We use SonicWall TZ series for just this purpose. The IPSec VPN endpoints can 
be behind NAT, and we just use DYNDNS to map whatever is current to a FQDN. 
Each side thus has the public IP of the other side and can connect as long as 
you pass through GRE.

-mel via cell

On Feb 10, 2022, at 1:05 PM, Matt Harris <m...@netfire.net> wrote:


On Thu, Feb 10, 2022 at 12:03 PM William Herrin <b...@herrin.us> wrote:
Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to 
build site-to-site VPNs at speeds between 100 Mbps and 1 Gbit where all but 
one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
customer insists on a network appliance. Site to site VPNs using IPSec and 
static IP addresses on the plaintext side are a dime a dozen but traversing NAT 
and dynamic IP addresses (and automatically re-establishing when the service 
goes out and comes back up with different addresses) is a hard requirement.

For OpenVPN, I like the Netgate boxes running pfsense. Works great, super easy 
integrations with stuff like AC/LDAP/radius/etc for auth, frr and others for 
your routing, etc. This is probably your best bet.

For IPSec I tend to stick to Juniper SRX boxes.

Good luck!
