Best VPN Appliance

Toivo,

The SA Series absolutely supports IPsec if you are using Network Connect. It defaults to using IPsec and if that is not supported then it will fall back to SSL. Of course, NC is not as secure as W-SAM, J-SAM, or Core Access in terms of role and resource granularity control but the support for IPsec is absolutely there.

HTHs.

Stefan Fouant

There is also the fact to consider that Cisco has said there will be no
support for Windows 64-bit on their IPSEC client; they are pushing
people to the AnyConnect (an SSL-based clientless IPSEC) who want to use
Windows 64-bit or other OSs, so in the future the argument for having a
separate box for client-based IPSEC will be moot.

Orin

From: Blomberg, Orin P (DOH) [mailto:Orin.Blomberg@DOH.WA.GOV]
Sent: Monday, March 08, 2010 11:37 AM
To: sfouant@shortestpathfirst.net; Voll, Toivo; Chris Campbell; Dawood Iqbal
Cc: nanog@nanog.org
Subject: RE: Best VPN Appliance

There is also the fact to consider that Cisco has said there will be no
support for Windows 64-bit on their IPSEC client; they are pushing
people to the AnyConnect (an SSL-based clientless IPSEC) who want to use
Windows 64-bit or other OSs, so in the future the argument for having a
separate box for client-based IPSEC will be moot.

The beta 64-bit VPN client has been released, FYI.

Mike

Cisco has released a beta version of their 64-bit IPSec client for Windows 7.

There is also the fact to consider that Cisco has said there will be no
support for Windows 64-bit on their IPSEC client [...]

Amazingly, and to many people's great surprise, Cisco recently made
available a beta version of the IPSEC VPN client that supports 64-bit.

~JasonG

Thanks for the information. I am just going on what we have been
formally told by our onsite Cisco engineers on several occasions. It
may be that they were misinformed, or that they are trying to make the
sell for AnyConnect Licensing, but I had been going with the facts I
had. I am glad there is a 64-bit in beta, at least, now I don't have to
migrate all those people off the ASAs right away.

Orin

If you can use 3rd party VPN clients the ShrewSoft IPSec client on
Windows 7 works great with Cisco concentrators.
http://www.shrew.net/software

Why would you migrate them away instead of buying a $150/$250 one-time license?

tv

There is also the fact to consider that Cisco has said there will be no
support for Windows 64-bit on their IPSEC client; they are pushing
people to the AnyConnect (an SSL-based clientless IPSEC) who want to use
Windows 64-bit or other OSs, so in the future the argument for having a
separate box for client-based IPSEC will be moot.

You can also use the Shrew Soft VPN Client. Comes in various flavors including 64-bit.

Greetings,
L.

It was neither, at least not specifically on the side of your
engineers. Cisco had absolutely no plans to release a 64-bit IPSec
client - not because they couldn't (they have had a working version
for some time), but because they have been trying to kill off the
product for years to try and migrate customers to their newer products
(i.e., AnyConnect). So your Cisco engineers were absolutely correct -
at the time - in saying that there would never be a 64-bit version.

Obviously it seems they have finally buckled to customer pressure (!)
and released a 64-bit version, which is good news for everyone except
whoever's job in Cisco it was to EOL the IPSec code. It's unfortunate
that they didn't take the obvious approach and put IPSec into
AnyConnect when it first came out, which would have avoided all of
these issues.

(I used to work for Cisco in the Security Technology Business Unit,
but I don't any more so I'm obviously not speaking on behalf of anyone
other than possibly myself!)

Scott.

You are correct; I should have been more pedantic -- the SA series cannot terminate site-to-site IPsec tunnels, according to the sales engineer, unlike the Cisco 3000 series and ASA.

Can anyone tell me how to get the beta 64 bit client? Thanks.

Nick

+1 for the ShrewSoft Client for Windows 7. Works like a champ.

Mike

Hello All,

Thank you all for replying and suggesting VPN boxes.
I'm in the process of evaluating different boxes, and they are:

SA4500 SSL VPN Appliance
http://www.juniper.net/us/en/products-services/security/sa-series/sa4500/

Barracuda SSL VPN
http://www.barracudanetworks.com/ns/products/sslvpn_overview.php

F5 FirePass SSL VPN
http://www.f5.com/products/firepass/

The problem I'm facing so far is MAC OS X compatibility. The demo box I had for Juniper was not able to run Network Connect on MAC OS 10.5.8.

From your experience with F5, Juniper and Barracuda, which one will be best in terms of:

1) Support
2) Resiliency
3) Security
4) Scalability
5) Manageability

Thanks for all your help.

Regards,
Dawood Iqbal

For the Juniper box, make sure you are running the 6.5R3 version of code to get the MAC to work. They put a fix in for it. It is working well for us here.

http://kb.juniper.net/index?page=content&id=KB16134&actp=search&searchid=1268921120591

I have no experience with either F5 or Barracuda, but we have found the Juniper SSL to be extremely reliable and flexible to suit all of our needs. We have several 2500s deployed.

Joe

The problem I'm facing so far is MAC OS X compatibility. The demo box I had
for Juniper was not able to run Network Connect on MAC OS 10.5.8.

We use an SA700 (lowest-end model) and I use NC regularly from my Mac, but I
am running 10.6.2. I did not have trouble running NC when I was on 10.5
either, but that was several months ago. The biggest trick on the Mac is
figuring out how to use a client-side certificate properly...

From your experience with F5, Juniper and Barracuda, which one will be best
in terms of:

Speaking only from my experience with the Juniper product:

1) Support

When dealing with configuring and troubleshooting the appliance itself, JTAC
has been pretty helpful when I've had to call on them. However, it has been
hard getting help when dealing with client issues (Bob's PC won't establish
tunnel properly, host checker issues, etc.).

2) Resiliency

We don't do HA as we only have a handful of users, so I can't speak to this.

3) Security

It's good enough for us, and we have lots of rules we have to follow
(financial institution). Authentication is hooked into our Active Directory,
so passwords are managed from there. We require a client-side certificate
issued from a private CA, which works well, even recognizes and enforces
certificate revocation lists.

4) Scalability

See #2. We have a max of maybe five concurrent users, and that's a rare
occurrence.

5) Manageability

Set it and forget it. The only thing I have to do is load ESAP updates
occasionally (host checker engine definitions). There are a couple of useful
SNMP OIDs, but they're not documented very well.