On Mon, 2007-11-05 at 07:23 +0100, Martin Toft wrote:
quoted text
> On Mon, Nov 05, 2007 at 01:29:05AM +0100, Cabillot Julien wrote:
> > Have you try openbsd 4.2 ? PF have been really improved in this
> > release.

pf(4) has nothing to do with isakmpd(8), except as it relates to recent
addition of routing tags.

- PIX/ASA is going to get you a default packet "ASA" forwarding based on
interface weights 
- PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH
VPN Road-warrior clients
- PIX has functional object-groups/group-object inheritance
- PIX/ASA has proprietary serial console fail-over (which is marginally
faster than waiting for CARP)
- PIX/ASA has some magical black-box inline transparent protocol
"fixups"
- PIX has a 4 hour SmartNet support contract option
- PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)

I don't know about ASA, but the 5xx PIX doesn't support IPv6


Otherwise they're both software-based stateful IP packet forwarding
engines running on i386 with NAT and IPSec and 802.1q support.

OpenBSD will always scale better because you can run it on the harwdare platform of your choice.

~BAS

quoted text
> 1. VPN is computationally heavy -- is your hardware fast enough?
> 
> 2. Try playing with queueing in PF to handle some types of traffic
>    faster than others. AFAIK, it is normal to find this kind of
>    configuration in commercial, black-box solutions, disguised as buzzy
>    slogans like "Built-in QoS Super-Routing" :-)
> 
> Just my two cents.
> 
> Martin