Velocity Reviews - Computer Hardware Reviews

Re: Does Cisco make a SSL VPN router, with a "simple" GUI config?

 
 
Rob, 10-13-2011
Peter <(E-Mail Removed)> wrote:
>
> Rob <(E-Mail Removed)> wrote:
>
>>Peter <(E-Mail Removed)> wrote:
>>> From vague memory, UK mobile networks which blocked PPTP were Orange
>>> and T-Mobile, though T-M has been OK for the last 2 years or so. And
>>> many others abroad also blocked it and do now.
>>
>>We use T-Mobile and KPN in the Netherlands and both are OK for PPTP
>>and for L2TP/IPsec.
>
> That is a very useful data point - thank you.
>
> Incidentally, on one of the Youtube videos on how to set up the VPN on
> an iPad, it shows PPTP, L2TP, or IPSEC. It appears to have 3 tabs.
> Does that make sense?


It is also possible to use bare IPsec for a VPN.
In a roaming user scenario, it is probably better to use L2TP on top
of that, but for fixed VPN setups it is usually not used.
 
Doug McIntyre, 10-13-2011
Peter <(E-Mail Removed)> writes:
>Incidentally, on one of the Youtube videos on how to set up the VPN on
>an Ipad, it shows PPTP, L2TP, or IPSEC. It appears to have 3 tabs.
>Does that make sense?


One of the toughest things about VPNs, is that there are many
technologies, and people call them different items depending on how
they are using/defining things. There is nothing too universal about it.

In the Apple iOS case, PPTP is straight up. L2TP is L2TP over IPSec
like normal, although needing some specific requirements on the backside.
But the IPSec option is actually 'Cisco Anyconnect VPN client'.
It can't connect to anything but a Cisco VPN server. Furthermore, the
design of the OS and sandboxing prevents any other VPN client "Apps"
to be written and be used effectively.

Your best universal case on Apple iOS is L2TP.

 
Peter, 10-14-2011

Doug McIntyre <(E-Mail Removed)> wrote:

>Peter <(E-Mail Removed)> writes:
>>Incidentally, on one of the Youtube videos on how to set up the VPN on
>>an iPad, it shows PPTP, L2TP, or IPSEC. It appears to have 3 tabs.
>>Does that make sense?
>
>One of the toughest things about VPNs, is that there are many
>technologies, and people call them different items depending on how
>they are using/defining things. There is nothing too universal about it.
>
>In the Apple iOS case, PPTP is straight up. L2TP is L2TP over IPSec
>like normal, although needing some specific requirements on the backside.
>But the IPSec option is actually 'Cisco Anyconnect VPN client'.
>It can't connect to anything but a Cisco VPN server. Furthermore, the
>design of the OS and sandboxing prevents any other VPN client "Apps"
>to be written and be used effectively.
>
>Your best universal case on Apple iOS is L2TP.


Many thanks for that explanation.

My latest iPad 2 also has only those three options, so I have no idea
how anybody manages to get SSL VPNs running on it, despite this

http://www.apple.com/ipad/business/software-update/
https://discussions.apple.com/thread...art=0&tstart=0

 
Doug McIntyre, 10-14-2011
Peter <(E-Mail Removed)> writes:
>My latest iPad 2 also has only those three options, so I have no idea
>how anybody manages to get SSL VPNs running on it, despite this
>
>http://www.apple.com/ipad/business/software-update/
>https://discussions.apple.com/thread...art=0&tstart=0


Again, SSL VPN means many things to many people.

In some instances, it just is a tunnel to an internal web site.

Other implementations have tunnelling software they download to the
client over the web link. Others have full desktop clients that
communicate over "SSLVPN".

I recommended Fortinet earlier. They do all three of these scenarios.
They also have an iOS SSLVPN App. All it is able to do is the first
case, browse an internal web site. Ie. you start up the FortiVPN
App. You bring up the VPN, and then you can see a website beyond the
VPN gateway with the web browser the SSLVPN App presents.

I don't know of anything specific Juniper or Cisco have done with
SSLVPN Apps. I think that is just Marketing getting ahead of themselves.

 
Peter, 10-15-2011

Doug McIntyre <(E-Mail Removed)> wrote:

>Peter <(E-Mail Removed)> writes:
>>My latest iPad 2 also has only those three options, so I have no idea
>>how anybody manages to get SSL VPNs running on it, despite this
>>
>>http://www.apple.com/ipad/business/software-update/
>>https://discussions.apple.com/thread...art=0&tstart=0
>
>Again, SSL VPN means many things to many people.
>
>In some instances, it just is a tunnel to an internal web site.
>
>Other implementations have tunnelling software they download to the
>client over the web link.

Ok; that's very clever.

>Others have full desktop clients that
>communicate over "SSLVPN".
>
>I recommended Fortinet earlier. They do all three of these scenarios.
>They also have an iOS SSLVPN App. All it is able to do is the first
>case, browse an internal web site. Ie. you start up the FortiVPN
>App. You bring up the VPN, and then you can see a website beyond the
>VPN gateway with the web browser the SSLVPN App presents.


Can you suggest a product? Their website is highly opaque, with stupid
categories like 'big business', 'small business' etc.

I have emailed them too.

>I don't know of anything specific Juniper or Cisco have done with
>SSLVPN Apps. I think that is just Marketing getting ahead of themselves..


Many thanks for another very useful reply.

This is a good learning experience because in the long run I have to
manage this myself - even if I get somebody to initially set it up for
me. That rules out Cisco. Even their silly old PCMCIA WIFI adaptors
have proven opaque in their implementation of supposedly trivial stuff
like WEP, and I never managed to make WPA work.
 
Peter, 10-17-2011

Christian Hechelmann <(E-Mail Removed)> wrote

>Sadly SSLvpn (aside from e.g. OpenVPN) seems to be mostly geared towards
>roadwarriors and not site-2-site connectivity, I personally only know the
>Juniper SA series and they are not suitable for site-2-site.


I currently run IPSEC/AES for the site-site VPN. That's not an issue.

>> I don't think you can run IPSEC over GPRS/3G. I know of several people
>> who have tried to make it work and don't know of anybody who has
>> succeeded. PPTP (supported by both my old routers and by Windows as a
>> client) at least works over most networks.
>
>There's nothing inherent to GPRS/3G that would make IPsec fail, though.
>But carriers often (always?) like to NAT the "internal" portion of the
>network towards the mobile device, and don't care if it breaks IPsec
>(since it's not an advertised feature). Also some carriers might outright
>block it. YMMV.


From my very limited digging, the only people I found who are running
IPSEC over GPRS/3G are using high-end-administered systems e.g. Cisco
employees. And they will be accessing a private APN.

AIUI, if you are on GPRS/3G, and are abroad, your data goes **in the
phone network packets** all the way to your home country, all the way
to the APN there. It does not get connected to the internet where you
are locally. So a private APN should work wherever you are in the
world.

>Hmm, from a technical standpoint, if PPTP works, so should IPsec. PPTP
>does connection setup via tcp/1723 and then sends the traffic via GRE
>which is even more easily broken by (Hide)NAT. IIRC there is no
>encapsulation available at all from PPTP. L2TP however goes via udp...


If L2TP uses UDP for everything, it should work a lot better on mobile
networks, because they lose packets fairly frequently, and suffer
sometimes long delays. TCP/IP does not handle this too well. At the
extreme end you have satellite phones which are truly rubbish and I
suspect most of the professional service providers (e.g. aviation
weather) on those just use UDP.
 
Peter, 10-17-2011

alexd <(E-Mail Removed)> wrote

>Well yes, I think I suggested a TZ100 to you in uk.telecom.broadband a while
>ago. Small firewall with 5 interfaces and a single concurrent SSL VPN
>license, 5 site-to-site IPsec, 5 VLANs, unlimited devices on the LAN. Extra
>SSL licenses are ~30 each.


As one of my 3 Draytek 2900 routers has just blown up I will have
to move on this.

Not one router supplier has responded to my questions on capabilities
so I will probably just have to buy a TZ100 and see what it can be
configured for...
 
Doug McIntyre, 10-17-2011
Peter <(E-Mail Removed)> writes:
>Doug McIntyre <(E-Mail Removed)> wrote:
>>I recommended Fortinet earlier. They do all three of these scenarios.
>
>Can you suggest a product? Their website is highly opaque, with stupid
>categories like 'big business', 'small business' etc.


The FortiGate line is their all-in-one firewall/VPN solution.

They just scale up from small to huge (ie. 40Gbps solutions).

I think you've said you have a small office. I'd look at the FGT-60C
or FGT-80C products. All the products act much the same, you are only
buying capacity (or some higher end feature like LAPD/LAG
capabilities, available on the 200B and up).

There are extra add-on subscription for anti-virus/IPS/SPAM filter updates.
Or just the bare "unbundled" box.

I'd stay far away from the Fortigate 30. The 50B works alright, but is
almost the same price as the 60C, and the 60C has much more capacity.

 
Doug McIntyre, 10-17-2011
Peter <(E-Mail Removed)> writes:
>If L2TP uses UDP for everything, it should work a lot better on mobile
>networks, because they lose packets fairly frequently, and suffer
>sometimes long delays. TCP/IP does not handle this too well. At the
>extreme end you have satellite phones which are truly rubbish and I
>suspect most of the professional service providers (e.g. aviation
>weather) on those just use UDP.


L2TP doesn't use pure UDP. The most common implementation is L2TP
over IPSec (unlike, say, an L2TP tunnel from Cisco router to router).

L2TP encapsulates the tunnel into UDP packets (port 1701), which are
then encapsulated in IPSec ESP protocol packets (protocol 50, the port
of the packets inside is opaque to the outside).

So, you'd be back to seeing if the cell data network let you use
protocol 50 across it or not.


 
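Added example, not code from any post in this thread: a small Python script that builds constructed sample packets for each VPN type discussed above (PPTP control on TCP/1723 plus its GRE data channel, as in Christian's quoted note; plain L2TP on UDP/1701; L2TP/IPsec as ESP protocol 50, as Doug describes; and L2TP/IPsec with NAT-T on UDP/4500) and then parses only what a port-rewriting carrier NAT can see: the IP protocol number and, for TCP/UDP only, the destination port. It shows concretely why GRE and bare ESP are the problem cases (no ports to rewrite, and the inner UDP/1701 header is inside the ESP ciphertext), and it adds a caveat the thread does not mention: IKE's NAT detection (RFC 3947/3948) switches ESP into UDP/4500 when a NAT is in the path, which is the usual reason L2TP/IPsec clients work from a phone behind carrier NAT. What is then left to check is whether the carrier passes UDP/500 and UDP/4500. The addresses, SPI, call ID and payload bytes are made up, the XOR "encryption" is a stand-in for the real cipher, and checksums, the ESP trailer and the ICV are omitted.

```python
"""Wire-level view of the VPN types discussed in this thread.

Constructed example, not code from the original posts. It builds minimal
packets (zero checksums, no ESP trailer or ICV, XOR as a stand-in for the
cipher) so that only the outermost headers matter: that is all a carrier's
port-rewriting (Hide) NAT gets to see. Protocol numbers and ports are the
IANA assignments: GRE = 47, ESP = 50, PPTP control = TCP/1723,
L2TP = UDP/1701, IKE = UDP/500, IKE/ESP NAT-T = UDP/4500 (RFC 3948).
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50


def ipv4(proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (made-up addresses, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 2]), bytes([203, 0, 113, 10]))
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum zero) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    """Bare TCP SYN, enough for a NAT to read the ports."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def pptp_gre(call_id: int, ppp: bytes) -> bytes:
    """Enhanced GRE as PPTP uses it (RFC 2637): K+S flags, version 1,
    protocol type 0x880B (PPP), then payload length and call ID."""
    return struct.pack("!HHHH", 0x3001, 0x880B, len(ppp), call_id) + ppp


def esp(spi: int, seq: int, inner: bytes) -> bytes:
    """ESP header (SPI, sequence) followed by the encrypted inner packet.
    XOR with a fixed byte stands in for the cipher; a real SA also appends
    a trailer and an ICV. The point is that nothing inside is visible."""
    return struct.pack("!II", spi, seq) + bytes(b ^ 0xAA for b in inner)


# Inner L2TP packet: UDP/1701 either side, with an opaque L2TP payload.
L2TP_INNER = udp(1701, 1701, b"L2TP")

# One constructed flow per technology: the packets the carrier NAT sees.
SAMPLES = {
    "PPTP": [ipv4(IPPROTO_TCP, tcp_syn(40000, 1723)),
             ipv4(IPPROTO_GRE, pptp_gre(call_id=7, ppp=b"\xff\x03\x00\x21"))],
    "plain L2TP": [ipv4(IPPROTO_UDP, L2TP_INNER)],
    "L2TP/IPsec": [ipv4(IPPROTO_UDP, udp(500, 500, b"IKE")),
                   ipv4(IPPROTO_ESP, esp(0x1234ABCD, 1, L2TP_INNER))],
    "L2TP/IPsec NAT-T": [ipv4(IPPROTO_UDP, udp(500, 500, b"IKE")),
                         ipv4(IPPROTO_UDP, udp(4500, 4500, esp(0x1234ABCD, 1, L2TP_INNER)))],
}


@dataclass(frozen=True)
class OuterView:
    proto: int
    dst_port: Optional[int]   # only TCP and UDP carry ports a NAT can rewrite


def outer_view(raw: bytes) -> OuterView:
    """Parse exactly what a port-rewriting NAT inspects: the IP protocol and,
    if (and only if) it is TCP or UDP, the L4 destination port."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        _sport, dport = struct.unpack_from("!HH", raw, ihl)
        return OuterView(proto, dport)
    return OuterView(proto, None)


def classify(view: OuterView) -> Tuple[str, bool]:
    """Return (description, nat_friendly). nat_friendly means a generic Hide
    NAT can multiplex many clients on it without a protocol-specific ALG;
    GRE and ESP have no ports, so they are not."""
    if view.proto == IPPROTO_TCP:
        return ("PPTP control channel (TCP/1723)" if view.dst_port == 1723
                else "other TCP"), True
    if view.proto == IPPROTO_GRE:
        return "PPTP data (GRE, protocol 47)", False
    if view.proto == IPPROTO_ESP:
        return "IPsec ESP (protocol 50); any UDP/1701 inside is opaque", False
    if view.proto == IPPROTO_UDP:
        names = {1701: "plain L2TP (UDP/1701)", 500: "IKE (UDP/500)",
                 4500: "IPsec with NAT-T (ESP inside UDP/4500)"}
        return names.get(view.dst_port, "other UDP"), True
    return "unknown", False


def survives_hide_nat(flow) -> bool:
    """A VPN session works behind a generic NAT only if every packet does."""
    return all(classify(outer_view(p))[1] for p in flow)


if __name__ == "__main__":
    for name, flow in SAMPLES.items():
        for p in flow:
            desc, ok = classify(outer_view(p))
            print(f"{name:18s} {desc:58s} {'ok' if ok else 'needs ALG/pass-through'}")
        verdict = "usable" if survives_hide_nat(flow) else "likely broken"
        print(f"{name:18s} => {verdict} behind carrier NAT")
```

Running it prints one line per packet and a verdict per flow: PPTP and L2TP/IPsec without NAT-T both fail on their portless data channel (GRE and ESP respectively), while plain L2TP and L2TP/IPsec with NAT-T consist only of UDP packets and pass. Comparing the bytes of the plain L2TP packet with the ESP one also shows that the 0x06A5 (1701) port bytes are present in the former and absent from the latter, which is Doug's "opaque to the outside" point.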
 
Peter, 10-18-2011

Doug McIntyre <(E-Mail Removed)> wrote

>So, you'd be back to seeing if the cell data network let you use
>protocol 50 across it or not..


OK.

There seems to be a big variation in the way that different mobile
networks are configured.

Even on non-internet stuff there are differences. For example, I found
in the development of a fairly obscure product, that Virgin supports
GSM FAX whereas T-Mobile doesn't - despite V running *over* the T-M
network.

Currently, I am getting adequate results running PPTP (which
historically often failed to work) on T-M, both UK and abroad.
Vodafone is also OK.
 