Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
dro
New Member

Best PIX Performance: Easy VPN Remote or Site-to-Site

Hi Folks,

I tried to look around to see if this has been discussed before, but I didn't find anything. If it has, please accept my appologies ;-)

I have a PIX to PIX VPN network currently running with around 50 501's and 506's which all terminate on a 515 at the headend. I'm expecting the number of remote connections to be increased by a few hundred. The 515 isn't doing any actual firewall tasks and is being used strictly as a VPN terminator. It also has the PCI Encryption card installed as well.

Is there a performance difference in using the Easy VPN Remote subset of commands (vpnclient/vpngroup) over the 'isakmp/crypto map' method? Are there certain benefits for going one way instead of the other? Does anyone have any experience in a large number of VPN connections using either method that they would like to comment on?

I'm trying to find out if one method will consume less resources on the 515 compared to the other to be able to support as many remote connections as possible with my current hardware.

Thanks,

-Joshua

1 REPLY
Silver

Re: Best PIX Performance: Easy VPN Remote or Site-to-Site

Using the two different commands sets themselves have no differences. A dynamic crypto client is the same as a vpngroup client.

Where you will see a difference is in when configuring a site-to-site tunnel on the Pix where the remote peer is identified in crypto map by an IP address. This will use Main Mode for Phase 1 negotiations.

Using the EZVPN/hardware client configuration will emulate a Unity client, which will use Aggressive mode for Phase 1.

Main Mode uses three two-way exchanges while Aggressive mode uses one three-way handshake. Aggressive mode is slight faster and requires less overhead, but it's also a little less secure.

Except for these Phase I negotiations when the tunnel is built, there should be no differences in resource utilization when comparing the EZVPN/hardware client with the site-to-site configuration. The encryption and maintenance of the tunnels should be the same after initialization.

There's another post close by this one with the details as provided by some other very helpful individuals.

95
Views
0
Helpful
1
Replies
CreatePlease to create content