Most VPN equipment manufacturers claim standard features like 3DES encryption, MD5/SHA-1 hash algorithms, and DH or RSA public/private key exchange mechanisms. It is very difficult to choose a product that satisfies all requirements. However, the following should be relevant.
1. Compliance with IPSec standards.
2. Should be scalable (pre-shared keys are not scalable and introduce admin overheads).
3. Should terminate IPSec tunnels from routers that get variable IP addresses (e.g. an ISDN router that uses a normal account to log in to an ISP; the Cisco PIX firewall does it with Dynamic Crypto Maps).
4. Should support Tacacs+, Radius and SecurID authentication. Should force authentication on any TCP port.
5. The VPN client software should be fully functional through PAT.
The VPN solution that I designed and which is working presently has both Cisco PIX firewall and ETrust VPN from Computer Associates. The combination has been working great for the company.
1. Encryption throughput using 3DES during high utilization:
Cisco uses ASICs and produces true hardware encryption, whereas appliances like the Nortel Extranet Switch 4500 use general-purpose processors like the Intel Pentium and even have hard drives that are not hot-swappable. This requires that you decommission the device in order to field-repair it during outages. The Pentium processor architecture has a bottleneck in the cache, and this should be considered. Further, the Nortel appliance performs all right using DES encryption, but Cisco leads in 3DES encryption.
2. Failover between VPN gateways in a cluster:
Cisco VPN Concentrators fail over to the remaining SEPs within the device if a SEP engine fails. If, for example, all four SEP engines fail in the Cisco 3080 VPN Concentrator, then software encryption will kick in, and if the device fails, the cluster will elect a master.
3. Cost of client and client security:
Checkpoint charges a fee for its client, but Cisco and Nokia have unlimited client licensing. The Cisco client is something worth taking a look at. Further, Cisco plans to release a future client with an integrated personal firewall, and this can prevent subversions during split-tunnelling.
4. IPSec over NAT:
This is a functional concern that has to be addressed. Currently, Cisco supports IPSec over UDP, and this is a workaround that will enable IPSec through NAT. During a NAT overload scenario, IPSec packets will be dropped by the VPN gateway, as the packet checksums will not match the NATted packet, because the VPN gateway thinks that packet integrity and authenticity have been compromised.
5. Cluster Management - Cost and Functionality:
Cisco VPN Concentrator cluster management does not cost you extra, but Nortel charges an unreasonable fee, like $12,000, for this software. Without it you will be in misery if you have multiple Nortel VPN gateways in the cluster.
6. Technical Support:
Cisco TAC leads the industry in reliable and dependable technical support.
7. Product Reliability, Redundancy, Serviceability and Compatibility of Features with organization's Infrastructure and Planned Implementation:
This is self-explanatory; you need to look out for caveats that may hamper your rollout. It is easy to have an oversight in this regard, so care must be taken in the evaluation process.
The Cisco 3060 Concentrator, for example, can be scaled up by merely inserting SEP engines.
Hope the above gets you thinking. Feel free to contact me with any questions.
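To make point 4 (IPSec over NAT) concrete, here is an added Python example that is not part of the original post and not Cisco or Nortel code. It models, in simplified form, why an integrity check that covers the IP addresses (as AH does) fails once a NAT rewrites the source address, and why wrapping ESP in UDP (the "IPSec over UDP" workaround the post mentions) survives a NAT/PAT rewrite of the outer header: the ESP integrity check covers only the ESP packet, and the UDP header gives the PAT device a port to rewrite. It goes slightly beyond the post by showing both cases side by side. The key, addresses, SPI and payload bytes are constructed for the demo; HMAC-SHA1 truncated to 96 bits stands in for the negotiated integrity algorithm.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; on a real SA this is derived by IKE.
SA_KEY = b"constructed-demo-integrity-key"
ICV_LEN = 12  # HMAC-SHA1-96 style truncation


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options). Header checksum is left zero;
    it is a mutable field that any integrity check has to exclude anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """AH-style preparation: TTL and header checksum change in transit and are zeroed,
    but source and destination addresses are treated as immutable and stay covered."""
    hdr = bytearray(ip_header)
    hdr[8] = 0                    # TTL
    hdr[10:12] = b"\x00\x00"      # header checksum
    return bytes(hdr)


def ah_icv(ip_header: bytes, payload: bytes) -> bytes:
    """Simplified AH integrity check value over the immutable IP header fields plus payload."""
    return hmac.new(SA_KEY, zero_mutable_fields(ip_header) + payload, hashlib.sha1).digest()[:ICV_LEN]


def ah_verify(ip_header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(ip_header, payload), icv)


def nat_rewrite_src(ip_header: bytes, new_src: str) -> bytes:
    """What a NAT does to the outer header: replace the source address."""
    hdr = bytearray(ip_header)
    hdr[12:16] = socket.inet_aton(new_src)
    return bytes(hdr)


def demo_ah_through_nat() -> tuple:
    """Returns (verifies_before_nat, verifies_after_nat) for an AH-protected packet."""
    payload = b"constructed inner data"
    hdr = build_ipv4_header("10.0.0.5", "203.0.113.10", 51, 20 + len(payload))  # proto 51 = AH
    icv = ah_icv(hdr, payload)
    natted = nat_rewrite_src(hdr, "198.51.100.7")
    return ah_verify(hdr, payload, icv), ah_verify(natted, payload, icv)


def esp_icv(esp_without_icv: bytes) -> bytes:
    """ESP integrity check covers only the ESP header and encrypted payload, never the outer IP/UDP headers."""
    return hmac.new(SA_KEY, esp_without_icv, hashlib.sha1).digest()[:ICV_LEN]


def build_udp_encap_esp(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Outer IPv4 + UDP (port 4500, as used for NAT traversal) + ESP(spi, seq, ciphertext, icv)."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    esp += esp_icv(esp)
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0)
    outer = build_ipv4_header(src, dst, 17, 20 + 8 + len(esp))  # proto 17 = UDP
    return outer + udp + esp


def nat_rewrite_outer(packet: bytes, new_src: str, new_sport: int) -> bytes:
    """PAT ("NAT overload") rewrites the outer source address and the UDP source port."""
    pkt = bytearray(packet)
    pkt[12:16] = socket.inet_aton(new_src)
    pkt[20:22] = struct.pack("!H", new_sport)
    return bytes(pkt)


def verify_udp_encap_esp(packet: bytes) -> bool:
    """Gateway side: strip the 20-byte IP and 8-byte UDP headers, check the ESP ICV."""
    esp = packet[28:]
    return hmac.compare_digest(esp_icv(esp[:-ICV_LEN]), esp[-ICV_LEN:])


def demo_esp_udp_through_nat() -> tuple:
    """Returns (verifies_before_nat, verifies_after_pat) for UDP-encapsulated ESP."""
    pkt = build_udp_encap_esp("10.0.0.5", "203.0.113.10", 0x1000, 1, b"constructed ciphertext")
    natted = nat_rewrite_outer(pkt, "198.51.100.7", 61000)
    return verify_udp_encap_esp(pkt), verify_udp_encap_esp(natted)


if __name__ == "__main__":
    print("AH  (before NAT, after NAT):", demo_ah_through_nat())
    print("ESP/UDP (before NAT, after PAT):", demo_esp_udp_through_nat())
```

The AH case returns (True, False): the gateway has no way to tell a NAT rewrite from tampering, so the packet is dropped, which is the failure the post describes. The UDP-encapsulated ESP case returns (True, True): the PAT device changes only fields outside the authenticated region, so the integrity check still passes and the gateway can also use the UDP port to tell several clients behind one address apart.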
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: