From paul at yaskowski.com Thu Apr 8 23:39:58 2004
From: paul at yaskowski.com (Paul R. Yaskowski)
Date: Thu, 8 Apr 2004 23:39:58 -0400
Subject: [VPN] Recommendations
Message-ID: <20040409034002.BAAD725CFA@mail.iocaine.com>

I'm looking to set up a site-to-site VPN to replace a leased line used solely for AS/400 access. I have a couple questions as to what I should get.

The main office consists of about 25 users with static SDSL. The remote office is about 5 users with dynamic ADSL.

I've looked at the PIX-501, but I've always been a little scared of per-user licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at the main office, it would only allow 10 users to get Internet access?

No matter what product I choose, would a site-to-site VPN work with a static address on one side and a dynamic on the other?

Would any PIX handle PPPoE with a dynamically assigned IP?

The company is cost-conscious, and I've looked at the PIX-506E, without the per-user licensing, but it is 50% more.

Any comments or suggestions as to which products I should look at would be a great boon to me. I prefer Cisco products, because I am familiar with their interface, but am flexible.

I would appreciate any help with this. I had Cisco certs back in the hey-day, but I worked with them so rarely that I let the certs expire.

Paul

From davepier at optusnet.com.au Fri Apr 9 04:42:42 2004
From: davepier at optusnet.com.au (David Pierson)
Date: Fri, 9 Apr 2004 18:42:42 +1000
Subject: [VPN] Recommendations
References: <20040409034002.BAAD725CFA@mail.iocaine.com>
Message-ID: <000e01c41e0e$a3a08d00$0701000a@qld.optushome.com.au>

Paul,

Do have a look at Snapgear www.cyberguard.com/snapgear as they do not charge a per-user licensing for their VPN. The LITE+ will do up to 0.5Mbps 3DES and the SME530 up to 3Mbps with 3DES or 8Mbps AES. Depends how much traffic you think you'll have. The equipment is a joy to use too.
The reason you don't hear as much about them on the VPN channels may be that their stuff just works and their lucky admins like me don't have any hassles. :-)

Cheers
David

----- Original Message -----
From: "Paul R. Yaskowski"
Sent: Friday, April 09, 2004 1:39 PM
Subject: [VPN] Recommendations

> I'm looking to set up a site-to-site VPN to replace a leased line used
> solely for AS/400 access. I have a couple questions as to what I should get.
>
> The main office consists of about 25 users with static SDSL. The remote
> office is about 5 users with dynamic ADSL.
>
> I've looked at the PIX-501, but I've always been a little scared of per-user
> licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
> the main office, it would only allow 10 users to get Internet access?
>
> No matter what product I choose, would a site-to-site VPN work with a static
> address on one side and a dynamic on the other?
>
> Would any PIX handle PPPoE with a dynamically assigned IP?
>
> The company is cost-conscious, and I've looked at the PIX-506E, without the
> per-user licensing, but it is 50% more.
>
> Any comments or suggestions as to which products I should look at would be a
> great boon to me. I prefer Cisco products, because I am familiar with their
> interface, but am flexible.
>
> I would appreciate any help with this. I had Cisco certs back in the
> hey-day, but I worked with them so rarely that I let the certs expire.
>
> Paul
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

From miker at cotse.com Fri Apr 9 08:48:18 2004
From: miker at cotse.com (Michael Ray)
Date: Fri, 09 Apr 2004 07:48:18 -0500
Subject: [VPN] Recommendations
In-Reply-To: <20040409034002.BAAD725CFA@mail.iocaine.com>
References: <20040409034002.BAAD725CFA@mail.iocaine.com>

On Thu, 8 Apr 2004 23:39:58 -0400, you wrote:

> I'm looking to set up a site-to-site VPN to replace a leased line used
> solely for AS/400 access. I have a couple questions as to what I should get.
>
> The main office consists of about 25 users with static SDSL. The remote
> office is about 5 users with dynamic ADSL.
>
> I've looked at the PIX-501, but I've always been a little scared of per-user
> licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
> the main office, it would only allow 10 users to get Internet access?
>
> No matter what product I choose, would a site-to-site VPN work with a static
> address on one side and a dynamic on the other?
>
> Would any PIX handle PPPoE with a dynamically assigned IP?
>
> The company is cost-conscious, and I've looked at the PIX-506E, without the
> per-user licensing, but it is 50% more.
>
> Any comments or suggestions as to which products I should look at would be a
> great boon to me. I prefer Cisco products, because I am familiar with their
> interface, but am flexible.
>
> I would appreciate any help with this. I had Cisco certs back in the
> hey-day, but I worked with them so rarely that I let the certs expire.
>
> Paul

I would look at the Netscreen 5GT products (standard and extended) and Fortinet's Fortigate 50A or 60 depending on your needs. Both companies offer antivirus, higher level content control on top of firewalling, IDS, VPN and traffic shaping, etc. Netscreen's option is a bit more for the AV and Deep Inspection while Fortinet includes them standard.
They are both easy to administer and will work with your static to dynamic VPN requirements.

As a side note, Fortinet was founded by one of the original Netscreen founders.

http://www.netscreen.com/products/at_a_glance/ds_5gt.jsp
http://www.fortinet.com/doc/FGT50A_100DS.pdf

Mike

From KHart at helixtechnology.com Fri Apr 9 09:06:41 2004
From: KHart at helixtechnology.com (Hart, Kevin)
Date: Fri, 9 Apr 2004 09:06:41 -0400
Subject: [VPN] Recommendations
Message-ID: <6FA79BD0B67DD411AAC400306E00B08C04E34E6A@exchange1.helixtech.com>

>> I've looked at the PIX-501, but I've always been a little scared of per-user
>> licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
>> the main office, it would only allow 10 users to get Internet access?

Yes...10 user license means just that. You'll need to order the PIX 501 with a 50 user license if you want more connections. For the main site, I would go with a 506E.

>> No matter what product I choose, would a site-to-site VPN work with a static
>> address on one side and a dynamic on the other?

Yes, the PIX can do IPSEC LAN to LAN tunnels with dynamic IP at one site.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

>> Would any PIX handle PPPoE with a dynamically assigned IP?

Yes...Pix with PPPOE:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801055dd.shtml

Watch for wraps on the URLs

Kevin

-----Original Message-----
From: Paul R. Yaskowski [mailto:paul at yaskowski.com]
Sent: Thursday, April 08, 2004 11:40 PM
To: vpn at lists.shmoo.com
Subject: [VPN] Recommendations

I'm looking to set up a site-to-site VPN to replace a leased line used solely for AS/400 access. I have a couple questions as to what I should get.

The main office consists of about 25 users with static SDSL. The remote office is about 5 users with dynamic ADSL.

I've looked at the PIX-501, but I've always been a little scared of per-user licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at the main office, it would only allow 10 users to get Internet access?

No matter what product I choose, would a site-to-site VPN work with a static address on one side and a dynamic on the other?

Would any PIX handle PPPoE with a dynamically assigned IP?

The company is cost-conscious, and I've looked at the PIX-506E, without the per-user licensing, but it is 50% more.

Any comments or suggestions as to which products I should look at would be a great boon to me. I prefer Cisco products, because I am familiar with their interface, but am flexible.

I would appreciate any help with this. I had Cisco certs back in the hey-day, but I worked with them so rarely that I let the certs expire.

Paul

From paul at yaskowski.com Fri Apr 9 11:28:28 2004
From: paul at yaskowski.com (Paul R. Yaskowski)
Date: Fri, 9 Apr 2004 11:28:28 -0400
Subject: [VPN] Recommendations
In-Reply-To: <20040409072246.78884.qmail@web25110.mail.ukl.yahoo.com>
Message-ID: <20040409152832.2E77A25D7A@mail.iocaine.com>

The PPPoE is for authenticating the DSL.

I've considered SmoothWall, but I don't plan on being here too long, and I'd hate to leave them with something no one else knows about. If you need Cisco help, you can get Cisco help.

A $90K AS/400 and a $400/month leased line between offices less than a half mile apart that should be merged. They're about broke now.

Paul

-----Original Message-----
From: Siddhartha Jain [mailto:losttoy2000 at yahoo.co.uk]
Sent: Friday, April 09, 2004 3:23 AM
To: Paul R. Yaskowski; vpn at lists.shmoo.com
Subject: Re: [VPN] Recommendations

> I've looked at the PIX-501, but I've always been a
> little scared of per-user
> licensing. If I purchased a 10-user PIX-501, and set
> it behind the SDSL at
> the main office, it would only allow 10 users to get
> Internet access?
Yes, it will only allow 10 IP addresses to pass out to the internet. Maybe you could set up a web proxy (if it's only web access that your users want) and then NAT it to go out. That way you can do with a 10-user license.

> No matter what product I choose, would a
> site-to-site VPN work with a static
> address on one side and a dynamic on the other?

Yes, you can do this. Look at:
http://cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

> Would any PIX handle PPPoE with a dynamically
> assigned IP?

Why do you want to do PPPoE? Do IPSec.

> The company is cost-conscious, and I've looked at
> the PIX-506E, without the
> per-user licensing, but it is 50% more.

Your management bought an AS/400 but can't afford a PIX 506E?? :)

> Any comments or suggestions as to which products I
> should look at would be a
> great boon to me. I prefer Cisco products, because I
> am familiar with their
> interface, but am flexible.

Look at Sonicwall and NetScreen. Both pack in more features than Cisco PIX, both have pretty good web GUIs and simpler configuration.

A tip on PIX: If you plan on using its Web GUI, then configure it from scratch using the GUI. If you configure it from CLI during installation and later try to switch to the GUI, you may run into trouble.

HTH,

Siddhartha

____________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now
http://uk.messenger.yahoo.com/download/index.html

From losttoy2000 at yahoo.co.uk Fri Apr 9 03:22:46 2004
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Fri, 9 Apr 2004 08:22:46 +0100 (BST)
Subject: [VPN] Recommendations
In-Reply-To: <20040409034002.BAAD725CFA@mail.iocaine.com>
Message-ID: <20040409072246.78884.qmail@web25110.mail.ukl.yahoo.com>

> I've looked at the PIX-501, but I've always been a
> little scared of per-user
> licensing. If I purchased a 10-user PIX-501, and set
> it behind the SDSL at
> the main office, it would only allow 10 users to get
> Internet access?

Yes, it will only allow 10 IP addresses to pass out to the internet. Maybe you could set up a web proxy (if it's only web access that your users want) and then NAT it to go out. That way you can do with a 10-user license.

> No matter what product I choose, would a
> site-to-site VPN work with a static
> address on one side and a dynamic on the other?

Yes, you can do this. Look at:
http://cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

> Would any PIX handle PPPoE with a dynamically
> assigned IP?

Why do you want to do PPPoE? Do IPSec.

> The company is cost-conscious, and I've looked at
> the PIX-506E, without the
> per-user licensing, but it is 50% more.

Your management bought an AS/400 but can't afford a PIX 506E?? :)

> Any comments or suggestions as to which products I
> should look at would be a
> great boon to me. I prefer Cisco products, because I
> am familiar with their
> interface, but am flexible.

Look at Sonicwall and NetScreen. Both pack in more features than Cisco PIX, both have pretty good web GUIs and simpler configuration.

A tip on PIX: If you plan on using its Web GUI, then configure it from scratch using the GUI. If you configure it from CLI during installation and later try to switch to the GUI, you may run into trouble.

HTH,

Siddhartha

____________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" your friends today!
Download Messenger Now
http://uk.messenger.yahoo.com/download/index.html

From losttoy2000 at yahoo.co.uk Sat Apr 10 03:12:11 2004
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Sat, 10 Apr 2004 08:12:11 +0100 (BST)
Subject: [VPN] Recommendations
In-Reply-To: <20040409152832.2E77A25D7A@mail.iocaine.com>
Message-ID: <20040410071211.45606.qmail@web25109.mail.ukl.yahoo.com>

Umm, so you are using PPPoE only for authentication? You can do that in IPSec with pre-shared keys.

--- "Paul R. Yaskowski" wrote:
> The PPPoE is for authenticating the DSL.
>
> I've considered SmoothWall, but I don't plan on
> being here too long, and I'd
> hate to leave them with something no one else knows
> about. If you need Cisco
> help, you can get Cisco help.
>
> A $90K AS/400 and a $400/month leased line between
> offices less than a half
> mile apart that should be merged. They're about
> broke now.
>
> Paul
>
> -----Original Message-----
> From: Siddhartha Jain
> [mailto:losttoy2000 at yahoo.co.uk]
> Sent: Friday, April 09, 2004 3:23 AM
> To: Paul R. Yaskowski; vpn at lists.shmoo.com
> Subject: Re: [VPN] Recommendations
>
> > I've looked at the PIX-501, but I've always been a
> > little scared of per-user
> > licensing. If I purchased a 10-user PIX-501, and set
> > it behind the SDSL at
> > the main office, it would only allow 10 users to get
> > Internet access?
>
> Yes, it will only allow 10 IP addresses to pass out to
> the internet. Maybe you could set up a web proxy (if
> it's only web access that your users want) and then NAT
> it to go out. That way you can do with a 10-user
> license.
>
> > No matter what product I choose, would a
> > site-to-site VPN work with a static
> > address on one side and a dynamic on the other?
>
> Yes, you can do this. Look at:
> http://cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
>
> > Would any PIX handle PPPoE with a dynamically
> > assigned IP?
>
> Why do you want to do PPPoE? Do IPSec.
>
> > The company is cost-conscious, and I've looked at
> > the PIX-506E, without the
> > per-user licensing, but it is 50% more.
>
> Your management bought an AS/400 but can't afford a
> PIX 506E?? :)
>
> > Any comments or suggestions as to which products I
> > should look at would be a
> > great boon to me. I prefer Cisco products, because I
> > am familiar with their
> > interface, but am flexible.
>
> Look at Sonicwall and NetScreen. Both pack in more
> features than Cisco PIX, both have pretty good web
> GUIs and simpler configuration.
>
> A tip on PIX: If you plan on using its Web GUI, then
> configure it from scratch using the GUI. If you
> configure it from CLI during installation and later
> try to switch to the GUI, you may run into trouble.
>
> HTH,
>
> Siddhartha

From travis at traviswatson.com Sat Apr 10 13:58:54 2004
From: travis at traviswatson.com (Travis Watson)
Date: Sat, 10 Apr 2004 10:58:54 -0700
Subject: [VPN] Recommendations
In-Reply-To: <20040409034002.BAAD725CFA@mail.iocaine.com>
References: <20040409034002.BAAD725CFA@mail.iocaine.com>
Message-ID: <200404101058.54790.travis@traviswatson.com>

Paul,

You've already received some good recommendations and I don't mean to pour it on, but you may want to look at m0n0wall as well for the smaller site--particularly if management is cheap (http://m0n0.ch/wall/).
It's pretty cool stuff and the price is right.

Having said that, I usually lean toward Netscreen. They are very reasonable in price, solid, and easy to manage. The only caution I would give you is that the 5-series has the 10 user and "unlimited" option for VPN. Ten nodes through a tunnel can happen pretty quickly and the unlimited option just about doubles the price. The 10 user limitation is for VPN only, however, not general connectivity.

Good luck.

--Travis

On Thursday 08 April 2004 08:39 pm, Paul R. Yaskowski wrote:
> I'm looking to set up a site-to-site VPN to replace a leased line used
> solely for AS/400 access. I have a couple questions as to what I should
> get.
>
> The main office consists of about 25 users with static SDSL. The remote
> office is about 5 users with dynamic ADSL.
>
> I've looked at the PIX-501, but I've always been a little scared of
> per-user licensing. If I purchased a 10-user PIX-501, and set it behind the
> SDSL at the main office, it would only allow 10 users to get Internet
> access?
>
> No matter what product I choose, would a site-to-site VPN work with a
> static address on one side and a dynamic on the other?
>
> Would any PIX handle PPPoE with a dynamically assigned IP?
>
> The company is cost-conscious, and I've looked at the PIX-506E, without the
> per-user licensing, but it is 50% more.
>
> Any comments or suggestions as to which products I should look at would be
> a great boon to me. I prefer Cisco products, because I am familiar with
> their interface, but am flexible.
>
> I would appreciate any help with this. I had Cisco certs back in the
> hey-day, but I worked with them so rarely that I let the certs expire.
>
> Paul

From paul at yaskowski.com Sat Apr 10 19:15:40 2004
From: paul at yaskowski.com (Paul R. Yaskowski)
Date: Sat, 10 Apr 2004 19:15:40 -0400
Subject: [VPN] Recommendations
In-Reply-To: <20040410071211.45606.qmail@web25109.mail.ukl.yahoo.com>
Message-ID: <20040410231547.976CE25D4B@mail.iocaine.com>

PPPoE for authentication to Verizon, the DSL provider.

Paul

-----Original Message-----
From: vpn-bounces+paul=yaskowski.com at lists.shmoo.com [mailto:vpn-bounces+paul=yaskowski.com at lists.shmoo.com] On Behalf Of Siddhartha Jain
Sent: Saturday, April 10, 2004 3:12 AM
To: vpn at lists.shmoo.com
Subject: RE: [VPN] Recommendations

Umm, so you are using PPPoE only for authentication? You can do that in IPSec with pre-shared keys.

--- "Paul R. Yaskowski" wrote:
> The PPPoE is for authenticating the DSL.
>
> I've considered SmoothWall, but I don't plan on
> being here too long, and I'd
> hate to leave them with something no one else knows
> about. If you need Cisco
> help, you can get Cisco help.
>
> A $90K AS/400 and a $400/month leased line between
> offices less than a half
> mile apart that should be merged. They're about
> broke now.
>
> Paul
>
> -----Original Message-----
> From: Siddhartha Jain
> [mailto:losttoy2000 at yahoo.co.uk]
> Sent: Friday, April 09, 2004 3:23 AM
> To: Paul R. Yaskowski; vpn at lists.shmoo.com
> Subject: Re: [VPN] Recommendations
>
> > I've looked at the PIX-501, but I've always been a
> > little scared of per-user
> > licensing. If I purchased a 10-user PIX-501, and set
> > it behind the SDSL at
> > the main office, it would only allow 10 users to get
> > Internet access?
>
> Yes, it will only allow 10 IP addresses to pass out to
> the internet. Maybe you could set up a web proxy (if
> it's only web access that your users want) and then NAT
> it to go out. That way you can do with a 10-user
> license.
>
> > No matter what product I choose, would a
> > site-to-site VPN work with a static
> > address on one side and a dynamic on the other?
>
> Yes, you can do this. Look at:
> http://cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
>
> > Would any PIX handle PPPoE with a dynamically
> > assigned IP?
>
> Why do you want to do PPPoE? Do IPSec.
>
> > The company is cost-conscious, and I've looked at
> > the PIX-506E, without the
> > per-user licensing, but it is 50% more.
>
> Your management bought an AS/400 but can't afford a
> PIX 506E?? :)
>
> > Any comments or suggestions as to which products I
> > should look at would be a
> > great boon to me. I prefer Cisco products, because I
> > am familiar with their
> > interface, but am flexible.
>
> Look at Sonicwall and NetScreen. Both pack in more
> features than Cisco PIX, both have pretty good web
> GUIs and simpler configuration.
>
> A tip on PIX: If you plan on using its Web GUI, then
> configure it from scratch using the GUI. If you
> configure it from CLI during installation and later
> try to switch to the GUI, you may run into trouble.
>
> HTH,
>
> Siddhartha

From djdawso at qwest.com Mon Apr 12 11:43:25 2004
From: djdawso at qwest.com (Dana J. Dawson)
Date: Mon, 12 Apr 2004 10:43:25 -0500
Subject: [VPN] Recommendations
In-Reply-To: <200404101058.54790.travis@traviswatson.com>
References: <20040409034002.BAAD725CFA@mail.iocaine.com> <200404101058.54790.travis@traviswatson.com>
Message-ID: <407AB91D.5060303@qwest.com>

An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040412/70c5ba26/attachment.htm

From Adam.Pierce at hutto.txed.net Mon Apr 12 21:26:28 2004
From: Adam.Pierce at hutto.txed.net (Adam Pierce)
Date: Mon, 12 Apr 2004 20:26:28 -0500
Subject: [VPN] RE: Cisco PIX 501 and Cisco remote VPN client&In-Reply-To=20040130150404.67610.qmail@mail.reds

Here are a few things you are missing.

First, you need an access-list to keep your VPN traffic from being NATed.

access-list 101 permit ip 192.168.1.0 255.255.255.0 "vpn pool range"

You'll also need another nat statement to put this access-list in place:

nat (inside) 0 access-list 101

Your VPNpool will need to be in a different network than your internal network so it can be routed. It's also a good idea to not use numbers that are frequently used in home networks, i.e. 192.168.1.0 or 192.168.100.0.

ip local pool VPNpool 192.168.128.230-192.168.128.240

These issues will certainly give you problems. I hope this helps!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040412/ff2beefc/attachment.htm

From travis at traviswatson.com Mon Apr 12 21:47:38 2004
From: travis at traviswatson.com (Travis Watson)
Date: Mon, 12 Apr 2004 18:47:38 -0700
Subject: [VPN] Recommendations
In-Reply-To: <407AB91D.5060303@qwest.com>
References: <20040409034002.BAAD725CFA@mail.iocaine.com> <200404101058.54790.travis@traviswatson.com> <407AB91D.5060303@qwest.com>
Message-ID: <200404121847.38871.travis@traviswatson.com>

Dana,

I guess I'm not quite following. Are you talking about outbound IPSec client connections?
That shouldn't be a problem at all unless you tweaked the MTU to a small size on purpose. You aren't trying to PAT outbound connections, are you?

--Travis

On Monday 12 April 2004 08:43 am, Dana J. Dawson wrote:
> One issue I've had with Netscreen firewalls in the past is that I've
> never managed to get them to support IPSec pass-thru for generic IPSec
> clients through the Netscreen in router mode with PAT (i.e. not using
> NAT-Traversal or any other type of TCP/UDP encapsulation of the IPSec
> traffic). Is this a known limitation of the Netscreen, or is there a
> trick I haven't found? I haven't tried the latest software, so maybe
> this is no longer an issue - the last version I've tried is 4.0.3r3.0
> in a 5XP.
>
> Dana
>
> Travis Watson wrote:
> > Paul,
> >
> > You've already received some good recommendations and I don't mean to pour
> > it on, but you may want to look at m0n0wall as well for the smaller
> > site--particularly if management is cheap (http://m0n0.ch/wall/). It's pretty cool
> > stuff and the price is right.
> >
> > Having said that, I usually lean toward Netscreen. They are very
> > reasonable in price, solid, and easy to manage. The only caution I would
> > give you is that the 5-series has the 10 user and "unlimited" option for
> > VPN. Ten nodes through a tunnel can happen pretty quickly and the
> > unlimited option just about doubles the price. The 10 user limitation is
> > for VPN only, however, not general connectivity.
> >
> > Good luck.
> >
> > --Travis
> >
> > On Thursday 08 April 2004 08:39 pm, Paul R. Yaskowski wrote:
> > > I'm looking to set up a site-to-site VPN to replace a
> > > leased line used solely for AS/400 access. I have a couple questions as to
> > > what I should get.
> > >
> > > The main office consists of about 25 users with static SDSL. The remote
> > > office is about 5 users with dynamic ADSL.
> > >
> > > I've looked at the PIX-501, but I've always been a little scared of
> > > per-user licensing. If I purchased a 10-user PIX-501, and set it behind the
> > > SDSL at the main office, it would only allow 10 users to get Internet
> > > access?
> > >
> > > No matter what product I choose, would a site-to-site VPN work with a
> > > static address on one side and a dynamic on the other?
> > >
> > > Would any PIX handle PPPoE with a dynamically assigned IP?
> > >
> > > The company is cost-conscious, and I've looked at the PIX-506E, without the
> > > per-user licensing, but it is 50% more.
> > >
> > > Any comments or suggestions as to which products I should look at would be
> > > a great boon to me. I prefer Cisco products, because I am familiar with
> > > their interface, but am flexible.
> > >
> > > I would appreciate any help with this. I had Cisco certs back in the
> > > hey-day, but I worked with them so rarely that I let the certs expire.
> > >
> > > Paul

From djdawso at qwest.com Tue Apr 13 11:43:12 2004
From: djdawso at qwest.com (Dana J. Dawson)
Date: Tue, 13 Apr 2004 10:43:12 -0500
Subject: [VPN] Recommendations
In-Reply-To: <200404121847.38871.travis@traviswatson.com>
References: <20040409034002.BAAD725CFA@mail.iocaine.com> <200404101058.54790.travis@traviswatson.com> <407AB91D.5060303@qwest.com> <200404121847.38871.travis@traviswatson.com>
Message-ID: <407C0A90.2050901@qwest.com>

An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040413/7ee32b04/attachment.htm

From stu at gateway10.homeip.net Sat Apr 17 02:25:09 2004
From: stu at gateway10.homeip.net (stu)
Date: Sat, 17 Apr 2004 08:25:09 +0200
Subject: [VPN] Vpn support
Message-ID: <20040417082435.1BB14CEF87@firewall.gateway10.homeip.net>

Hello VPN'ers

Is it possible to build a VPN tunnel between a linux machine and a sonicwall firewall?
Running suse 9.0 pro with iptables.
Sonicwall firmware 6.5.0.4

I am talking about a LAN vpn'ed behind the linux box to the LAN behind the sonicwall appliance. Not a linux client to a sonicwall.

Thanks
Stu

From chris at vashel.net Sat Apr 17 11:52:21 2004
From: chris at vashel.net (chris vashel)
Date: Sat, 17 Apr 2004 08:52:21 -0700
Subject: [VPN] Vpn support
In-Reply-To: <20040417082435.1BB14CEF87@firewall.gateway10.homeip.net>
References: <20040417082435.1BB14CEF87@firewall.gateway10.homeip.net>
Message-ID: <408152B5.8040709@vashel.net>

> Hello VPN'ers
>
> Is it possible to build a VPN tunnel between a linux machine and a sonicwall
> firewall?
> Running suse 9.0 pro with iptables.
> Sonicwall firmware 6.5.0.4
>
> I am talking about a LAN vpn'ed behind the linux box to the LAN behind the
> sonicwall appliance. Not a linux client to a sonicwall.
>

you might try:
http://www.sonicwall.com/services/VPN_documentation.html
and more specifically:
ftp://ftp.sonicwall.com/pub/info/vpn/SonicWALL_IKEVPNTunnel_FreeSWAN.pdf

good luck
chris

From casigmon at cryptek.com Mon Apr 19 09:48:21 2004
From: casigmon at cryptek.com (Clinton Sigmon)
Date: Mon, 19 Apr 2004 09:48:21 -0400
Subject: [VPN] Vpn support
In-Reply-To: <408152B5.8040709@vashel.net>
References: <20040417082435.1BB14CEF87@firewall.gateway10.homeip.net> <408152B5.8040709@vashel.net>
Message-ID: <4083D8A5.2080709@cryptek.com>

http://www.johnleach.co.uk/documents/freeswan-sonicwall-example/

cs

chris vashel wrote:
|> Hello VPN'ers
|>
|> Is it possible to build a VPN tunnel between a linux machine and a
|> sonicwall
|> firewall?
|> Running suse 9.0 pro with iptables.
|> Sonicwall firmware 6.5.0.4
|>
|> I am talking about a LAN vpn'ed behind the linux box to the LAN behind
|> the
|> sonicwall appliance. Not a linux client to a sonicwall.
|>
|
| you might try:
| http://www.sonicwall.com/services/VPN_documentation.html
| and more specifically:
| ftp://ftp.sonicwall.com/pub/info/vpn/SonicWALL_IKEVPNTunnel_FreeSWAN.pdf
|
| good luck
| chris

From nkulshreshtha at ipolicynet.com Fri Apr 23 14:06:56 2004
From: nkulshreshtha at ipolicynet.com (Kulshreshtha, Naveen)
Date: Fri, 23 Apr 2004 11:06:56 -0700
Subject: [VPN] does RFC mentioned about number of Idci and Idcr in quick mode

Hi,

I have a question about the number of IDci and IDcr in the Quick mode exchange. How many of each of them can I attach?
Can I send more than one IDci and more than one IDcr? Does RFC mention that there should be only one IDci and one IDcr ? In the absence of any identification tagged to the ID payload, How can it be understand that which one is IDci and which one is IDcr ? While there is one IDci and one IDcr, sequence {first IDci and than IDcr} makes it sure that these payload identified properly . Thanks Naveen -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040423/22497fb6/attachment.htm From jef at linuxbe.org Wed Apr 28 05:10:43 2004 From: jef at linuxbe.org (Jean-Francois Dive) Date: Wed, 28 Apr 2004 11:10:43 +0200 Subject: [VPN] does RFC mentioned about number of Idci and Idcr in quick mode In-Reply-To: References: Message-ID: <20040428091043.GC2183@gardafou.assamite.eu.org> You will always have HASH|SA|NONCE|IDci|IDcr payload in a valid quick mode exchance (in msg 1). The first ID payload is the initiator id, second beeing responder and this will always be the case. If you want to negotiate more network pair accesses, you will need to start multiple quick mode exchanges (they even can be negoatiated concurently). hope this help, J. On Fri, Apr 23, 2004 at 11:06:56AM -0700, Kulshreshtha, Naveen wrote: > Hi, > > > > I have question about the number of IDci and IDcr in the Quick mode exchange. How many of each of them I can attach? Can I send more than one IDci and more than one IDcr? Does RFC mention that there should be only one IDci and one IDcr ? > > > > > > In the absence of any identification tagged to the ID payload, How can it be understand that which one is IDci and which one is IDcr ? While there is one IDci and one IDcr, sequence {first IDci and than IDcr} makes it sure that these payload identified properly . 
--
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From Onsite.DeTeWe at firstgroup.com Thu Apr 29 12:18:11 2004
From: Onsite.DeTeWe at firstgroup.com (Onsite DeTeWe)
Date: Thu, 29 Apr 2004 17:18:11 +0100
Subject: [VPN] Help with VPN Client 4.0.3 to PIX through A vigor internet link
Message-ID:

Hi,

I was wondering if anyone can help with this one.

Client PC running Windows XP SP1 and Cisco VPN Client 4.0.3, connected to the internet using ADSL with NAT, IP address 192.168.1.1, NAT address xxx.xxx.xxx.xxx.

The PIX is behind an ADSL router (Vigor 2600 v2.5), public address yyy.yyy.yyy.yyy, with the PIX's 'outside' interface 192.168.0.249. Open ports and firewall open for UDP 500 to the PIX from the Vigor.

After running the appropriate debug I have got this result. It does this with NAT traversal on or off; this is with it on. I would really be grateful for any ideas, as I am rapidly coming to the end of things to try.

crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.0.249 spt:500 dpt: 500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable.
Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.0.249 spt:500 dpt: 500
VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.0.249 spt:500 dpt: 500
VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.0.249 spt:500 dpt: 500
VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx/500 not found - peers:0
ISAKMP: larval sa found
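An added example (not from the thread) of the point in Jean-Francois Dive's reply to Naveen's Quick Mode question above: no field in a Quick Mode message 1 labels an ID payload as IDci or IDcr, so a receiver tells them apart by position, and a message carrying anything other than exactly one pair is rejected rather than guessed at. The Python below builds a constructed, unencrypted QM message 1 with placeholder HASH, SA and NONCE bodies (the cookies, message ID and subnets are made-up values), walks the RFC 2408 payload chain and names the two IDs; the payload type numbers and the IPsec DOI subnet ID layout follow RFC 2408 and RFC 2407.

```python
import ipaddress
import struct

# ISAKMP payload types (RFC 2408), the IPsec DOI subnet ID type (RFC 2407),
# the Quick Mode exchange type and the fixed 28-byte ISAKMP header length.
SA, ID, HASH, NONCE = 1, 5, 8, 10
ID_IPV4_ADDR_SUBNET = 4
QUICK_MODE, HDR_LEN = 32, 28

def id_subnet(net):
    """ID payload body for an IPv4 subnet: ID type, protocol, port, address, mask."""
    n = ipaddress.IPv4Network(net)
    return struct.pack("!BBH", ID_IPV4_ADDR_SUBNET, 0, 0) + n.network_address.packed + n.netmask.packed

def quick_mode_msg1(ids):
    """Constructed QM message 1 (shown unencrypted): HASH|SA|NONCE, then one ID per subnet.
    The HASH, SA and NONCE bodies are placeholders; the payload chain is the point."""
    chain = [(HASH, b"\x00" * 16), (SA, b"\x00" * 8), (NONCE, b"\x11" * 16)]
    chain += [(ID, id_subnet(n)) for n in ids]
    body = b""
    for i, (ptype, data) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0   # next-payload 0 ends the chain
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data   # generic payload header
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x02" * 8, chain[0][0],
                      0x10, QUICK_MODE, 0x01, 0x1234, HDR_LEN + len(body))
    return hdr + body

def walk_payloads(msg):
    """Yield (type, body) by following the next-payload chain after the header."""
    off, ptype = HDR_LEN, msg[16]
    while ptype != 0:
        nxt, _, length = struct.unpack_from("!BBH", msg, off)
        if length < 4 or off + length > len(msg):
            raise ValueError("payload length runs past the end of the message")
        yield ptype, msg[off + 4:off + length]
        off, ptype = off + length, nxt

def decode_id(body):
    """Render a subnet ID payload as 'addr/prefix'; other ID types are returned as hex."""
    if body[0] != ID_IPV4_ADDR_SUBNET:
        return body[4:].hex()
    return str(ipaddress.IPv4Network((body[4:8], str(ipaddress.IPv4Address(body[8:12])))))

def quick_mode_identities(msg):
    """Position, not a tag, tells IDci from IDcr: the first ID payload is IDci and the
    second IDcr; a further network pair needs another quick mode exchange, not a third ID."""
    ids = [data for ptype, data in walk_payloads(msg) if ptype == ID]
    if len(ids) != 2:
        raise ValueError(f"expected IDci then IDcr, found {len(ids)} ID payloads")
    return {"IDci": decode_id(ids[0]), "IDcr": decode_id(ids[1])}
```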