Educause Security Discussion mailing list archives

Re: Cisco VPN concentrator Replacement Recommendation Needed


From: "Julian Y. Koh" <kohster () NORTHWESTERN EDU>
Date: Mon, 24 Mar 2008 10:36:28 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 10:58 -0400 3/24/2008, schilling wrote:
> Would you kindly share your thoughts on the VPN solutions?

We still have 2 Cisco 3000's deployed, servicing PPTP, L2TP/IPsec, and
IPsec (Cisco VPN Client) connections.  Eventually these will probably get
transitioned to ASA boxes, but PPTP is a sticking point since the ASAs
don't support PPTP.  I know, it's a deprecated protocol, but there are
other factors involved, including (but not limited to):

1.) The Mac OS X L2TP/IPSec client has a bug whereby if you connect to a
VPN3000 through NAT, the connection drops after ~45 minutes.  Cisco and
Apple have been unwilling to fix this for the past 2+ years.  It is still
unclear as to whether this problem exists on the ASAs.  Again, Cisco and
Apple can't seem to supply us with an answer.

2.) Finding a common set of IPSec and IKE parameters that work with
L2TP/IPSec on Windows XP, Mac OS X, and Windows Vista is problematic, since
Vista apparently defaults to using different hash protocols than earlier
versions of Windows and Mac OS X.

So we've still got a very sizable proportion of our population still using
PPTP - all the Mac OS X users and all the Vista users who can't or won't
use the Cisco VPN client.

Now, as far as SSL VPN is concerned, we did an eval of Juniper (nee
Netscreen, nee Neoteris), Cisco, and Aventail back in the fall of 2006.
Juniper won the evaluation, and we deployed it starting in January 2007.
It's been great.  We also have iPlanet LDAP, and doing the role mapping via
LDAP attributes is awesome.  It is possible to do similar things with
Cisco, especially with the newer revisions of their WebVPN product, but it
was a lot more complex, and the Juniper still leads in other areas.  You
can get yourself into interesting situations when a user ends up getting
mapped to multiple roles, but there are workarounds.

We're pitching our SSL VPN not as a replacement for the traditional VPN
service, but an enhancement for system administrators, users of sensitive
data, vendors, consultants, and external collaborators.  Basically the main
differentiating factor is that we can assign custom IP addresses to
different roles, so this allows firewall rules and access control lists to
be much more granular.  We're also using split tunneling with SSL VPN, so
only the traffic that needs to get tunnelled is sent over the tunnel.  With
our traditional VPN service, everyone gets given IPs from a single large
pool, and all traffic is tunneled.

Official web pages are at
<http://www.it.northwestern.edu/oncampus/vpn/sslvpn/>.  Let me know if you
have any additional questions or concerns.


-----BEGIN PGP SIGNATURE-----
Version: 9.7.0.1012

wj8DBQFH58p5DlQHnMkeAWMRAiOPAKCwTQkN0Uzz+buWmUoXE+q2nZSkjQCgicrH
NyNWWjOqJtYpzRhSSCYC7N4=
=c9m0
-----END PGP SIGNATURE-----

--
Julian Y. Koh                         <mailto:kohster () northwestern edu>
Network Engineer                                   <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
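The design Julian describes above (LDAP attributes mapped to roles, each role drawing addresses from its own pool so that firewall rules can key on the source address, split-tunnel routes per role, and a precedence rule for users who land in more than one role) is sketched below as an added example. This is illustrative code written for this archive page, not Northwestern's Juniper configuration or any vendor's API; the attribute names, group DNs, pools, routes and ACL entries are constructed assumptions.

```python
"""Role-based SSL VPN address assignment (constructed illustration, not vendor code)."""
import ipaddress
from typing import Dict, List, Tuple

# Assumed role table. "match" is the (LDAP attribute, value) pair that maps a user
# into the role; lower "priority" wins when an entry matches several roles.
ROLES: Dict[str, dict] = {
    "sysadmin": {
        "match": ("memberOf", "cn=it-sysadmins,ou=groups,dc=example,dc=edu"),
        "priority": 10,
        "pool": "10.20.1.0/24",
        "routes": ["10.0.0.0/8"],             # split tunnel: only these prefixes go over the VPN
        "allow": [("10.0.0.0/8", "any")],
    },
    "sensitive-data": {
        "match": ("memberOf", "cn=hr-data,ou=groups,dc=example,dc=edu"),
        "priority": 20,
        "pool": "10.20.2.0/24",
        "routes": ["10.50.1.0/24"],
        "allow": [("10.50.1.10/32", "tcp/1433")],
    },
    "vendor": {
        "match": ("employeeType", "vendor"),
        "priority": 30,
        "pool": "10.20.3.0/24",
        "routes": ["10.60.7.0/24"],
        "allow": [("10.60.7.10/32", "tcp/22")],
    },
}

# Constructed directory entries standing in for an LDAP lookup.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "alice": {"memberOf": ["cn=it-sysadmins,ou=groups,dc=example,dc=edu",
                           "cn=hr-data,ou=groups,dc=example,dc=edu"]},
    "bob": {"employeeType": ["vendor"]},
    "carol": {"memberOf": ["cn=students,ou=groups,dc=example,dc=edu"]},
}


def map_roles(entry: Dict[str, List[str]]) -> List[str]:
    """Return every role whose (attribute, value) pair appears in the LDAP entry."""
    return [name for name, role in ROLES.items()
            if role["match"][1] in entry.get(role["match"][0], [])]


def resolve_role(matched: List[str]) -> str:
    """Collapse multiple matches to one role by priority; no match means no session."""
    if not matched:
        raise PermissionError("no VPN role matched; deny the session")
    return min(matched, key=lambda r: ROLES[r]["priority"])


class PoolAllocator:
    """Lease addresses from each role's own pool, so the source address identifies
    the role to downstream firewalls. Network, gateway (.1) and broadcast are skipped."""

    def __init__(self) -> None:
        self._free: Dict[str, List[ipaddress.IPv4Address]] = {
            name: list(ipaddress.ip_network(role["pool"]).hosts())[1:]
            for name, role in ROLES.items()}
        self._leases: Dict[str, Tuple[str, ipaddress.IPv4Address]] = {}

    def assign(self, user: str, role: str) -> ipaddress.IPv4Address:
        if user in self._leases:                    # re-connect keeps the same lease
            return self._leases[user][1]
        if not self._free[role]:
            raise RuntimeError(f"pool for role {role!r} exhausted")
        addr = self._free[role].pop(0)
        self._leases[user] = (role, addr)
        return addr

    def release(self, user: str) -> None:
        role, addr = self._leases.pop(user)
        self._free[role].append(addr)


def firewall_rules(role: str) -> List[str]:
    """Render ACL lines keyed on the role's pool, with an explicit deny last."""
    pool = ROLES[role]["pool"]
    rules = []
    for dst, svc in ROLES[role]["allow"]:
        if svc == "any":
            rules.append(f"permit ip {pool} -> {dst}")
        else:
            proto, _, port = svc.partition("/")
            rules.append(f"permit {proto} {pool} -> {dst} port {port}")
    rules.append(f"deny ip {pool} -> any")
    return rules


def session_for(user: str, entry: Dict[str, List[str]], alloc: PoolAllocator) -> dict:
    """Everything the concentrator would push for one authenticated user."""
    role = resolve_role(map_roles(entry))
    return {"user": user, "role": role, "address": str(alloc.assign(user, role)),
            "routes": list(ROLES[role]["routes"]), "acl": firewall_rules(role)}


if __name__ == "__main__":
    alloc = PoolAllocator()
    for user, entry in SAMPLE_DIRECTORY.items():
        try:
            print(session_for(user, entry, alloc))
        except PermissionError as exc:
            print(f"{user}: denied ({exc})")
```

The point of the per-role pool is visible in `firewall_rules`: every ACL is written against the pool prefix, not against individual users, so the firewall never has to know who is logged in. The "interesting situations" with multiple roles are handled here by a simple priority number; a production deployment would instead decide per role whether to merge permissions or pick one, and should reject, not silently widen, an ambiguous mapping.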
