Check out AutoVPN as well: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-autovpn-spoke-authentication-understanding.html
It's hub-and-spoke (as opposed to full-mesh) and a little simpler than GDOI, but you do take the overhead of having to manage PKI across your fleet.

Ben

On 1 Apr 2014, at 6:17 pm, Per Westerlund <p...@westerlund.se> wrote:

> Another possibility is a cluster of units to take care of the dual PSU
> requirement.
>
> For the low end you can mount 2 SRX100 in a 1U tray, and make them a cluster.
> Will not handle 100Mbps IPsec, but will do 10 Mbps easily, perhaps 50 Mbps
> depending on how you count and configure (50 bidir is actually 100 in
> processing power etc). None of the branch SRX have crypto chip, all IPsec is
> done in CPU, have to watch that.
>
> Clustered 220/240 would take care of dual PSU for 100 Mbps IPsec, but
> unfortunately two boxes.
>
> I don’t have pricing available and don’t run any of these myself, but what
> about a small MX5 (or similar) with service-card (MS-MIC) for the hub site?
> It claims throughput of 9Gbps. Would that fit the bill instead of the bigger
> SRX boxes?
>
> /Per
>
> PS: With plain IPsec, no internet tunnel requirement, and SRX everywhere, you
> can use GDOI (Group VPN, Cisco: GET VPN), but unfortunately that does not
> work with clusters. Can’t have both right now, sorry. Saves lots of problems
> managing pre-shared keys etc.
>
> On 1 Apr 2014 at 09:36, Ben Dale <bd...@comlinx.com.au> wrote:
>
>> SRX550 is pretty much your only option in the branch if you require dual
>> power supply, but is in every other way overspecced (and thus priced) for
>> the remainder of your branch requirements. If you can do without the RPS,
>> then I'd go with either an SRX220 or 240, which will easily handle the
>> remainder of your requirements.
>>
>> Are you sure you want 7-10GBps of IPSEC? I'm not sure what market you're
>> in, but I don't imagine a 10Gbps WAN port is particularly cheap from your
>> carrier (since you list price as being important).
>>
>> If you absolutely need this much crypto though, then you'll be looking at
>> somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC.
>>
>> As for scalability - no issues - the 650 will support up to 3,000 tunnels
>> and the 1400 was good for about 15,000 last time I looked - it's probably
>> gotten better since then.
>>
>> Ben
>>
>> On 1 Apr 2014, at 4:37 pm, R S <dim0...@hotmail.com> wrote:
>>
>>> For a project (70 branch offices and 2 Headquarters connected in a
>>> hub&spoke topology with IPSEC over MPLS among branch and HQ) I’m looking
>>> for the best device which covers the following items:
>>>
>>> Branch:
>>> Single device
>>> At least two Ethernet interfaces (WAN/LAN)
>>> Ipsec supporting 10-50-100 Mbs
>>> Routing protocols such as BGP-OSPF
>>> NAT
>>> Redundant power supply (some site not but in principle I need it)
>>>
>>> HeadQuarter:
>>> Single device with XE intf
>>> At least two Ethernet interfaces (WAN/LAN)
>>> IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
>>> Routing protocols such as BGP-OSPF
>>> NAT
>>> Redundant power supply
>>>
>>> Firewall is not needed, MPLS will be run by the carrier, the devices and
>>> IPSEC are on-top of MPLS.
>>> I’m looking for the best solution in terms of scalability and price (very
>>> important).
>>>
>>> Also any advice with experience for the decision is appreciated.
>>>
>>> Regards
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp