[vpn] Review of 13 VPN products

Longar, Dennis dlongar at ibsys.com
Thu Oct 4 10:48:53 EDT 2001


The Cisco doesn't work based on IP address coming in, but I
still say it supports multiple IKE policies.  It's maybe just
not as flexible in how it does it.  So you're sort of right and
we're sort of right.

I think Guy Raymakers summed it up and provided IOS
config for the Cisco.  It's not per IP address or range, but it
does negotiate multiple IKE policies.

>From: Guy
>Isn't it so that only one crypto map can be applied at one interface? This
>crypto map is really the collection of all IPSEC parameters for a given
>connection (one crypto map can have multiple instances). However, to my
>knowledge, the IKE (ISAKMP) settings are not really matched with a crypto
>map. So if this is correct, this could imply that many IKE policies can be
>set for one crypto map and it's up to the IKE negotiation to pick the IKE
>policy that is matching.
>.. He provided configs for IOS ..

And the 3000 works similarly.

Thanks!

-Dennis
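To illustrate the point Dennis and Guy are making, here is an added IOS configuration sketch (not from the original thread or from any of its authors): two ISAKMP policies are listed in priority order, a single crypto map with two instances is bound to the interface, and nothing in the crypto map selects an IKE policy; the IKE negotiation with each peer does. The policy numbers, peer addresses, ACL numbers, names and the key string are placeholders, and the 3DES/SHA-1/group 2 values reflect the era of the thread rather than current practice.

```cisco
! Two IKE (ISAKMP) policies, tried in priority order (10 before 20).
! Policy 10 uses certificates (RSA signatures); policy 20 uses a pre-shared key.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
crypto isakmp policy 20
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! A pre-shared key is defined only for the peer expected to land on policy 20
! (placeholder key and address).
crypto isakmp key EXAMPLE-KEY-PLACEHOLDER address 2.3.4.5
! Phase 2 (IPsec) parameters live in the transform set and crypto map,
! not in the ISAKMP policies.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
! One crypto map with two instances (sequence 10 and 20), one per peer.
! Neither instance names an ISAKMP policy: both policies are offered to
! every peer and the negotiation settles on the first one both sides accept.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set STRONG
 match address 101
crypto map VPNMAP 20 ipsec-isakmp
 set peer 2.3.4.5
 set transform-set STRONG
 match address 102
! Only one crypto map can be applied to an interface.
interface Serial0
 crypto map VPNMAP
! Traffic selectors (placeholder networks).
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
! Verify the configured policy list with: show crypto isakmp policy
```

The peer at 1.2.3.4 that presents a certificate ends up on policy 10, and the peer at 2.3.4.5 that only has the pre-shared key falls through to policy 20, which is the "multiple policies, but not selected by address" behaviour the thread describes.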

> -----Original Message-----
> From: Joel M Snyder [mailto:Joel.Snyder at Opus1.COM]
> Sent: Wednesday, October 03, 2001 5:26 PM
> To: Dana J. Dawson
> Cc: Joel Snyder; vpn at securityfocus.com
> Subject: Re: [vpn] Review of 13 VPN products
> 
> 
> It's easy to make arrogant and unsupported statements like that, but it would
> be more useful to everyone --- including the un-credible author of the
> article --- if you would offer some proof.  
> 
> In the version of IOS and of PIX which was tested, I claim that you can have
> only a single IKE policy, which is an ordered list of IKE transforms and
> proposals which are acceptable.  That policy may have multiple transforms, but
> you cannot express a policy such as, for example:
> 	
> 	When initiating an SA to 1.2.3.4, I would like to use certificates.
> 	When initiating an SA to 2.3.4.5, I would like to use PSS.
> 	When initiating an SA to 3.4.5.6, I would like to use certificates,
> 				but I would fall back to PSS.
> 	When initiating an SA to 4.5.6.7, I would like to use certificates,
> 				but I would fall back to encrypted nonces.
> 	When initiating an SA to 5.6.7.8, I would like to use PSS, but I
> 				would also be willing to use certificates.
> 
> If you can offer a working Cisco config on a GD release, I'll happily
> apologize and offer a correction.
> 
> jms
> 
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)  
> jms at Opus1.COM    http://www.opus1.com/jms    Opus One
> 
> 
> >Joel Snyder wrote:
> >>
> >> Folks:
> >>
> >> In case you hadn't seen it, Network World just published a review I did
> >> of 13 different VPN products, focusing on site-to-site and enterprise applications:
> >>
> >> http://www.nwfusion.com/reviews/2001/1001rev.html
> >>
> >> --
> >> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> >> +1 520 324 0494 x101 (voice)    +1 520 324 0495 (FAX)
> >> jms at Opus1.COM    http://www.opus1.com/jms    Opus One
> >> Electronic mail is always the best way to contact me.
> >>
> >> VPN is sponsored by SecurityFocus.com
> 
> >I disagree with the assertion in the article that the Cisco products only allow
> >a single IKE policy to be configured.  Both IOS and the PIX allow multiple
> >isakmp policy clauses, and it's not very hard to figure that out.  If the people
> >doing the testing missed something this obvious when configuring the Cisco gear,
> >it makes me wonder how much else they might have missed.  Because of this, I
> >have serious doubts about the credibility of the testers and their results.
> 
> >Dana
> 
> >--
> >Dana J. Dawson                     djdawso at qwest.com
> >Senior Staff Engineer              CCIE #1937
> >Qwest Global Services              (612) 664-3364
> >Qwest Communications               (612) 664-4779 (FAX)
> >600 Stinson Blvd., Suite 1S
> >Minneapolis  MN  55413-2620
> 
> >"Hard is where the money is."
> 
