[VPN] Cisco 3000 clients

Joel M Snyder Joel.Snyder at Opus1.COM
Fri Sep 27 14:16:03 EDT 2002


>> You can use any IPSec compliant client with Cisco VPN
>> 3000.

>Whahhahahahahah....

>No seriously.

I can echo Eirik's sentiment.  There's a HUGE difference between what is
possible and what is practical.  Yeah, sure, you can find an IPsec client for
virtually anything, and it can be crafted in some way so that it is potentially
possible to talk to almost any VPN gateway server---we prove that in our labs
all the time.  

But the reality is that for remote access VPN, unless you're doing a trivial
case with 10 users and a network that never changes, the only practical way to
do this is to use the vendor-supplied client.  It's not just XAUTH (although
authentication is a big piece of the picture), but also policy updating and
management, support for NAT traversal ("so many standards to pick from; so
little time to try them all..."), and address assignment (mode config). 

Yeah, you got a VPN concentrator and this one Linux guy at home with a static
IP address and a known subnet who wants to come in, sure, you can make it work.
But in the general case, forget it.  You need to go with one of the vendors who
supports a truly broad range of software and hardware clients, which is
astonishingly slim (hint: they both begin with the letter C) if you care about
multiple platforms.  

jms

PS: This is a shortened version of the 3000 word rant on VPN remote access to
appear in Network World on October 28. 

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)  
jms at Opus1.COM    http://www.opus1.com/jms    Opus One


