[personal profile] rmd
I've got an office full of people who like to work from home by VPNing in to the network, here. So, the Cisco 3000 VPN concentrator is a nice enough box. Well, except for the fact that it's busted and old enough that the product line is end-of-life.

What are folks using? What's good out there, these days? I'd like a whole lot more flexibility in terms of configuration, and also the ability to do things like HTTPS tunnels instead of being limited to VPN client software on the user's machine.

thanks!

Date: 2009-06-30 02:18 pm (UTC)
From: [personal profile] mangosteen
Obviously, Cisco and Juniper have something nice in that space, now, but you might also want to take a look at Array Networks devices. We evaluated them a while ago, but we weren't in a position to buy at the time.


Date: 2009-06-30 03:03 pm (UTC)
From: [identity profile] penk.livejournal.com
I recommend taking a good hard look at OpenVPN. Open-source, SSL-based VPN software that can use a variety of authentication mechanisms.

I deployed it at a client's office where they have 20 or so remote users, all pointing at one of their random Linux boxes running the server. Runs like a champ.

Date: 2009-06-30 05:10 pm (UTC)
From: [identity profile] radioactiverich.livejournal.com
We run OpenVPN here, but my less-than-savvy userbase has a lot of trouble with the set-up, key management, and config files, even when I give them everything in a package. How do you deal with this, or are your users more technical (i.e., they figure it out)?

Date: 2009-06-30 05:14 pm (UTC)
From: [identity profile] penk.livejournal.com
I think their IT department sets up the laptops that use it - and it's just a matter of installing OpenVPN, dropping the keys into the keys dir, and starting the client. Then it shows up in the tooltray, and they just say "Connect to the VPN" - no muss, no fuss.

I can probably drop you the address of the windows admin who does this if you like.

Date: 2009-06-30 05:42 pm (UTC)
From: [identity profile] radioactiverich.livejournal.com
Thanks for the info, but basically that's what I do now. It works okay if you know how to copy config files into the right place, but a mis-step results in a phone call usually. (Yeah, they're REALLY not savvy.)

Date: 2009-07-01 08:47 pm (UTC)
From: [personal profile] cme
My former workplace had VPN 3000s which ran like champs until the day when one of them stopped running at all (all of the tunnels on that concentrator died at once for no reason and couldn't be resuscitated). We had one problem with it ever up to that point - a month before it died, it spontaneously forgot the preshared secret to one of the tunnels and we had to reset it. (I include this in case you run into something similar.)

Someone made the decision to replace the busted one with one of the ASA 5500 series (sadly, I don't know which one). Dropped into the same (admittedly rather crazy) network environment with the same tunnel configs, we had no end of trouble with it- tunnels would drop randomly, packets would simply stop leaving the internal network space through any logical interface on the box- bizarre random network shit, basically. We still hadn't figured out that "packets can't leave the 10. address space" thing when I was laid off, but now that I look at the spec sheet and see that it's supposed to do fancy intrusion-detection stuff, I bet the ID stuff was interacting badly with the crazy-ass network layout. (I was not the vpn nerd in that shop and I didn't know what the box could do, so I hadn't put that theory together until now).

Date: 2009-07-01 10:27 pm (UTC)
From: [identity profile] rmd.livejournal.com
yeah, i use the ASA's for plain old firewalls. since they are successors to the PIX, the primary rule of troubleshooting PIXen inherits down to the ASA: if something is failing to traverse the firewall, it's probably due to the NAT. because NAT is fuck-all complicated on those.
