Organizations are deploying site-to-site VPNs for small-office connectivity at an impressive rate. Here’s a quick summary of design options:
1. Direct IPSec for simplicity in smaller implementations. Nearly any firewall and many sub-$1000 routers will accomplish this. Fastest failover to a backup hub gateway can be achieved here in under 2 seconds. This is the quick-and-dirty lowest-cost option. As usual, such solutions can grow hard to manage and troubleshoot.
2. Multiple IPSec tunnels with GRE for improved reliability and redundancy. Routers become the main option here unless another device is introduced to handle only the IPSec termination. Per-tunnel QoS is one feature unique to this option. Multicast support is introduced at this level.
3. Dynamic Multipoint VPN uses GRE, NHRP, IPSec and an IGP to further improve resilience and scalability. Full mesh and minimal spoke configurations are significant advantages.
I’ve heard of DMVPN with hundreds of spokes on sub-$2k routers and the headend running a $5k router. Let me know of other scalable solutions you like!