IPSec going away?

mattsthe2mattsthe2 Member Posts: 304
I heard that the Cisco road map is to do away with IPSec and move towards their SSL VPN, AnyConnect, etc. Anyone heard this?

Is there a shift towards AnyConnect, and what's its downside?

Comments

  • shednikshednik Member Posts: 2,005
    Site to Sites will definitely stay IPSec for sure.

    I know Cisco is pushing SSL VPN for remote access, but I don't see IPSec going away ever really. SSL VPNs are just going to be used a lot more, I think. I really like the WebVPN on the ASA personally, which runs over SSL.
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    IPV6 has IPSEC deeply integrated with it..IPSEC is here to stay....

    insert IT foot into mouth! ;)
  • 120nm4n120nm4n Member Posts: 116
    I've been getting emails about this from SonicWall lately. I wonder why there's such a big push all of a sudden?
    WIP: MCITP: EA
    70-620 - Done
    70-647 - In Progress
    70-649 - Soon.
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    I think it is because IPSEC is so hard to implement. Yeah, it works and is secure, but it can be hit or miss or cause many network issues.
    VPN/SSL is bam, it works, 99.9% perfect connections.. freaking awesome.
    logmein.com uses it, and others like it; it is very reliable and stress free.
    I have worked mildly with it and I have seen others work with it and pull their teeth out.. too much stress. Plus it is an old technology that needs a major makeover. The world is going faster and old technology needs to move out of the way! Once you have used VPN/SSL after using IPSEC you just say holy crap, that's all there is to it? And you kind of scratch your head and say WT??? hahhah haha
  • shednikshednik Member Posts: 2,005
    itdaddy wrote: »
    I think it is due to IPSEC is so hard to implement. Yeah it works and is secure, but can be hit or miss or cause many network issues..
    VPN/SSL is bam it works 99.9% perfect connections..freaking awesome.
    logmein.com uses it and other alike it is very reliable and stress free.
    I have worked mildly with it and I have seen others work with and pull their teeth out..too much stress. plus it is an old technology that
    needs a major makeover. the world is going faster and old technology
    needs to move out of the way! Once you have used vpn/ssl
    after using IPSEC you just say holy crap that's all there is to it?
    and you kind of scratch your head and say WT??? hahhah haha

    itdaddy, it's not that difficult to set up an IPsec VPN. I think for remote access VPNs it will move more towards SSL, but for hardware-based VPNs via site to site or EzVPN I don't see them going away from IPsec. I haven't done any research yet, but what would you use in a hardware-based VPN solution then? SSL VPNs for end users via a client or web browsers are great though, don't get me wrong.

    EDIT: so you piqued my interest now... have a look at this page at Cisco: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72.html. Moving fully away from IPsec you would lose some of the other features such as DMVPN and such. I only skimmed the page but it looks like SSL still has some development to do to take everything over.
  • wastedtimewastedtime Member Posts: 586
    Don't forget that IPsec is a mandatory component for IPv6.
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    I guess what I should have said was not everyone is on the same bandwagon when it comes to IPSEC protocols and it is dependent on who is using what. Some ISPs use this and some ISPs use that and some companies use this protocol.. and/or block these ports.... It is just very picky, but I agree with what you are saying; you have valid points and valid questions.
    I mean it just seems to be a lot of work sometimes. We have IPSEC VPNs at my work here and believe me, it gets crazy when someone changes something so small it whacks it out! And with VPN/SSL type technology it does the job and is efficient; that is what I mean..

    And yes, I agree VPN/SSL is very young yet!
    But I still love it hee hee ;)
    I know I am lazy, but I like stuff that is not so time wasting; let us get on to other stuff.

    WastedTime, explain how you mean IPSEC is mand. with IPv6, I don't get it.
    I have set up IPv6 at home and I don't need IPSEC??? Explain please,
    thanks....
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    wasted time,

    IPv6.com - IPv6 and IPSec - Securing the Next Generation Internet

    I see, but I hope they can clean this technology up because it is going to cause so many issues.... we have all heard or seen how wishy-washy it can be.....
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    D
    E
    C
    A
    F

    ;)

    No offense but you obviously have never tried setting up an SSL VPN, it doesn't just magically work with the press of a button. IPSec is much more straightforward, learn its phases and the config necessary for the appliance and it's the same every time. There's a reason Cisco urge SSL configs to be done from the GUI (and have even removed the CLI versions of some functions/not included the new ones), it is a lot more complex to configure when compared to IPsec counterparts if you want to do it right. It's not wishy-washy, or flaky, just the implementations on some devices can be flawed but as a VPN set it's pretty damn good (which is why it has stood the test of time). Also SSL is less efficient, getting better but still not on par.
    The only advantage it offers over IPSec (and it is a fair one) is convenience for the end user and then ONLY when you're talking about clientless vs. thick client installs. Its advantages for getting through PAT are only down to using TCP as the transport and you can encapsulate ESP inside UDP or TCP easily enough.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
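
The UDP encapsulation of ESP mentioned in the post above, as an added example that is not part of the thread: a classifier for UDP port 4500 payloads following the RFC 3948 layout, which is what lets IPsec cross a PAT device and what a defender sees in a capture. The function name and the sample datagrams are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500                  # UDP port shared by IKE and UDP-encapsulated ESP (RFC 3948)
NON_ESP_MARKER = b"\x00" * 4       # four zero bytes placed in front of every IKE message on this port
# IKE header: initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length
IKE_HEADER = struct.Struct("!8s8sBBBBII")
ESP_HEADER = struct.Struct("!II")  # SPI, sequence number


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one datagram sent to or from port 4500."""
    # A single 0xFF octet is the NAT keepalive that holds the PAT mapping open.
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < ESP_HEADER.size:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    # SPI 0 is reserved in ESP, so four leading zero bytes can only mean IKE.
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        spi_i, _spi_r, _next, version, exchange, _flags, msg_id, length = \
            IKE_HEADER.unpack_from(ike)
        return {
            "kind": "ike",
            "version": f"{version >> 4}.{version & 0x0F}",
            "exchange_type": exchange,
            "message_id": msg_id,
            "initiator_spi": spi_i.hex(),
            "length_ok": length == len(ike),   # header length field vs. bytes received
        }
    # Anything else is ESP: the first 32 bits are the (non-zero) SPI.
    spi, seq = ESP_HEADER.unpack_from(payload)
    return {"kind": "esp", "spi": spi, "seq": seq,
            "ciphertext_len": len(payload) - ESP_HEADER.size}


# Constructed sample datagrams (not captured traffic).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(
    bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00"),
    46, 0x20, 35, 0x08, 1, IKE_HEADER.size)   # IKEv2 IKE_AUTH, header only
SAMPLE_ESP = ESP_HEADER.pack(0xC0FFEE01, 7) + bytes(16)  # 16 zero bytes stand in for ciphertext

if __name__ == "__main__":
    for name, sample in [("keepalive", SAMPLE_KEEPALIVE),
                         ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)]:
        print(name, classify_natt_payload(sample))
```

Native ESP is IP protocol 50 and carries no port numbers for a PAT device to rewrite, which is why the UDP wrapper is needed at all.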
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    Thanks, no offense taken (but thanks for caring). I really haven't done much with it but
    I have used VPN/SSL and it is slick. And I have never had, nor have I heard of anyone with, issues with it. I am not talking site-to-site (we have site-to-site IPsec VPNs that have never had issues), only remote client to server type.

    I have just seen guys have so many issues with VPN/IPSEC due to everyone in the loop not using the exact this and exact that, where VPN/SSL is universal. But I am sure there are flaws, but from a purely customer standpoint it is freaking awesome.

    I would rather use something much easier and reliable. I am sure IPSEC has its applications. I guess I need to specify apples to apples and oranges to oranges.
    Thanks for your help. I appreciate your help.
  • PsoasmanPsoasman Senior Member Member Posts: 2,687 ■■■■■■■■■□
    I doubt IPSec is going away anytime soon. It is a complex protocol, but if you configure it properly, it's a great way to secure your network.
    Of course, you should do extensive testing before deploying in a production network.
    I think it's a good protocol to secure small areas of your network, but I'd never use it on the entire network.
  • Paul BozPaul Boz Member Posts: 2,621 ■■■■■■■■□□
    Technology isn't meant to be easy, it's meant to work and work well. IPSec isn't going anywhere and it's foolish to think that it is.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    It isn't foolish to think anything is going away. It is a balance between convenience and security and sometimes the people in charge want convenience.. ;) It is possible for any older technology to go by the wayside, but I understand your point, big guy!

    I think Cloud technology sucks! Too many middlemen and many issues as a result. But there is nothing we can do but to work together even more.

    But like all new things, they are derived from the old..
  • tierstentiersten Member Posts: 4,505
    itdaddy wrote: »
    it isnt foolish to think anything is going away. It is a balance between convenience and security and sometimes the people in charge want convenience..;)
    IPSEC isn't going anywhere because there are still advantages to using it. Just because you don't like it doesn't mean it's going anywhere :P
  • SlowhandSlowhand MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switchi Bay Area, CaliforniaMod Posts: 5,163 Mod
    Ahriakin wrote: »
    D
    E
    C
    A
    F

    ;)
    Never!!!
    Ahriakin wrote: »
    No offense but you obviously have never tried setting up an SSL VPN, it doesn't just magically work with the press of a button. IPSec is much more straightforward, learn its phases and the config necessary for the appliance and it's the same every time. There's a reason Cisco urge SSL configs to be done from the GUI (and have even removed the CLI versions of some functions/not included the new ones), it is a lot more complex to configure when compared to IPsec counterparts if you want to do it right. It's not wishy-washy, or flaky, just the implementations on some devices can be flawed but as a VPN set it's pretty damn good (which is why it has stood the test of time). Also SSL is less efficient, getting better but still not on par.
    The only advantage it offers over IPSec (and it is a fair one) is convenience for the end user and then ONLY when you're talking about clientless vs. thick client installs. Its advantages for getting through PAT are only down to using TCP as the transport and you can encapsulate ESP inside UDP or TCP easily enough.

    Having just finished a project that involved setting up an IPSec VPN tunnel to another company and an SSL VPN gateway for remote access on a Cisco 2811 router, I definitely agree with some of the limitations of the newer technology. It is a bit slower, it definitely needs a bit more TLC to get working right, and there are some other performance issues. However, the benefits are also very enticing: the WebVPN web interface is very handy, especially for doling out AnyConnect clients and giving access to internal pages and browsing the network. (I wasn't too keen on the thin-client functionality, but that's just my own preference.) I also agree that getting IPSec up and running was a very straightforward process, but I had done the SSL VPN gateway first and was used to that, so I felt like the IPSec config was a little counter-intuitive for that reason.

    One of the things, though, that forced our hand in moving to SSL VPN was the fact that there isn't an IPSec VPN client (to my knowledge) for Windows Vista/7 or Mac OS X. We also needed support for Linux, which is available both in IPSec and SSL VPN format. What I really liked, though, is the ability to load all four clients - Windows, Mac (PowerPC), Mac (x86), and Linux - and the router will automatically select the proper client for the user's operating system. I'm also digging the idea that, since I set up the router to use RADIUS that authenticates against AD, any user in our network with proper access to use the VPN can log on to the dedicated web page and download the client to any machine they like.

    In any case, I think IPSec is here to stay a good, long while, especially while SSL VPN has drawbacks and performance issues, and SSL VPN will slowly but surely become more and more popular as time goes on. Soon, I think most places will be doing the same thing we did at our company: SSL VPN for remote users, and IPSec for VPN tunnels.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    tiersten , slowhand,

    boys now now. I didn't mean it was gone forever or didn't have a great application or use. I was just saying it seems to me and many others that the world demands speed and security and sometimes speed wins somewhat; even Cisco you can see is going that route since many vendors are moving in that direction. And old technology can be obsolete in the future or the new ones derived from it. That is all I am saying.
    I really love faster and secure stuff anyways.. but who am I, right?

    But tiersten, below is my exact point I am trying to say. Don't get me wrong,
    IPSEC is cool but to me it will eventually be faded out or modified/morphed.. just my 2.3 cents ;)

    One of the things, though, that forced our hand in moving to SSL VPN was the fact that there isn't an IPSec VPN client (to my knowledge) for Windows Vista/7 or Mac OS X. We also needed support for Linux, which is available both in IPSec and SSL VPN format. What I really liked, though, is the ability to load all four clients - Windows, Mac (PowerPC), Mac (x86), and Linux - and the router will automatically select the proper client for the user's operating system. I'm also digging the idea that, since I set up the router to use RADIUS that authenticates against AD, any user in our network with proper access to use the VPN can log on to the dedicated web page and download the client to any machine they like.

  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    slow hand

    i just saw the bottom of your messages ahahha
    that is great

    tweat me, face me, etc..

    that is so cool. great idea man! hahhahaah I get a kick out of stuff like that. That must mean I need a life aahahaha ahah;)
  • tierstentiersten Member Posts: 4,505
    itdaddy wrote: »
    boys now now. I didnt mean it was gone forever or didnt have a great application or use. I was just saying seems to me and many others that
    the world demands speed and security and sometimes speed wins somewhat even Cisco you can see is going that route since many vendors are moving that direction. And old technology can be obsolete in the future or the new ones derived from it. That is all I am saying.
    Whilst technology does move on and certain systems will become obsolete, I don't see IPSEC going away anytime soon. You can't decide to just not learn about IPSEC. It is still used extensively for end user VPN connections and tunneling over other networks.
    itdaddy wrote: »
    But tiersten, below is my exact point I am trying to say. Dont get me wrong
    IPSEC and SSL VPN clients for Windows 7.
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    tiersten

    hey bud, we are both almost on the same page. I agree with you that the old standbys work, like IPSEC with W7 and Vista, but it still looks like IPSEC is on its way out... but I agree with you, and great website, you supported what you said.. You can see all the VPN/SSL as much if not more than IPSEC.. but

    dude I agree, I am not arguing even though it seems like it. Although I love a good discussion.. You my friend are speaking from your great experience and I on the other hand am speaking from some basic experience and as a customer and as one who sees the trends.. but dude you are right....
    it's cool man! cheers! have a fun weekend!
  • ilcram19-2ilcram19-2 Banned Posts: 436
    That's why I like to keep up to date, for example GRE/IPsec, DMVPN, GETVPN, SSL VPNs.
    I've not used an IPsec site-to-site VPN for a while thanks to the flexibility that the technologies above offer.
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Don't forget IPSec is a fundamental part of IPv6 too, it will be easier to implement on a host-host basis as it is an available extension header.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    Ahriakin

    When you say fundamental part, do you mean it has to work with IPSEC or IPv6 won't work at all? Can you explain the basics or point me in the right direction on what you mean? It is hard to believe this but I am open to your expertise. And I would like to know.. thanks man!
    -Robert;)
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    IPv6.com - IPv6 and IPSec - Securing the Next Generation Internet

    This is what you are talking about, great, found it, now I understand.
    But to the guy who gave me a bad rap for not knowing anything about IPSEC,
    phooey on you man! Whatever happened to good discussions??

    And isn't this site to educate or what? I am here to help others and get education myself. I never said I knew it all. I have been honest. But this article makes sense.. Thanks for your help. But VPN/SSL is good for some things, and I love it, but I can see IPSEC is here to stay and will be at the root of IPv6 technology, cool... Now that is how I like to learn ;) thank you everyone. Hope we learned something new. I know I did...
    thank you!
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    It was a good discussion, there should be no aspersions cast on anyone involved.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • TurgonTurgon Banned Posts: 6,313
    itdaddy wrote: »
    I guess what I should have said was not everyone is on the same bandwagon when it comes to IPSEC protocols and it is dependent on who is using what. Some ISPs use this and some ISPs use that and some companies use this protocol.. and/or block these ports.... It is just very picky, but I agree with what you are saying; you have valid points and valid questions.
    I mean it just seems to be a lot of work sometimes. We have IPSEC VPNs at my work here and believe me, it gets crazy when someone changes something so small it whacks it out! And with VPN/SSL type technology it does the job and is efficient; that is what I mean..

    And yes, I agree VPN/SSL is very young yet!
    But I still love it hee hee ;)
    I know I am lazy, but I like stuff that is not so time wasting; let us get on to other stuff.

    WastedTime, explain how you mean IPSEC is mand. with IPv6, I don't get it.
    I have set up IPv6 at home and I don't need IPSEC??? Explain please,
    thanks....

    IPv6 has native authentication support. OSPFv3 uses this rather than implementing its own authentication mechanisms. It uses Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols for authentication. Because these are part of the IPsec protocol you must configure IPSec security policies to use them. Haven't done this myself so would defer to Ahriakin if you want more details.

    SSL/VPN is making inroads. But everywhere I work I find site to site VPNs using IPSec. Some of these have been running for years between external companies. They can be a pain to set up between different companies using different vendors and if you are short on knowledge they most likely will not work right first time. But they are there, and regardless of what alternatives exist now and will emerge in the future, they need to be supported today and migrated at some point. On a certification level I see useful technologies being dropped off exams and syllabuses over time. While newer technologies may well be the direction the market wants to head off in, the direction in the field is often a few years behind. So (for example) a lot of folks struggle with ISDN or other dialers when a migration project is on the table or issues ensue with what was already deployed in the field.
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Ahriakin wrote: »
    The only advantage it offers over IPSec (and it is a fair one) is convenience for the end user and then ONLY when you're talking about clientless vs. thick client installs. Its advantages for getting through PAT are only down to using TCP as the transport and you can encapsulate ESP inside UDP or TCP easily enough.

    Well put.

    SSL is more for ease of use for a client to access protected resources not for site to site security.

    IPsec is more efficient but doesn't have that clientless ability that SSL does. Just imagine if you had to download and install an IPsec application to access your banking info online. In that regard you would also have to do this with any site that needed its users to gain secure access to it. This just isn't feasible.

    SSL takes this role with allowing the security to occur right in the browser. No messy client install necessary. But as with anything in this world, when you focus on ease of use efficiency goes out the window.

    SSL VPNs have their place but I don't see them replacing IPsec VPNs anytime soon. I couldn't imagine setting up an SSL VPN for bulk data transfer between an HQ and a remote office.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • itdaddyitdaddy Senior Member Member Posts: 2,088 ■■■■□□□□□□
    hey thanks for all the information and help. We appreciate your input. really. I know I do. Thank you:D