Build a site to site VPN without static address?

Ed Cyr ecyr at tns-inc.com
Thu Sep 9 09:47:40 EDT 1999


Laurent:

I have implemented both the Nortel Contivity Extranet Access Switch and the
Altiga VPN Concentrators.  After evaluating products from Checkpoint, Cisco
and others, Nortel and Altiga clearly have the best technology.  Both
products are IPSec compliant and support DHCP and NT authentication.  Altiga
supports NT authentication to your domain directly from the concentrator or
via pass-thru RADIUS; Nortel supports NT authentication via pass-thru RADIUS
only.  If you are looking at clients accessing the VPN via 56K dial access
only, the Nortel solution performs better because of their compression
feature.  Nortel compresses the data before it is encrypted and provides
50-100% performance over the Altiga solution at speeds 56K or below.  If you
require site-to-site or high speed access such as DSL or Cable Modem, the
Altiga box would be the right choice.  It is much more scalable and offers
better overall throughput.  Each solution is extremely easy to set up and
configure, both the VPN box and client software.  Hope this helps...

Regards,
Ed Cyr
Internetwork Solutions Engineer
Total Network Solutions, Inc.


> -----Original Message-----
> From: owner-vpn at listserv.secnetgroup.com
> [mailto:owner-vpn at listserv.secnetgroup.com]On Behalf Of Laurent Hebert
> Sent: Wednesday, September 08, 1999 9:39 AM
> To: vpn at listserv.secnetgroup.com
> Subject: Build a site to site VPN without static address?
>
>
> I am looking for VPN architecture (products) that could be implemented on
> an ISP (cable modem) network for which IP addresses are assigned by DHCP.
> Most of the products I see on the market are using static IP addresses to
> build reliable VPN.  There are fewer products using DHCP.
>
> So far, I have thought about the following solutions:
>
> 1- Use PPTP (or eventually L2TP) with a S/W client that could handle DHCP
> and update a DDNS server that could be installed with a dedicated
> connection to the Internet. My problem with this solution is the on-going
> support.  I do not think that it is robust enough to address the Business
> market.  On top of that, it does not follow the IPsec (unless we use IPsec
> within L2TP for which I believe it is not mature).
>
> 2- Use a central VPN Hub concept for which all client sites would use a VPN
> access device that supports DHCP.  These access devices would then establish
> a VPN session with a central VPN hub.  At that VPN hub, we would be able to
> "interconnect" the various VPN sessions together to create a site to site
> Intranet.  Different companies would then be able to share this VPN hub and
> we (the ISP) would be able to offer other IP services (behind the VPN Hub)
> using this architecture.  I know that 3COM offers products that seem to do
> that kind of job (Tunnel Switch) but I do not know other products and I do
> not know what the drawbacks of that solution are.
>
> Are there other alternatives that could be used that are robust and
> manageable?
>
> Another aspect of the problem is to find a solution that supports the client
> to site.  On that side, most of the VPN clients are not well integrated with
> the NT or Novell Security and Authentication tools.  Any recommendations?
>
> Laurent Hebert
> Consultant at Netesys
>
> ****************************************************************
> TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
> The VPN FAQ (under construction) is available at
> http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
>
> We are currently experiencing "unsubscribe" difficulties.  If you
> wish to unsubscribe, please send a message containing the single line
> "unsubscribe vpn your-e-mail-address" to
> owner-vpn at listserv.secnetgroup.com
>
> ****************************************************************
>
