From pjacob at ftmc.com Mon Mar 1 12:42:42 2004
From: pjacob at ftmc.com (Pete Jacob)
Date: Mon, 1 Mar 2004 12:42:42 -0500
Subject: [VPN] NetScreen / Juniper
Message-ID:

Hello,

we have a few NetScreen routers, mainly smaller ones, we are looking at getting some larger NetScreen routers but I am concerned about the Juniper buy out..

I am not real sure about Juniper... I don't know much about them.

Does anyone have any thoughts on this?

Thanks

Pete.

From johan.andersson at atea.com Mon Mar 1 15:53:23 2004
From: johan.andersson at atea.com (Andersson Johan)
Date: Mon, 1 Mar 2004 21:53:23 +0100
Subject: FW: [VPN] NetScreen / Juniper
Message-ID:

Yes, I think this could be really great! But NetScreen doesn't make any routers; they mainly make Firewall and VPN boxes, but also IDPs and now also SSL VPN machines!

/Johan

-----Original Message-----
From: Pete Jacob [mailto:pjacob at ftmc.com]
Sent: Monday, March 01, 2004 6:43 PM
To: vpn at lists.shmoo.com
Subject: [VPN] NetScreen / Juniper

Hello, we have a few NetScreen routers, mainly smaller ones, we are looking at getting some larger NetScreen routers but I am concerned about the Juniper buy out.. I am not real sure about Juniper... I don't know much about them. Does anyone have any thoughts on this? Thanks Pete.
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

From lisa at corecom.com Mon Mar 1 17:41:04 2004
From: lisa at corecom.com (Lisa Phifer)
Date: Mon, 01 Mar 2004 17:41:04 -0500
Subject: [VPN] Upcoming InfoSec Magazine 4-in-1 Security Gateway Review
Message-ID: <6.0.1.1.2.20040301173446.0241ca60@vws0101.fast.net>

Folks,

Information Security Magazine will soon be testing 4-in-1 security gateways sold to mid-sized companies. Specifically, we're looking for appliances that offer (at minimum) integrated firewall+VPN+IDS+AV. Vendors interested in participating should contact me or Neil Roiter by March 5th to request a copy of the invitation.
Lisa Phifer
Core Competence Inc.
On behalf of InfoSec Magazine

From gregory-ietf at earthlink.net Tue Mar 2 02:26:46 2004
From: gregory-ietf at earthlink.net (Gregory M Lebovitz)
Date: Mon, 01 Mar 2004 23:26:46 -0800
Subject: [VPN] NetScreen / Juniper
Message-ID: <5.1.1.6.0.20040301232305.02270448@popd.ix.netcom.com>

Pete -

If you read through the literature in the press and on the web site, you will see that the NetScreen product line will be left on its own, at least for a while after the merger. It will, of course, gain from the wisdom and experience in the areas of routing excellence, for which the Juniper name is synonymous. Juniper is the premier vendor for ISP and Carrier core routers, and shares NetScreen's reputation for technology leadership, excellence, and performance. I would say your trust in NetScreen can only increase from this announcement.

Hope this helps,
Gregory

- - -----Original Message-----
From: vpn-bounces+sratcliffe=icsalabs.com at lists.shmoo.com [mailto:vpn-bounces+sratcliffe=icsalabs.com at lists.shmoo.com] On Behalf Of Pete Jacob
Sent: Monday, March 01, 2004 12:43 PM
To: vpn at lists.shmoo.com
Subject: [VPN] NetScreen / Juniper

Hello, we have a few NetScreen routers, mainly smaller ones, we are looking at getting some larger NetScreen routers but I am concerned about the Juniper buy out.. I am not real sure about Juniper... I don't know much about them. Does anyone have any thoughts on this? Thanks Pete.
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn

+++++++++++++++++++++++++
IETF-related email from
Gregory M. Lebovitz
Architect - CTO Office
NetScreen Technologies
W - +01 (1) 408 543 8002
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040301/4f545731/attachment.htm

From hani_farouk at yahoo.com Wed Mar 3 03:01:14 2004
From: hani_farouk at yahoo.com (hani farouk)
Date: Wed, 3 Mar 2004 00:01:14 -0800 (PST)
Subject: [VPN] Re: NetScreen Vs. Juniper
In-Reply-To: <20040302190012.3338C2355E@mail.iocaine.com>
Message-ID: <20040303080114.46651.qmail@web12101.mail.yahoo.com>

Hello..

Juniper is the best performance router, and finally after the new firewall investment they will be unbeatable, but they are so expensive; also their low end router is so big (M5 is used in some ISPs' core).

Regards,
Hani

Hello, we have a few NetScreen routers, mainly smaller ones, we are looking at getting some larger NetScreen routers but I am concerned about the Juniper buy out.. I am not real sure about Juniper... I don't know much about them. Does anyone have any thoughts on this? Thanks Pete.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040303/576cbb94/attachment.htm

From travis at traviswatson.com Wed Mar 3 07:30:31 2004
From: travis at traviswatson.com (Travis Watson)
Date: Wed, 3 Mar 2004 05:30:31 -0700
Subject: [VPN] NetScreen / Juniper
In-Reply-To:
References:
Message-ID: <200403030530.32619.travis@traviswatson.com>

Pete,

Others have commented on this and I agree with what they've said largely, but for my 2 cents...

Juniper does very well with the ISPs and big portals, not much anywhere else. They bought Netscreen not just for the security aspect, but because they can absorb their reseller channels. Plus, they're both ASIC companies, so they can borrow from each other in development. For Netscreen, the advantage is that they can be associated with a company that is known for high-end routing and a company that already has their hooks in some big carriers.
Netscreen has always been afraid of Cisco (rightly so) and this gives them some cushion. Juniper/Netscreen still has a looooong way to go if they want to seriously compete with Cisco (i.e. edge routers, edge switches, wireless), but this merger gets them much closer. And, with this merger, I would say that it's the final death blow to any firewall not on ASIC or running a micro-kernel/controller architecture. So the question isn't really "should I put an investment in Netscreen or Cisco?" but "should I put an investment into any company that is not Netscreen or Cisco?" I just can't imagine how Checkpoint, Sidewinder, etc. can be viable products 5 years from now unless they significantly re-architect their systems very soon.

As for Netscreen/Juniper, they aren't leaving anytime soon.

Regards,
Travis

On Monday 01 March 2004 10:42 am, Pete Jacob wrote:
> Hello,
>
> we have a few NetScreen routers, mainly smaller ones,
> we are looking at getting some larger NetScreen routers
> but I am concerned about the Juniper buy out..
>
> I am not real sure about Juniper... I don't know much about them.
>
> Does anyone have any thoughts on this?
>
> Thanks
>
> Pete.
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

From qmitchell at macromed.com Wed Mar 3 10:40:53 2004
From: qmitchell at macromed.com (Quinn Mitchell)
Date: Wed, 3 Mar 2004 08:40:53 -0700
Subject: [VPN] Re: NetScreen Vs. Juniper
Message-ID:

Are these Juniper routers outperforming Cisco?

_____
From: vpn-bounces+qmitchell=macromed.com at lists.shmoo.com [mailto:vpn-bounces+qmitchell=macromed.com at lists.shmoo.com] On Behalf Of hani farouk
Sent: Wednesday, March 03, 2004 1:01 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Re: NetScreen Vs. Juniper

Hello..
Juniper is the best performance router, and finally after the new firewall investment they will be unbeatable, but they are so expensive; also their low end router is so big (M5 is used in some ISPs' core).

Regards,
Hani

Hello, we have a few NetScreen routers, mainly smaller ones, we are looking at getting some larger NetScreen routers but I am concerned about the Juniper buy out.. I am not real sure about Juniper... I don't know much about them. Does anyone have any thoughts on this? Thanks Pete.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040303/0cb26dda/attachment.htm

From jsdy at center.osis.gov Wed Mar 3 16:42:34 2004
From: jsdy at center.osis.gov (Joseph S D Yao)
Date: Wed, 3 Mar 2004 16:42:34 -0500
Subject: [VPN] NetScreen / Juniper
In-Reply-To: <200403030530.32619.travis@traviswatson.com>
References: <200403030530.32619.travis@traviswatson.com>
Message-ID: <20040303164234.M11540@franklin.center.osis.gov>

On Wed, Mar 03, 2004 at 05:30:31AM -0700, Travis Watson wrote:
...
> merger gets them much closer. And, with this merger, I would say that it's
> the final death blow to any firewall not on ASIC or running a
> micro-kernel/controller architecture. So the question isn't really "should I
> put an investment in Netscreen or Cisco?" but "should I put an investment
> into any company that is not Netscreen or Cisco?" I just can't imagine how
> Checkpoint, Sidewinder, etc. can be viable products 5 years from now unless
> they significantly re-architect their systems very soon.

OK, what kind of pure application proxies are available in an ASIC or a micro-kernel/controller architecture?

> As for Netscreen/Juniper, they aren't leaving anytime soon.

They did beat out Cisco in some money thing in the Business section this week. [I don't follow the money stuff very well.]
--
Joe Yao
jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support
EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

From Joel.Snyder at Opus1.COM Wed Mar 3 17:14:03 2004
From: Joel.Snyder at Opus1.COM (Joel Snyder)
Date: Wed, 03 Mar 2004 15:14:03 -0700
Subject: [VPN] NetScreen / Juniper
In-Reply-To: <20040303164234.M11540@franklin.center.osis.gov>
References: <200403030530.32619.travis@traviswatson.com> <20040303164234.M11540@franklin.center.osis.gov>
Message-ID: <404658AB.6000004@opus1.com>

"pure application proxy" is a marketing buzzword and does not represent real technology. It's the rehashing of a 10-year-old argument that the "pure application proxy" vendors have failed to live up to. Proxy-based firewalls have never taken advantage of the architecture to the extent they claimed they could; packet-filtering (stateful) firewalls have created similar or better controls at the application layer than their proxy-based cousins.

I recently did an evaluation of both kinds of products to see which had lived up to their promise and, frankly, the proxy-based firewalls have come only 2 baby steps in the last 5 years while the stateful packet inspection devices have made huge strides, in some cases supplanting the capabilities of the "pure application proxy" folks.

The arguments offered by proxy firewalls as to why they're "better" are largely smoke and mirrors, and are not supported by the facts. In many cases, they have appended shitty non-stateful packet filtering firewalls to deal with their miserable proxy performance; in all cases, they have failed to exploit the application-layer visibility except in very specific cases, mostly HTTP. Their SMTP proxies are a joke, generally reducing total system security and trading on general fear that somehow a Microsoft TCP/IP stack is vulnerable just because it came from Microsoft.
The proof of the pudding is in the eating, and folks who have built-in application layer visibility and ASIC-level speed (including Check Point, NetScreen and maybe Cisco) are at a distinct advantage.

jms

Joseph S D Yao wrote:
> On Wed, Mar 03, 2004 at 05:30:31AM -0700, Travis Watson wrote:
> ...
>
>> merger gets them much closer. And, with this merger, I would say that it's
>> the final death blow to any firewall not on ASIC or running a
>> micro-kernel/controller architecture. So the question isn't really "should I
>> put an investment in Netscreen or Cisco?" but "should I put an investment
>> into any company that is not Netscreen or Cisco?" I just can't imagine how
>> Checkpoint, Sidewinder, etc. can be viable products 5 years from now unless
>> they significantly re-architect their systems very soon.
>
> OK, what kind of pure application proxies are available in an ASIC or a
> micro-kernel/controller architecture?
>
>> As for Netscreen/Juniper, they aren't leaving anytime soon.
>
> They did beat out Cisco in some money thing in the Business section
> this week. [I don't follow the money stuff very well.]

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

From jsdy at center.osis.gov Wed Mar 3 17:54:12 2004
From: jsdy at center.osis.gov (Joseph S D Yao)
Date: Wed, 3 Mar 2004 17:54:12 -0500
Subject: [VPN] NetScreen / Juniper
In-Reply-To: <404658AB.6000004@opus1.com>
References: <200403030530.32619.travis@traviswatson.com> <20040303164234.M11540@franklin.center.osis.gov> <404658AB.6000004@opus1.com>
Message-ID: <20040303175412.P11540@franklin.center.osis.gov>

On Wed, Mar 03, 2004 at 03:14:03PM -0700, Joel Snyder wrote:
> "pure application proxy" is a marketing buzzword and does not represent
> real technology. It's the rehashing of a 10-year-old argument that the
> "pure application proxy" vendors have failed to live up to. Proxy-based
> firewalls have never taken advantage of the architecture to the extent
> they claimed they could; packet-filtering (stateful) firewalls have
> created similar or better controls at the application layer than their
> proxy-based cousins.
>
> I recently did an evaluation of both kinds of products to see which had
> lived up to their promise and, frankly, the proxy-based firewalls have
> come only 2 baby steps in the last 5 years while the stateful packet
> inspection devices have made huge strides, in some cases supplanting the
> capabilities of the "pure application proxy" folks.
>
> The arguments offered by proxy firewalls as to why they're "better" are
> largely smoke and mirrors, and are not supported by the facts. In many
> cases, they have appended shitty non-stateful packet filtering firewalls
> to deal with their miserable proxy performance; in all cases, they have
> failed to exploit the application-layer visibility except in very
> specific cases, mostly HTTP. Their SMTP proxies are a joke, generally
> reducing total system security and trading on general fear that somehow
> a Microsoft TCP/IP stack is vulnerable just because it came from Microsoft.
>
> The proof of the pudding is in the eating, and folks who have built-in
> application layer visibility and ASIC-level speed (including Check
> Point, NetScreen and maybe Cisco) are at a distinct advantage.

I would be interested to see your study. I have asked for proofs of the marketing phrases you use, above, and have never gotten anything useful. Of course, stateful inspection has to have come a lot further from where it was back then! ;-)

But, in the end, part of this is, not what YOU [the generic "you"] want to force on customers, but what does the [perhaps educated] customer WANT?

And, OBTW, do YOU trust a TCP/IP stack that has been re-engineered so many times, and has built-in [and in many cases unadvertised] places for breaking into it?

--
Joe Yao
jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support
EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

From jsdy at center.osis.gov Thu Mar 4 10:51:20 2004
From: jsdy at center.osis.gov (Joseph S D Yao)
Date: Thu, 4 Mar 2004 10:51:20 -0500
Subject: [VPN] NetScreen / Juniper
In-Reply-To: <200403031741.24353.travis@traviswatson.com>
References: <200403030530.32619.travis@traviswatson.com> <20040303164234.M11540@franklin.center.osis.gov> <200403031741.24353.travis@traviswatson.com>
Message-ID: <20040304105120.C28135@franklin.center.osis.gov>

On Wed, Mar 03, 2004 at 05:41:24PM -0700, Travis Watson wrote:
> Joseph,
>
> I'm not aware of any product in an ASIC or a micro-kernel/controller
> architecture that is capable of "pure application proxies" but, I agree with
> Mr. Snyder that it's largely smoke and mirrors anyway.

Only partly. Not entirely. It would have been nice to have learned of some, but perhaps it's not likely [see my point about rate limiting below].

> I assume you are thinking of Sidewinder firewalls when you ask the question
> (correct me if I'm wrong). Sidewinder is a fine firewall--extremely secure.
> But they slapped on the proxy piece from their acquisition of Raptor.

No on both counts. I wasn't thinking of any. Sidewinder bought Gauntlet from NAI [and, yes, included parts of it], who had bought it with TIS Labs, while Symantec bought up Raptor.

> Apparently it has done them well because their sales are up. I don't want to
> get into a flame war over everyone's favorite flavor of firewall, but Joel is
> right in that "application proxy" is just a few baby steps away from snake
> oil. It's more for convenience from what I can tell. Sidewinder was secure
> without it but, I should think, no more secure with it.

No, there are real, functional differences.
I should have included in my response to Joel that it is unfortunately true that less work has been done on application proxies, which is a pity. I think it is more driven by marketers' perceptions that making a filtering firewall is easier and less expensive, though [and these perceptions are probably true], rather than because of any security studies.

> In the end, it just depends on the tool you need for your situation and the
> budget you have to work with. ...

Quite true.

> As for ASIC vs. micro-kernel/controller (looking at Joel's last couple and
> yours), ASIC is king for pumping traffic. ...

Also true. But that just means that your rate limiting is done at the inspection part - and if you are going for speed, the inspection is likely to be sacrificed.

...
> As for VPN/firewall sales, what happens when Cisco goes to all those
> Fortune500 companies (and others) that are already Cisco shops and says
> something to the effect of, "Hey, why don't you just install our 'secure IOS'
> on all your routers and manage them with our groovy central manager? You
> wouldn't have to change a thing architecturally and you would have a firewall
> at all your routing points!" It's a good question--one that
> Juniper/Netscreen will have to answer and other firewall vendors can't
> answer--and Cisco is only a bit of IOS development and a decent central
> manager away from being able to ask it.

Quite true. But, rationally, they should then analyze (a) the intrinsic value of Cisco's offering versus other separate or integrated offerings, and (b) the inherent risks of using an integrated tool versus one that "does one thing but does it right". On the third hand, we're talking business here, and rationality doesn't always apply. ;-/

--
Joe Yao
jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support
EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
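Editor's note, added to this archive and not part of any message above: the exchange between Joel Snyder and Joe Yao turns on what "application-layer visibility" buys you over connection tracking. The toy below makes that concrete. It is constructed for this page, not code from the list, from a vendor or from any real product; the addresses (10.0.0.5, 198.51.100.7), the policy ("inside hosts may open TCP/80 outbound"), the class names and the four sample flows are all assumptions. The stateful filter admits a flow on its 4-tuple and thereafter forwards any bytes on it; the proxy only relays what it can parse as HTTP/1.x, so an SSH banner or a CONNECT tunnel on port 80 is refused even though the filter would pass it.

```python
"""Stateful packet filter vs. application proxy: what each one can see.

Constructed illustration for the proxy-vs-stateful-inspection thread on
the VPN list. Not code from the list, from any vendor or any real product.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10."          # assumed: the protected network
ALLOWED_OUTBOUND_PORTS = {80}  # assumed policy: inside may open TCP/80 out


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str             # TCP-style subset of "SAFR"
    payload: bytes = b""


class StatefulFilter:
    """Tracks connections by 4-tuple. Once a flow is in the table, any
    payload in either direction is forwarded; nothing above layer 4 is
    ever examined."""

    def __init__(self):
        self.flows = set()

    def check(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            if "F" in p.flags or "R" in p.flags:   # teardown: forget flow
                self.flows.discard(fwd)
                self.flows.discard(rev)
            return "ALLOW"
        # A new flow is only a bare SYN from inside to an allowed port.
        if (p.flags == "S" and p.src.startswith(INSIDE_PREFIX)
                and p.dport in ALLOWED_OUTBOUND_PORTS):
            self.flows.add(fwd)
            return "ALLOW"
        return "DROP"


class HttpProxy:
    """Terminates the client TCP session and relays only a request it can
    parse as HTTP/1.x with a permitted method. Anything else arriving on
    port 80 (an SSH banner, a CONNECT tunnel) is refused."""

    METHODS = {"GET", "HEAD", "POST"}   # assumed policy: no CONNECT

    def check(self, payload: bytes) -> str:
        head, sep, _ = payload.partition(b"\r\n\r\n")
        if not sep:
            return "DROP"               # no complete header block yet
        try:
            request_line = head.split(b"\r\n")[0].decode("ascii")
        except UnicodeDecodeError:
            return "DROP"
        parts = request_line.split(" ")
        if (len(parts) != 3 or parts[0] not in self.METHODS
                or not parts[1].startswith("/")
                or not parts[2].startswith("HTTP/1.")):
            return "DROP"
        return "ALLOW"


def verdicts(packets):
    """Run one client->server flow (handshake, then a data segment) through
    both devices; return (filter verdict, proxy verdict) for the data."""
    fw, proxy = StatefulFilter(), HttpProxy()
    for p in packets:
        if fw.check(p) == "DROP":
            return "DROP", "NOT_SEEN"   # the proxy never sees the bytes
    return "ALLOW", proxy.check(packets[-1].payload)


def flow(src, dst, payload, sport=40000, dport=80):
    """Constructed three-way handshake followed by one data segment."""
    return [
        Packet(src, sport, dst, dport, "S"),
        Packet(dst, dport, src, sport, "SA"),
        Packet(src, sport, dst, dport, "A"),
        Packet(src, sport, dst, dport, "A", payload),
    ]


# Constructed sample flows (addresses are documentation/private ranges).
HTTP_OK = flow("10.0.0.5", "198.51.100.7",
               b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
SSH_ON_80 = flow("10.0.0.5", "198.51.100.7", b"SSH-2.0-OpenSSH_3.8\r\n")
CONNECT_ON_80 = flow("10.0.0.5", "198.51.100.7",
                     b"CONNECT 198.51.100.9:22 HTTP/1.1\r\n\r\n")
INBOUND = flow("198.51.100.7", "10.0.0.5", b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, f in [("http", HTTP_OK), ("ssh-on-80", SSH_ON_80),
                    ("connect-on-80", CONNECT_ON_80), ("inbound", INBOUND)]:
        print(f"{name:14s} filter/proxy = {verdicts(f)}")
```

The unsolicited inbound SYN is stopped by either design; the difference shows on the two flows the filter admits and the proxy refuses, which is the visibility Joel's argument says stateful devices have since caught up on, and which Joe's rate-limiting point says costs throughput wherever it is done.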
From pmis at earthlink.net Wed Mar 10 14:57:20 2004
From: pmis at earthlink.net (PMis)
Date: Wed, 10 Mar 2004 14:57:20 -0500 (GMT-05:00)
Subject: [VPN] Question: vpn security testing tools and info?
Message-ID: <7437008.1078948641366.JavaMail.root@bigbird.psp.pas.earthlink.net>

Hi,

My apologies if this is some kind of a FAQ (if it is, please send a pointer to the appropriate document) or if this is not an appropriate forum for such a question.

I need to test the security of a (new) VPN implementation in my company. What tools would one use for such testing, what types of tests are typically performed, what should one look for (most common implementation mistakes, etc.), and where can one find more information on such matters (how-to documents, etc.)?

Thank you in advance,
John

From Shahid.Kamran at conocophillips.com Thu Mar 11 10:22:25 2004
From: Shahid.Kamran at conocophillips.com (Kamran, Shahid:)
Date: Thu, 11 Mar 2004 09:22:25 -0600
Subject: [VPN] CISCO VPN The necessary VPN sub-system is not available, you will not be able to make a connection to the remote IPSec server
Message-ID: <3330FBED7075F143857369CE5737148FC3C317@HOEXMB1.conoco.net>

This can also be due to the service failure at system startup. Look in the event log to see the errors.

I was able to bypass the error by doing the following:

1. Go to Control Panel.
2. Select Services (on XP, Services is under Administrative Tools).
3. You will see the Cisco VPN service has not been started. Double-click on it and start the service.
4. Go back and run VPN.

From wajid.muhammad at ufonegsm.net Sun Mar 21 23:00:41 2004
From: wajid.muhammad at ufonegsm.net (Muhammad Wajid)
Date: Mon, 22 Mar 2004 09:00:41 +0500
Subject: [VPN] Contivity!
Message-ID: <095C7F20DB18664A9D9161C90F9B093A27AC0C@isb-msc-xc01.ufonegsm.net>

Can we use Contivity as a dedicated firewall? Does it support PAT like other firewalls?

Regards,

M. Abdul Wajid
Manager - IT (Ops & System Admin)
Ufone PTML, 181-186, TIP Complex
Street No. 10, Sector I-9/2, Islamabad.
Pakistan.
Mobile: + 92 333 5100090, Land Line: + 92 51 4435940
Fax: + 92 51 4435940
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040322/cb5e55b3/attachment.htm

From andy.ciordia at pgdc.com Mon Mar 22 12:25:38 2004
From: andy.ciordia at pgdc.com (Andy Ciordia)
Date: Mon, 22 Mar 2004 12:25:38 -0500
Subject: [VPN] Need Advice on a start point..
Message-ID: <405F2192.1010500@pgdc.com>

The years have rolled on and SSH for just developers is not cutting the mustard for the administrative side of the company. At this time administration exists on a non-routable, production on its own class C, and a broken installation of Sunscreen-1 running on an aged Solaris machine for our firewall rules. We are completely Linux on development these days; administration is, like most places, all Windows (2000/XP). We still own a few class C's and I've been toying with moving the office onto one of our secondaries.. that or NAT them.. I'm tired of non-routable-non-NAT, it causes so many proxy headaches.

Recently we just acquired another company and through their technology I inherited a PIX 515R which is out of date and contract. I need to get a VPN/IPsec rollout initiated and my head is swollen with all of the last 2-3 years of reviews but can't seem to find anything current. We have about 15 users that will need access from outside and I'm vacillating between Cisco's line, Lucent's Brick 80, Linksys/Netgear, insert provider here..

I want to replace our firewall; it's old, relegated, un-upgradeable and must go. We have existing Catalyst 5000/2500 in use, both at this time are out of contract and could use a fresh IOS push I'm sure.

Does anyone have any advice they can give? Bring the 515R into production use through upgrades or go with a fresh rollout? Or should I just start contacting VARs and implementing demos?
Anyhow, for anyone who has followed this far or can give some ideas, it is so very much appreciated. :)

-a

From shimons at bll.co.il Mon Mar 22 12:58:05 2004
From: shimons at bll.co.il (Shimon Silberschlag)
Date: Mon, 22 Mar 2004 19:58:05 +0200
Subject: [VPN] AES and 3DES performance on Cisco routers
References:
Message-ID: <004101c41037$3c8c2640$9a04320a@shimons>

Can someone on the group comment on the speeds that a Cisco router with HW acceleration used for a VPN end point can reach using AES128, AES256 and 3DES?

TIA,
Shimon Silberschlag
+972-3-9351572
+972-51-207130
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040322/34aaeef4/attachment.htm

From nap.van.zuuren at pandora.be Mon Mar 22 13:18:14 2004
From: nap.van.zuuren at pandora.be (Nap van Zuuren)
Date: Mon, 22 Mar 2004 19:18:14 +0100
Subject: [VPN] This Week: VPNs -- IPsec vs. SSL
Message-ID: <01C41042.6D953F00.nap.van.zuuren@pandora.be>

I have no link with this site, but inform you all, as it might be of interest to you.

This Week: VPNs -- IPsec vs. SSL

VPNs: IPsec vs. SSL
IPsec and SSL VPNs each have their place on the network. Browse through our resources and decide which best fits your needs.
http://www.searchSecurity.com/featuredTopic/0,290042,sid14_gci930931,00.html?track=NL-105&ad=478683

Greetings,
Nap

From djdawso at qwest.com Mon Mar 22 14:02:53 2004
From: djdawso at qwest.com (Dana J. Dawson)
Date: Mon, 22 Mar 2004 13:02:53 -0600
Subject: [VPN] AES and 3DES performance on Cisco routers
In-Reply-To: <004101c41037$3c8c2640$9a04320a@shimons>
References: <004101c41037$3c8c2640$9a04320a@shimons>
Message-ID: <405F385D.5080406@qwest.com>

An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040322/d1f8b6bc/attachment.htm

From brian_minier at iisvr.com Mon Mar 22 15:24:12 2004
From: brian_minier at iisvr.com (Brian V. Minier)
Date: Mon, 22 Mar 2004 15:24:12 -0500
Subject: [VPN] AES and 3DES performance on Cisco routers
In-Reply-To: <004101c41037$3c8c2640$9a04320a@shimons>
Message-ID: <20040322201817.4AA70570@mail.iocaine.com>

Well, from the Cisco website on a PIX firewall:

The compact desktop chassis of the Cisco PIX 506E provides two autosensing Fast Ethernet (10/100) interfaces. Ideal for securing high-speed Internet connections, the Cisco PIX 506E delivers up to 100 Mbps of firewall throughput, 16 Mbps of Triple Data Encryption Standard VPN throughput, and 30 Mbps of Advanced Encryption Standard-128 VPN throughput in a cost-effective, high-performance solution.

So, it looks like AES 128 is roughly 2x as fast as 3DES. I would hazard a guess and say AES256 would then be about as fast as 3DES.

Brian

_____
From: vpn-bounces+brian_minier=iisvr.com at lists.shmoo.com [mailto:vpn-bounces+brian_minier=iisvr.com at lists.shmoo.com] On Behalf Of Shimon Silberschlag
Sent: Monday, March 22, 2004 12:58 PM
To: vpn at lists.shmoo.com
Subject: [VPN] AES and 3DES performance on Cisco routers

Can someone on the group comment on the speeds that a Cisco router with HW acceleration used for a VPN end point can reach using AES128, AES256 and 3DES?

TIA,
Shimon Silberschlag
+972-3-9351572
+972-51-207130
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040322/154f8abb/attachment.htm

From bruns at 2mbit.com Mon Mar 22 21:03:15 2004
From: bruns at 2mbit.com (Brian Bruns)
Date: Mon, 22 Mar 2004 21:03:15 -0500
Subject: [VPN] AES and 3DES performance on Cisco routers
References: <20040322201817.4AA70570@mail.iocaine.com>
Message-ID: <015d01c4107b$029f4270$02005a0a@2mbit.com>

On Monday, March 22, 2004 3:24 PM [EST], Brian V. Minier wrote:
>> Well, from the Cisco website on a PIX firewall
>>
>> The compact desktop chassis of the Cisco PIX 506E provides two autosensing
>> Fast Ethernet (10/100) interfaces. Ideal for securing high-speed Internet
>> connections, the Cisco PIX 506E delivers up to 100 Mbps of firewall
>> throughput, 16 Mbps of Triple Data Encryption Standard VPN throughput, and
>> 30 Mbps of Advanced Encryption Standard-128 VPN throughput in a
>> cost-effective, high-performance solution.
>>
>> So, it looks like AES 128 is roughly 2x as fast as 3DES. I would hazard a
>> guess and say AES256 would then be about as fast as 3DES.

(3)DES is slow no matter how you look at it. Your best bet is to stick with AES, as it is supposed to replace DES completely.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org

From joel at milestonenetworks.com Mon Mar 22 22:41:17 2004
From: joel at milestonenetworks.com (Joel Kappes)
Date: Mon, 22 Mar 2004 22:41:17 -0500
Subject: [VPN] Solaris to Netscreen 50
Message-ID: <70400-22004322334117359@milestonenetworks.com>

Hello,

I have a client that has a bunch of remote Solaris boxes that need to terminate into the corporate NS-50 firewall. Does anyone know of a VPN client off the shelf for Solaris that will work with the Netscreen boxes?

Any help or ideas would be greatly appreciated.

Joel

Joel Kappes
Milestone Networks, Inc.
88 Inverness Circle East G103
Englewood, Colorado 80112
303-468-6010 Main
303-468-6015 Direct
303-468-6011 Fax
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040322/292425bf/attachment.htm

From piranhabros at yahoo.com Tue Mar 23 04:30:30 2004
From: piranhabros at yahoo.com (Michael Batchelder)
Date: Tue, 23 Mar 2004 01:30:30 -0800 (PST)
Subject: [VPN] Re: Need Advice on a start point..
In-Reply-To: <20040322190009.5A6B225B24@mail.iocaine.com>
Message-ID: <20040323093030.90810.qmail@web13810.mail.yahoo.com>

Good things about PIX:

Simplicity of having an appliance, rather than separate o/s and firewall software. Some fw's say they're appliances, but PIX is the most convenient of the major fw vendors in this regard. One tftp and you're done.

Performance. I'm going to assume your internet connection, based on your company size, is a T1 or maybe a couple mux'd T1's. Your 515 should be able to pass packets in its sleep on that. VPN performance should be fine, but if you find it lacking, you can throw in a PCI crypto accelerator for a mere grand...

Fail-over. Very simple to do fail-over on a PIX 515. Buy another PIX. Plug in the serial fail-over cable or use a dedicated ethernet (don't use cross-over, though--obey the install guide!). Although buying the 2nd PIX won't be cheap...

Support. Cisco support is good, including documentation. Better than Checkpoint. Oh, did I mention better than Checkpoint? And btw, it's better than Checkpoint.

Administration. Everything that a PIX can do can be config'd thru a command line UI, either on the console or via secure network connection (AES encrypted SSH).

Bad things about PIX:

Administration. If you don't like command line UI's, you're not going to love the PIX. There are graphical tools to manage it, but I find them all pretty lacking in one way or another. I happen to not care about GUI tools. You may. Particularly because the PIX has its own... logic about how to set up rules. Once you get into the mindset of PIX, it's fine. But that takes some bending of your brain. Someone wise once said to me, while I was learning PIXish: "The PIX is not a router. It's a... NAT'ing... thing."

Doesn't scale well to more than a few remote sites, unless you like writing Expect scripts or perl w/similar modules.

You'll pay for VPN clients on a per-seat basis.

Doesn't do SSL VPN if you want a "clientless" VPN solution.
Can't have a packet enter and exit the same interface. Just the way the PIX packet forwarding code works. So for example, no "secondary" interfaces for multiple layer 3 networks on a single layer 1/2 network. Or whatever you're trying to do... This has implications for hub-and-spoke VPN topologies.

---

That's what's off the top of my head. Feel free to ask me specifics. In general, as stateful packet filters go, it's a fine choice.

Michael

From miker at cotse.com Tue Mar 23 09:44:15 2004
From: miker at cotse.com (Michael Ray)
Date: Tue, 23 Mar 2004 08:44:15 -0600
Subject: [VPN] Solaris to Netscreen 50
In-Reply-To: <70400-22004322334117359@milestonenetworks.com>
References: <70400-22004322334117359@milestonenetworks.com>
Message-ID: <12j0609qa5apb5srpldhnbr4etlkbom26c@4ax.com>

On Mon, 22 Mar 2004 22:41:17 -0500, you wrote:
>
>Hello,
>
>I have a client that has a bunch of remote Solaris boxes that need to terminate into the corporate NS-50 firewall. Does anyone know of a VPN client off the shelf for Solaris that will work with the Netscreen boxes?

Cisco and F-Secure have clients for Solaris.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel401/401_clnt.htm
http://www.datafellows.com/products/vpnplus/

Sun also has IPSEC implemented on Solaris.
http://wwws.sun.com/software/whitepapers/solaris9/ipsec.pdf
http://wwws.sun.com/software/solaris/ds/ds-security/ds-security.pdf
http://wwws.sun.com/software/solaris/encryption/download.html

>Any help or ideas would be greatly appreciated.

I have not terminated Solaris to Netscreen but have done so successfully with quite a few different OSes and IPSEC capable devices. (Free/Open/NetBSD, various Linux distros and clients, Windows 2k, XP, 2003. Checkpoint, Cisco, Nortel, Cyberguard and I know I am missing a couple others).
I suggest that you create custom Phase1 and Phase2 proposals. You will also want to make sure your NAT traversal and mode is correctly set (aggressive vs main) and supported on the Solaris side. I use VPN monitor when I have the Netscreen connecting to a non-Netscreen device as IKE-heartbeat is only for Netscreen to Netscreen.

Here are a few links on Solaris IPSEC, how-to, etc.

Three part Securityfocus article:
Configuring IPsec/IKE on Solaris, Part One
http://www.securityfocus.com/infocus/1616
Configuring IPSec and Ike on Solaris, Part Two
http://www.securityfocus.com/infocus/1625
Configuring IPsec and IKE on Solaris, Part Three
http://www.securityfocus.com/infocus/1628

Cisco:
Cisco VPN Client User Guide for Linux and Solaris
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_book09186a00801728a1.html
http://www.cisco.com/application/pdf/en/us/guest/products/ps2308/c1629/ccmigration_09186a008015cff4.pdf

Implementing IPSec in the Solaris(TM) 8 Environment
http://www.samag.com/documents/s=1323/sam0110c/0110c.htm

You can also find some knowledgebase articles on Netscreen's site.

>Joel

I hope that helps.

Mike

From djdawso at qwest.com Tue Mar 23 13:19:46 2004
From: djdawso at qwest.com (Dana J. Dawson)
Date: Tue, 23 Mar 2004 12:19:46 -0600
Subject: [VPN] Re: Need Advice on a start point..
In-Reply-To: <20040323093030.90810.qmail@web13810.mail.yahoo.com>
References: <20040323093030.90810.qmail@web13810.mail.yahoo.com>
Message-ID: <40607FC2.1000700@qwest.com>

An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040323/6c94f658/attachment.htm

From jef at linuxbe.org Wed Mar 24 04:31:37 2004
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Wed, 24 Mar 2004 10:31:37 +0100
Subject: [VPN] AES and 3DES performance on Cisco routers
In-Reply-To: <015d01c4107b$029f4270$02005a0a@2mbit.com>
References: <20040322201817.4AA70570@mail.iocaine.com> <015d01c4107b$029f4270$02005a0a@2mbit.com>
Message-ID: <20040324093137.GF1341@gardafou.assamite.eu.org>

Please all note that those numbers are marketing and that they are measured on tailored traffic (max MTU size for each packet) which is not real world traffic; this, at least in most vendor documentation.

J.

On Mon, Mar 22, 2004 at 09:03:15PM -0500, Brian Bruns wrote:
> On Monday, March 22, 2004 3:24 PM [EST], Brian V. Minier wrote:
>
> >> Well, from the Cisco website on a PIX firewall
> >>
> >> The compact desktop chassis of the Cisco PIX 506E provides two autosensing Fast Ethernet (10/100) interfaces. Ideal for securing high-speed Internet connections, the Cisco PIX 506E delivers up to 100 Mbps of firewall throughput, 16 Mbps of Triple Data Encryption Standard VPN throughput, and 30 Mbps of Advanced Encryption Standard-128 VPN throughput in a cost-effective, high-performance solution.
> >>
> >> So, it looks like AES 128 is roughly 2x as fast as 3DES. I would hazard a guess and say AES256 would then be about as fast as 3DES.
>
> (3)DES is slow no matter how you look at it. Your best bet is to stick with AES, as it is supposed to replace DES completely.
>
> --
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
>
> The Abusive Hosts Blocking List
> http://www.ahbl.org

--
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From jef at linuxbe.org Wed Mar 24 04:38:15 2004
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Wed, 24 Mar 2004 10:38:15 +0100
Subject: [VPN] Re: Need Advice on a start point..
In-Reply-To: <20040323093030.90810.qmail@web13810.mail.yahoo.com>
References: <20040322190009.5A6B225B24@mail.iocaine.com> <20040323093030.90810.qmail@web13810.mail.yahoo.com>
Message-ID: <20040324093815.GG1341@gardafou.assamite.eu.org>

PIX less scalable? Well, it really depends on how you build your configuration.. As for the problem discussed, I'd say that any decent up to date SOHO router/firewall should do, especially for 15 VPN users only / speed-traffic requirements. I suppose it all depends on how much money you want to spend, if any. I personally would put a plain stupid PC (ok, a couple) and OpenBSD/Linux on it but...

J.

On Tue, Mar 23, 2004 at 01:30:30AM -0800, Michael Batchelder wrote:
> Good things about PIX:
>
> Simplicity of having an appliance, rather than separate o/s and firewall software. Some fw's say they're appliances, but PIX is the most convenient of the major fw vendors in this regard. One tftp and you're done.
>
> Performance. I'm going to assume your internet connection, based on your company size, is a T1 or maybe a couple mux'd T1's. Your 515 should be able to pass packets in its sleep on that. VPN performance should be fine, but if you find it lacking, you can throw in a PCI crypto accelerator for a mere grand...
>
> Fail-over. Very simple to do fail-over on a PIX 515.
> Buy another PIX. Plug in the serial fail-over cable or use a dedicated ethernet (don't use cross-over, though--obey the install guide!). Although buying the 2nd PIX won't be cheap...
>
> Support. Cisco support is good, including documentation. Better than Checkpoint. Oh, did I mention better than Checkpoint? And btw, it's better than Checkpoint.

Yeah, they rock (Cisco support)!

>
> Administration. Everything that a PIX can do can be config'd thru a command line UI, either on the console or via secure network connection (AES encrypted SSH).
>
> Bad things about PIX:
>
> Administration. If you don't like command line UI's, you're not going to love the PIX. There are graphical tools to manage it, but I find them all pretty lacking in one way or another. I happen to not care about GUI tools. You may. Particularly because the PIX has its own... logic about how to set up rules. Once you get into the mindset of PIX, it's fine. But that takes some bending of your brain. Someone wise once said to me, while I was learning PIXish: "The PIX is not a router. It's a... NAT'ing... thing."
>
> Doesn't scale well to more than a few remote sites, unless you like writing Expect scripts or perl w/similar modules.
>
> You'll pay for VPN clients on a per-seat basis.
>
> Doesn't do SSL VPN if you want a "clientless" VPN solution.
>
> Can't have a packet enter and exit the same interface. Just the way the PIX packet forwarding code works. So for example, no "secondary" interfaces for multiple layer 3 networks on a single layer 1/2 network. Or whatever you're trying to do... This has implications for hub-and-spoke VPN topologies.
> ---
>
> That's what's off the top of my head. Feel free to ask me specifics. In general, as stateful packet filters go, it's a fine choice.
>
> Michael
--
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From shimons at bll.co.il Wed Mar 24 05:44:30 2004
From: shimons at bll.co.il (Shimon Silberschlag)
Date: Wed, 24 Mar 2004 12:44:30 +0200
Subject: [VPN] AES and 3DES performance on Cisco routers
References: <20040322201817.4AA70570@mail.iocaine.com> <015d01c4107b$029f4270$02005a0a@2mbit.com> <20040324093137.GF1341@gardafou.assamite.eu.org>
Message-ID: <000c01c4118c$ff990ad0$9a04320a@shimons>

What I would really like to see is how much overhead the various encryption protocols take from the nominal bandwidth. For example, if I have a 2Mbit line to a branch and use 3DES, my actual throughput will be X, vs. if I use AES, the throughput will be Y.

Shimon Silberschlag
+972-3-9351572
+972-51-207130

----- Original Message -----
From: "Jean-Francois Dive"
To: "Brian Bruns"
Cc: "Brian V. Minier" ; "'Shimon Silberschlag'" ;
Sent: Wednesday, March 24, 2004 11:31
Subject: Re: [VPN] AES and 3DES performance on Cisco routers

> Please all note that those numbers are marketing and that they are measured on tailored traffic (max MTU size for each packet) which is not real world traffic; this, at least in most vendor documentation.
>
> J.
>
> On Mon, Mar 22, 2004 at 09:03:15PM -0500, Brian Bruns wrote:
> > On Monday, March 22, 2004 3:24 PM [EST], Brian V. Minier wrote:
> >
> > >> Well, from the Cisco website on a PIX firewall
> > >>
> > >> The compact desktop chassis of the Cisco PIX 506E provides two autosensing Fast Ethernet (10/100) interfaces.
> > >> Ideal for securing high-speed Internet connections, the Cisco PIX 506E delivers up to 100 Mbps of firewall throughput, 16 Mbps of Triple Data Encryption Standard VPN throughput, and 30 Mbps of Advanced Encryption Standard-128 VPN throughput in a cost-effective, high-performance solution.
> > >>
> > >> So, it looks like AES 128 is roughly 2x as fast as 3DES. I would hazard a guess and say AES256 would then be about as fast as 3DES.
> >
> > (3)DES is slow no matter how you look at it. Your best bet is to stick with AES, as it is supposed to replace DES completely.
> >
> > --
> > Brian Bruns
> > The Summit Open Source Development Group
> > Open Solutions For A Closed World / Anti-Spam Resources
> > http://www.sosdg.org
> >
> > The Abusive Hosts Blocking List
> > http://www.ahbl.org
>
> --
> -> Jean-Francois Dive
> --> jef at linuxbe.org
>
> I think that God in creating Man somewhat overestimated his ability.
> -- Oscar Wilde

From DShaw at exceed.com.au Wed Mar 24 19:03:16 2004
From: DShaw at exceed.com.au (Dale Shaw)
Date: Thu, 25 Mar 2004 11:03:16 +1100
Subject: [VPN] Cisco VPN3k, locking users to client
Message-ID: <5D22FB41E0F0994ABEAF2CDBEBA682A808A4EF@hahn.exceed.local>

Hi,

Can anyone think of a way to ensure that 'user A' can only establish a VPN tunnel if they are connecting from 'VPN client A'?

Setup: VPN3030, RADIUS authentication (to Cisco ACS 3.2 on Windoze), no certificates, no hardware tokens.

Unless I'm missing something really obvious, I can't see an easy way to do this.
cheers,
Dale

From mjanoska at sympatico.ca Wed Mar 24 22:01:28 2004
From: mjanoska at sympatico.ca (Mark Janoska)
Date: Wed, 24 Mar 2004 22:01:28 -0500
Subject: [VPN] Windows 2000 VPN Client configuration
Message-ID: <000301c41215$789ec220$6402a8c0@SME>

I am looking for detailed information on the configuration options (registry values etc) available for setting up a VPN client using the Windows 2000 VPN client with IPsec. The end point for the connection is on a Linksys RV082 router. To date I have been able to find information on how to alter the registry to prevent automatic security policy generation so that I can use my own policy.

Thanks
MJ

From sirish at enet.com.np Wed Mar 24 23:12:42 2004
From: sirish at enet.com.np (Sirish)
Date: Thu, 25 Mar 2004 9:57:42 +0545
Subject: [VPN] Problem disconnecting in cisco 1720
Message-ID: <20040325035948.88126966@mail.iocaine.com>

Hello,

I have been facing a problem of being disconnected whenever I connect through a Cisco 1720 in a VPN setup. The username and password are valid and they authenticate fine when used to connect to the internet from a standalone PC, but whenever the same username and password are used through the Cisco 1720, it gets disconnected after 15 seconds. After diagnosing I found out that the Internet Service Provider (ISP) has a RAS with a v.32 module in it, but the modem connected to the Cisco 1720 has a v.90 module. So it is really a problem with v.32 and v.90 (a speed problem). I have tried turning off v.90 in the script of the Cisco 1720 but that did not work. I have tried changing the IOS several times but that did not work either. So is there any solution to that? What is the problem with the disconnecting? Please help!!!!
Thanks in advance
Siris

From ssgill at gilltechnologies.com Wed Mar 24 23:11:21 2004
From: ssgill at gilltechnologies.com (Sarbjit Singh Gill)
Date: Thu, 25 Mar 2004 12:11:21 +0800
Subject: [VPN] Windows 2000 VPN Client configuration
In-Reply-To: <000301c41215$789ec220$6402a8c0@SME>
Message-ID: <200403250411.i2P4BT3a020930@eastgate.starhub.net.sg>

You could try the Microsoft VPN website
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp

-----Original Message-----
From: vpn-bounces+ssgill=gilltechnologies.com at lists.shmoo.com [mailto:vpn-bounces+ssgill=gilltechnologies.com at lists.shmoo.com] On Behalf Of Mark Janoska
Sent: Thursday, March 25, 2004 11:01 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Windows 2000 VPN Client configuration

I am looking for detailed information on the configuration options (registry values etc) available for setting up a VPN client using the windows 2000 VPN client with IPsec. The end point for the connection is on a Linksys RV082 router. To date I have been able to find information on how to alter the registry to prevent automatic security policy generation so that I can use my own policy.

Thanks
MJ

From john at dndlabs.net Wed Mar 24 23:40:08 2004
From: john at dndlabs.net (John Ruff)
Date: Wed, 24 Mar 2004 23:40:08 -0500
Subject: [VPN] Cisco VPN3k, locking users to client
In-Reply-To: <5D22FB41E0F0994ABEAF2CDBEBA682A808A4EF@hahn.exceed.local>
References: <5D22FB41E0F0994ABEAF2CDBEBA682A808A4EF@hahn.exceed.local>
Message-ID: <406262A8.10708@dndlabs.net>

This may not be an exact answer but might point you in the right direction. You can restrict what group user 'A' logs in under by placing a value in the attribute 'CLASS' equal to 'OU=GroupName;' (notice the semicolon).
So in other words, if user 'A' was a part of group 'A', you would add the 'CLASS' RADIUS attribute to the RADIUS profile assigned to user 'A' having value 'OU=A;'. This would prevent user 'A' from logging in under group B, C, D, etc...

Maybe this helps. The documentation on the above is from Cisco's site, so maybe what you're looking for is there too.

Good Luck!

_________________
John Ruff
john at dndlabs.net
"No one can see past a decision they don't understand." --The Oracle

Dale Shaw wrote:
>Hi,
>
>Can anyone think of a way to ensure that 'user A' can only establish a VPN tunnel if they are connecting from 'VPN client A'?
>
>Setup: VPN3030, RADIUS authentication (to Cisco ACS 3.2 on Windoze), no certificates, no hardware tokens.
>
>Unless I'm missing something really obvious, I can't see an easy way to do this.
>
>cheers,
>Dale

From miker at cotse.com Thu Mar 25 00:31:40 2004
From: miker at cotse.com (Michael Ray)
Date: Wed, 24 Mar 2004 23:31:40 -0600
Subject: [VPN] Windows 2000 VPN Client configuration
In-Reply-To: <000301c41215$789ec220$6402a8c0@SME>
References: <000301c41215$789ec220$6402a8c0@SME>
Message-ID:

On Wed, 24 Mar 2004 22:01:28 -0500, you wrote:
>I am looking for detailed information on the configuration options (registry values etc) available for setting up a VPN client using the windows 2000 VPN client with IPsec. The end point for the connection is on a Linksys RV082 router. To date I have been able to find information on how to alter the registry to prevent automatic security policy generation so that I can use my own policy.
These 2 links should get you where you want to be.

Step by step guide with screen shots, etc:
Configuring IPsec Between a Microsoft Windows 2000 or XP PC and a Linksys Cable/DSL VPN Router
http://www.linksys.com/support/support.asp?spid=86

Microsoft Knowledge Base Article - 252735
How to Configure IPSec Tunneling in Windows 2000
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q252/7/35.asp&NoWebContent=1&NoWebContent=1

>Thanks
>MJ
>

I hope that helps.

Mike

From drue at therub.org Thu Mar 25 17:19:39 2004
From: drue at therub.org (Dan Rue)
Date: Thu, 25 Mar 2004 16:19:39 -0600
Subject: [VPN] Sonicwall SOHO2 <-- vpn --> open/free bsd
Message-ID: <20040325221939.GA22917@therub.org>

We currently have two or three SonicWalls, but no VPN licenses. We would like to get a few VPNs set up, but we have a few questions about the SonicWalls before we drop $$$ on VPN licenses.

First of all, we are going to move away from the SonicWalls at some point. Ideally, we would get the VPN licenses, and as we phase out the SonicWalls we would use them to connect back to some sort of VPN server ideally running OpenBSD or FreeBSD.

My question is, how standard is SonicWall's IPsec implementation? Can they interoperate with a BSD VPN server?

tia,
Dan

From john.spanos at adacel.com Thu Mar 25 20:15:32 2004
From: john.spanos at adacel.com (John Spanos)
Date: Fri, 26 Mar 2004 12:15:32 +1100
Subject: [VPN] Re: Cisco PIX issue with isakmp identity of peer
In-Reply-To: <20040325221939.GA22917@therub.org>
Message-ID:

Hi all,

I have a problem I am trying to figure out. I have a PIX at head office with various other IPSec peers connected via permanent tunnels. I also have a remote client based VPN that uses certificates on the same PIX. Now, for the certificate-based client VPN to operate I MUST have the isakmp identity hostname command set.
All my existing site-to-site VPNs operate fine under this scenario, but I am trying to add a new VPN to a Billion ADSL Firewall which fails under this situation. I ran debug output and found that the PIX was doing an ID_FQDN check of the isakmp peer and failing. If I then change the isakmp identity command to address, I can successfully set up the tunnel, but then my client based VPN is cactus!

If anyone can shed some light on getting around this issue I'd much appreciate it. I am not sure HOW the PIX checks the FQDN, as I can't find anywhere in the configuration documents how to force the PIX to check a particular DNS server. Or does it check against 'names' configured hosts in its own config?

Thanks In Advance.

John Spanos.

From miker at cotse.com Fri Mar 26 09:50:01 2004
From: miker at cotse.com (Michael Ray)
Date: Fri, 26 Mar 2004 08:50:01 -0600
Subject: [VPN] Sonicwall SOHO2 <-- vpn --> open/free bsd
In-Reply-To: <20040325221939.GA22917@therub.org>
References: <20040325221939.GA22917@therub.org>
Message-ID:

On Thu, 25 Mar 2004 16:19:39 -0600, you wrote:
>We currently have two or three sonicwalls, but no vpn licenses. We would like to get a few vpns set up, but we have a few questions about the sonicwalls before we drop $$$ on vpn licenses.
>
>First of all, we are going to move away from the sonicwalls at some point. Ideally, we would get the VPN licenses, and as we phase out the sonicwalls we would use them to connect back to some sort of vpn server ideally running openbsd or freebsd.
>
>My question is, how standard is sonicwalls ipsec implementation? Can they interoperate with a bsd vpn server?

SonicWall's IPSEC is standards based and should work with most IPSEC implementations. The link from SonicWall has step-by-step how-to documents for a number of different clients, VPN devices and implementations. There is no *BSD listed, but there is a Redhat with FreeS/WAN. It will be straightforward to configure the *BSD box to do the same.
SonicWALL - User Manual, Security Appliances, Interoperability
http://www.sonicwall.com/services/VPN_documentation.html

Here is a mailing list thread on OpenBSD to SonicWall from last year. The end result was it worked.
http://www.allard.nu/pipermail/openbsd-ipsec-clients/2003-March/000898.html
http://www.allard.nu/pipermail/openbsd-ipsec-clients/2003-March/thread.html#898

VPN(8) - OpenBSD System Manager's Manual
vpn - configuring the system for virtual private networks
http://www.openbsd.org/cgi-bin/man.cgi?query=vpn&sektion=8&manpath=OpenBSD+Current

How to setup IPsec interoperable for Linux, OpenBSD and Kame/*BSD
http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html

FreeBSD Handbook - 10.10 VPN over IPsec
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

>tia,
>Dan

I hope that helps.

Mike
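Shimon's question in the AES/3DES thread above (how much of a nominal line rate the cipher costs) and Jean-Francois's point about max-MTU test traffic can both be put in numbers. The following is an added example, not code from anyone on the list: it computes the ESP tunnel-mode overhead per packet for 3DES-CBC versus AES-128-CBC and the resulting goodput on an assumed 2000 kbit/s line; the IPv4 outer header, 12-byte HMAC ICV and absence of NAT-T UDP encapsulation are assumptions. It shows the cipher only changes wire overhead by the IV and padding bytes, so the 16 vs 30 Mbps figures describe the gateway's crypto rate, while small packets are what really cut goodput.

```python
# Added example, not from the list thread: per-packet wire overhead of ESP in
# tunnel mode for 3DES-CBC versus AES-128-CBC, and the resulting goodput on a
# nominal line rate. Assumed: IPv4 outer header, HMAC-SHA1-96 or HMAC-MD5-96
# authenticator (12-byte ICV), no NAT-T UDP encapsulation.

IPV4_HEADER = 20   # outer IPv4 header added by tunnel mode
ESP_SPI_SEQ = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
ICV_96 = 12        # truncated HMAC authenticator

# CBC block size, which is also the IV length carried in every packet.
CIPHERS = {"3des-cbc": 8, "aes-128-cbc": 16}


def esp_tunnel_packet_size(inner_len, cipher):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    block = CIPHERS[cipher]
    # The encrypted region is inner packet + padding + trailer, and it must
    # be a multiple of the cipher block size (RFC 2406, section 2.4).
    to_encrypt = inner_len + ESP_TRAILER
    padding = (-to_encrypt) % block
    return IPV4_HEADER + ESP_SPI_SEQ + block + to_encrypt + padding + ICV_96


def esp_overhead(inner_len, cipher):
    """Overhead bytes added to one inner packet."""
    return esp_tunnel_packet_size(inner_len, cipher) - inner_len


def goodput_kbps(line_kbps, inner_len, cipher):
    """Inner-packet throughput when the line carries only ESP packets."""
    return line_kbps * inner_len / esp_tunnel_packet_size(inner_len, cipher)


def overhead_table(line_kbps, sizes=(64, 576, 1400)):
    """Rows of (inner_len, cipher, overhead_bytes, goodput_kbps)."""
    return [(n, c, esp_overhead(n, c), round(goodput_kbps(line_kbps, n, c), 1))
            for n in sizes for c in CIPHERS]


if __name__ == "__main__":
    # Constructed scenario: a 2 Mbit/s branch line, taken as 2000 kbit/s.
    for inner_len, cipher, ovh, kbps in overhead_table(2000):
        print(f"{inner_len:5d}B {cipher:12s} +{ovh:3d}B overhead "
              f"-> {kbps:7.1f} kbit/s of inner traffic")
```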
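The group-lock approach John Ruff describes in the VPN3k thread above, as an added example that is not code from the list or from Cisco: it parses the RADIUS Class attribute (type 25) out of an Access-Accept and applies the 'OU=GroupName;' rule to a login attempt. The packet builder, the attribute parser and the user and group names are constructed for the example. Note that this check binds the user to a group, not to a particular client machine, which is Dale's original question and which the thread leaves open.

```python
# Added example, not code from the list or from Cisco: parse the Class
# attribute out of a RADIUS Access-Accept and apply the group-lock rule John
# Ruff describes for the VPN 3000, where Class = "OU=GroupName;" pins the
# user to that group. The packet builder is a constructed test helper only;
# it does not compute a real Response Authenticator.
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_CLASS = 25            # RFC 2865, section 5.25
RADIUS_HEADER_LEN = 20     # code, id, length, 16-byte authenticator


def parse_radius(packet):
    """Return (code, [(attr_type, value_bytes), ...]) from a RADIUS packet."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, offset = [], RADIUS_HEADER_LEN
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        # Every attribute is at least type+length; a short or overlong
        # length is a malformed packet, not something to skip silently.
        if alen < 2 or offset + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[offset + 2:offset + alen]))
        offset += alen
    return code, attrs


def locked_group(attrs):
    """Group named by OU= in a Class attribute, or None if no lock is set."""
    for atype, value in attrs:
        if atype != ATTR_CLASS:
            continue
        # Class is opaque to RADIUS itself; the VPN 3000 reads "OU=Name;".
        for field in value.decode("ascii", "replace").split(";"):
            key, sep, name = field.partition("=")
            if sep and key.strip().upper() == "OU" and name.strip():
                return name.strip()
    return None


def group_lock_allows(packet, requested_group):
    """Accept only an Access-Accept whose OU lock (if any) names the group."""
    code, attrs = parse_radius(packet)
    if code != RADIUS_ACCESS_ACCEPT:
        return False
    group = locked_group(attrs)
    return group is None or group == requested_group


def build_access_accept(ident, attrs):
    """Constructed test helper: Access-Accept with a zeroed authenticator."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident,
                         RADIUS_HEADER_LEN + len(body))
    return header + bytes(16) + body


# Constructed samples: the ACS profile for user A carries Class "OU=A;",
# while a second profile carries no lock at all.
LOCKED_TO_A = build_access_accept(7, [(ATTR_CLASS, b"OU=A;")])
NO_LOCK = build_access_accept(8, [])
```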