GRE over IPSEC and NAT

Started by Tutek, September 30, 2020, 12:41:23 PM


Tutek

Hi,
could you explain to me how I should connect a remote office if I need to see, in the connections on my head office router, every source IP of the remote site subnet?
All traffic (even traffic going to the internet) will be routed back to the head office, so I need to see which computer from the remote site is trying to go out and where outside of my network.
So I need some VPN-type connection that does not NAT, right? Could I use GRE over IPsec for this?

Dieselboy

Monitoring connections
If you're wanting to monitor traffic, like source/destination IP addresses, then you would need some sort of logging mechanism to achieve this. I have a product in my network called Firepower, and within it, it logs all the connection details (such as the source host machine IP and hostname, which IP addresses it connected to, which ports, etc.). For this to work, my traffic needs to flow through the Firepower sensor; in my case it is a Cisco ASA.

Remote site to head office connectivity
Now you mention that all the traffic will route back to the head office. If you do not yet have connectivity in place for this then you would need to provide this layer 3 connectivity for your sites. You could do this over private leased line or VPN.

Now let's draw roughly how this may work:

[remote office] -> VPN -> [main office] ->>> firewall -> [Internet access]

Regarding the branch office to main office connectivity, you may have a poor experience if you do this over VPN. If the remote site and main site are very far from each other then you may have high latency. You will have less than a 1500-byte MTU because of overheads. Now if there is any packet loss then this will reduce your throughput. I suggest a POC (proof of concept) to see how it goes for you. Leased lines / VPLS / MPLS may be better but could be costly.

Another option is SD-WAN.

I think you may have mentioned GRE because of the hub-and-spoke Cisco VPN. Here are some links that explain this and may be helpful to you :)

https://cdn-docs.av-iq.com/dataSheet//IOS%20DMVPN_Datasheet.pdf

https://www.cisco.com/c/dam/en_us/solutions/industries/docs/gov/IntegNet_Feb17_915_Lynn.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book.pdf

icecream-guy

Quote from: Dieselboy on October 01, 2020, 01:49:44 AM
Monitoring connections
If you're wanting to monitor traffic, like source/destination IP addresses, then you would need some sort of logging mechanism to achieve this. I have a product in my network called Firepower, and within it, it logs all the connection details (such as the source host machine IP and hostname, which IP addresses it connected to, which ports, etc.). For this to work, my traffic needs to flow through the Firepower sensor; in my case it is a Cisco ASA.

As I've been told here before, friends don't let friends Cisco ASA.

Split tunnel over the internet, with centralized logging at the remote sites reporting to HQ, and the ability to block/filter remotely.
VPN to the central HQ has lots of overhead, at least it did back in my day (HQ would have a T3, and remote sites a T1 or fractional T1 to HQ). Slooooooow.

Really depends on what your monitoring policy is. Do you have one? 😊

Multipoint GRE or DMVPN if you want centralized control.

PS. You also need to consider DNS: where are the internal DNS servers? External DNS servers? That will play a huge role in the architecture. Also consider other core services: NTP, mail, SNMP, etc.

Centralized architecture or distributed architecture?

:professorcat:

My Moral Fibers have been cut.

deanwebb

That Internet traffic backhaul is a big reason why firms that started with a centrally-dispatched traffic system switch over to local Internet breakouts. You either have to block tons of stuff to keep the line clear enough for real corporate data, or you have to just let it go out a local pipe and then place monitors on the local pipes for DNS security, DLP, things like that.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Tutek

Quote from: Dieselboy on October 01, 2020, 01:49:44 AM
[remote office] -> VPN -> [main office] ->>> firewall -> [Internet access]

Regarding the branch office to main office connectivity, you may have a poor experience if you do this over VPN. If the remote site and main site are very far from each other then you may have high latency. You will have less than a 1500-byte MTU because of overheads. Now if there is any packet loss then this will reduce your throughput. I suggest a POC (proof of concept) to see how it goes for you. Leased lines / VPLS / MPLS may be better but could be costly.

Another option is SD-WAN.

My branches are not so far away from the head office, not more than 100 kilometres; current latency to the routers at the remote sites is 10-20 milliseconds. I'm worried about what will happen when I route internet access back through the main UTM router (FortiGate), because right now they have their own internet access. Do you think I need MPLS? My remote sites use only two database applications (MSSQL and a 3rd-party database). For logging I will use FortiAnalyzer.

I would rather get advice from you on what VPN technology to use so that I can see, at my main router, every source IP from the remote networks. I think the only option for me is standard IPsec VPN because it will not NAT; if I use something like OpenVPN or GRE, then the remote subnet will be PAT'd using the remote gateway interface, am I right? Then at my main router I will see only the OpenVPN or GRE interface IP as the source from the remote sites.
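Added example, not from any post in this thread: a Cisco IOS GRE over IPsec sketch for the setup discussed, with all spoke traffic backhauled through the tunnel and no NAT configured on the spoke, so the hub sees the original remote-site source addresses and translation happens only at the hub's internet edge. Addresses (203.0.113.1 hub, 198.51.100.2 spoke, 10.2.0.0/24 remote LAN), interface and profile names, and the pre-shared key placeholder are assumptions.

```cisco
! Hub (head office) router, IOS syntax; addresses and names are assumptions
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.2
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nat inside
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip route 10.2.0.0 255.255.255.0 Tunnel0
! NAT only here, at the internet edge; site-to-site flows (10/8 to 10/8) are exempt
ip nat inside source list LAN-TO-INET interface GigabitEthernet0/0 overload
ip access-list extended LAN-TO-INET
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
! Spoke (remote office) router: same crypto config, keyed to 203.0.113.1, then:
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
! Host route to the hub via the ISP next hop so the tunnel endpoint is not
! itself routed into the tunnel (recursive routing); then default everything,
! internet included, into the tunnel. No "ip nat" on the spoke at all.
ip route 203.0.113.1 255.255.255.255 198.51.100.1
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

The `ip mtu 1400` / `adjust-mss 1360` pair covers the GRE+ESP overhead mentioned earlier in the thread; with this layout, connection logs at the hub show the 10.2.0.x host addresses rather than a tunnel endpoint.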

Dieselboy

Quote from: ristau5741 on October 01, 2020, 03:55:26 PM
As I've been told here before, friends don't let friends Cisco ASA.

:) <3

Yes - I'm lagging on this one, my apologies. Thanks for this though :)

Quote from: Tutek on October 03, 2020, 12:45:45 PM
Do you think I need MPLS?

No, I've no idea :) Does anyone even buy MPLS these days?