What's the best VPN for remote users?

Dana J. Dawson dana at INTERPRISE.COM
Thu Jan 25 16:17:41 EST 2001


"Lauziere, Thomas" wrote:
>
>
> Here's my question,
>
> I need a VPN connection for my remote users that prompts them to log in when
> they activate the client.  We currently use the Cisco Secure Client
> connecting through a PIX firewall. This works fine for its intended use
> which I think is a site to site continuous VPN connection. My problem is my
> remote users, they want to be able to activate the VPN client on demand,
> have it prompt them to "log in" to the network, and be able to work as if
> they were here in the building.
>
>         So, what I'm asking is, what's the best setup for remote users so
> they can get more than just the "established tunnel" that the Cisco Secure
> Client limits us to.
>
> VPN is sponsored by SecurityFocus.COM

With PIX software 5.2 and later, you can use the newer Cisco VPN 3000 client
instead of the old client.  Several people at Cisco have told me you can get the
3000 client as a free upgrade from the old one, so ask your local Cisco person
about it.  It works pretty well, but it's only available for Windows 95/98/NT.
There's a beta version for Windows 2000 floating around, so I'd expect to see a
final version of it soon.  You'll also need to set up an external AAA server
(RADIUS or TACACS) for the user authentication.  I've not heard anything
specific about Windows ME, but the one person around here who tried it couldn't
get it to work.

You can also terminate MS PPTP sessions in the PIX, and it's actually a little
easier to configure in the PIX than IPSec.  You can put local usernames in the
PIX if you want or need to with PPTP (but not with IPSec), which can make
troubleshooting a bit easier.  From a security perspective, I know PPTP is not as
well regarded as IPSec, but it may be adequate for your purposes.  Note that you
still need the DES license in the PIX if you want 40-bit MPPE encryption, and
the 3DES license if you want 128-bit MPPE encryption.  If you already have the
old Cisco client working, then you should be all set there.  The big advantage
of PPTP is the client availability - it's already on every Windows box - and
ease of setup.  If the security meets your needs, it's a pretty easy way to go.

Good luck!

--
Dana J. Dawson                              dana at interprise.com
Distinguished Principal Engineer            CCIE #1937
Qwest Communications International, Inc.    (612) 664-3364
600 Stinson Blvd., Suite 1S                 (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."
