[VPN] VPN using Netscreen 5xp

Watson, Travis Travis.Watson at Honeywell.com
Tue Oct 8 15:15:41 EDT 2002


Chad,

Sorry for the delay--been buried and haven't looked at the list for a while.

Anyway, that's definitely more clear--I can be pretty obtuse, have to spell it out for me.  I almost choked on the
$15.20 figure.  If that includes the integrated firewall, then that would be a pretty decent price, actually, but I
don't know if it does (rather doubt it).  You should never have to pay more than $10/head for the basic client (the buck
a piece figure was for 1000 users and up--sorry).  The problem with client software is that, usually, there is no real
incentive to make it all that solid--just good enough to sell the hardware.  That's where NS did it right, in my
opinion, in that they gave up on their stuff and went to a company that actually tries to make a living from selling VPN
client software only.  

http://www.ntsecurity.com/netscreen/Scripts/prodList.asp?idCategory=23

If the other device has a dynamic IP, you may well have to pony up the cash to get a routable static or make periodic
edits.  Certs are the only other way to make it work for certain (that I know of) and both devices have to be able to
make a pkcs10 and be able to store the cert for that to happen.  I hope I'm wrong, but that's been my experience.

--Travis


-----Original Message-----
From: Chad Osmond [mailto:osmond at holburn.com]
Sent: Monday, September 30, 2002 11:05 AM
To: Watson, Travis
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] VPN using Netscreen 5xp


> I'm a little confused, Chad.  You mention setting up a b2b but you
> reference client software as well.  And, your remote (which I presume
> is work) is the end with a dynamic IP address?  It seems like I'm
> missing something.

I'm looking to set up road-warriors -> Office VPNs

Road warriors have dynamic IP addresses, Office is static.
Office is a NetScreen 5XP device, RW's will have to be some sort of client
like Netscreen remote, or alternative (Which I'm still trying to find a good
one)

> The endpoint IP is usually included as part of the SA, but you can go
> around that if you use certificates for authentication.  I don't know
> how sophisticated the distant end device is, but the Netscreen can
> handle it--if you can get your hands on a couple of certs and
> convince the distant end to use it, which might be a non-starter.

The netscreen can also use some sort of Username authentication and manual
keys, I'm still unsure of how to set this up. Certs are a possibility but I'd
like to avoid them for now. Static IP -> Static IP VPNs are a breeze and I
have a few up now. Just adding the one side dynamic that messes me up a bit.

> Also, Netscreen has their own client software (Netscreen-Remote)
> which sells for a dollar a seat, I'm pretty sure.  Their client
> software used to be pretty bad, truthfully, but this new stuff is
> supposed to be excellent.  You may well want to give that a go.

$15.20 CAD / Seat according to the call I was just on. Minimum order of 10.
I think I'm about to get a demo of their (NS) client to try and see if I can
get to go.

> Let me know what I'm missing though--I know I'm not understanding it
> fully.

I agree it was a little unclear, I need to start drinking coffee or
something in the morning (I think thinkgeek has a caffeinated soap.. I
should look into that.)

Chad

