Re: Does Cisco make a SSL VPN router, with a "simple" GUI config?

Discussion in 'Cisco' started by Doug McIntyre, Oct 10, 2011.

  1. Peter <> writes:
    >I would like to replace a Draytek 2900 at a couple of installations
    >with something more reliable.


    You don't say how many users, which is important for Cisco licensing.

    Ie. for SSL-VPN on Cisco branch routers, you will need to license it
    with the FL-SSLVPN25-K9 part # which is for 25 users. That is about
    $500 street price. The newest of the 800 series boxes is the 892 at
    about $800-$900 street price. Although there are older ones in that
    line too for less.

    As to your GUI... Cisco keeps trying to make a GUI. They keep trying
    and trying, and making new products every 2-3 years.

    For earlier 8xx boxes, there was SDM.

    http://www.cisco.com/en/US/prod/collateral/routers/ps5318/product_data_sheet0900aecd800fd118.html

    For the 890 it seems there is a new one for it running at version 1.0 (whee).

    http://www.cisco.com/en/US/prod/collateral/routers/ps9422/data_sheet_c78_462210.html


    Perhaps you should look beyond Cisco though.

    I would go with Fortinet for a firewall/router/VPN box. It has a built-in
    web GUI (not extra software running on Java on your workstation). The GUI
    works very well. The boxes are rock solid. Only complaint I have is
    that their support isn't always that great, but I almost never have to
    go to them. Street prices on something like a Fortigate 60c should be
    about $500.

    I would also look at the Juniper SRX, but I don't think they do SSL/VPN on
    this line yet, they want to do that on another box.
    Doug McIntyre, Oct 10, 2011
    #1

  2. Peter (Guest)

    Christian Hechelmann <> wrote

    >Doug McIntyre <> wrote:
    >> Peter <> writes:
    >>>I would like to replace a Draytek 2900 at a couple of installations
    >>>with something more reliable.

    >>
    >> I would also look at the Juniper SRX, but I don't think they do SSL/VPN on
    >> this line yet, they want to do that on another box.

    >
    >No they don't and in general just stay away from the SRX as the software
    >is buggy as hell, if it's gonna be Juniper at all, go for the Netscreens/SSGs.
    >At least on the NetScreen/SSGs PPTP is also supported, so there might
    >also be a smooth transition.
    >
    >The OP hasn't said for what he needs the VPN:
    >- Site to Site connectivity
    >- Roadwarriors connecting to the company network


    The answer is BOTH.

    >Both can be achieved with IPsec which all of the boxes support out of the
    >box. On the client side, you either use the on board means (e.g. on Windows
    >anything newer than XP is fine), or any of the various IPsec Clients you
    >can either buy or get free of charge.


    I don't think you can run IPSEC over GPRS/3G. I know of several people
    who have tried to make it work and don't know of anybody who has
    succeeded. PPTP (supported by both my old routers and by Windows as a
    client) at least works over most networks.

    > Ciao Chris
    Peter, Oct 12, 2011
    #2

  3. Peter (Guest)

    Christian Hechelmann <> wrote

    >Peter <> wrote:
    >>
    >> Doug McIntyre <> wrote:
    >>
    >>>Peter <> writes:
    >>>>I would like to replace a Draytek 2900 at a couple of installations
    >>>>with something more reliable.
    >>>
    >>>You don't say how many users, which is important for Cisco licensing..

    >>
    >> The VPN is used in two ways.
    >>
    >> There is a router-router VPN, which is presently done with IPSEC/AES.
    >> This provides access between two sites. Maximum one user.

    >
    >What does that mean? Does the Draytek Software limit this, or is there
    >just one guy using the site-2-site connection?


    The latter.

    >>
    >> There is what Draytek call a "teleworker" VPN i.e. access from
    >> outside, typically originating via GPRS/3G or hotel WIFI. Current
    >> maximum one user; might be two one day. This one is done using PPTP a)
    >> because the 2900 supports PPTP only and b) because Windoze supports
    >> PPTP VPNs natively.

    >
    >so there's not much load on the boxes it seems.


    Yes; very little.

    >For the sizing of the replacement boxes you should consider the following:
    >- technology used for the internet connection. Could be DSL, could be
    > cable modem, could be a leased line, or whatever
    >- bandwidth going through the box
    >- redundancy needed?
    >- features used/needed: IPsec? SSL-VPN?
    >- budget :)
    >- Licensing costs
    >
    >And do yourself a favor and get a support plan for the boxes you buy.
    >They're usually next to nothing compared to the cost of halting the
    >entire company because there is no Internet, eMail, etc pp...
    >
    >> I will have a look - thank you. I have never heard of them sold here
    >> in the UK though.

    >
    >:-D Juniper gear is sold and used all over the world, as is Cisco. Juniper
    >comes from a carrier background; they have only recently started offering
    >"end-user" gear.
    >
    >> I have also looked at Sonicwall but they seem to be $3000+ for the SSL
    >> VPN box.

    >
    >Dedicated SSL-VPN boxes are usually not cheap at all. At least the Juniper
    >SAs do more than just connecting networks together.
    >
    > Ciao Chris
    Peter, Oct 12, 2011
    #3
  4. Peter (Guest)

    alexd <> wrote

    >Peter (for it is he) wrote:
    >
    >> alexd <> wrote:

    >
    >>>Buy a firewall with it built in, rather than the dedicated SSL VPN box.
    >>>Much cheaper for fewer users, and does other things as well.

    >>
    >> Can you suggest any?

    >
    >Well yes, I think I suggested a TZ100 to you in uk.telecom.broadband a while
    >ago :)


    Your memory is better than mine :)

    Yes; I have visited this requirement before.

    I have just looked at the TZ100. It is very cheap.

    >Small firewall with 5 interfaces and a single concurrent SSL VPN
    >license, 5 site-to-site IPsec, 5 VLANs, unlimited devices on the LAN. Extra
    >SSL licenses are ~£30 each.


    I am trying to work out if it will do what the Draytek 2900 is
    currently used for.

    At the ADSL end we have a modem (D-link 300 on one site, Draytek 120
    on the other site).

    At the LAN end we have a 16-port ethernet switch.

    There is some port forwarding configured, because both LANs have a web
    server running. Yes, the server's performance is not stellar, being on
    the 448k ADSL uplink ;) but it's fine for the purpose.

    There is also an email server at each site, getting an SMTP
    filtered-email feed from Messagelabs. The incoming email port is
    filtered by IP so that only the Messagelabs IP ranges (about 5 IPs)
    can make SMTP connections (we had massive spam problems before we went
    to ML).

    So we port forward Port 80 etc.

    Each router also has a DHCP server for the internal LAN.

    Each router has wifi enabled although I am getting away from this,
    towards wifi bridges (Draytek 800) because Iphone4/Ipad2 wifi crashes
    the Draytek 2900 wifi subsystem ;)

    The two sites are very similar in terms of router config.

    Assuming the TZ100 can do this, I would buy a couple of them and see
    if I can get them to work.

    >I have no definitive proof that a Sonicwall is better than anything else,
    >but I use this stuff every day and it seems to work, so that's why I'm
    >suggesting it. It's certainly more cost-effective than an ASA. If I were
    >forced to find fault with it, then I would say that I really do prefer
    >devices with a plain-text configuration and a decent CLI, but then maybe I'm
    >old-fashioned.
    >
    >> I was after a complete router with the SSL VPN functionality,

    >
    >When does a router become a firewall and vice versa? Cisco ASA and Sonicwall
    >both support dynamic routing protocols and Sonicwalls will do policy-based
    >routing [send, say, the boss's web browsing down line one and the minion's
    >web browsing down line two] and in my book those are "router" features.
    >Cisco IOS, the quintessential router OS, supports firewally stuff like
    >protocol inspection. A fully-featured firewall is indistinguishable from a
    >fully-featured router, IMO.


    Sure; understood.

    >> not just an SSL VPN terminating box.

    >
    >OK. Sonicwall, amongst others, also make standalone SSL VPN termination kit,
    >which is more appropriate for where you have tens or hundreds of users you
    >want to give SSL VPN access to. I guess if you google "ssl vpn" you'll end
    >up looking at dedicated stuff, rather than finding a lower-end all-in-one
    >affair.
    Peter, Oct 12, 2011
    #4
  5. Rob (Guest)

    Peter <> wrote:
    > I don't think you can run IPSEC over GPRS/3G. I know of several people
    > who have tried to make it work and don't know of anybody who has
    > succeeded. PPTP (supported by both my old routers and by Windows as a
    > client) at least works over most networks.


    Why do you think that?
    We have used PPTP a long time over GPRS/3G but we have switched to
    L2TP/IPsec and we have experienced no problem at all, on two different
    providers.
    We use the standard VPN facility in Windows XP. You need to select
    L2TP, not Automatic, because Automatic means it will try PPTP first.

    (we use a generic Cisco router with IOS)

    The only problem is that connectivity is so flaky, resulting in
    frequent loss of the VPN connection. Automatic reconnect usually does
    not work because there is a stack of connections that need to be made,
    first from the laptop to the mobile network and then a VPN on top of that,
    and the correct sequencing is important. But that is true for any
    protocol. It may only be that certain custom VPN software would handle
    the problem more smoothly than bare Windows does.
    Rob, Oct 12, 2011
    #5
  6. Rob (Guest)

    Peter <> wrote:
    >
    > Rob <> wrote:
    >
    >>Peter <> wrote:
    >>> I don't think you can run IPSEC over GPRS/3G. I know of several people
    >>> who have tried to make it work and don't know of anybody who has
    >>> succeeded. PPTP (supported by both my old routers and by Windows as a
    >>> client) at least works over most networks.

    >>
    >>Why do you think that?
    >>We have used PPTP a long time over GPRS/3G but we have switched to
    >>L2TP/IPsec and we have experienced no problem at all, on two different
    >>providers.
    >>We use the standard VPN facility in Windows XP. You need to select
    >>L2TP, not Automatic, because Automatic means it will try PPTP first.

    >
    > That's interesting. I have never tried that.
    >
    > Does L2TP offer better compatibility with mobile networks? AIUI, PPTP
    > requires the specific protocol support to be enabled in all the
    > routers along the line.


    You may experience trouble due to NAT.
    Do you get a private address on your GPRS/3G? Some 10.x.x.x address
    usually? This means there is a NAT between you and the internet, and
    most VPN protocols do not like that.
    On the subscriptions I have used, a public IP address is assigned to
    the mobile system. Then there usually still is some filtering, e.g.
    blocking of incoming TCP traffic, but it is OK for VPN.
    Sometimes you can switch between private and public addresses by selecting
    a different APN in the configuration of your modem. Ask your provider
    about it.

    > I have found many WIFI networks which don't pass through PPTP (maybe
    > the AP has just got the ports blocked) and quite a lot of GPRS/3G
    > networks which do likewise, though this is less of a problem nowadays.


    WIFI networks usually have NAT

    > Why did you go to L2TP?


    Because it looks like L2TP copes better with links with packet loss
    than PPTP does. I have no hard evidence but some testing points out
    that the VPN performed better and was more stable in situations where
    the reception was marginal (and hence packet loss occurs, visible when
    you run a ping)

    It is also more secure.
    Rob, Oct 12, 2011
    #6
  7. Peter (Guest)

    Rob <> wrote

    >Peter <> wrote:
    >>
    >> Rob <> wrote:
    >>
    >>>Peter <> wrote:
    >>>> I don't think you can run IPSEC over GPRS/3G. I know of several people
    >>>> who have tried to make it work and don't know of anybody who has
    >>>> succeeded. PPTP (supported by both my old routers and by Windows as a
    >>>> client) at least works over most networks.
    >>>
    >>>Why do you think that?
    >>>We have used PPTP a long time over GPRS/3G but we have switched to
    >>>L2TP/IPsec and we have experienced no problem at all, on two different
    >>>providers.
    >>>We use the standard VPN facility in Windows XP. You need to select
    >>>L2TP, not Automatic, because Automatic means it will try PPTP first.

    >>
    >> That's interesting. I have never tried that.
    >>
    >> Does L2TP offer better compatibility with mobile networks? AIUI, PPTP
    >> requires the specific protocol support to be enabled in all the
    >> routers along the line.

    >
    >You may experience trouble due to NAT.


    Why would that be?

    If a client device needs to connect to a VPN server, the server's
    router needs to have port forwarding enabled on the VPN port(s).

    With a VPN router, this is already done implicitly when you
    enable/configure the VPN.

    >Do you get a private address on your GPRS/3G? Some 10.x.x.x address
    >usually? This means there is a NAT between you and the internet, and
    >most VPN protocols do not like that.
    >On the subscriptions I have used, a public IP address is assigned to
    >the mobile system. Then there usually still is some filtering, e.g.
    >blocking of incoming TCP traffic, but it is OK for VPN.
    >Sometimes you can switch between private and public addresses by selecting
    >a different APN in the configuration of your modem. Ask your provider
    >about it.


    One does not have that option when travelling. You end up on whichever
    3G network you find.

    I am not talking about the *server* end of the VPN being on 3G. That
    would be very tricky, unless you were given a fixed IP.
    >
    >> I have found many WIFI networks which don't pass through PPTP (maybe
    >> the AP has just got the ports blocked) and quite a lot of GPRS/3G
    >> networks which do likewise, though this is less of a problem nowadays.

    >
    >WIFI networks usually have NAT


    Comments as above, however. NAT is not a problem.

    It is like if e.g. you run a web server behind a NAT router. You have
    to port forward Port 80 to the web server's internal IP.

    >> Why did you go to L2TP?

    >
    >Because it looks like L2TP copes better with links with packet loss
    >than PPTP does. I have no hard evidence but some testing points out
    >that the VPN performed better and was more stable in situations where
    >the reception was marginal (and hence packet loss occurs, visible when
    >you run a ping)


    That's interesting; worth a try.

    >It is also more secure.


    Can you give more details?

    A lot of people say PPTP is insecure but at the same time nobody seems
    to have developed a straightforward attack on it.
    Peter, Oct 12, 2011
    #7
  8. Rob (Guest)

    Peter <> wrote:
    >>You may experience trouble due to NAT.

    >
    > Why would that be?
    >
    > If a client device needs to connect to a VPN server, the server's
    > router needs to have port forwarding enabled on the VPN port(s).
    >
    > With a VPN router, this is already done implicitly when you
    > enable/configure the VPN.


    Please study the matter more carefully.
    Protocols like PPTP do not use "ports". They are a protocol on their
    own, not using TCP or UDP but running directly on top of IP.

    The "NAT model" does not cleanly apply to such protocols.
    Workarounds are possible, but with limitations.

    > One does not have that option when travelling. You end up on whichever
    > 3G network you find.


    Our workers only travel within the country and are always on the same
    network. Your situation may be different.

    > Comments as above, however. NAT is not a problem.


    I think NAT is your problem. But maybe it isn't, and I am wrong.
    I cannot help you with that.

    >>It is also more secure.

    >
    > Can you give more details?
    >
    > A lot of people say PPTP is insecure but at the same time nobody seems
    > to have developed a straightforward attack on it.


    L2TP has an additional "shared secret" or PKI certificate in addition
    to the username/password authentication of PPTP.

    Anyone knowing the username/password of one of your users can get in
    the PPTP server, and such information usually leaks out easily e.g.
    because workers share it with colleagues or it is overlooked when they
    enter it. With L2TP/IPsec you basically authenticate the machine in
    addition to the user.
    Rob, Oct 12, 2011
    #8
  9. Peter <> writes:
    >>L2TP has an additional "shared secret" or PKI certificate in addition
    >>to the username/password authentication of PPTP.
    >>
    >>Anyone knowing the username/password of one of your users can get in
    >>the PPTP server, and such information usually leaks out easily e.g.
    >>because workers share it with colleagues or it is overlooked when they
    >>enter it. With L2TP/IPsec you basically authenticate the machine in
    >>addition to the user.


    >If that's the only issue, that's no problem for me because I am the
    >only person using the VPN.


    The earlier versions of PPTP were also notoriously very insecure and
    easily cracked (easier than brute forcing the end users' password).

    Certificates also comply with required enterprise policies (ie. two
    factor authentication required for VPN connections) from policy
    drivers like sarbox & PCI-DSS.
    Doug McIntyre, Oct 13, 2011
    #9
  10. Rob (Guest)

    Peter <> wrote:
    > From vague memory, UK mobile networks which blocked PPTP were Orange
    > and T-Mobile, though T-M has been OK for the last 2 years or so. And
    > many others abroad also blocked it and do now.


    We use T-Mobile and KPN in the Netherlands and both are OK for PPTP
    and for L2TP/IPsec.

    On KPN we use the APN that provides transparent access, but I think it
    works on the default (firewalling) APN as well.
    Rob, Oct 13, 2011
    #10
  11. Rob (Guest)

    Peter <> wrote:
    >
    > Rob <> wrote:
    >
    >>Peter <> wrote:
    >>> From vague memory, UK mobile networks which blocked PPTP were Orange
    >>> and T-Mobile, though T-M has been OK for the last 2 years or so. And
    >>> many others abroad also blocked it and do now.

    >>
    >>We use T-Mobile and KPN in the Netherlands and both are OK for PPTP
    >>and for L2TP/IPsec.

    >
    > That is a very useful data point - thank you.
    >
    > Incidentally, on one of the Youtube videos on how to set up the VPN on
    > an Ipad, it shows PPTP, L2TP, or IPSEC. It appears to have 3 tabs.
    > Does that make sense?


    It is also possible to use bare IPsec for a VPN.
    In a roaming user scenario, it is probably better to use L2TP on top
    of that, but for fixed VPN setups it is usually not used.
    Rob, Oct 13, 2011
    #11
  12. Peter <> writes:
    >Incidentally, on one of the Youtube videos on how to set up the VPN on
    >an Ipad, it shows PPTP, L2TP, or IPSEC. It appears to have 3 tabs.
    >Does that make sense?


    One of the toughest things about VPNs, is that there are many
    technologies, and people call them different items depending on how
    they are using/defining things.. There is nothing too universal about it.

    In the Apple iOS case, PPTP is straight up. L2TP is L2TP over IPSec
    like normal, although needing some specific requirements on the backside.
    But the IPSec option is actually 'Cisco Anyconnect VPN client'.
    It can't connect to anything but a Cisco VPN server. Furthermore, the
    design of the OS and sandboxing prevents any other VPN client "Apps"
    to be written and be used effectively.

    Your best universal case on Apple iOS is L2TP.
    Doug McIntyre, Oct 13, 2011
    #12
  13. Peter (Guest)

    Doug McIntyre <> wrote

    >Peter <> writes:
    >>Incidentally, on one of the Youtube videos on how to set up the VPN on
    >>an Ipad, it shows PPTP, L2TP, or IPSEC. It appears to have 3 tabs.
    >>Does that make sense?

    >
    >One of the toughest things about VPNs, is that there are many
    >technologies, and people call them different items depending on how
    >they are using/defining things.. There is nothing too universal about it.
    >
    >In the Apple iOS case, PPTP is straight up. L2TP is L2TP over IPSec
    >like normal, although needing some specific requirements on the backside.
    >But the IPSec option is actually 'Cisco Anyconnect VPN client'.
    >It can't connect to anything but a Cisco VPN server. Furthermore, the
    >design of the OS and sandboxing prevents any other VPN client "Apps"
    >to be written and be used effectively.
    >
    >Your best universal case on Apple iOS is L2TP.


    Many thanks for that explanation.

    My latest Ipad2 also has only those three options, so I have no idea
    how anybody manages to get SSL VPNs running on it, despite this

    http://www.apple.com/ipad/business/software-update/
    https://discussions.apple.com/thread/2431531?start=0&tstart=0
    Peter, Oct 14, 2011
    #13
  14. Peter <> writes:
    >My latest Ipad2 also has only those three options, so I have no idea
    >how anybody manages to get SSL VPNs running on it, despite this


    >http://www.apple.com/ipad/business/software-update/
    >https://discussions.apple.com/thread/2431531?start=0&tstart=0


    Again, SSL VPN means many things to many people.

    In some instances, it just is a tunnel to an internal web site.

    Other implementations have tunnelling software they download to the
    client over the web link. Others have full desktop clients that
    communicate over "SSLVPN".

    I recommended Fortinet earlier. They do all three of these scenarios.
    They also have an iOS SSLVPN App. All it is able to do is the first
    case, browse an internal web site. Ie. you start up the FortiVPN
    App. You bring up the VPN, and then you can see a website beyond the
    VPN gateway with the web browser the SSLVPN App presents.

    I don't know of anything specific Juniper or Cisco have done with
    SSLVPN Apps. I think that is just Marketing getting ahead of themselves..
    Doug McIntyre, Oct 14, 2011
    #14
  15. Peter (Guest)

    Doug McIntyre <> wrote

    >Peter <> writes:
    >>My latest Ipad2 also has only those three options, so I have no idea
    >>how anybody manages to get SSL VPNs running on it, despite this

    >
    >>http://www.apple.com/ipad/business/software-update/
    >>https://discussions.apple.com/thread/2431531?start=0&tstart=0

    >
    >Again, SSL VPN means many things to many people.
    >
    >In some instances, it just is a tunnel to an internal web site.
    >
    >Other implementations have tunnelling software they download to the
    >client over the web link.


    Ok; that's very clever.

    >Others have full desktop clients that
    >communicate over "SSLVPN".
    >
    >I recommended Fortinet earlier. They do all three of these scenarios.
    >They also have an iOS SSLVPN App. All it is able to do is the first
    >case, browse an internal web site. Ie. you start up the FortiVPN
    >App. You bring up the VPN, and then you can see a website beyond the
    >VPN gateway with the web browser the SSLVPN App presents.


    Can you suggest a product? Their website is highly opaque, with stupid
    categories like 'big business ' 'small business' etc.

    I have emailed them too.

    >I don't know of anything specific Juniper or Cisco have done with
    >SSLVPN Apps. I think that is just Marketing getting ahead of themselves..


    Many thanks for another very useful reply.

    This is a good learning experience because in the long run I have to
    manage this myself - even if I get somebody to initially set it up for
    me. That rules out Cisco ;) Even their silly old PCMCIA WIFI adaptors
    have proven opaque in their implementation of supposedly trivial stuff
    like WEP, and I never managed to make WPA work.
    Peter, Oct 15, 2011
    #15
  16. Peter (Guest)

    Christian Hechelmann <> wrote

    >Sadly SSLvpn (aside from e.g. OpenVPN) seems to be mostly geared towards
    >roadwarriors and not site-2-site connectivity, I personally only know the
    >Juniper SA series and they are not suitable for site-2-site.


    I currently run IPSEC/AES for the site-site VPN. That's not an issue.

    >> I don't think you can run IPSEC over GPRS/3G. I know of several people
    >> who have tried to make it work and don't know of anybody who has
    >> succeeded. PPTP (supported by both my old routers and by Windows as a
    >> client) at least works over most networks.

    >
    >There's nothing inherently to GPRS/3G that would make IPsec fail, though.
    >But carriers often (always?) like to NAT the "internal" portion of the
    >network towards the mobile device, and don't care if it breaks IPsec
    >(since its not an advertised feature). Also some carriers might outright
    >block it. YMMV.


    From my very limited digging, the only people I found who are running
    IPSEC over GPRS/3G are using high-end-administered systems e.g. Cisco
    employees ;) And they will be accessing a private APN.

    AIUI, if you are on GPRS/3G, and are abroad, your data goes **in the
    phone network packets** all the way to your home country, all the way
    to the APN there. It does not get connected to the internet where you
    are locally. So a private APN should work wherever you are in the
    world.

    >Hmm, from a technical standpoint, if PPTP works, so should IPsec. PPTP
    >does connection setup via tcp/1723 and then sends the traffic via GRE
    >which is even more easily broken by (Hide)NAT. IIRC there is no
    >encapsulation available at all from PPTP. L2TP however goes via udp...


    If L2TP uses UDP for everything, it should work a lot better on mobile
    networks, because they lose packets fairly frequently, and suffer
    sometimes long delays. TCP/IP does not handle this too well. At the
    extreme end you have satellite phones which are truly rubbish and I
    suspect most of the professional service providers (e.g. aviation
    weather) on those just use UDP.
    Peter, Oct 17, 2011
    #16
  17. Peter (Guest)

    alexd <> wrote

    >Well yes, I think I suggested a TZ100 to you in uk.telecom.broadband a while
    >ago :) Small firewall with 5 interfaces and a single concurrent SSL VPN
    >license, 5 site-to-site IPsec, 5 VLANs, unlimited devices on the LAN. Extra
    >SSL licenses are ~£30 each.


    As one of my 3 Draytek 2900 routers has just blown up ;) I will have
    to move on this.

    Not one router supplier has responded to my questions on capabilities
    so I will probably just have to buy a TZ100 and see what it can be
    configured for...
    Peter, Oct 17, 2011
    #17
  18. Peter <> writes:
    >Doug McIntyre <> wrote
    >>I recommended Fortinet earlier. They do all three of these scenarios.


    >Can you suggest a product? Their website is highly opaque, with stupid
    >categories like 'big business ' 'small business' etc.


    The FortiGate line is their all-in-one firewall/VPN solution.

    They just scale up from small to huge (ie. 40Gbps solutions).

    I think you've said you have a small office. I'd look at the FGT-60C
    or FGT-80C products. All the products act much the same, you are only
    buying capacity (or some higher end feature like LAPD/LAG
    capabilities, available on the 200B and up).

    There are extra add-on subscriptions for anti-virus/IPS/SPAM filter updates.
    Or just the bare "unbundled" box.

    I'd stay far away from the Fortigate 30. The 50B works alright, but is
    almost the same price as the 60C, and the 60C has much more capacity.
    Doug McIntyre, Oct 17, 2011
    #18
  19. Peter <> writes:
    >If L2TP uses UDP for everything, it should work a lot better on mobile
    >networks, because they lose packets fairly frequently, and suffer
    >sometimes long delays. TCP/IP does not handle this too well. At the
    >extreme end you have satellite phones which are truly rubbish and I
    >suspect most of the professional service providers (e.g. aviation
    >weather) on those just use UDP.


    L2TP doesn't use pure UDP. The most common implementation is L2TP
    over IPSec (unlike, say, an L2TP tunnel from Cisco router to router).

    L2TP encapsulates the tunnel into UDP packets (port 1701), which are
    then encapsulated in IPSec ESP protocol packets (protocol 50, the port
    of the packets inside is opaque to the outside).

    So, you'd be back to seeing if the cell data network let you use
    protocol 50 across it or not..
    Doug McIntyre, Oct 17, 2011
    #19
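A small packet classifier, added here as an illustration (it is not from the thread or from any vendor), that parses the outer IPv4 and layer-4 headers of the carrier packets this post and Rob's NAT point in #8 describe: PPTP control on TCP/1723, GRE (IP protocol 47), bare L2TP on UDP/1701 and L2TP inside ESP (IP protocol 50). For each it reports whether a port-translating NAT has any ports to rewrite. The sample packets and addresses are constructed; the NAT-T branch (ESP carried in UDP/4500) goes beyond what the thread covers and is labelled as such.

```python
"""Classify the VPN carrier packets discussed in the thread and say whether a
plain port-translating NAT can handle each.  Sample packets are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_CTRL_PORT, L2TP_PORT, NAT_T_PORT = 1723, 1701, 4500


@dataclass
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # TCP/UDP only
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP only


def parse_ipv4(pkt: bytes) -> Flow:
    """Parse the outer IPv4 header plus the layer-4 header that follows it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    payload = pkt[ihl:]
    flow = Flow(proto, src, dst)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(payload) < 4:
            raise ValueError("truncated transport header")
        flow.sport, flow.dport = struct.unpack("!HH", payload[:4])
    elif proto == IPPROTO_ESP:
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        # Only SPI and sequence number are cleartext; the inner L2TP/UDP
        # ports (1701) are ciphertext and invisible to any middlebox.
        flow.spi = struct.unpack("!I", payload[:4])[0]
    return flow


def classify(flow: Flow) -> Tuple[str, bool]:
    """Return (label, nat_friendly): True when TCP/UDP ports exist for a
    port-translating NAT to rewrite and track, False for port-less protocols."""
    ports = (flow.sport, flow.dport)
    if flow.proto == IPPROTO_TCP and PPTP_CTRL_PORT in ports:
        return "PPTP control channel (TCP/1723)", True
    if flow.proto == IPPROTO_GRE:
        return "GRE, PPTP data tunnel (IP protocol 47, no ports)", False
    if flow.proto == IPPROTO_UDP and L2TP_PORT in ports:
        return "bare L2TP (UDP/1701, unencrypted)", True
    if flow.proto == IPPROTO_ESP:
        return "IPsec ESP (IP protocol 50, inner L2TP hidden)", False
    if flow.proto == IPPROTO_UDP and NAT_T_PORT in ports:
        return "IPsec NAT-T, ESP inside UDP/4500 (beyond the thread)", True
    return "other", flow.sport is not None


def ipv4_packet(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet; checksum is left zero, fine for parsing."""
    a = bytes(int(x) for x in src.split("."))
    b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, a, b)
    return hdr + payload


# Constructed samples: a roaming client on a carrier-private 10.x address
# reaching a VPN gateway on a documentation address.
CLIENT, GATEWAY = "10.64.3.7", "203.0.113.10"
SAMPLES: Dict[str, bytes] = {
    "pptp_ctrl": ipv4_packet(IPPROTO_TCP, CLIENT, GATEWAY,
                             struct.pack("!HH", 49152, PPTP_CTRL_PORT) + b"\x00" * 16),
    # GRE header: flags/version 0x3001 (key + sequence, PPTP v1), protocol 0x880B (PPP)
    "pptp_gre": ipv4_packet(IPPROTO_GRE, CLIENT, GATEWAY,
                            bytes.fromhex("3001880b") + b"\x00" * 12),
    # UDP header (1701 -> 1701, length 20, no checksum) followed by an L2TP payload
    "l2tp_bare": ipv4_packet(IPPROTO_UDP, CLIENT, GATEWAY,
                             struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 20, 0) + b"\xc8\x02" * 6),
    # ESP header: SPI 0x0000ABCD, sequence 1, then opaque ciphertext
    "l2tp_ipsec": ipv4_packet(IPPROTO_ESP, CLIENT, GATEWAY,
                              struct.pack("!II", 0xABCD, 1) + b"\x5a" * 16),
}


def report() -> Dict[str, Tuple[str, bool, Optional[int]]]:
    """Classify every sample: {name: (label, nat_friendly, spi_or_None)}."""
    out = {}
    for name, pkt in SAMPLES.items():
        flow = parse_ipv4(pkt)
        label, nat_ok = classify(flow)
        out[name] = (label, nat_ok, flow.spi)
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```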
  20. Peter (Guest)

    Doug McIntyre <> wrote

    >So, you'd be back to seeing if the cell data network let you use
    >protocol 50 across it or not..


    OK.

    There seems to be a big variation in the way that different mobile
    networks are configured.

    Even on non-internet stuff there are differences. For example, I found
    in the development of a fairly obscure product, that Virgin supports
    GSM FAX whereas T-Mobile doesn't - despite V running *over* the T-M
    network ;)

    Currently, I am getting adequate results running PPTP (which
    historically often failed to work) on T-M, both UK and abroad.
    Vodafone is also OK.
    Peter, Oct 18, 2011
    #20