[SunHELP] VPN Solution

sunhelp at sunhelp.org
Wed Jan 30 13:13:07 CST 2002


VPNs are the hot_new_topic, so there are lots of opinions out there.

Since I have been deploying VPNs for 3 years now, I have seen a number of
the solutions.

There are ways to do it on the cheap (freeswan), but if this is a business
environment and it has to be reliable, I would suggest a packaged solution from
a manufacturer.

Having the PIX does provide a way to do it. The Cisco Unified Client runs on
several platforms (Unix, Linux, MSWindows and maybe Mac by now). The UC will
tunnel to a PIX, but I have lost a lot of hair trying to get IPSec/UC to run
on PIXen. I have had easy success with PIX <-> PIX and PIX <-> IOS VPNs.

While on the topic of IPSec, it is the only protocol I would trust. There
are some things native to Windblows (incl. L2TP, IPSec and others), but they
are not trustworthy. My pref is IPSec/IKE using the UC.

After all this, I have found what I love for VPNs. Now some people on this
list might accuse me of being a Ciscophile, but I always explore all
solutions before buying something. The Cisco VPN Concentrator 3005 is tough
to beat for User <-> Office VPNs. This little 1U high $3000 box solves all
your problems. Place one interface on your internet connection and place the
other on the inside of your PIX (yes, parallel to the PIX/FW). Distribute
the UC to users and sit back and watch the satisfied users (obviously,
detail is missing here, but if you want detailed help let me know). The
flexibility and security of the VPN3K is astounding (but not perfect - of
course, nothing is ever perfect). The VPN3K will also do LAN <-> LAN VPNs.

Downfalls? I have one user who tried to get the UC to run on Linux but
hasn't succeeded. I also have a number of Mac users and I don't have a UC
for Mac (if one exists, it may not). The solution is the Cisco 3002 VPN
hardware client. The HC sits on a user's network and does the IPSec tunnel
for the client machine. This $850.00 box also does a great job of VPNing for
small offices (we have several remote offices in three countries).

There are other solutions, but the only one I have seen that doesn't induce
thoughts of suicide is the Cisco VPN Concentrators.

James Fogg, Network Engineer
Vicinity Corporation - New Hampshire
(603) 442-1751

~ -----Original Message-----
~ From: David Baldwin [mailto:dbaldwin at networkinsight.com]
~ Sent: Wednesday, January 30, 2002 12:51 PM
~ To: sunmanagers at sunmanagers.org
~ Cc: sunhelp at sunhelp.org
~ Subject: [SunHELP] VPN Solution
~ 
~ 
~ Hi,
~ I am trying to pinpoint what the best solution would be to allow access
~ to the inside from the outside.
~ Currently we have a PIX firewall filtering packets separating inside and
~ web.
~ Where I am having trouble is with the whole VPN concept.
~ Do I need a VPN server to do this?  If I do I would like for it to be a
~ Sun solution.
~ It looks like it might be possible to terminate the VPN tunnel at the
~ PIX and that would allow for both Win2k and Unices clients to connect
~ using PPTP.  But, then, how would clients get an IP?  So far, the
~ documentation found has not been sufficient.
~ Would I use SunScreen/DHCP to deal out IPs to clients?  Will that work
~ for all clients?
~ 
~ If anyone can tell me which doc to read to make this process clear or
~ has some pointers that can help, I would be grateful.
~ 
~ Sorry if this is a little off topic, I wasn't sure where to start and I
~ know I would like to use Sun if possible.
~ 
~ TIA
~ Dave Baldwin
~ _______________________________________________
~ SunHELP maillist  -  SunHELP at sunhelp.org
~ http://www.sunhelp.org/mailman/listinfo/sunhelp
~ 


