VPN router w/ client software

[rustynails]

Ive been using watchguards 6tc with the safenet vpn client to connect some of my customers remotely. I was wondering what others are using out there. Recently it has come to light that the 6tc from watchguard has compatibility problems with motorola SB5120 cable modems, I can not receive DHCP nor will a static address work on the wan port. Ive tried to different modems and 2 different 6tc. Both funtion correctly when indepent of each other, in other words i can get a DHCP address from a linksys, i can also get the linksys to supply a DHCP address to the 6tc. Any suggestions out there?

~n

 

[DarkJuJu]

If all your customers are using WG soho's i would buy a cheap used fireboxII or III and setup
DVCP VPNs to your customers and a PPTP to the Firebox so you would have access from anywere. I have a few older fireboxes if your interested.

 

[Crusty]

We use a Firebox III/700 with a combination of SOHO 6's for our branch offices and for at home support people. We also have a few laptops that use the WinXP vpn client, and we have an IPSEC tunnel to another Firebox that we use for CCA

 

[Woodie]

Nortel client & switch, migrating to Cisco client & concentrator. The endpoints are >95% clients, while the rest are gateways to concentrator.

 

[cmetz]

Watchgard is garbage. I can't rip that stuff out fast enough. Most times I'm able to do so, the people who own the gear won't let me give it the violent destruction it so richly deserves. Get rid of it, destroy it, make your life easier.

Anyway, I digress...

Cisco's Windows VPN client is the best by a lot. It's the most compatible client I've seen, and it gets things right like handling Windows login after the VPN connects. I can't strongly enough recommend the Cisco VPN client for Windows.

Head-ends are a bit trickier. The PIX 501/506E are cheap and get the job done at the low end, though they've got a lot of quirks. They're also now a dead platform. The Cisco VPN Concentrator series is interesting if you have a really huge budget, but if you have a really huge budget you also have a lot of other good options to consider (every vendor loves the customers with really huge budgets . In the middle, any router with IOS can run the firewall/IPsec image, but you really want a crypto accelerator too. And only a few of their accelerators support AES encryption, which I consider a mandatory feature in any new VPN purchase. The Cisco ISR 800/1800/2800/3800 series is the official Cisco answer to the problem, and they have good specs and good pricing. What they're bad at is QA, I've seen a whole lot of bugs on that platform that never ever should have made it out the door, and I'm not seeing Cisco make enough progress towards getting those boxes where they need to be. So the moral of this story is, with Cisco, you have to pick your pain on the head-end.

My personal experience is that I'd rather have my pain on the server side and the client side be smooth. One of those is a lot easier for me to debug, and there's a whole lot fewer of them to debug, too.

 

[rustynails]

Thanks for your responses.

Anyhow I finally convinced Cox to come out and take a look, the tech happened to have another cable modem (webstar) to put in place. The watchguard took just fine. So there is a hardware compatiblity issue with new SB5120 (these enable the 1mb upstream). The cox tech stated that they had tier 1 support to motorola and will submit this issue. We'll see...

 

[cmetz]

If the 5120 is just a modem (and not also a SOHO router), it's very odd that it would be the culprit. This would lead me to believe that the Motorola cable modem folks are still clueless. (I know they sure were in the past...)

 

[rustynails]

Well,

That just it. 2 5120 and 2 watchguards and still no go. Independently of each other they both seemed to work fine. Additionally, when the tech came out he mentioned that the last time, a couple of months ago, he saw the soho they could not get it to work either. I convinced him to try another modem (since they would not let me activate my own on a business account) and bam functioning perfectly. Luckily my client only has a 512 up.

This is one of those thing that is very hard to troubleshoot, because it not some programming issue, fixed by some clicking on a web gui.

~n

 

[DarkJuJu]

Originally posted by: cmetz
Watchgard is garbage. I can't rip that stuff out fast enough. Most times I'm able to do so, the people who own the gear won't let me give it the violent destruction it so richly deserves. Get rid of it, destroy it, make your life easier.

Anyway, I digress...

Cisco's Windows VPN client is the best by a lot. It's the most compatible client I've seen, and it gets things right like handling Windows login after the VPN connects. I can't strongly enough recommend the Cisco VPN client for Windows.

Head-ends are a bit trickier. The PIX 501/506E are cheap and get the job done at the low end, though they've got a lot of quirks. They're also now a dead platform. The Cisco VPN Concentrator series is interesting if you have a really huge budget, but if you have a really huge budget you also have a lot of other good options to consider (every vendor loves the customers with really huge budgets . In the middle, any router with IOS can run the firewall/IPsec image, but you really want a crypto accelerator too. And only a few of their accelerators support AES encryption, which I consider a mandatory feature in any new VPN purchase. The Cisco ISR 800/1800/2800/3800 series is the official Cisco answer to the problem, and they have good specs and good pricing. What they're bad at is QA, I've seen a whole lot of bugs on that platform that never ever should have made it out the door, and I'm not seeing Cisco make enough progress towards getting those boxes where they need to be. So the moral of this story is, with Cisco, you have to pick your pain on the head-end.

My personal experience is that I'd rather have my pain on the server side and the client side be smooth. One of those is a lot easier for me to debug, and there's a whole lot fewer of them to debug, too.

another clueless koolaid drinking cisco clone.

 

[rustynails]

Darkjuju,

Are you able to connect mobile users to the 6tc using only the windowXP vpn client. Ive tried and had no success, the parameters just dont seem to be the same; for what the 6tc is requiring.

 

[DarkJuJu]

no pptp on 6tc but it does support moblie user client but i believe you need a license.

 

[SaigonK]

Nortel Contivity box, you name the model and I have it setup somewhere.
Mostly 1100 series units for our branch office tunnels, our major sites have either 1740's or 2700's.