I’m looking to replace the two aging Nortel 1700 VPN Routers (formerly Contivity). These VPN routers provide branch office tunnels to our remote offices, vendors and business affiliates. We utilize two VPN routers which are geographically dispersed and connected to different tier 1 Internet Service Providers. This allows us to provide high availability and redundancy when used in conjunction with OSPF routing.
I’ve essentially boiled my options down to two possible solutions (vendors);
So which do I choose and how to best evaluate the different products? The primary purpose of the device is to provide branch office IPSec tunnels. The product needs to support OSPF and it needs some limited support for Multicast over VPN.
This morning I was lucky enough to have one of our preferred vendors, who just happens to be a Juniper reseller, come on site and help set up 2 Juniper SRX 210 gateways for us to demo. I’ve never worked with a Junos-based product and while the web-based GUI was fairly straightforward the CLI interface is going to take some time to get used to. It’s not like Cisco, or Nortel or Brocade, or Blade Technologies. Thankfully I did find a quick start guide that helped get my feet wet with Junos.
Once I’m done with the Juniper SRX I’ll need to turn my attention to the Cisco ASA (Tom you know what I’ll be calling for soon – demo time).
I’ll post a summary once I have some thoughts about the Juniper SRX. Anyone care to comment regarding either the Juniper SRX or the Cisco ASA as it pertains to branch office VPN tunnels? As a note I’m already migrating our Nortel VPN end-users to our Juniper SSL VPN Secure Access 4000 appliances.
Cheers!
Kyle says
Just curious — why are you not sticking with Contivity, and which solution did you end up with?
Great blog by the way…
Michael McNamara says
Hi Kyle,
The Nortel VPN Router (formerly the Contivity Extranet Gateway) was born out of the Bay Networks acquisition of New Oak Communications back in January 1998. It was an awesome killer product at the time and no one had anything that could stand up to it. That was a long time ago and the times have changed.
We’re now doing the majority of our end user VPN connections on a pair of Juniper Secure Access 4000 appliances providing true client-less SSL VPN. We’re also using Juniper’s Network Connect client to provide IPSec-like VPN over SSL. We’ve found the Network Connect client to be much more forgiving and tolerant to various network variables (wireless was a big variable). The Network Connect client is also able to negotiate a connection over HTTPS/SSL in environments where IPSec is not possible and/or allowed.
So we were looking for a solution that would provide for traditional branch office VPN tunnels. It needed to be flexible and compatible with the large majority of devices already in use. Looking at our existing configuration the prominent device in use by our vendors and business partners was Juniper so it only made sense to start our search there. There was a lot of positive feedback on the Internet and in reviews about the Juniper SRX product line.
I believe we’ve settled on the Juniper SRX650 although I have yet to write the purchase order. We’ll likely be deploying the SRX210H at our branch office sites to replace the EoL Nortel VPN Router 1010.
I’ll probably post some thoughts once we start moving forward with the project.
Cheers!
Kyle says
I, too, have been looking at the Juniper SRX650. It’s feature-loaded, and encrypts traffic at 1Gbps (untested)… great for large-scale off-site data replication.
Thanks for the reply.
Michael McNamara says
The biggest concern we had was the speed (or lack thereof) in the web GUI. It was painfully and agonizingly slow trying to do the most basic operations. Thankfully Juniper has acknowledged that issue and we were able to test a beta release of JUNOS on the SRX210 where the web GUI was much more responsive than previously (I’ll take a command line interface any day over a GUI – but JUNOS is going to take some time to learn).
I found the Juniper folks to be very aggressive with their pricing when they heard I was also looking at the Cisco ASA product.
I’ll try to post some notes once we get going.
Cheers!
Scott says
Did you ever come to a conclusion on the Juniper vs. Cisco solution?
I’ve been playing around with an SRX210 box this box, I too need to replace some aging CES1100 units and thought that an SRX might do the trick.
I haven’t been too impressed with the slow GUI and the learning curve on JunOS, however I think I’ve got it.
I’m trying to configure my 210 to create a tunnel back to my CES 1750’s … no luck so far. Do you have experience creating an ABOT with a Juniper and a Nortel?
Thanks
Scott
Michael McNamara says
Hi Scott,
We chose the Juniper solution but I’m still waiting for the Juniper SRX650s to arrive. I have 3 SRX210Hs on the shelf but haven’t had the time to open the box, forget starting to actually configure the equipment.
Unless someone else comments (not a really big SRX following here just yet – soon hopefully) I’ll try to open the box next week and post you my configuration settings. One of our tasks is to document the configuration and test interoperability between the two solutions so as we migrate we don’t have to change out both ends at the same time.
You might also want to check out Juniper’s website. I’ve heard that there’s some great information on there including some free web-based eLearning seminars on using JUNOS.
I’ll let you know what I find.
Cheers!