Cisco Support Community
Community Member

SSL and IPSEC VPNs - design considerations for companies merging?

I'm looking for some advice/suggestions on best design practice in the following scenario:

Our company (Company A) has several hundred remote branches.  Each branch has a Cisco 800 series router and ADSL line and we employ IPSEC VPN to allow these remote sites to connect to our head office resources (the IPSEC VPNs terminating on ASA5500 series firewall)

We have merged with another company (Company B) who have a smaller number of branches, around 100.  They use cheap consumer grade ADSL routers in their branches and connect to their head office resources (behind a Fortigate firewall) using browser based SSL VPNs. 

We want to integrate both systems so that, effectively, each branch will be able to access resources at "Head Office A" AND resources at "Head Office B" (this will be needed on a temporary basis before all systems are fully integrated in one head office).

What are people's thoughts on the best way of achieving this?  e.g. should/could we have IPSEC to Head Office A running in parallel with SSL VPN to Head Office B?  Or would it be better to have, say, IPSEC VPNs for communications to both head offices (or, indeed, SSL VPNs for communications to both offices)

And how might we facilitate a rollout of new config/technology to such sites?  (e.g. if we needed to send out 100 new routers, would we have to configure all 100 individually or are there any clever techniques or processes to aid in a mass configuration of such devices?)

Also, similar topic, but what resilience options are there for backup to the branch ADSL line?  All I can really think of is to use 3G as a backup or, perhaps, to bond ADSL lines to give increased bandwidth and the resilience if one of the lines was to drop.  Anyone got any thoughts on this aspect?

Thanks in advance for your input!

Community Member

again, interested to see how

again, interested to see how this worked out in the end? Cheers,

Community Member

Pretty much along the same

Pretty much along the same lines as the other thread:

- established site to site IPSEC VPN as a "short-term" tactical solution

- strategic solution was to merge the 2 networks into a single MPLS based solution

- standardised on Cisco 800 series routers at branches across the estate

- redeployed firewalls into a multi-tiered solution (Fortigate and Cisco)

The complexities of merging 2 networks (both technical and political challenges) should not be underestimated!

Hope that is of some help.

CreatePlease to create content