Recommendations for Hardware VPN

Here's our network configuration:

1.) GTE and SpecNet T1 lines go to a Cisco 7010 Router.
2.) From there, an Ethernet connection is made to a PIX 10000 Firewall.
3.) Two internal connections are made (both via Ethernet): one to a DMZ, where hosts serving web pages and mail WILL eventually reside, and the second to our core campus switch, currently a Bay Accelar 1200 series.
4.) From there, IP is routed to numerous desktop switches (at least one in each building, most being Bay 350's and 450's).

As for the changes currently underway, the plan is to exchange the 350 and 450 desktop switches with Cisco 2900 and 3500 series desktop switches, the 7010 router gets replaced by a newer Cisco 7204VXR Router, and the core campus switch (Accelar) gets replaced by a Cisco Catalyst 6509 switch. Also likely is that the PIX 10000 will be replaced next year by a PIX 540 or newer model.

We want to add a hardware VPN box to this mix that will authenticate with a Windows NT/2000 directory service. The VPN box will probably be used by 20-25 clients at a time (a 50-user capable box should be more than sufficient). I'm looking for recommendations on what brand to go with. Naturally, as we move towards Cisco (and newer Cisco products) that seems like the logical solution, but I want other opinions and options and specific model recommendations. Further, the device should have client-side software that essentially splits the connection, where data destined for our network goes to our network but other data comes from their standard internet connection (cable modem, DSL, modem, etc.). I'll give 50 points to each person who contributes significantly (separate questions for each person).
Asked by Lee W, MVP (Technology and Business Process Advisor)
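The "split connection" the question asks for is ordinary longest-prefix routing on the client: corporate prefixes are routed into the tunnel interface and the default route stays with the ISP. The following is an added example written for this page, not code from the thread or from any vendor named in it. The campus prefixes, the gateway address (a documentation-range address) and the home gateway are constructed sample values, and the `tunnel` label stands in for the virtual VPN interface; a real client pushes equivalent routes into the operating system's routing table, and the lookup below is what that table does.

```python
"""Split-tunnel route selection, modelled in Python (added example)."""
import ipaddress

# Constructed sample values (assumptions, not from the thread): campus private
# prefixes, a documentation-range address standing in for the public VPN
# gateway, and the user's home router as the local default gateway.
CORPORATE_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12")
VPN_GATEWAY = "203.0.113.10"
LOCAL_GATEWAY = "192.168.1.1"
TUNNEL = "tunnel"  # label for the virtual VPN interface


def build_routes(corporate_prefixes, vpn_gateway, local_gateway, split=True):
    """Return a client routing table as (network, next_hop) pairs.

    split=True  -> only corporate prefixes go through the tunnel (the behaviour
                   the question asks for); everything else uses the local ISP.
    split=False -> full tunnel: the default route itself goes into the tunnel.
    In both modes the gateway's own /32 is pinned to the local gateway;
    without that host route the encrypted packets addressed to the gateway
    would themselves be routed into the tunnel and the link would never come up.
    """
    routes = [(ipaddress.ip_network(f"{vpn_gateway}/32"), local_gateway)]
    routes += [(ipaddress.ip_network(p), TUNNEL) for p in corporate_prefixes]
    default_hop = local_gateway if split else TUNNEL
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_hop))
    return routes


def select_route(destination, routes):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        raise LookupError(f"no route to {destination}")
    net, hop = max(matches, key=lambda entry: entry[0].prefixlen)
    return hop


def classify(destinations, routes):
    """Map each destination to its next hop, for a quick table dump."""
    return {dst: select_route(dst, routes) for dst in destinations}


if __name__ == "__main__":
    split = build_routes(CORPORATE_PREFIXES, VPN_GATEWAY, LOCAL_GATEWAY)
    full = build_routes(CORPORATE_PREFIXES, VPN_GATEWAY, LOCAL_GATEWAY, split=False)
    samples = ["10.20.30.40", "172.31.0.5", "198.51.100.7", VPN_GATEWAY]
    print("split tunnel:", classify(samples, split))
    print("full tunnel: ", classify(samples, full))
```

Running it shows the trade-off behind the feature: in split mode a campus address goes to `tunnel` while a public address goes to the home gateway, so the client is attached to the untrusted network and the corporate network at the same time; in full-tunnel mode only the pinned gateway /32 leaves via the ISP. Which mode to allow is a policy decision for the VPN administrator, and the client profile feature mentioned later in this thread is where such a choice would normally be enforced.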

Did you check out the VPN products from Shiva? (Or Intel, as they have bought Shiva.) Take a look at  The client-side functionality you are looking for is available there.
Lee W, MVP (Technology and Business Process Advisor), author, commented:
I'll take a look at it... but I'm rejecting your answer because I want more than one perspective and with a locked question, people aren't likely to read it.
Another product worth a look at is from Modulo at

In excess of 7 Mbps
LAN Interface: Two BNC ports, two 10BaseT Ethernet ports
1024 concurrent NetFortress connections
3" H x 14" D x 14" W
9.8 lb./2.4 kg
Power Requirements: 115/230 volts AC, 50-60 Hz
Safety Certification: UL Approved, FCC Class B
Encryption Type: Network layer
Encryption Algorithms: 128-bit IDEA, 56-bit DES, 168-bit DES3
Key Management: Diffie-Hellman permanent common key with dynamic random key exchange at intervals determined by the customer
Software: Manager 1.0 provides systems administrators with an easy-to-use tool for managing VPN and remote units in the Virtual Private Network.


Another product, from Extend Systems at , might be worth a look.
I would suggest first looking into building a PKI infrastructure to hand out the certs.  Next you can utilize this infrastructure with many of the VPN / Encrypted tunnel solutions available on the market right now.

We use Entrust PKI to store the certs and then have Shiva Lanrover Gateways load-balanced on either side of our DMZ as we want secure tunnels inbound on either side of the DMZ (an egg-drop can just as easily come from within).

We have sites that have their own 2611 or 4000 series routers using IOS 12.0 crypto keys generated via Entrust and then create access-lists for pseudo policy-based routing by client IP.

Next we have our home or mobile users that use Shiva client 6.5 on NT or W9x with various profiles based on client needs (some profiles will only allow access to the DMZ for webmasters, while others actually provide access to the entire corporate network).

We have connected 3rd party call-center sites via mobile IP (Shiva feature) where NAT'd addresses can run a separate client behind a PIX or a router.

Cisco has their own line of VPN access solutions now with the Cisco AS5300 NAS server.  Follow this link for more info:

Lee W, MVP (Technology and Business Process Advisor), author, commented:
Thanks, and I may yet accept your answer, but I still want other people's input - we haven't made the purchase yet!
Check out Altiga. They have a range of VPN boxes that scale with your requirements, the bottom of the range being upgradable to the top of the range, which is a good idea. This product won Network Computing's Editors' Choice award and they verified you can have it up and running in about five minutes, as advertised. They also claim that it will work with the Win2k native IPsec/L2TP VPN client virtually out of the box. The product will also support intranet VPNs. Last but not least, this company have just been bought by Cisco, who will be offering it as one of their front-line VPN products, and with the amount of money Cisco have in the bank they could probably have afforded to buy just about any VPN hardware manufacturer they wanted, but they chose Altiga.
Lee W, MVP (Technology and Business Process Advisor), author, commented:
Thanks, I'll have a look at that company again - I think I already did and even spoke to a salesperson.

Actually - does anyone know if Cisco's PIX firewall, with VPN support has a client for both the Mac and the PC that will differentiate the network traffic as per my stated needs?
Check out

You will need version 5.0 and above of PIX to enable this feature.

As you can see you'll need to build a CA server so that the certificates can be stored somewhere.

Unfortunately, the Cisco Secure VPN client only works on the Windows family of PCs. There is no Mac client.

Any of the 7xxx series of routers with version Cisco IOS 12.0(5)XE can be used as VPN gateways as well.

If you check out
this document talks about establishing PPTP tunneling between Windows clients and a PIX (I know that there is PPTP for Linux, so I can only assume that someone ported it to the Mac as well).

Finally, everything you wanted to know about implementing VPNs within Cisco IOS is here:

