Connecting many BR1 Minis via SFC Protect to IPSec peers

Hi, all - I’m trying to come up with a method of connecting a number of Peplink BR1 Minis to a handful of downstream CIDRs via SpeedFusion Protect.

Ideally speaking, each of the BR1 Minis (10.100.[1-25].0/25) would connect back to SFC, and then from SFC, I can build the tunnels to each of the peers for the downstream CIDRs (192.168.0.0/17, 172.31.12.0/24) to serve as one giant network, but for the life of me, I can’t figure out where to build that IPSec tunnel. Would that be in each of the BR1 Minis?

I drew a diagram of what I’m trying to achieve, but I’m not sure how far I’ve missed the mark. The web UI of SFC and each of the BR1 Minis has me lost, and I’m trying to find a doc that might help me figure out how to concentrate these connections within SFC Protect.

I’m open to suggestions and room for improvement. Thanks!

You are not going to want to use SFC for this type of deployment. You already have an AWS VPC, therefore I would deploy a FusionHub into your AWS cloud in a separate virtual network. (Routers do not like sharing networks with hosts; FusionHub is a router.)

You then have all of the BR1 Minis connect via SF to the FusionHub. In addition, if you have Peplink routers at your stations, you can use SF instead of IPsec, and simply terminate the other IPsec connections into your AWS network.

If you need redundancy you would host the FusionHubs in two separate AWS regions, and have each Mini connected to both FusionHubs.


Hey Nicholas, welcome to the forum! What @Paul_Mossip said above is correct. IPSec is secure, but wildly inefficient. You can simplify this topology quite a bit by using FusionHub in AWS which enables you to use SpeedFusion for more efficient bandwidth usage and more streamlined management. If you still need IPSec for the API provider, you can easily enable this with FusionHub as well.

We (Llama Networks) do quite a few deployments like what you're trying to do for various public safety agencies across the US and beyond. Feel free to reach out via DM here or email, sales[at]llamanetworks[dot]com, and we can help tweak your design and support you with purchasing, deployment, and operational support.

I figured, when I was clicking around and didn't find a way to expose an IPSec tunnel to multiple devices (that API provider mandates IPSec for access to their services), that I was missing either a software license or a product. As I continue to read, it looks like FusionHub is going to be the least painful way to integrate the SFC ecosystem with our various border devices.

As for the stations themselves, they all have Dell SonicWalls at the border, and the API Provider has a FortiGate at its border. This is why my hands are a bit tied with having to use IPSec to access the downstreams.

OK. Even then, IPSec will need to use FusionHub or a really big box (like an SDX/EPX) to manage those connections. Even with a SonicWall, you could use OpenVPN (I think?) or use them in passthrough mode with a Peplink on the front end :wink: