
Best VPN Remote Solution?

kushalpa (MIS), Feb 21, 2003
I have a Netscreen 50 that I am configuring to be a NAT based Firewall with site to site VPN and 50 "Dial-Up VPN" users.

What is the most efficient way to setup 50 remote Auto-IKE users? I want to use the least policies and have control over each users pre-shared key individually? Has anyone found this task cumbersome? Is there a good solution (besides buying Global Pro)?
 
Even thinking about it I would find it cumbersome! Why do you want individual pre-shared keys? The user won't know the pre-shared key in the first place so there is nothing to compromise, is there? Configure the setup using one set of policies on the NS50. Once they have authenticated on the VPN then they will have to authenticate again to use services - I assume?
 
What if a user is fired? (Disgruntled mail delivery employee... maybe)

If a universal pre-shared key and policy is used, once someone gets their hands on it, there is no way to deny them access. It is true that you do have to authenticate again to use services, but the person has a secure tunnel to the INSIDE of the network. I need to be able to grant/deny individual people access. Isn't this standard practice? Thanks for your quick response ;-)
 
The user should never see the pre-shared key - that is distributed by yourself? I haven't worked with Netscreen Remote but I am sure the pre-shared key is not distributed in clear text. Although, thinking about it, it is in clear text in the config of our Netscreens so it might be in clear-text on the Netscreen Remote box as well - yeuch.

BUT - These users will still need to be authenticated before they get onto the network using netscreen or RADIUS authentication. So the tunnel ain't gonna happen until this occurs. Password sharing would be a problem but it always is.

Remember that there are a limited number of policies that you can apply to a netscreen and that is hard-coded. For a NS50 that's 1000 policies. If you persist in being granular you may end up catching a whole heap of trouble later.
 