From: "Fred Langston" <[EMAIL PROTECTED]> wrote

>Although it is a standard,  experience has shown that interoperability is
>easier said than done.  Does anyone have any experience creating
>server-server tunnels between Firewall-1's v4/v5 IPSEC VPN module and
>Borderware v6.X's IPSEC VPN module? Are there any bugaboos or gotchas one
>attempting this should know before trying it?

Yes.  I did a massive amount of interoperability testing of this
stuff and have a couple of points which might help.  You can also see
the stuff at http://www.opus1.com/vpn, which doesn't deal with the
specific issue you're asking about, but has some other pointers.

1) Make sure you seriously understand all of the component pieces you're
dealing with.  IPSEC + IKE parameters are fairly easy to spin off the
tongue, yet few people (including especially the folks they sent out
to my lab) really understand it.  Get a copy of Dan Harkins' book 
and make sure you figure out what the phases, modes, and such are.  

2) Design your tunnel before you touch any software.  Get all of the
variables in a row.  There are, to my way of thinking, 12 variables
that have to be selected for the tunnel itself, plus two IP addresses,
and a set of protected LANs (which could be very large).  Write out all
of this FIRST and then sit down at the GUI.  

(For the record, I count them as ESP/AH/both; tunnel/transport; IKE 
encryption; IKE authentication; IKE integrity; IKE DH group; IKE
lifetime/size; PFS on/off; possible IPSEC DH group; IPSEC encryption;
IPSEC integrity; IPSEC lifetime/size.  If you don't understand how
each of those fits into a tunnel, you'll never get interoperability
except by accident)

3) Map the vendor's components and names to the tunnel attributes/variables.
You will have to grovel through the GUI quite a bit to do that for
BOTH FW-1 and BorderWare.  (Actually, I don't know about the new
Borderware; the old one didn't work at all, so I never got far in
testing it.  The new one, if it works, might have a better GUI).  The
FW-1 GUI is particularly vile in this place---when I did the Network
World reviews, I commented that it was clear that their paradigm for
management GUI couldn't handle tunnels well, and they had shoe-horned
it in, poorly, just to get it out the door.  I stand by that comment;
their tunnel configuration is a mass of different screens in non-intuitive
places which unfairly constrain the network manager to certain kinds of choices
which may inhibit interoperability in a more-than-two-vendor situation.

4) Get someone on the phone/email at EACH vendor who understands the
IPSEC stuff.  Not a tech support droid who will either (a) read their
internal knowledgebase or (b) run back to a smarter one every time you
ask a question.  Towards that way lies madness.  Find someone who
UNDERSTANDS IPSEC (may be an existence proof problem) and get them to
work your case.  Do this BEFORE you start.  You may have to bitch up the
customer service or sales chain to get access to this person.  You can
probably get them, though, if you promise to document what you did
so that they can have it as a tech note.  

5) Figure out the debugs.  FW-1 has a fairly poor IPSEC debug, but you 
need to learn to turn it on, or more importantly the IKE debugs, and
read it.  I don't know about BorderWare.  Most vendors have learned
from the interoperability bakeoffs to improve their debugging; this
often requires undocumented commands.  Get those before you start
trying.  

Once you do 1-5, go for it.  Interoperability has been outstanding
the past year.  Borderware is so new that they may not have any 
bakeoff experience; they will probably work with Cisco & Nortel, since
everyone tests against those two.  FW-1 generally can be made to work,
assuming that you have a 4.1 or LATER code base.  4.0 was the poop
and didn't work very well at all.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)  
[EMAIL PROTECTED]    http://www.opus1.com/jms    Opus One
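The "design the tunnel first" step in point 2 above, as an added example that is not part of the original post: both ends' intended settings are written down under the twelve tunnel variables listed there and compared before anyone opens a GUI. The alias table that maps vendor labels to canonical names and the two sample parameter sets are constructed for the example, not taken from FW-1 or BorderWare.

```python
# Pre-flight checker for a two-site IPsec tunnel design (constructed example, not from
# the post): each end's settings are written down under the twelve tunnel variables from
# point 2, GUI labels are mapped to one canonical name via an assumed alias table, and
# every mismatch is reported before anyone opens a GUI.
TUNNEL_VARIABLES = ("protocol", "mode", "ike_encryption", "ike_authentication",
                    "ike_integrity", "ike_dh_group", "ike_lifetime", "pfs", "ipsec_dh_group",
                    "ipsec_encryption", "ipsec_integrity", "ipsec_lifetime")
LIFETIMES = {"ike_lifetime", "ipsec_lifetime"}  # values are (seconds, kbytes); None = no limit

# Assumed alias table: the same algorithm under the labels different GUIs use.
ALIASES = {"triple-des": "3des", "des-ede3": "3des", "sha": "hmac-sha1", "sha1": "hmac-sha1",
           "md5": "hmac-md5", "group1": "modp768", "group2": "modp1024", "group5": "modp1536",
           "pre-shared-key": "psk", "preshared": "psk", "rsa-sig": "rsa"}

def normalize(key, value):
    """Map a vendor label to its canonical name; lifetimes, pfs and None pass through."""
    if value is None or key in LIFETIMES or key == "pfs":
        return value
    label = str(value).lower()
    return ALIASES.get(label, label)

def check_tunnel(side_a, side_b):
    """Return (severity, variable, message) findings for the two ends of a tunnel."""
    findings = []
    for key in TUNNEL_VARIABLES:
        a, b = normalize(key, side_a.get(key)), normalize(key, side_b.get(key))
        if a == b:
            continue
        if key in LIFETIMES:  # unequal lifetimes are tolerated by some stacks, not all
            findings.append(("warning", key, f"{a} vs {b}: acceptance is implementation specific"))
        else:
            findings.append(("error", key, f"{a!r} vs {b!r}"))
    # A Phase 2 DH group is required exactly when PFS is on; check each end by itself.
    for name, side in (("A", side_a), ("B", side_b)):
        if side.get("pfs") and side.get("ipsec_dh_group") is None:
            findings.append(("error", "ipsec_dh_group", f"side {name}: PFS on but no Phase 2 DH group"))
    return findings

# Constructed sample: one end entered with short/group labels, the other with long ones.
SIDE_A = dict(protocol="esp", mode="tunnel", ike_encryption="3des", ike_authentication="pre-shared-key",
              ike_integrity="sha1", ike_dh_group="group2", ike_lifetime=(86400, None), pfs=True,
              ipsec_dh_group="group2", ipsec_encryption="3des", ipsec_integrity="sha1",
              ipsec_lifetime=(3600, None))
SIDE_B = dict(protocol="ESP", mode="tunnel", ike_encryption="triple-des", ike_authentication="psk",
              ike_integrity="hmac-sha1", ike_dh_group="modp1024", ike_lifetime=(28800, None), pfs=True,
              ipsec_dh_group=None, ipsec_encryption="3des", ipsec_integrity="md5",
              ipsec_lifetime=(3600, 4608000))

if __name__ == "__main__":
    for severity, variable, message in check_tunnel(SIDE_A, SIDE_B):
        print(f"{severity:7} {variable:16} {message}")
```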