Brian A Seklecki (Mobile) wrote:

quoted text
> On Mon, 2007-11-05 at 07:23 +0100, Martin Toft wrote:

>> On Mon, Nov 05, 2007 at 01:29:05AM +0100, Cabillot Julien wrote:

>>> Have you try openbsd 4.2 ? PF have been really improved in this

>>> release.

>

> pf(4) has nothing to do with isakmpd(8), except as it relates to recent

> addition of routing tags.

>

> - PIX/ASA is going to get you a default packet "ASA" forwarding based on

> interface weights

> - PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH

> VPN Road-warrior clients

> - PIX has functional object-groups/group-object inheritance

> - PIX/ASA has proprietary serial console fail-over (which is marginally

> faster than waiting for CARP)

> - PIX/ASA has some magical black-box inline transparent protocol

> "fixups"

> - PIX has a 4 hour SmartNet support contract option

> - PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)

>

> I don't know about ASA, but the 5xx PIX doesn't support IPv6

>

>

> Otherwise they're both software-based stateful IP packet forwarding

> engines running on i386 with NAT and IPSec and 802.1q support.

>

> OpenBSD will always scale better because you can run it on the harwdare platform of your choice.

>

> ~BAS

>

>> 1. VPN is computationally heavy -- is your hardware fast enough?

>>

>> 2. Try playing with queueing in PF to handle some types of traffic

>>    faster than others. AFAIK, it is normal to find this kind of

>>    configuration in commercial, black-box solutions, disguised as buzzy

>>    slogans like "Built-in QoS Super-Routing" :-)

>>

>> Just my two cents.

>>

>> Martin

>

> 

Are you sure PIX 515 and above does not support IPv6. By that do you mean IPv6

routing, if that is the case, yes. But PIX 515E and ASA does support IPv6 fine

when you use 7.X and above version of image.
In addition to your 4th point, PIX and ASA support failover using LAN, only PIX

supports serial based failover.
To the OP:

We use ASA and OpenBSD in our production environment and we spent close to

$10,000 buying twin ASAs (using GigE) for failover, but only $2000 to buy two

dell boxes to put OpenBSD (using GigE) on them and use them as failover i.e. pf

+ pfsync + sasyncd and its being fine for past 11 months.
Where do you see OpenBSD lagging behind, if it is a transfer rate you can tweak

tcp settings using sysctl, you can upgrade to 4.2 as the other post indicated.
And are you willing to spend money to buy expensive gear that is the question?