January 30, 2012 9:00 AM
IPSec: the right choice as your WAN backup
We're in the process of taking on a new partner to look after some of the systems whose support we've decided to outsource. It's nice letting someone else deal with all the RFP guff for once; all I really have to do is arrange to hook them into our network so they can get at the stuff they need to. We've considered a number of options, from dual resilient leased lines down to SDSL. The option we've decided on is a point-to-point primary link with IPSec backup over the Internet.
Is this likely to be a robust way to do it, though? Actually yes, I reckon it is, because I've been doing it for some time in the US component of our global network. The US is a particularly cool place to take this approach, because although point-to-point links cost proper money, Internet connectivity costs nothing. Sub-US$1000 for a 100Mbit/s link in Minnesota - that'll do nicely, thanks!
When we adopted this approach in the US some time ago, I was cynical until we tried it out. After all, I figured that if something's so cheap it'll be nothing like as fast as promised, and as flaky as a flaky thing. In fact, when we failed the 100Mbit/s point-to-point link and the IPSec tunnel kicked in, all we really noticed was a 10-15% increase in latency, and the users didn't really notice.
I reckon we'll be absolutely fine with our new service provider; the point-to-point will most likely be as reliable as we hope, and for that modest amount of time that it's down, we'll be piggy-backing the IPSec on the existing firewall and Internet link with no need to upgrade. Should work great.