[VPN] VPN using Netscreen 5xp

Tom McHugh TomM at spectrum-systems.com
Wed Oct 2 11:08:46 EDT 2002


I work with both the NetScreen hardware and the software, and I think the
latter has improved a bit lately.  I would suggest, though, that you stick
with IKE-based VPNs rather than manual keys because the regular
renegotiations of the keys mean that the encryption codes keep changing, so
it's more secure.

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com

Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"

11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

Stop struggling with your network!  You can save yourself the headache of
total network management and save money at the same time by using the help
and expertise of experienced professionals.  Call us at 800-929-3781 or
visit us at http://www.spectrum-systems.com to learn more.


> -----Original Message-----
> From: Chad Osmond [mailto:osmond at holburn.com]
> Sent: Monday, September 30, 2002 2:05 PM
> To: Watson, Travis
> Cc: vpn at lists.shmoo.com
> Subject: Re: [VPN] VPN using Netscreen 5xp
> 
> 
> > I'm a little confused, Chad.  You mention setting up a b2b but you
> > reference client software as well.  And, your remote (which I presume
> > is work) is the end with a dynamic IP address?  It seems like I'm
> > missing something.
> 
> I'm looking to set up road-warriors -> Office VPNs
> 
> Road warriors have dynamic IP addresses, Office is static.
> Office is a NetScreen 5XP device, RWs will have to be some sort of client
> like Netscreen remote, or alternative (Which I'm still trying to find a good
> one)
> 
> > The endpoint IP is usually included as part of the SA, but you can go
> > around that if you use certificates for authentication.  I don't know
> > how sophisticated the distant end device is, but the Netscreen can
> > handle it--if you can get your hands on a couple of certs and
> > convince the distant end to use it, which might be a non-starter.
> 
> The netscreen can also use some sort of Username authentication and manual
> keys, I'm still unsure of how to set this up. Certs are a possibility but I'd
> like to avoid them for now. Static IP -> Static IP VPNs are a breeze and I
> have a few up now. Just adding the one side dynamic that messes me up a bit.
> 
> > Also, Netscreen has their own client software (Netscreen-Remote)
> > which sells for a dollar a seat, I'm pretty sure.  Their client
> > software used to be pretty bad, truthfully, but this new stuff is
> > supposed to be excellent.  You may well want to give that a go.
> 
> $15.20 CAD / Seat according to the call I was just on. Minimum order of 10.
> I think I'm about to get a demo of their (NS) client to try and see if I can
> get to go.
> 
> > Let me know what I'm missing though--I know I'm not understanding it
> > fully.
> 
> I agree it was a little unclear, I need to start drinking coffee or
> something in the morning (I think thinkgeek has a caffeinated soap.. I
> should look into that.)
> 
> Chad