General discussion


Why do I need to go for a VPN concentrator?

By kr_kirru ·

I need to decide whether I should migrate to a VPN concentrator or stay with PIX for VPN setup.

Can anyone advise regarding this and the additional features that I get when I opt for a concentrator?


by joematus In reply to Why do i need to go for V ...

You'll be offloading CPU processing from the PIX. VPN processing is very CPU intensive because every single packet has to be encrypted using a mathematical algorithm. If you have a lot of VPN users it can make a difference. You'll need to check the CPU usage on your PIX to figure out if it will make a difference. If you have a lot of CPU idle time on your PIX, then maybe you don't need a concentrator. But if you expect a lot of new VPN users, then maybe you'll need it for future growth.


by kr_kirru In reply to Why do i need to go for V ...

Thanks a lot, joematus.


by gavin In reply to Why do i need to go for V ...

A VPN concentrator, aka VPN gateway, is dedicated to performing VPN connections (encrypt/decrypt, key exchange, etc.), so it comes with VPN accelerator hardware that could support more VPN throughput (or more VPN tunnels) compared to your PIX or any firewall with built-in VPN. If you have multiple VPN users, it is always best to have a VPN concentrator do the job and let your firewall perform security alone, or your firewall would cause a bottleneck in your network.


by dplewis In reply to Why do i need to go for V ...

The main limit with PIX is that, if you're building site-to-site VPNs, you can't have packets come in on, and then route back out of, the same interface. (For site-to-site VPNs use a concentrator or, more likely, IOS routers with IPSec featureset.)
Although the statements made about VPN encryption overhead are true, many PIX firewalls have (or can have added) a VPN hardware accelerator - this offloads the encryption/decryption process from the main CPU.

I'd recommend a PIX for a simple remote access VPN, with relatively few users logging into a central network - it's easy to tie the VPN connections in with your firewall rules. If you have an off-board concentrator this is more complicated (and costly).

