[VPN] VPN using Netscreen 5xp
Watson, Travis
Travis.Watson at Honeywell.com
Tue Oct 8 15:15:41 EDT 2002
Chad,
Sorry for the delay--been buried and haven't looked at the list for a while.
Anyway, that's definitely more clear--I can be pretty obtuse, have to spell it out for me. I almost choked on the
$15.20 figure. If that includes the integrated firewall, then that would be a pretty decent price, actually, but I
don't know if it does (rather doubt it). You should never have to pay more than $10/head for the basic client (the buck
a piece figure was for 1000 users and up--sorry). The problem with client software is that, usually, there is no real
incentive to make it all that solid--just good enough to sell the hardware. That's where NS did it right, in my
opinion, in that they gave up on their stuff and went to a company that actually tries to make a living from selling VPN
client software only.
http://www.ntsecurity.com/netscreen/Scripts/prodList.asp?idCategory=23
If the other device has a dynamic IP, you may well have to pony up the cash to get a routable static or make periodic
edits. Certs are the only other way to make it work for certain (that I know of) and both devices have to be able to
make a pkcs10 and be able to store the cert for that to happen. I hope I'm wrong, but that's been my experience.
--Travis
-----Original Message-----
From: Chad Osmond [mailto:osmond at holburn.com]
Sent: Monday, September 30, 2002 11:05 AM
To: Watson, Travis
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] VPN using Netscreen 5xp
> I'm a little confused, Chad. You mention setting up a b2b but you
> reference client software as well. And, your remote (which I presume
> is work) is the end with a dynamic IP address? It seems like I'm
> missing something.
I'm looking to set up road-warriors -> Office VPN's
Road warriors have dynamic IP addresses, Office is static.
Office is a NetScreen 5XP device, RW's will have to be some sort of client
like Netscreen remote, or alternative (Which I'm still trying to find a good
one)
> The endpoint IP is usually included as part of the SA, but you can go
> around that if you use certificates for authentication. I don't know
> how sophisticated the distant end device is, but the Netscreen can
> handle it--if you can get your hands on a couple of certs and
> convince the distant end to use it, which might be a non-starter.
The netscreen can also use some sort of Username authentication and manual
keys, I'm still unsure of how to set this up. Certs are a possibility but I'd
like to avoid them for now. Static IP -> Static IP vpn's are a breeze and I
have a few up now. Just adding the one side dynamic that messes me up a bit.
> Also, Netscreen has their own client software (Netscreen-Remote)
> which sells for a dollar a seat, I'm pretty sure. Their client
> software used to be pretty bad, truthfully, but this new stuff is
> supposed to be excellent. You may well want to give that a go.
$15.20 CAD / Seat according to the call I was just on. Minimum order of 10.
I think I'm about to get a demo of their (NS) client to try and see if I can
get to go.
> Let me know what I'm missing though--I know I'm not understanding it
> fully.
I agree it was a little unclear, I need to start drinking coffee or
something in the morning (I think thinkgeek has a caffeinated soap.. I
should look into that.)
Chad
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn