  1. Senior Member mattsthe2's Avatar
    Join Date
    Nov 2005
    Location
    Michigan, US
    Posts
    304
    #1

    Default IPSec going away?

    I heard that the Cisco Road Map is to do away with IPSec and move towards their SSL VPN, AnyConnect, etc. Anyone heard this?


    Is there a shift towards AnyConnect? What's its downside?

  3. sporadic member shednik's Avatar
    Join Date
    Feb 2007
    Location
    Pittsburgh, PA
    Posts
    2,005

    Certifications
    CCNP, JNCIP-ENT, JNCIS-SP, JNCIA, JNCDA, CCNA, CCNA:Security, MCP, A+, N+, L+, MST:InfoSec, CNSS 4011-4015
    #2
    Site to Sites will definitely stay IPSec for sure.

    I know Cisco is pushing SSL VPN for remote access, but I don't see IPSec going away ever really. SSL VPNs are just going to be used a lot more I think, I really like the webvpn on the ASA personally which runs over SSL.

  4. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #3
    IPV6 has IPSEC deeply integrated with it..IPSEC is here to stay....

    insert IT foot into mouth!
    Last edited by itdaddy; 01-15-2010 at 03:12 PM.

  5. Senior Member
    Join Date
    Jan 2008
    Location
    Illinois
    Posts
    115

    Certifications
    A+, Server+, Security+, MCTS: Vista, MCSE 2003
    #4
    I've been getting emails about this from SonicWall lately. I wonder why there's such a big push all of a sudden?

  6. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #5
    I think it is due to IPSEC is so hard to implement. Yeah it works and is secure, but can be hit or miss or cause many network issues..
    VPN/SSL is bam it works 99.9% perfect connections..freaking awesome.
    logmein.com uses it and other alike it is very reliable and stress free.
    I have worked mildly with it and I have seen others work with and pull their teeth out..too much stress. plus it is an old technology that
    needs a major makeover. the world is going faster and old technology
    needs to move out of the way! Once you have used vpn/ssl
    after using IPSEC you just say holy crap that's all there is to it?
    and you kind of scratch your head and say WT??? hahhah haha

  7. sporadic member shednik's Avatar
    Join Date
    Feb 2007
    Location
    Pittsburgh, PA
    Posts
    2,005

    Certifications
    CCNP, JNCIP-ENT, JNCIS-SP, JNCIA, JNCDA, CCNA, CCNA:Security, MCP, A+, N+, L+, MST:InfoSec, CNSS 4011-4015
    #6
    Quote Originally Posted by itdaddy View Post
    I think it is due to IPSEC is so hard to implement. Yeah it works and is secure, but can be hit or miss or cause many network issues..
    VPN/SSL is bam it works 99.9% perfect connections..freaking awesome.
    logmein.com uses it and other alike it is very reliable and stress free.
    I have worked mildly with it and I have seen others work with and pull their teeth out..too much stress. plus it is an old technology that
    needs a major makeover. the world is going faster and old technology
    needs to move out of the way! Once you have used vpn/ssl
    after using IPSEC you just say holy crap that's all there is to it?
    and you kind of scratch your head and say WT??? hahhah haha
    itdaddy, it's not that difficult to set up an ipsec vpn. I think for remote access vpns it will move more towards ssl, but for hardware based vpns via site to site or ezvpn I don't see them going away from ipsec. I haven't done any research yet, but what would you use in a hardware based vpn solution then? SSL vpns for end users via a client or web browsers are great though, don't get me wrong.

    EDIT: so you tweaked my interest now...have a look at this page at cisco http://www.cisco.com/en/US/prod/coll...0801f0a72.html moving fully away from ipsec you would lose some of the other features such as dmvpn and such. I only skimmed the page but it looks like SSL still has some development to take everything over.
    Last edited by shednik; 08-28-2009 at 09:36 PM.

  8. Senior Member
    Join Date
    Jan 2006
    Location
    USA
    Posts
    585

    Certifications
    CISSP
    #7
    Don't forget that IPsec is a mandatory component for IPv6.

  9. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #8
    I guess what I should have said was not everyone is on the same bandwagon when it comes to IPSEC protocols and it is dependent on who is using what. Some ISPs use this and some ISPs use that and some companies use this protocol..and or block these ports....It is just very picky, but I agree with what you are saying, you have valid points and valid questions.
    I mean it just seems to be a lot of work sometimes. We have IPSEC vpns at my work here and believe me, it gets crazy when someone changes something so small it wacks it out! And with vpn/ssl type technology
    it does the job and is efficient that is what I mean..

    and Yes, I agree vpn/ssl is very young yet!
    but I still love it hee hee
    I know I am lazy, but I like stuff that is not so time wasting let us get on to other stuff.

    WastedTime, explain how you mean IPSEC is mand. with IPV6, I don't get it.
    I have set up IPV6 at home and I don't need IPSEC??? Explain please
    thanks....

  10. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #9
    wasted time,

    IPv6.com - IPv6 and IPSec - Securing the Next Generation Internet

    I see, but I hope they can clean this technology up cause it is going to cause so many issues....we have all heard or seen how wishy washy it can be.....

  11. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #10
    D
    E
    C
    A
    F



    No offense but you obviously have never tried setting up an SSL VPN, it doesn't just magically work with the press of a button. IPSec is much more straightforward, learn its phases and the config necessary for the appliance and it's the same every time. There's a reason Cisco urge SSL configs to be done from the GUI (and have even removed the CLI versions of some functions/not included the new ones), it is a lot more complex to configure when compared to IPsec counterparts if you want to do it right. It's not wishy-washy, or flakey, just the implementations on some devices can be flawed but as a VPN set it's pretty damn good (which is why it has stood the test of time). Also SSL is less efficient, getting better but still not on par.
    The only advantage it offers over IPSec (and it is a fair one) is convenience for the end user and then ONLY when you're talking about clientless vs. thick client installs. Its advantages for through PAT are only down to using TCP as the transport and you can encapsulate ESP inside UDP or TCP easily enough.
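The PAT point in the post above, as an added example that is not part of the original thread: ESP carries no port numbers, so RFC 3948 wraps it in UDP on port 4500, and the receiver tells IKE, ESP and NAT keepalives apart from the first bytes of the UDP payload. The function name and the sample packets are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500                 # UDP port shared by IKE and UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00" * 4      # four zero bytes: "this is IKE, not ESP"
IKE_HEADER_LEN = 28               # fixed IKE header size in bytes
ESP_HEADER_LEN = 8                # SPI (4 bytes) + sequence number (4 bytes)


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of a datagram on port 4500 (RFC 3948 rules)."""
    # A NAT keepalive is a single 0xFF byte; it only refreshes the NAT mapping.
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "invalid", "reason": "shorter than SPI / marker"}

    # An ESP SPI of zero never appears on the wire, so four zero bytes where
    # the SPI would be mark the datagram as an IKE message.
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        (_init_spi, _resp_spi, _next_payload, version,
         exchange_type, _flags, _msg_id, length) = struct.unpack(
            "!8s8sBBBBII", ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "version": f"{version >> 4}.{version & 0x0F}",
            "exchange_type": exchange_type,
            "length": length,
        }

    # Anything else is ESP: the SPI and sequence number are in the clear,
    # everything after them is encrypted and integrity protected.
    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "invalid", "reason": "truncated ESP header"}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"kind": "esp", "spi": spi, "seq": seq,
            "protected_len": len(payload) - ESP_HEADER_LEN}


# Constructed sample payloads (not captured traffic).
IKE_SAMPLE = (NON_ESP_MARKER
              + b"\x11" * 8 + b"\x00" * 8        # initiator / responder SPI
              + bytes([33, 0x20, 34, 0x08])      # next payload, v2.0, IKE_SA_INIT, flags
              + struct.pack("!II", 0, 28))       # message ID, total length
ESP_SAMPLE = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 32
KEEPALIVE_SAMPLE = b"\xff"

if __name__ == "__main__":
    for name, pkt in [("ike", IKE_SAMPLE), ("esp", ESP_SAMPLE),
                      ("keepalive", KEEPALIVE_SAMPLE)]:
        print(name, classify_natt_payload(pkt))
```

Because the SPI stays visible outside the encryption, a NAT device only needs the outer UDP ports to track the flow, which is what makes ESP usable through PAT.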

  12. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #11
    Thanks, no offense taken (but thanks for caring), I really haven't done much with it but
    I have used vpn/ssl and it is slick. And I have never had nor have I heard anyone with issues with it. I am not talking site-to-site (we have site-to-site ipsec vpns that have never had issues) only remote client to server type.

    I have just seen guys have so many issues with vpn/IPSEC due to everyone in the loop not using the exact this and exact that where vpn/ssl is universal. But I am sure there are flaws but from a purely customer stand-point it is freaking awesome.

    I would rather use something much easier and reliable. I am sure IPSEC has its applications. I guess I need to specify apples to apples and oranges to oranges.
    Thanks for your help. I appreciate your help.
    Last edited by itdaddy; 08-29-2009 at 05:17 AM.

  13. Senior Member
    Join Date
    Aug 2008
    Posts
    2,666

    Certifications
    MCSE: Security, MCTS x 5, P+, S+, N+, A+, HIT
    #12
    I doubt IPSec is going away anytime soon. It is a complex protocol, but if you configure it properly, it's a great way to secure your network.
    Of course, you should do extensive testing before deploying in a production network.
    I think it's a good protocol to secure small areas of your network, but I'd never use it on the entire network.

  14. The Colosus of Clout Paul Boz's Avatar
    Join Date
    Oct 2006
    Location
    Baton Rouge, LA
    Posts
    2,607

    Certifications
    CCNP, CCIP, CCDP, CCDA, CCNA, CCNA Security, NSTISSI 4011, GSEC, GCFW, GCIH, GCIA
    #13
    Technology isn't meant to be easy, it's meant to work and work well. IPSec isn't going anywhere and it's foolish to think that it is.

  15. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #14
    It isn't foolish to think anything is going away. It is a balance between convenience and security and sometimes the people in charge want convenience.. It is possible for any older technology to be by the wayside, but I understand your point big guy!

    I think Cloud technology sucks! too many middle-men and many issues as a result. But there is nothing we can do but to work together even more.

    But like all new things, they are derived from the old..



  16. was here.
    Join Date
    Apr 2008
    Posts
    4,504
    #15
    Quote Originally Posted by itdaddy View Post
    It isn't foolish to think anything is going away. It is a balance between convenience and security and sometimes the people in charge want convenience..
    IPSEC isn't going anywhere because there are still advantages to using it. Just because you don't like it doesn't mean it's going anywhere :P

  17. Questionably Benevolent Moderator Slowhand's Avatar
    Join Date
    Oct 2005
    Location
    Bay Area, CA
    Posts
    5,074
    Blog Entries
    1

    Certifications
    A+, Linux+, Server+, Security+, MCSA 2003, MCSA 2008, MCSA 2012, CCNA(expired), ITIL Foundation v3 (2011), VCP5-DCV, VCA-Cloud, VCA-DCV, VCA-WM
    #16
    Quote Originally Posted by Ahriakin View Post
    D
    E
    C
    A
    F

    Never!!!
    Quote Originally Posted by Ahriakin View Post
    No offense but you obviously have never tried setting up an SSL VPN, it doesn't just magically work with the press of a button. IPSec is much more straightforward, learn its phases and the config necessary for the appliance and it's the same every time. There's a reason Cisco urge SSL configs to be done from the GUI (and have even removed the CLI versions of some functions/not included the new ones), it is a lot more complex to configure when compared to IPsec counterparts if you want to do it right. It's not wishy-washy, or flakey, just the implementations on some devices can be flawed but as a VPN set it's pretty damn good (which is why it has stood the test of time). Also SSL is less efficient, getting better but still not on par.
    The only advantage it offers over IPSec (and it is a fair one) is convenience for the end user and then ONLY when you're talking about clientless vs. thick client installs. Its advantages for through PAT are only down to using TCP as the transport and you can encapsulate ESP inside UDP or TCP easily enough.
    Having just finished a project that involved setting up an IPSec VPN tunnel to another company and an SSL VPN gateway for remote access on a Cisco 2811 router, I definitely agree with some of the limitations of the newer technology. It is a bit slower, it definitely needs a bit more TLC to get working right, and there are some other performance issues. However, the benefits are also very enticing: the WebVPN web interface is very handy, especially for doling out AnyConnect clients and giving access to internal pages and browsing the network. (I wasn't too keen on the thin-client functionality, but that's just my own preference.) I also agree that getting IPSec up and running was a very straightforward process, but I had done the SSL VPN gateway first and was used to that, so I felt like the IPSec config was a little counter-intuitive for that reason.

    One of the things, though, that forced our hand in moving to SSL VPN was the fact that there isn't an IPSec VPN client (to my knowledge) for Windows Vista/7 or Mac OS X. We also needed support for Linux, which is available both in IPSec and SSL VPN format. What I really liked, though, is the ability to load all four clients - Windows, Mac (PowerPC), Mac (x86), and Linux - and the router will automatically select the proper client for the user's operating system. I'm also digging the idea that, since I set up the router to use RADIUS that authenticates against AD, any user in our network with proper access to use the VPN can log on to the dedicated web page and download the client to any machine they like.

    In any case, I think IPSec is here to stay a good, long while, especially while SSL VPN has drawbacks and performance issues, and SSL VPN will slowly but surely become more and more popular as time goes on. Soon, I think most places will be doing the same thing we did at our company: SSL VPN for remote users, and IPSec for VPN tunnels.

    -------------------------------------------------------
    ITHumidor.net - "Futuaris nisi irrisus ridebis"
    -------------------------------------------------------

    Free Microsoft Training: Microsoft Virtual Academy
    Free PowerShell Resources: Top 50 PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.

  18. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #17
    tiersten , slowhand,

    boys now now. I didn't mean it was gone forever or didn't have a great application or use. I was just saying seems to me and many others that
    the world demands speed and security and sometimes speed wins somewhat even Cisco you can see is going that route since many vendors are moving that direction. And old technology can be obsolete in the future or the new ones derived from it. That is all I am saying.
    I really love faster and secure stuff anyways..but who am I right?

    But tiersten, below is my exact point I am trying to say. Don't get me wrong
    IPSEC is cool but to me it will be eventually faded out or modified/morphed..just my 2.3 cents


    One of the things, though, that forced our hand in moving to SSL VPN was the fact that there isn't an IPSec VPN client (to my knowledge) for Windows Vista/7 or Mac OS X. We also needed support for Linux, which is available both in IPSec and SSL VPN format. What I really liked, though, is the ability to load all four clients - Windows, Mac (PowerPC), Mac (x86), and Linux - and the router will automatically select the proper client for the user's operating system. I'm also digging the idea that, since I set up the router to use RADIUS that authenticates against AD, any user in our network with proper access to use the VPN can log on to the dedicated web page and download the client to any machine they like.

    Last edited by itdaddy; 09-25-2009 at 05:26 PM.

  19. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #18
    slow hand

    i just saw the bottom of your messages ahahha
    that is great

    tweat me, face me, etc..

    that is so cool. great idea man! hahhahaah I get a kick out of stuff like that. That must mean I need a life aahahaha ahah

  20. was here.
    Join Date
    Apr 2008
    Posts
    4,504
    #19
    Quote Originally Posted by itdaddy View Post
    boys now now. I didn't mean it was gone forever or didn't have a great application or use. I was just saying seems to me and many others that
    the world demands speed and security and sometimes speed wins somewhat even Cisco you can see is going that route since many vendors are moving that direction. And old technology can be obsolete in the future or the new ones derived from it. That is all I am saying.
    Whilst technology does move on and certain systems will become obsolete, I don't see IPSEC going away anytime soon. You can't decide to just not learn about IPSEC. It is still used extensively for end user VPN connections and tunneling over other networks.

    Quote Originally Posted by itdaddy View Post
    But tiersten, below is my exact point I am trying to say. Don't get me wrong
    IPSEC and SSL VPN clients for Windows 7.

  21. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #20
    tiersten

    hey bud, we are both almost on the same page. I agree with you that the old standbys work like IPSEC with w7 and vista but it still looks like IPSEC is going on its way out...but I agree with you and great website you supported what you said..You can see all the vpn/ssl as much if not more than IPSEC..but

    dude I agree I am not arguing even though it seems like it. Although I love a good discussion..You my friend are speaking from your great experience and I on the other hand am speaking from some basic experience and as a customer and as one who sees the trends..but dude you are right....
    it's cool man! cheers! have a fun weekend!

  22. Senior Member ilcram19-2's Avatar
    Join Date
    Jan 2008
    Posts
    432

    Certifications
    A+,Net+,Server+,Sec+, MCP,MCSA:M/MCSE 2k3, CCNA,CCNA SEC,CCDA,CCDP, CCNP, MCTS, MCITP
    #21
    that's why I like to keep up to date, for example gre/ipsec, dmvpn, GETVPN, sslvpns,
    I've not used an ipsec site to site vpn for a while thanks to the flexibility that the technologies above offer

  23. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #22
    Don't forget IPSec is a fundamental part of IPv6 too, it will be easier to implement on a host-host basis as it is an available extension header.

  24. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #23
    Ahriakin

    When you say fundamental part, do you mean it has to work with IPSEC or IPV6 won't work at all? Can you explain basics or point me in the right direction on what you mean. It is hard to believe this but I am open to your expertise. And I would like to know..thanks man!
    -Robert

  25. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #24
    IPv6.com - IPv6 and IPSec - Securing the Next Generation Internet

    this is what you are talking about great found it now I understand.
    but to the guy who gave me a bad rap for not knowing anything about IPSEC
    phewy on you man! Whatever happened to good discussions??

    And isn't this site to educate or what? I am here to help others and get education myself. I never said I knew it all. I have been honest. But this article makes sense..Thanks for your help. But vpn/ssl is good for some things, and I love it, but I can see IPSEC is here to stay and will be at the root of IPV6 technology cool...Now that is how I like to learn thank you everyone. Hope we learned something new. I know I did...
    thank you!
    Last edited by itdaddy; 09-29-2009 at 04:25 PM. Reason: i f'd up writing

  26. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #25
    It was a good discussion, there should be no aspersions cast on anyone involved.
