Recommendations for Hardware VPN

Posted on 2000-02-01
Medium Priority
Last Modified: 2010-04-11
Here's our network configuration:

1.) GTE and SpecNet T1 lines go to a Cisco 7010 Router.
2.) From there, an Ethernet connection is made to a PIX 10000 Firewall.
3.) Two internal connections are made (both via Ethernet) : One to a DMZ,
where hosts serving web pages and mail WILL eventually reside, and the second, to our core campus switch, currently a Bay Accelar 1200 series.  
4.) From there, IP is routed to numerous desktop switches (at least one in
each building, most being Bay 350's and 450's.)

As for the changes currently underway, the plan is to exchange the 350 and 450 desktop switches with Cisco 2900 and 3500 series desktop switches, the 7010 router gets replaced by a newer Cisco 7204VXR Router, and the core campus switch (Accelar) gets replaced by a Cisco Catalyst 6509 switch. Also likely is that the PIX 10000 will be replaced next year by a PIX 540 or newer model.

We want to add a hardware VPN box to this mix that will authenticate with a Windows NT/2000 directory service.  The VPN box will be used probably by 20-25 clients at a time (a 50 user capable box should be more than sufficient).  I'm looking for recommendations on what brand to go with.  Naturally, as we move towards Cisco (and newer Cisco products) that seems like the logical solution, but I want other opinions and options and specific model recommendations.  Further, the device should have client side software that essentially splits the connection - where data destined for our network goes to our network but other data comes from their standard internet connection (cable modem, DSL, modem, etc) -  I'll give 50 points to each person who contributes significantly (separate questions for each person).
Question by:Lee W, MVP
  • 3
  • 2
  • 2
  • +2

Expert Comment

ID: 2516333
Did you check out the VPN products from Shiva ?  (or Intel as they have bought Shiva).  Take a look at www.shiva.com.  The clients side functionality you are looking for is available there.
LVL 97

Author Comment

by:Lee W, MVP
ID: 2517851
I'll take a look at it... but I'm rejecting your answer because I want more than one perspective and with a locked question, people aren't likely to read it.

Expert Comment

ID: 2530150
Another product worth a look at is from Modulo at http://www.modulo.com.br/ingles/produto/vpn-over.htm.
 In excess of 7 Mbps
Lan Interface
 Two BNC ports, two 10BaseT Ethernet Ports
 1024 concurrent NetFortress Connections
 3" H x 14" D x 14" W
 9.8 lb./2.4 kg
Power Requirements
 115/230 volts AC, 50-60 Hz
Safety Certification
 UL Approved, FCC Class B
Encryption Type
 Network Layer
Encryption Algorithms
 128-bit IDEA, 56-bit DES, 168-bit DES3
Key Management
 Diffie-Hellman permanent common key with dynamic random key exchange at intervals determined by the customer
Software :
Manager 1.0 provides systems administrators with an easy-to-use tool for managing VPN and remote unit in the Virtual Private Network.

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!


Expert Comment

ID: 2530171
Another product from Extend Systems at http://www.extendsys.com/prodinfo/pdf/vpn_fambrochure.pdf might be worth a look

Expert Comment

ID: 2570626
I would suggest first looking into building a PKI infrastructure to hand out the certs.  Next you can utilize this infrastructure with many of the VPN / Encrypted tunnel solutions available on the market right now.

We use Entrust PKI to store the certs and then have Shiva Lanrover Gateways load-balanced on either side of our DMZ as we want secure tunnels inbound on either side of the DMZ (an egg-drop can just as easily come from within).

We have sites that have there own 2611 or 4000 series routers using IOS 12.0 crypto keys generated via Entrust and then create access-lists for psuedo policy based routing by client IP.

Next we have our home or mobile users that use Shiva client 6.5 on NT or W9x with various profiles based on client needs (some profiles will only allow access to the DMZ for webmasters, while others actually provide access to the entire corporate network).

We have connected 3rd party call-center sites via mobile IP (Shiva feature) where NAT'd addresses can run a seperate client behind PIX or a router.

Cisco has their own line of VPN access solutions now with the Cisco AS5300 NAS server.  Follow this link for more info:

LVL 97

Author Comment

by:Lee W, MVP
ID: 2570666
Thanks, and I may yet accept your answer, but I still want other people's input - we haven't made the purchase yet!

Expert Comment

ID: 2596992
Check out Altiga, http://www.altiga.com
They have a range of VPN boxes that scale with your requirements, the bottom of the range being upgradable to the top of the range, which is a good idea.  This product won Network Computings editors choice award and they verified you can have it up and running in about five minutes, as advertised.  They also claim that it will work with the Win2k native IPsec/L2TP VPN client virtually out of the box also.  The product will also support intranet VPNs'.  Last but not least, this company have just been bought by Cisco who will be offering it as one of their front line VPN products and with the amount of money Cisco have in the bank they could probably have afforded to buy just about any VPN hardware manufacturer they wanted, but they chose Altiga.
LVL 97

Author Comment

by:Lee W, MVP
ID: 2597043
Thanks, I'll have a look at that company again - I think I already did and even spoke to a salesperson.

Actually - does anyone know if Cisco's PIX firewall, with VPN support has a client for both the Mac and the PC that will differentiate the network traffic as per my stated needs?

Accepted Solution

gfreeman081597 earned 150 total points
ID: 2597792
Check out http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/examples.htm

You will need version 5.0 and above of PIX to enable this feature.

As you can see you'll need to build a CA server so that the certificates can be stored somewhere.

Unfortunately, the Cisco Secure VPN client on works on the Windows family PCs.  There is no MAC client.

Any of the 7xxx series of routers with version Cisco IOS 12.0(5)XE can be used as VPN gateways as well.

If you check out http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/advanced.htm#xtocid2272319
this document talks about establishing PPTP tunneling between windows clients and a PIX (I know that there is PPTP for Linux so I can only assume that someone ported it to MAC as well).

Finally, everything you wanted to know about implementing VPN's within Cisco IOS is here:


Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question