
Never have trouble again setting up a site to site VPN tunnel between disparate vendors

10/11/2013

I was driving home tonight and saw a tweet from Ethan Banks (@ecbanks) that stated, “After all these years of IPSEC (a standard, after all), bringing up a tunnel between disparate vendors is one of the hardest tasks I do."  When I see statements like this (and have the same thought myself), I ask: there is a clear problem here, so do others have the same problem, is it a problem looking for a solution, and can there be a better way?  In this particular case it’s definitely a problem, but can there be a better way?  Can we view this as an example of the network and security industry being okay with mediocrity?  Maybe.
Why just maybe?

Simply put, because each vendor has VPN wizards and GUIs that try to simplify creating site to site VPN tunnels.  Vendors listened and wizards were created.  I often hear good things about these wizards, but they fall short in multi-vendor deployments.

Where can we improve?

As Ethan said, “between disparate vendors” specifically.  But every vendor is using IPsec, so what’s the complication?  We know implementations vary, nerd knobs need to be turned (which proposal a given box will actually accept, whether lifetimes are entered in seconds or minutes, how the proxy-IDs or traffic selectors on each side must mirror each other), and this doesn’t always go as planned.  I often hear negative remarks from the delivery team or from customers about this.  Consulting dollars usually go up when it’s a multi-vendor IPsec deployment, so the recommendation is usually: let’s keep it simple and try to have the same platform on each side of the tunnel.  Unfortunately, we live in the real world and that’s not always the case.

How can we improve?


Wait for it….can SDN, programmability, open source, or just some good collaboration be the answer?

  • What if a controller brokered the setup of these tunnels and the controller was aware of the nuances of particular IPsec setups to dynamically provision the nerd knobs or “gotchas?”
  • What if this controller was a hosted out of band service that existed somewhere on the Internet of Everything (#IOE)?
  • What if all you had to do is give the controller/hosting provider your public IP and access to your VPN device to be allowed to create the tunnel?  Each party would do this and in minutes the tunnel would be setup.
  • Can this be a service that Managed Security Service Providers (MSSP) can offer?

Not feeling this just yet?  What if the MSSP or a general web site had a portal where you entered the details of each device type, clicked submit, and the output were the commands or steps needed to configure the VPN on each side?  Who would create such a site?  There is enough brain power on the interwebs that it shouldn’t actually be too hard; it could even be wiki-like.

Think different.  Start taking note of your problems and wish lists.  If you don’t publicize these problems or wish lists, nothing will change.  At the very least, send your problems to me!  Write in and let me know what else drives you crazy.  Is it configuring certain features or is it checking certain ‘show’ commands repeatedly?  Let me know! 

Thanks,
Jason


Twitter: @jedelman8

    Author

    Jason Edelman, Founder of Network to Code, focused on training and services for emerging network technologies. CCIE 15394.  VCDX-NV 167.

