
Hardware vs. Software VPN


dibbkd (IS-IT--Management), Oct 12, 2002
I'm new to VPNs, but I read that Windows Server 2003 has built-in VPN features.

I'm not too crazy about having Microsoft run my VPN, but has anyone used this, and how do they like it?

What hardware VPNs are good for a small LAN? I'm looking at D-Link, Netgear, Linksys, etc.

Any suggestions?

Thanks
 
VPN on Windows 2003 is flawless. A $1000 3.2 GHz 1U box running Win2003 RRAS will perform as well as a $30,000 "hardware" VPN concentrator. I've personally done some throughput testing to confirm it.

It will do Site to Site and Site to Client VPN just fine. I personally prefer doing the Site-to-Site stuff on Cisco FWIOS routers and PIX Firewalls, but there is nothing wrong with using a Win2003 box for it.
George Ou
Network Systems Architect

Get more powerful articles and tools from my webpage
 
I'm partial to hardware systems where possible. Higher availability and generally less maintenance. A PIX can be had starting around $400 for 10 users up to around $900 for unlimited. Truly high-end requirements take a truly high-end firewall, but either of the lower models should work great for you.

Plus, you don't lose network connectivity when the server needs rebooting.
 
I wasn't planning on spending anywhere near $30,000 on a VPN box, more like $200 on a D-Link VPN that supports IPsec, PPTP, or L2TP.

And I already have a 3 GHz Windows 2003 AD server; I just wasn't crazy about using it for VPN.

Basically want to securely be able to map a drive on my office LAN from home.

 
dib,

One more hardware mfg to throw at you. ZyXEL makes a VPN device called the ZyWALL. It comes in a few flavors (i.e., 10, 50, 75, 100, etc.) and is reasonably priced. I'm currently replacing my Linksys units with these units because of reliability issues on the Linksys units. I think I paid $280 from CDW for a 10-tunnel unit.

Good luck.
 
Well dibbkd,

It looks like you answered your own question. If the $200 does what you need, then no point in building a new Win2003 box for Site-to-Site VPN or Site-to-Client VPN.


Lgarner,
Hey, I'm a huge PIX and FWIOS guy myself and I will generally run site-to-site VPN on either a Cisco PIX or, better yet, a FWIOS Cisco router. However, there is nothing wrong with doing it on a Win2003 box, and if you lock it down it really won't need much rebooting. Granted, Cisco IOS or PIX only needs to be updated every year, whereas a Win2003 RRAS box probably needs to be updated once every 3 months (many of the critical updates don't apply if you shut all non-essential services down).

Still, I prefer to use the integrated XP VPN L2TP client because of its ease of deployment (there is none :)) and that is why I like using Win2003 for Site-to-Client VPN. I've done it on PIX or FWIOS and it's perfectly good there too, so long as you don't mind manually deploying digital certificates on the Cisco VPN client. The number of times you have to patch the Cisco box is less, but an automated update and reboot for Win2003 at night once a month is no problem for me. I just don't want to manually deploy the clients. It's all just a matter of preference of what you'd rather manage. The Win2003 box on commodity hardware does rule in terms of performance and price by a landslide.

George Ou
Network Systems Architect
 
George:
Like what kind of performance?
Max tunnels vs. throughput?
Which encryption?
Which hash?
Etc.

I always wondered why Cisco sells the VAC at $2200.


 
The testing I did was on IPsec 3DES throughput. I was able to push the thing to around 60 Mbit/s at 30% CPU utilization on a 3.2 GHz P4 (800 MHz FSB, with Hyperthreading). I didn't have the gigabit connections available to really test the throughput to see what the high end of the mark was, but 60 Mbit/s of 3DES traffic at around 30% CPU utilization is pretty impressive, considering that the top-of-the-line Cisco VPN 3000s that sell for around $30K have a peak of 100 Mbit/s 3DES throughput. A commodity 3.2 GHz P4 1U box goes for around $1000. At 30% CPU, who cares if you offload 3DES or not? As for the number of IPsec tunnels, how many tunnels do you think will fit inside a box with 512 or 2048 MB of commodity SDRAM? It surprises me to no end that everyone knows what Moore's law is but always forgets that it actually applies in the real world.

But like I said, you won't need to patch the PIX, VPN3000, FWIOS router as much which is why I prefer FWIOS for my Site-to-Site stuff. For Site-to-Client stuff, I like to leverage the group policy deployment of Digital Certificates and OS integrated L2TP NAT-T client of the Windows platform.

I’m not saying which is the right answer or the right way to go. I just present the facts and you decide which is the easiest to manage, which fits in the budget, which meets your reliability requirements, and which meets your performance requirements.

George Ou
Network Systems Architect
 
I agree.
It's the same argument I used when Cisco first appeared
and people could use NetWare as a more powerful router.

But the PIX also has no moving parts....:)


 
The PIX sure doesn't. I love its performance and the fact that the entire PIX OS fits on well under 16 MB of flash. The PIX is rock solid and it is lean, mean and super fast with its per-interface policy engine and turbo ACLs.

One thing I will say is that they really gotta fix the UI on that thing, and I'm talking about the CLI. How about some basic object management capabilities, sheeesh!

You can totally forget the PDM, that thing is totally useless even if it has no conflicts with your CLI configuration and you can get it to load in the first place.


Like I said however, there were other reasons I chose to use Windows 2003 RRAS for Site-to-Client VPN, not just the performance.

George Ou
Network Systems Architect
 
OK George, I just surveyed your site.
Seems like you know what you are talking about...hehe

Not all guys who get published troll the boards like us working stiffs...

Question: on the PIX 501 10 user, what happens when the 11th user tries? It's tracking MAC addresses like a bridge, right?

I hear you have to clear xlate or reboot the box to clear the MAC table.....
Does the 10 user limit affect multiple users using that 10th slot if it's a VPN tunnel?

Thanks



 
Thanks.

The licensing is one of those things that annoys me about the PIX. I've got about 30 of those things deployed in the field ('cause they were cheap) and the licensing restrictions cause problems when a user starts testing multiple systems on it and runs out of licenses. What seems to happen is that the systems that were working continue to work and the newly connected systems don't. A bunch of other limitations of the PIX versus Firewall IOS annoy me, like the fact that you can't run auxiliary IPs, policy-based routing, QoS, or BGP. But a router with Firewall IOS on it is more than double the price of a PIX 501.

George Ou
Network Systems Architect
 
I don't know whether to use the built-in VPN feature in Win 2000 Server or buy a hardware router. The setup is always as below:

from Client

XP
ADSL
Dynamic IP

to Server

Win 2000 Server
ADSL
Static IP

There will be a max of two users connected at the same time.

For my setup what is the best option hardware or software VPN?

If hardware is the best solution what is a good router to go for?

Any help would be greatly appreciated.

Thanks

Dan
 
If you already have a Windows 2000 server you can use, upgrade it to 2003 and use its RRAS service. Otherwise, buy something like a cheap PIX501 or NetScreen 5GT or a Fortinet box for around $550. You need the firewall to protect your network anyway. The NetScreen and Fortinet boxes also have anti-virus gateways built in.

George Ou
Network Systems Architect
 
Thanks for the help George.

Sorry to be a pain, but there are a couple of questions that I don't know the answer to:

1) Can you use ICS and VPN server on win 2003 at the same time (we were unable to do so with win 2000)?
2) What is the fault with win 2000 VPN server(everyone is recommending win 2003 for VPN setup instead)?
3) I checked out the PIX501 and NetScreen 5GT, they look good however they are a bit expensive for the company. Would something like a Draytek router 2600 (or equivalent) be adequate for our needs? What benefits would you gain from spending more for a PIX501 and NetScreen 5GT?

Thanks loads for the help.

Dan
 
1. ICS will not work with RRAS, but RRAS has its own "basic firewall" which works fine. You can use it to limit inbound traffic to ESP, GRE, UDP 4500, UDP 500, and PPTP (gotta look that up).

2. Windows 2003 has NAT-T capability for IPSEC and it has better security for PPTP and L2TP, not to mention the basic firewall.

3. A PIX501 or NetScreen 5GT are full blown firewalls. The router will only provide basic protection via NAT. The 5GT can also scan all inbound FTP and HTTP traffic for viruses. It's a better deal for the money.

George Ou
Network Systems Architect
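The allow-list in point 1 above, worked through as an added example (not the RRAS or PIX configuration from this thread): a minimal stateless inbound filter that admits only the protocols a VPN endpoint needs and drops everything else, run over constructed sample packets. The server address, the sample client address and the rule names are assumptions; the port and protocol numbers (UDP 500 for IKE, UDP 4500 for NAT-T, IP protocol 50 for ESP, TCP 1723 plus IP protocol 47/GRE for PPTP) are the standard assignments. It also shows the classic PPTP mistake of opening TCP 1723 but forgetting GRE.

```python
"""Stateless inbound allow-list for a VPN endpoint (added example).

Models the "basic firewall" idea from the post: only the VPN protocols reach
the server; everything else (SMB, RDP, ...) is dropped. Not a Windows RRAS or
PIX configuration. VPN_SERVER and the sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47   # PPTP data channel
IPPROTO_ESP = 50   # IPsec payload when no NAT is in the path

VPN_SERVER = "203.0.113.10"  # assumed documentation address for the VPN box


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int]  # None for protocols that have no port (ESP, GRE)
    name: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


# Inbound allow-list for an L2TP/IPsec + PPTP endpoint; implicit deny at the end.
VPN_RULES = (
    Rule(IPPROTO_UDP, 500, "IKE"),
    Rule(IPPROTO_UDP, 4500, "IKE/ESP NAT-T"),
    Rule(IPPROTO_ESP, None, "ESP"),
    Rule(IPPROTO_TCP, 1723, "PPTP control"),
    Rule(IPPROTO_GRE, None, "PPTP data (GRE)"),
)


def evaluate(rules, pkt, server=VPN_SERVER):
    """Return the name of the first allow rule the packet matches, else None (deny)."""
    if pkt.dst != server:
        return None
    for r in rules:
        if r.proto == pkt.proto and (r.dport is None or r.dport == pkt.dport):
            return r.name
    return None


def audit(rules, packets):
    """Map each packet to (proto, dport, admitting rule or None for dropped)."""
    return [(p.proto, p.dport, evaluate(rules, p)) for p in packets]


# Constructed traffic: a remote client bringing up L2TP/IPsec (behind NAT) and
# PPTP, followed by two things the Internet should never reach on an AD server.
SAMPLE_PACKETS = (
    Packet("198.51.100.7", VPN_SERVER, IPPROTO_UDP, 500),
    Packet("198.51.100.7", VPN_SERVER, IPPROTO_UDP, 4500),
    Packet("198.51.100.7", VPN_SERVER, IPPROTO_TCP, 1723),
    Packet("198.51.100.7", VPN_SERVER, IPPROTO_GRE),
    Packet("198.51.100.7", VPN_SERVER, IPPROTO_TCP, 445),   # SMB
    Packet("198.51.100.7", VPN_SERVER, IPPROTO_TCP, 3389),  # RDP
)

# A common mistake: opening TCP 1723 for PPTP but forgetting GRE. The control
# connection succeeds and the tunnel then carries no data.
RULES_WITHOUT_GRE = tuple(r for r in VPN_RULES if r.proto != IPPROTO_GRE)


if __name__ == "__main__":
    for proto, dport, verdict in audit(VPN_RULES, SAMPLE_PACKETS):
        print(f"proto {proto:>2} dport {dport!s:>5}: {verdict or 'DROP'}")
    gre = Packet("198.51.100.7", VPN_SERVER, IPPROTO_GRE)
    print("GRE with incomplete PPTP rules:", evaluate(RULES_WITHOUT_GRE, gre) or "DROP")
```

The filter is stateless on purpose: it is the allow-list itself that matters here, and a real stateful firewall (PIX, NetScreen, the RRAS basic firewall) adds connection tracking on top of exactly this kind of rule set.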
 
No, I only know Win2k, Win2003, ISA2004, NetScreen, Nortel, CheckPoint, PIX, Cisco Firewall IOS. As far as I'm concerned, IPsec is IPsec. Just make sure you're comfortable with whatever platform you choose.

I was going to try out the IPCop ISO, but it's all just another derivative of IPChains as I understand it.

I did write a database app that allows you to create mesh IPsec tunnels between some of the above, but I'm trying to polish it up so that it will support everything, including all the major derivatives of IPChains.

George Ou
Network Systems Architect
 
OK George,

a tough one for you.

I've got a PIX 501 10 user on 6.2.1.

The site-to-site tunnel works fine from VA to CA.

We just can't get the VPN Client 4 to connect.

We just changed ISPs from Verizon DSL to Comcast Cable and

Comcast gave us a Cisco uBR905 with a block of 8, 5 usable.

The PIX is now behind the 905 on its own public IP.

STS works, client does not.

Client error is NO_PROPOSAL_CHOSEN.


thanks
George


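NO_PROPOSAL_CHOSEN is the ISAKMP notification (type 14 in RFC 2408) a responder sends when none of the transforms the initiator offered matches one of its configured phase-1 policies. The thread ends without saying which attribute was mismatched, so what follows is an added example, not the poster's PIX configuration: a Python model of the responder's selection step, with constructed policies and client offers, that returns the notification on mismatch and, for troubleshooting, reports which attribute (encryption, hash, authentication method, DH group or lifetime) each offered transform fails on. The matching rule (encryption, hash, auth and group must be identical; an offered lifetime is accepted only if it is no longer than the local one, and the shorter wins) is Cisco's documented IKE behaviour; the policy numbers, values and names are the example's own.

```python
"""IKEv1 phase-1 (ISAKMP) proposal selection on the responder (added example).

The initiator sends a list of transforms; the responder walks its own ISAKMP
policies in priority order and accepts the first offered transform that
matches one. If nothing matches it answers NO_PROPOSAL_CHOSEN, the error the
VPN client in the thread reports. Policies and offers below are constructed.
"""
from dataclasses import dataclass, replace

NO_PROPOSAL_CHOSEN = 14  # ISAKMP Notify Message Type, RFC 2408 section 3.14.1


@dataclass(frozen=True)
class Transform:
    encryption: str  # "des", "3des", "aes-128", ...
    hash: str        # "md5" or "sha1"
    auth: str        # "pre-share" or "rsa-sig"
    group: int       # Diffie-Hellman group 1, 2 or 5
    lifetime: int    # ISAKMP SA lifetime in seconds


@dataclass(frozen=True)
class Policy:
    priority: int    # lower number is checked first ("isakmp policy N")
    transform: Transform


def matches(policy, offered):
    """Cisco-documented rule: encryption, hash, auth and group must be identical;
    an offered lifetime is accepted only if it is no longer than the local one."""
    p = policy.transform
    return (p.encryption == offered.encryption and p.hash == offered.hash
            and p.auth == offered.auth and p.group == offered.group
            and offered.lifetime <= p.lifetime)


def negotiate(policies, offered):
    """Return ("chosen", priority, agreed_transform) or ("notify", NO_PROPOSAL_CHOSEN)."""
    for policy in sorted(policies, key=lambda p: p.priority):
        for t in offered:
            if matches(policy, t):
                shorter = min(policy.transform.lifetime, t.lifetime)
                return ("chosen", policy.priority, replace(policy.transform, lifetime=shorter))
    return ("notify", NO_PROPOSAL_CHOSEN)


def explain_mismatch(policies, offered):
    """Troubleshooting aid: (policy priority, offer index, attributes that differ)."""
    report = []
    for idx, t in enumerate(offered):
        for policy in sorted(policies, key=lambda p: p.priority):
            p = policy.transform
            diffs = [name for name in ("encryption", "hash", "auth", "group")
                     if getattr(p, name) != getattr(t, name)]
            if t.lifetime > p.lifetime:
                diffs.append("lifetime")
            report.append((policy.priority, idx, tuple(diffs)))
    return report


# Constructed responder policies (PIX-style list; not the poster's configuration).
RESPONDER_POLICIES = (
    Policy(10, Transform("3des", "sha1", "pre-share", 2, 86400)),
    Policy(20, Transform("3des", "md5", "pre-share", 2, 86400)),
)

# Constructed client offers. The first matches nothing: the responder has no
# AES policy, and the second transform asks for certificate authentication.
CLIENT_OFFER_FAILS = (
    Transform("aes-128", "sha1", "pre-share", 2, 86400),
    Transform("3des", "md5", "rsa-sig", 2, 86400),
)
# The second offer matches policy 20; the client's shorter lifetime is adopted.
CLIENT_OFFER_WORKS = (
    Transform("aes-128", "sha1", "pre-share", 2, 86400),
    Transform("3des", "md5", "pre-share", 2, 28800),
)


if __name__ == "__main__":
    print(negotiate(RESPONDER_POLICIES, CLIENT_OFFER_FAILS))
    for prio, idx, diffs in explain_mismatch(RESPONDER_POLICIES, CLIENT_OFFER_FAILS):
        print(f"policy {prio} vs offer {idx}: differs in {', '.join(diffs) or 'nothing'}")
    print(negotiate(RESPONDER_POLICIES, CLIENT_OFFER_WORKS))
```

When chasing a NO_PROPOSAL_CHOSEN in practice, compare the responder's phase-1 policy list against the client's offered transforms attribute by attribute, as explain_mismatch does; a working site-to-site tunnel on the same box proves only that the peer router's proposal matches, not that the remote-access client's does.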
 