[c-nsp] Re: VPN Solutions

Joel Snyder Joel.Snyder at Opus1.COM
Sun Dec 5 22:59:09 EST 2004



George He wrote:
> Hi Joel,
> 
> <Quote>
> 
> Unfortunately for Cisco fans, they have never been able to successfully 
> put site-to-site IPsec and remote access IPsec into the same box.  But 
> they're both there, but Altiga's site-to-site is awful, and IOS/PIX 
> remote access is double awful.  So you have to buy two boxes if you like
> the all-Cisco solution.
> 
> </Quote>
> 
> I'm not sure of the exact meaning of your message. I know that IOS/PIX
> remote access VPN is not good, but Remote VPN and Site-to-Site VPN can
> work on PIX at the same time without any problem. 

Sorry, I wasn't very clear.  Yes, you can do site-to-site & remote 
access on IOS, you can do them on PIX, and you can do them on Altiga. 
They both do work (for some definition of "work" which often means "can 
be made to work with compromises.")  What I meant is that if you want 
good remote access, you buy a Cisco 3000 (Altiga) box; if you want to do 
site-to-site, you buy an IOS box or perhaps a PIX.  But you cannot do 
large deployments of both successfully from the same box, because while 
the Altiga scales beautifully for large numbers of remote access users, 
the same is not true of site-to-site.  And, while you can coerce the IOS 
or PIX boxes into doing site-to-site pretty well, they are absolutely 
unmanageable/unscalable for remote access except in the most trivial of 
deployment environments.

So it's not that it doesn't work; it's just that it doesn't "work."  If 
you've got 3 sites and 12 remote access users, you won't notice the 
difference very much, but if you have 30 or 300 sites and 1200 or 12,000 
remote access users, it's another case entirely.  Unless you buy two 
different boxes, in which case you'll probably be able to construct a 
happy solution.

jms

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One


