«

Hi Guys

My Client has currently Pix 506 & 501's at their remote sites and are
looking to setup IPSEC VPN tunnels between the remote site (using xdsl) and
the central site that has a PIX 515.

They have Five other sites that they want to connect to the main site via
VPN, but they have been informed that instead of buying Pix 500's they
should buy DreyTek 2600 ADSL routers for the remote sites as they are a
fraction of the cost of a PIX & they can support 16 VPN tunnels.

Has anyone used the Dreyteks ?? I'm trying to dig up dirt to try and disuade
them from buying these instead of PIX's. Do anyone knows of any performance
issues with these Dreytek boxes.

Thanks

Simon.

In article <sMK3d.3869$>,
Simon Watson <> wrote:
:My Client has currently Pix 506 & 501's at their remote sites and are
:looking to setup IPSEC VPN tunnels between the remote site (using xdsl) and
:the central site that has a PIX 515.

xDSL is not often used for point-to-point, so these sites are on the
Internet, right? Even if they only ever want to communicate between
the client's sites, and never want those remote sites to be able to
surf or kazaa or whatever, they have full Internet connections, no?


:They have Five other sites that they want to connect to the main site via
:VPN, but they have been informed that instead of buying Pix 500's they
:should buy DreyTek 2600 ADSL routers for the remote sites as they are a
:fraction of the cost of a PIX & they can support 16 VPN tunnels.

ADSL routers... ummm, they might handle VPN tunnels, but how well do they
handle security? How well can they be configured to keep out intruders,
and to automatically open security pinholes on an as-needed basis?
Are they "statefull packet inspection" (SPI), to use the current
marketting term? And if they are, what protocols are they SPI for?

Do they have decent syslog-able logs that can be used to trace
connections, whether legit or intrusion? If one of the workstations
cannot get through to somewhere, are the logs detailed enough to figure
out what is going on? If you have initial trouble with the IPSec connection,
does it have good debug features to allow you to track the connection
progress? And when your IPSec connection gets jammed (as it -will- at
some point), can you get at enough of the state to figure out what is
stuck?

Can the DreyTek's be configured by pushing in new text-based configs,
so that you can do sensible remote config management? Can you do useful
snmp monitoring of them?


I'm not saying that DreyTek is weak in any of these areas: I'm suggesting
these as topics of comparison. I tend not to expect very much of inexpensive
ADSL "routers".
--
Inevitably, someone will flame me about this .signature.

We are seriously considering a Draytek 2600 series device for a remote new
site.

Why?

1) user friendly web interface
2) easy to understand, step-by-step docs (which include notes for setting up
VPSns to Pix, MicroSoft VPN servers etc)
3) I've heard good things from other companies using them for VPNs from home
users
4) price

If you are a die-hard cisco engineer, then you'll be able to set up a pix in
your sleep. The rest of us mere mortals have problems, and the Draytek seems
orders of magnitude easier to set up.

The Draytek 2600 has inbuilt ADSL, inbuilt stateful-inspection firewall,
NAT, VPN. Ok, maybe the firewall side is possibly NOT quite as good as a Pix
(of course, it COULD be better!), but for most uses, is that really likely
to be a major issue?


paul

"Simon Watson" <> wrote in message
news:sMK3d.3869$...
> Hi Guys
>
> My Client has currently Pix 506 & 501's at their remote sites and are
> looking to setup IPSEC VPN tunnels between the remote site (using xdsl)
and
> the central site that has a PIX 515.
>
> They have Five other sites that they want to connect to the main site via
> VPN, but they have been informed that instead of buying Pix 500's they
> should buy DreyTek 2600 ADSL routers for the remote sites as they are a
> fraction of the cost of a PIX & they can support 16 VPN tunnels.
>
> Has anyone used the Dreyteks ?? I'm trying to dig up dirt to try and
disuade
> them from buying these instead of PIX's. Do anyone knows of any
performance
> issues with these Dreytek boxes.
>
> Thanks
>
> Simon.
>
>

> xDSL is not often used for point-to-point, so these sites are on the
> Internet, right?

A *LOT* of people are using ADSL for business links... in many cases, it
works VERY well, and is very cost-effective. As long as it is done
*intelligently*, and they accept that SOME ADSL link may NOT be suitable (eg
due to local congestion)

> Even if they only ever want to communicate between
> the client's sites, and never want those remote sites to be able to
> surf or kazaa or whatever, they have full Internet connections, no?

....And, as you say, gives a local internet connection too


> ADSL routers... ummm, they might handle VPN tunnels, but how well do they
> handle security? How well can they be configured to keep out intruders,
> and to automatically open security pinholes on an as-needed basis?

Take a look at one of the Draytek sites, you might be suprised at what these
boxes include. Main site is at www.draytek.co.tw, you'll find local sites
linked.

> Are they "statefull packet inspection" (SPI), to use the current
> marketting term? And if they are, what protocols are they SPI for?

Indeed they are.

> Do they have decent syslog-able logs that can be used to trace
> connections, whether legit or intrusion?

I believe they do.

> Can the DreyTek's be configured by pushing in new text-based configs,
> so that you can do sensible remote config management?

For this sort of config, I think you'll find the web interface is quite
adequate

> Can you do useful snmp monitoring of them?

Yes, snmp is on the feature list... but, lets be honest, in *small*
businesses, how many bother with snmp monitoring? Not many in my experience!

> I'm not saying that DreyTek is weak in any of these areas: I'm suggesting
> these as topics of comparison. I tend not to expect very much of
inexpensive
> ADSL "routers".

Very valid things to look at. I started looking at Draytek for home use (to
replace a USR 8003, which also has staeful inspection firewall, but has a
web interface that is even LESS comprehensible than a cisco... and no useful
docs either) and was amazed at the features included for the price. At some
point I was visiting a customer, who had loads of them installed for home
workers, and they were very impressed with them, how reliable they seemed to
be, and how simple they were to install & configure.

Lets be brutally honest: cisco kit is excellent kit - if you understand it -
but a lot of the low end stuff is very dated, where the opposition have
leaped ahead in user-interface improvements etc.

I end by saying I have NOTHING at all to do with Draytek. We have several
cisco products at work... but are seriously considering a Draytek as it
seems to do what we want, and a very good price.



Paul Blitz
Centia
England

Thanks for your input

"paul blitz" <> wrote in message
news:415006ab$0$20250$. net...
> We are seriously considering a Draytek 2600 series device for a remote new
> site.
>
> Why?
>
> 1) user friendly web interface
> 2) easy to understand, step-by-step docs (which include notes for setting
up
> VPSns to Pix, MicroSoft VPN servers etc)
> 3) I've heard good things from other companies using them for VPNs from
home
> users
> 4) price
>
> If you are a die-hard cisco engineer, then you'll be able to set up a pix
in
> your sleep. The rest of us mere mortals have problems, and the Draytek
seems
> orders of magnitude easier to set up.
>
> The Draytek 2600 has inbuilt ADSL, inbuilt stateful-inspection firewall,
> NAT, VPN. Ok, maybe the firewall side is possibly NOT quite as good as a
Pix
> (of course, it COULD be better!), but for most uses, is that really likely
> to be a major issue?
>
>
> paul
>
> "Simon Watson" <> wrote in message
> news:sMK3d.3869$...
> > Hi Guys
> >
> > My Client has currently Pix 506 & 501's at their remote sites and are
> > looking to setup IPSEC VPN tunnels between the remote site (using xdsl)
> and
> > the central site that has a PIX 515.
> >
> > They have Five other sites that they want to connect to the main site
via
> > VPN, but they have been informed that instead of buying Pix 500's they
> > should buy DreyTek 2600 ADSL routers for the remote sites as they are a
> > fraction of the cost of a PIX & they can support 16 VPN tunnels.
> >
> > Has anyone used the Dreyteks ?? I'm trying to dig up dirt to try and
> disuade
> > them from buying these instead of PIX's. Do anyone knows of any
> performance
> > issues with these Dreytek boxes.
> >
> > Thanks
> >
> > Simon.
> >
> >
>
>