I purchased for testing
- a Linksys BEFVP41 "Ethernet Cable/DSL VPN Router" and
- a Linksys BEFSX41 "Broadband Firewall Router with 4-port Switch/VPN Endpoint"
I was hoping that the VPN capabilities of the FVP were sufficient to allow me to connect to our several PIXes from my SOHO, and hoping that the FSX VPN would be "good enough" to be able to recommend to potential telecommuting employees who do not need as many tunnels as I do.
I have now had a small amount of time to play with the FVP, but I have not had a chance to open the FSX as yet.
I had some initial problems with getting a wired connection to the FVP, with rather inconsistant results. Either there was a conflict with my wireless network connection having been activated first, or (more likely) the cable was too short and I was having some kind of physical wiring problems. Replacing the cable with a spare one I had around appeared to solve the problem; the ability of one of the4 LAN ports to be crossed-over helped. The LAN ports are -not- auto- MDI-X though.
Once I had a connection, the majority of the configuration screens on the FVP are immediately recognizable to users of a number of other Linksys products such as the BEFW11S4.
There is no obvious way to SYSLOG anything; it appears that the logging function is the Linksys non-standard one. I have read that there is linux source available for the logger; I will have to check that out.
One can, though, set SNMP community strings. I have not yet attempted to browse the tree.
It appears that I have a "version 1" FVP; there is a "version 2" as well, whose firmware has been touched more recently. [Now I'm going to have to investigate to find out whether I should have been more specific about what I was buying...]
There is a VPN configuration tab, with a choice of DES/3DES, HMAC/SHA, IKE auto or manual, PFS available, and key lifetime specifiable. On the Advanced tab, one has a bit of control over the proposal orders, and can configure groups of 768 or 1024 bits (i.e., group 1 or group 2, but given by size not number.) There are no Certificate Authority options on the FVP, just a shared key, which is limited to 24 bytes (which can be entered in ASCII or hex.)
This revision of the FVP does NOT offer AES, VPN over SSL, or groups 5 or 7, and also does not offer any way to turn on AH.
Each "tunnel" may be configured for source and destination and remote security gateway. The source may be specified as an IP, a subnet, or an IP range. The destination may be specified as an IP, subnet, IP range, 'any', or 'host'. When 'host' is chosen, the implied host is the remote security gateway. [Plausibly this connects in the other IPSec mode.] Selecting 'Any' produces a message that is not immediately clear: leads me to wonder about the ability to use the FVP as an IPSec server (i.e., destination endpoint)... something I had been thinking of at the time of the purchase, but which had slipped my mind since. The box outside documentation implies it is possible; I have not read the manual yet ;-)
Notice in the description of tunnels that each tunnel corresponds what PIX would call a "security association", instead of corresponding to an IKE peer (as per the peer limits on the PIX 501.) That will not be a problem for me for the FVP, but it will certainly influence my use of the FSX if the configuration mechanism is the same. When I popped for the extra FSX I was certainly thinking in terms of IKE peers, not in terms of SA's.
We have 4 different subnets that our employees could plausibly want to access, and as well we have a dozen or so systems at HQ that we would want to be able to relay traffic for. I will need to experiment with split ACLs, and with the 'any' destination, and I might end up needing to essentially go for a VPN concentrator solution, handling all user traffic and sending it onward through tunnels or not as appropriate. I'm not keen on relaying all user traffic, though -- I'm not interested in having their private non-work traffic ending up going through our equipment, so if I can't get split ACLs to work, users that want to telecommute will likely be told that the FSX is not an option. I might still be able to deploy the FSX within a small remote office, though.
A note on the internal differences between the FVP and FSX: the FVP has a hardware VPN coprocessor, whereas the FSX does not. Sites such as tomsnetworking.com have some speed comparisons: the FVP is a fast device considering the low price (slightly over $US100), with the FSX being slower but still "fast enough" for typical DSL/cable subscribers.
Ah, I nearly forgot to say how my VPN experiments came out: looking up our current crypto dynamic map shared secret took longer than configuring a simple tunnel. My first iteration, 3DES HMAC was rejected by our PIX (if I recall correctly, it said it was not supported), but after a simple modification to 3DES SHA, the connection went completely smoothly, and the VPN tunnel was up in seconds.
Considering the firmware age, there is likely no NAT-T support in the firmware for the FVP revision 1 [but there plausibly is on the newer FSX firmware]: I will need to check.
So... if you are looking for a VPN hardware endpoint with SPI, for SOHO use, and 24-byte preshared key 3DES Group 2 is acceptable, then indications so far are that the Linksys BEFVP41 has no difficulty talking to a PIX.