably have to regularly log in and apply any security updates.  This would be a huge number of man hours.

Whatever you do, please don't deploy a camera system in the public sector without having answers to how the security of the system is going to be maintained.  Otherwise, it will come back to bite you.

Doug100
Here to help
