9/28/2012
ZyXEL ZyWALL 5 Internet Security Firewall Appliance With 4 10/100 Fast Ethernet Ports and 10 IPSec VPN Tunnels Review
I purchased a Zywall 5 VPN server to replace an older Linux Freeswan solution. It took about a month to set up in my corporate environment, which likely differs greatly from the Zywall's intended configuration.
The Zywall 5 assumes that it is the default gateway to the Internet, and thus lacks the capability of answering ARP requests for its connected VPN clients (which are configured with virtual IP addresses in the same subnet as the LAN). The Linux Freeswan solution could be configured to answer ARP requests for connected VPN clients. Working around this problem required adding an additional network card to the internal LAN firewall, attaching the Zywall to that LAN card, and configuring the internal firewall to forward packets destined to the connected VPN clients directly to the Zywall. This was not as clean as the Linux Freeswan solution, but it worked.
The Zywall 5 supports X.509 VPN certificates, but requires that a certificate authority be set up on a Windows 2000 server to generate the appropriate certificates for the Zywall and VPN clients. This is a bit awkward to accomplish, considering that the same was possible with just a couple command line entries on the Linux Freeswan box.
It is easy to accidentally misconfigure the Zywall, such that the web and telnet interfaces are no longer accessible, requiring a connection with a serial cable to undo the settings. This happened more than once when trying to make the Zywall send packets back to attached VPN clients.
While the Zywall supports up to 10 simultaneous clients, there are severe limitations. Preshared keys cannot be used with road warrior connections (where the client's IP address changes with each connection). X.509 certificates can be used with road warrior connections, but the same client X.509 certificate must be used for all road warriors (this makes it hard to revoke a certificate should a laptop be stolen). The Zywall supports RADIUS authentication in addition to certificates, so that somewhat resolves the need to share certificates. Multiple road warriors can simultaneously connect using the same VPN rule configured in the Zywall.
The Zywall at my site sits behind an external routing firewall. Some of the Zywall's NAT features appear to be buggy in this configuration, directing return VPN packets at the external routing firewall, rather than to the connected VPN client's IP address.
Bandwidth limitation capabilities help prevent attached VPN clients on high speed cable or DSL connections from completely saturating the corporate Internet connection.
Based on my experience with configuring Linux iptables firewalls on the Freeswan box, the firewall on the Zywall is a challenge to set up correctly. Instead of referring to the encrypted network interface connection as ipsec0 as on the Freeswan box, the Zywall uses verbose descriptions such as (LAN to LAN / Zywall), (LAN to WAN), (LAN to DMZ), (WAN to LAN), (WAN to WAN / Zywall), (WAN to DMZ), (DMZ to LAN), (DMZ to WAN), and (DMZ to DMZ / Zywall) - determining which setting to use in order to restrict traffic between the corporate LAN and a connected VPN client based on the documentation is difficult (even though the manual is 500+ pages). I had to disable the Zywall's firewall to resolve connectivity issues, and rely on the internal firewall to control traffic destined to connected VPN clients. Maybe if one of the verbose descriptions were labeled (LAN to VPN Client) it would be easier to set up the firewall.
The Zywall 5 supports time synchronization to Internet time servers, which is a required feature to keep the time from rapidly drifting from the correct time. Time synchronization is not always successful, nor does it always use the specified time server.
Once the device's limitations are determined, and it is set up to work around those limitations, the Zywall 5 performs very well for its intended purpose with clients using Safenet SoftRemote VPN software.
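The reviewer's two certificate complaints (needing a Windows 2000 CA to mint certificates, and one shared road-warrior certificate that cannot be revoked per laptop) are both about how the CA is run, not about the appliance's IKE implementation. The script below is an added example, not part of the review and not ZyXEL or Freeswan code: it builds a minimal OpenSSL CA, issues one certificate per laptop, revokes a single stolen laptop's certificate, and publishes a CRL, then performs the CA+CRL check a VPN gateway should do at authentication time (here `openssl verify` stands in for the IKE daemon). The CA name, the laptop identities and all file paths are hypothetical; it assumes the `openssl` command-line tool is installed and works in a throwaway directory.

```shell
#!/bin/sh
# Added example, not from the review. Builds a tiny CA with per-client
# certificates and a CRL. Names and paths are hypothetical.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# openssl ca needs a config file plus an index, serial and crlnumber file.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
mkdir newcerts
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# 1. Self-signed CA, the role the review says needed a Windows 2000 server.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Corp VPN CA" -days 3650 -config ca.cnf >/dev/null 2>&1

# 2. One certificate per laptop, so each can later be revoked on its own
#    (the alternative to one shared road-warrior certificate).
issue_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ca.cnf >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}
issue_client laptop-alice
issue_client laptop-bob

# 3. Laptop stolen: revoke only that certificate and publish a fresh CRL.
#    The other laptops keep working with their own certificates.
revoke_client() {
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}
revoke_client laptop-bob

# 4. Gateway-side check at IKE time: chain to the CA and consult the CRL.
#    Returns 0 if the client certificate is still acceptable, 1 otherwise.
check_client() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" \
      >/dev/null 2>&1; then
    echo "$1: accepted"
    return 0
  else
    echo "$1: rejected (revoked or invalid)"
    return 1
  fi
}

check_client laptop-alice || true
check_client laptop-bob || true
```

The CRL has to reach the gateway somehow (copied to it, fetched from a distribution point, or loaded into whichever IKE daemon you run); until it does, a revoked certificate is still accepted, which is the same exposure as the shared certificate, only shorter-lived. Short `default_crl_days` and a regenerate-on-revoke habit keep that window small.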