Help requested - Netscreen IPSec VPN over DSL
Can anyone please give me a pointer as to why I am having big problems with using a Safenet VPN client (connecting to) -> Netscreen VPN/FW appliance via Jetstart / UBS / Jetstream? This is happening on multiple disassociated / unrelated networks.
I am using mostly Dynalink RTA300 DSL modems, and Netscreen 5XT / GT boxes. I believe it is something to do with the NZ DSL network as this type of VPN setup has worked well for over 1/2 years until it started to become more and more unreliable.
Can anyone help or suggest a solution?
Thanks for your time.
Cheers
Felix Tsang
ULTRATECH Ltd
Cell Phone: (64) 29 241 0185
Phone: (64 9) 309 8393
Fax: (64 9) 309 8393
Email: felix(a)ultratech.co.nz
Felix Tsang wrote:
> Can anyone please give me a pointer as to why I am having big problems with using a Safenet VPN client (connecting to) -> Netscreen VPN/FW appliance via Jetstart / UBS / Jetstream? This is happening on multiple disassociated / unrelated networks.
> I am using mostly Dynalink RTA300 DSL modems, and Netscreen 5XT / GT boxes. I believe it is something to do with the NZ DSL network as this type of VPN setup has worked well for over 1/2 years until it started to become more and more unreliable. Can anyone help or suggest a solution?
I've recently been doing some research trying to isolate a problem with a client's multiple Linux-based IPSec VPNs running through consumer-grade ADSL routers.
(I would guess that your Safenet/Netscreen devices are using some form of IPSec VPN).
My findings were unusual; the more recent the model of ADSL router used, the more unreliable the VPNs became when under load.
For me, this was only the case when running multiple VPNs.
Older model ADSL routers performed admirably (the Nokia M1122 was fantastic) while later model ADSL routers ranged from some models reliably crashing after 30 seconds of load to other models seeming ok on the bench but performing very badly in the field. Some brands actually got worse with more recent firmware upgrades or chipsets.
Some googling revealed that there may be problems routing ESP traffic for multiple IPSec VPNs through cheaper, less well engineered ADSL routers.
I am guessing that modern consumer grade ADSL routers fall into the "less well engineered than they used to be" category.
It's just barely possible that this also applies to the hardware used in the exchanges and ISPs.
Just a guess.
For what it's worth, we are moving away from IPSec to OpenVPN. Unfortunately, once you've bought into a hardware VPN solution, it becomes somewhat harder to make that sort of change...
Thanks Steve,
We have noticed the same thing. We have been using Dynalink RTA300s with no problems. However, the RTA770s that replaced them used a completely different chipset and we ran into the same issues you described. We have been trying ever since to find a good modem to replace it. We have also contacted Dynalink to try to resolve the problem; they have been helpful but there wasn't a whole lot they could really do.
Re other types of VPN, we have been looking at other solutions as well. Something along the lines of SSH. Has anyone used any sort of software-based SSH VPN products?
Cheers
participants (2)
- Felix Tsang
- Steve Wray