VPN concentrator

Hi All,

Looking for advice/recommendations on some on-premise devices to terminate site-to-site VPNs with customers and third parties.

We currently use some ASAs, but they are aging and lack features we now need.

I want to support multi-contexts, like VRFs. If a customer wants site-to-site VPNs to replace MPLS, we can terminate their VPN and directly connect to their VRF. Security needs access controls and next-gen features for traffic filtering before entering the customer VRF. BGP routing capabilities are also required.

We have 30 customers, not all using site-to-site VPNs, but potential scale for the future.

I’m considering Cisco routers for VPN termination using FVRF to build tunnels, placing tunnel interfaces into forwarding VRFs, and bridging connectivity with an L2 firewall. Routers are preferred for VPN functionality and routing capabilities.

Any recommendations or insights?

Thanks!
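For readers unfamiliar with the FVRF/IVRF split the post describes, here is an added IOS-XE configuration sketch of one customer tunnel. It is an illustration written for this page, not config from the original poster or from Cisco documentation. All names, AS numbers and addresses (FVRF-INTERNET, CUST-A, 203.0.113.10, 198.51.100.20, AS 65000/64512, the 10.10.0.0/16 customer range) are made up, and the pre-shared key is a placeholder. The L2 firewall bridged between the tunnel and the customer VRF is not shown; the fragment only covers the router side. The security-relevant parts are the `match fvrf` on the IKEv2 policy and profile (IKE only answers on the front-door VRF, so the public interface never leaks into the customer VRF), and the inbound prefix filter plus `maximum-prefix` on the BGP session, which keep a customer from injecting arbitrary routes into their VRF.

```cisco
! --- Front-door VRF: holds the Internet-facing tunnel endpoint only ---
vrf definition FVRF-INTERNET
 address-family ipv4
 exit-address-family
!
! --- Inside (forwarding) VRF for the customer; tunnel traffic lands here ---
vrf definition CUST-A
 rd 65000:100
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0/0
 description Internet uplink (FVRF)
 vrf forwarding FVRF-INTERNET
 ip address 203.0.113.10 255.255.255.248
!
! --- IKEv2: AEAD cipher, PRF and DH group chosen for this example ---
crypto ikev2 proposal PROP-CUST-A
 encryption aes-gcm-256
 prf sha384
 group 19
!
crypto ikev2 policy POL-CUST-A
 match fvrf FVRF-INTERNET
 proposal PROP-CUST-A
!
crypto ikev2 keyring KR-CUST-A
 peer CUST-A
  address 198.51.100.20
  pre-shared-key REPLACE-WITH-PER-CUSTOMER-SECRET
!
crypto ikev2 profile IKEV2-CUST-A
 match fvrf FVRF-INTERNET
 match identity remote address 198.51.100.20 255.255.255.255
 identity local address 203.0.113.10
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-CUST-A
 dpd 10 3 on-demand
!
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
!
crypto ipsec profile IPSEC-CUST-A
 set transform-set TS-GCM
 set ikev2-profile IKEV2-CUST-A
!
! --- Tunnel: outer header in FVRF, inner interface in the customer VRF ---
interface Tunnel100
 description Site-to-site to Customer A
 vrf forwarding CUST-A
 ip address 10.255.100.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.20
 tunnel vrf FVRF-INTERNET
 tunnel protection ipsec profile IPSEC-CUST-A
!
! --- Only accept the prefixes this customer is contracted to announce ---
ip prefix-list CUST-A-PREFIXES seq 10 permit 10.10.0.0/16 le 24
!
route-map CUST-A-IN permit 10
 match ip address prefix-list CUST-A-PREFIXES
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  neighbor 10.255.100.2 remote-as 64512
  neighbor 10.255.100.2 activate
  neighbor 10.255.100.2 route-map CUST-A-IN in
  neighbor 10.255.100.2 maximum-prefix 100
 exit-address-family
```

Each additional customer repeats the proposal/policy/keyring/profile/tunnel/BGP stanza with its own VRF, which is the per-tunnel line count the ASR reply below is complaining about. Useful checks after bringing a tunnel up: `show crypto ikev2 sa fvrf FVRF-INTERNET` to confirm the SA was negotiated in the front-door VRF, and `show ip bgp vpnv4 vrf CUST-A summary` to confirm the neighbour came up and stayed under the prefix limit.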

Palo Alto can do all this in a single box and supports vrf/vsys well.

Palo & Fortinet devices would handle this.

From someone managing Cisco ASR VPN concentrators (with BGP): avoid. They can do a lot but become unmanageable beyond 5 tunnels. Config complexity is high, with around 40 tunnels in 3100 lines of config. Recommend devices with a UI, like Fortigate or Palo Alto.