Brian A Seklecki (Mobile) wrote:
On Mon, 2007-11-05 at 07:23 +0100, Martin Toft wrote:
On Mon, Nov 05, 2007 at 01:29:05AM +0100, Cabillot Julien wrote:
Have you tried OpenBSD 4.2? PF has been really improved in this
release.

pf(4) has nothing to do with isakmpd(8), except as it relates to recent
addition of routing tags.

- PIX/ASA is going to get you a default packet "ASA" forwarding based on
interface weights
- PIX/ASA is going to guarantee easily set up and functional Hybrid-XAUTH
VPN Road-warrior clients
- PIX has functional object-groups/group-object inheritance
- PIX/ASA has proprietary serial console fail-over (which is marginally
faster than waiting for CARP)
- PIX/ASA has some magical black-box inline transparent protocol
"fixups"
- PIX has a 4 hour SmartNet support contract option
- PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)

I don't know about ASA, but the 5xx PIX doesn't support IPv6


Otherwise they're both software-based stateful IP packet forwarding
engines running on i386 with NAT and IPSec and 802.1q support.

OpenBSD will always scale better because you can run it on the hardware
platform of your choice.

~BAS

1. VPN is computationally heavy -- is your hardware fast enough?

2. Try playing with queueing in PF to handle some types of traffic
   faster than others. AFAIK, it is normal to find this kind of
   configuration in commercial, black-box solutions, disguised as buzzy
   slogans like "Built-in QoS Super-Routing" :-)

Just my two cents.

Martin
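As an added illustration of Martin's queueing suggestion and of the pf + pfsync setup mentioned later in the thread (this is a constructed pf.conf fragment in OpenBSD 4.2-era ALTQ syntax, not configuration from any poster; interface names, the peer address and the bandwidth figure are assumptions):

```conf
# Constructed example, not from the thread. Interface names, peer address
# and link bandwidth are assumptions; adjust to the real deployment.
ext_if  = "em0"
sync_if = "em2"
vpn_peer = "203.0.113.5"

# Serve IKE and ESP traffic ahead of bulk traffic on the external link.
# priq always dequeues the highest-priority non-empty queue first.
altq on $ext_if priq bandwidth 100Mb queue { q_vpn, q_ack, q_bulk }
queue q_vpn  priority 7
queue q_ack  priority 6
queue q_bulk priority 1 priq(default)

# State replication to the failover peer must not be blocked; it runs
# on a dedicated sync interface so it does not compete with $ext_if queues.
pass quick on $sync_if proto pfsync

# IKE (udp/500, udp/4500 for NAT-T) and ESP to the peer go into q_vpn.
pass out on $ext_if proto udp from ($ext_if) to $vpn_peer port { 500, 4500 } queue q_vpn
pass out on $ext_if proto esp from ($ext_if) to $vpn_peer queue q_vpn

# Everything else: TCP ACKs and low-delay packets use the second queue
# listed, bulk payload goes to q_bulk.
pass out on $ext_if proto tcp from ($ext_if) to any queue (q_bulk, q_ack)
pass out on $ext_if queue q_bulk
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -s queue -v` shows per-queue packet and drop counters, which is the quickest way to confirm VPN traffic is actually landing in q_vpn.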



Are you sure PIX 515 and above does not support IPv6? By that do you mean IPv6 routing? If that is the case, yes. But PIX 515E and ASA do support IPv6 fine when you use a 7.X and above version of the image.

In addition to your 4th point, PIX and ASA support failover using LAN; only PIX supports serial-based failover.

To the OP:
We use ASA and OpenBSD in our production environment and we spent close to $10,000 buying twin ASAs (using GigE) for failover, but only $2000 to buy two Dell boxes to put OpenBSD (using GigE) on them and use them as failover, i.e. pf + pfsync + sasyncd, and it's been fine for the past 11 months.

Where do you see OpenBSD lagging behind? If it is the transfer rate, you can tweak TCP settings using sysctl; you can upgrade to 4.2 as the other post indicated.

And are you willing to spend money to buy expensive gear? That is the question.
