[vpn] Review of 13 VPN products
dlongar at ibsys.com
Thu Oct 4 10:48:53 EDT 2001
The Cisco doesn't work based on IP address coming in, but I
still say it supports multiple IKE policies. It's maybe just
not as flexible in how it does it. So you're sort of right and
we're sort of right.
I think Guy Raymakers summed it up and provided IOS
config for the Cisco. It's not per IP address or range, but it
does negotiate multiple IKE policies.
>Isn't it so that only one crypto map can be applied at one interface? This
>crypto map is really the collection of all IPSEC parameters for a given
>connection (one crypto map can have multiple instances). However, to my
>knowledge, the IKE (ISAKMP) settings are not really matched with a crypto
>map. So if this is correct, this could imply that many IKE policies can be
>set for one crypto map and it's up to the IKE negotiation to pick the IKE
>policy that is matching.
>.. He provided configs for IOS ..
And the 3000 works similarly.
> -----Original Message-----
> From: Joel M Snyder [mailto:Joel.Snyder at Opus1.COM]
> Sent: Wednesday, October 03, 2001 5:26 PM
> To: Dana J. Dawson
> Cc: Joel Snyder; vpn at securityfocus.com
> Subject: Re: [vpn] Review of 13 VPN products
> It's easy to make arrogant and unsupported statements like that, but it would
> be more useful to everyone --- including the un-credible author of the
> article --- if you would offer some proof.
> In the version of IOS and of PIX which was tested, I claim that you can have
> only a single IKE policy, which is an ordered list of IKE transforms and
> proposals which are acceptable. That policy may have multiple transforms, but
> you cannot express a policy such as, for example:
> When initiating an SA to 188.8.131.52, I would like to use
> When initiating an SA to 184.108.40.206, I would like to use PSS.
> When initiating an SA to 220.127.116.11, I would like to use
> but I would fall back to PSS.
> When initiating an SA to 18.104.22.168, I would like to use
> but I would fall back to
> encrypted nonces.
> When initiating an SA to 22.214.171.124, I would like to use PSS, but I
> would also be willing to use
> If you can offer a working Cisco config on a GD release, I'll happily
> apologize and offer a correction.
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
> jms at Opus1.COM http://www.opus1.com/jms Opus One
> >Joel Snyder wrote:
> >> Folks:
> >> In case you hadn't seen it, Network World just published a review I did
> >> of 13 different VPN products, focusing on site-to-site and enterprise applications:
> >> http://www.nwfusion.com/reviews/2001/1001rev.html
> >> --
> >> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> >> +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
> >> jms at Opus1.COM http://www.opus1.com/jms Opus One
> >> Electronic mail is always the best way to contact me.
> >> VPN is sponsored by SecurityFocus.com
> >I disagree with the assertion in the article that the Cisco products only allow
> >a single IKE policy to be configured. Both IOS and the PIX allow multiple
> >isakmp policy clauses, and it's not very hard to figure that out. If the people
> >doing the testing missed something this obvious when configuring the Cisco gear,
> >it makes me wonder how much else they might have missed. Because of this, I
> >have serious doubts about the credibility of the testers and their results.
> >Dana J. Dawson djdawso at qwest.com
> >Senior Staff Engineer CCIE #1937
> >Qwest Global Services (612) 664-3364
> >Qwest Communications (612) 664-4779 (FAX)
> >600 Stinson Blvd., Suite 1S
> >Minneapolis MN 55413-2620
> >"Hard is where the money is."
VPN is sponsored by SecurityFocus.com
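A simplified model of the behaviour discussed in this thread, as an added example that is not part of the original messages or Cisco's code: the responder walks one device-wide list of IKE policies in priority order and accepts the first one the initiator also proposed, with no per-peer input. Policy values and peer addresses are constructed, lifetime matching is omitted, and all names are hypothetical.

```python
# Simplified model of IKE phase 1 policy selection (added example, hypothetical names).
from typing import NamedTuple, Optional


class IkePolicy(NamedTuple):
    priority: int   # lower number = tried first, as in "crypto isakmp policy <n>"
    encryption: str
    hash_alg: str
    auth: str       # "pre-share", "rsa-sig" or "rsa-encr"
    dh_group: int

    def params(self):
        # Everything except the priority, which is only locally significant.
        return self[1:]


def select_policy(responder_policies, initiator_proposals) -> Optional[IkePolicy]:
    """Return the responder's highest-priority policy that the initiator offered.

    Note what is NOT an argument: the peer's IP address. The same ordered
    list is used for every peer, so preference cannot differ per peer.
    """
    offered = {p.params() for p in initiator_proposals}
    for policy in sorted(responder_policies, key=lambda p: p.priority):
        if policy.params() in offered:
            return policy
    return None  # no common policy: phase 1 fails


# Constructed sample: one device-wide policy list on the responder.
GLOBAL_POLICIES = [
    IkePolicy(10, "3des", "sha", "rsa-sig", 2),
    IkePolicy(20, "3des", "sha", "pre-share", 2),
    IkePolicy(30, "des", "md5", "pre-share", 1),
]

# Constructed peers (documentation addresses) and the proposals each sends.
PEER_PROPOSALS = {
    "192.0.2.1": [IkePolicy(1, "3des", "sha", "pre-share", 2)],
    "192.0.2.2": [IkePolicy(1, "3des", "sha", "pre-share", 2),
                  IkePolicy(2, "3des", "sha", "rsa-sig", 2)],
    "192.0.2.3": [IkePolicy(1, "des", "sha", "rsa-encr", 1)],
}


def negotiate_all():
    """Map each constructed peer to the policy chosen, or None if none matches."""
    return {peer: select_policy(GLOBAL_POLICIES, props)
            for peer, props in PEER_PROPOSALS.items()}


if __name__ == "__main__":
    for peer, chosen in negotiate_all().items():
        print(peer, "->", chosen.priority if chosen else "no match")
```

In this model several policies coexist and different peers end up on different ones, yet the ordering is shared: 192.0.2.2 lists pre-shared keys first and still gets policy 10 (rsa-sig) because the responder's priority decides.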