210 Views, 0 Helpful, 1 Reply

Best PIX Performance: Easy VPN Remote or Site-to-Site

dro
Level 1

Hi Folks,

I tried to look around to see if this has been discussed before, but I didn't find anything. If it has, please accept my apologies ;-)

I have a PIX-to-PIX VPN network currently running with around 50 501s and 506s, which all terminate on a 515 at the headend. I'm expecting the number of remote connections to be increased by a few hundred. The 515 isn't doing any actual firewall tasks and is being used strictly as a VPN terminator. It also has the PCI encryption card installed.

Is there a performance difference in using the Easy VPN Remote subset of commands (vpnclient/vpngroup) over the 'isakmp/crypto map' method? Are there certain benefits for going one way instead of the other? Does anyone have any experience in a large number of VPN connections using either method that they would like to comment on?

I'm trying to find out if one method will consume less resources on the 515 compared to the other to be able to support as many remote connections as possible with my current hardware.

Thanks,

-Joshua

1 Reply

shannong
Level 4

Using the two different command sets themselves makes no difference. A dynamic crypto client is the same as a vpngroup client.

Where you will see a difference is when configuring a site-to-site tunnel on the PIX where the remote peer is identified in the crypto map by an IP address. This will use Main Mode for Phase 1 negotiations.

Using the EZVPN/hardware client configuration will emulate a Unity client, which will use Aggressive mode for Phase 1.

Main Mode uses three two-way exchanges while Aggressive Mode uses one three-way handshake. Aggressive Mode is slightly faster and requires less overhead, but it's also a little less secure.

Except for these Phase 1 negotiations when the tunnel is built, there should be no differences in resource utilization when comparing the EZVPN/hardware client with the site-to-site configuration. The encryption and maintenance of the tunnels should be the same after initialization.

There's another post close by this one with the details as provided by some other very helpful individuals.
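The reply above says Aggressive Mode is "a little less secure" without spelling out why. The following is an added example, not part of the original thread and not Cisco's code: it models the RFC 2409 pre-shared-key derivation (SKEYID and HASH_R) with HMAC-SHA1 and shows that a passive observer of an Aggressive Mode Phase 1 exchange, who sees the responder's identity and HASH_R in the clear in message 2, can confirm a guessed PSK offline from a wordlist, whereas the same observer of a Main Mode exchange cannot, because those payloads travel inside the already encrypted messages 5 and 6. All cookies, nonces, DH values and SA/ID payload bodies below are constructed placeholders (shortened for readability) and the `observer_view` / `crack_psk` function names are this example's own.

```python
"""Added example: offline PSK verification against an IKEv1 Aggressive Mode
Phase 1 exchange versus Main Mode. Not code from the original thread or from
Cisco; all byte values are constructed, not captured traffic."""
import hashlib
import hmac

# Constructed placeholder payloads. Real DH public values and SA bodies are
# much longer; sizes here are shortened and the contents are arbitrary.
CKY_I = b"\x11" * 8                  # initiator cookie
CKY_R = b"\x22" * 8                  # responder cookie
NI = b"\x33" * 16                    # initiator nonce Ni_b
NR = b"\x44" * 16                    # responder nonce Nr_b
GXI = bytes(range(1, 17))            # initiator DH public value g^xi
GXR = bytes(range(17, 33))           # responder DH public value g^xr
SAI_B = b"\x00\x00\x00\x01\x01\x01\x00\x00"   # initiator SA payload body
IDIR_B = b"\x01\x00\x00\x00" + bytes([10, 0, 0, 1])  # responder ID (IPv4, constructed)


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 uses HMAC with the negotiated hash as prf; SHA-1 assumed here.
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 5.4, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def hash_r(psk: bytes, fields: dict) -> bytes:
    # RFC 2409 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    skeyid = skeyid_psk(psk, fields["ni"], fields["nr"])
    return prf(skeyid, fields["gxr"] + fields["gxi"] + fields["cky_r"]
               + fields["cky_i"] + fields["sai_b"] + fields["idir_b"])


def observer_view(psk: bytes, mode: str) -> dict:
    """What a passive observer of a Phase 1 exchange built with `psk` can read.

    aggressive: 3 messages; SA, KE, nonce, IDir and HASH_R are all cleartext
                (message 2 carries IDir and HASH_R unencrypted).
    main:       6 messages; SA, KE and nonces are cleartext (messages 1-4),
                but IDir and HASH_R are inside the encrypted messages 5/6.
    """
    if mode not in ("aggressive", "main"):
        raise ValueError("mode must be 'aggressive' or 'main'")
    fields = {"cky_i": CKY_I, "cky_r": CKY_R, "ni": NI, "nr": NR,
              "gxi": GXI, "gxr": GXR, "sai_b": SAI_B, "idir_b": IDIR_B}
    visible = {k: v for k, v in fields.items() if k != "idir_b"}
    if mode == "aggressive":
        visible["idir_b"] = IDIR_B
        visible["hash_r"] = hash_r(psk, fields)
    return visible


def crack_psk(view: dict, wordlist):
    """Return the first PSK candidate whose HASH_R matches the observed one,
    or None when no candidate matches or the hash was never observable."""
    if "hash_r" not in view or "idir_b" not in view:
        return None  # Main Mode: nothing in the clear to test a guess against
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, view), view["hash_r"]):
            return candidate
    return None


if __name__ == "__main__":
    words = [b"password", b"cisco", b"cisco123", b"letmein"]
    print("aggressive:", crack_psk(observer_view(b"cisco123", "aggressive"), words))
    print("main:      ", crack_psk(observer_view(b"cisco123", "main"), words))
```

The practical consequence for the question in this thread: on the Aggressive Mode (EZVPN/vpngroup) side the group pre-shared key must be long and random rather than a dictionary word, since anyone who can sniff the handshake gets an offline guessing oracle; on the Main Mode side the PSK is still the trust root, but a passive observer does not get that oracle.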