Are the VPN Alternatives Enterprise Ready?
steve asks: "There has been some talk about the newer alternative to true VPN lately. Are products like Netilla or Neoteris enough to replace the typical 'extranet'? Most are based on simple SSL technology and somewhat limited in what applications you can run or use them for, but they do give a simple web-based interface. Has anyone out there played with any of these? Are they truly worth a look yet? Would you be concerned about potential browser issues (security or otherwise) creating a back door on your nice firewall?"
It has easily the most confusing documentation and configuration file layout of any VPN-type product I have tried.
Really? I found FreeS/WAN's docs to be amazingly helpful. The config file is certainly a bit different from some of the others out there, but it does work well.
In general IPsec is a great tool for creating VPNs, and since more and more operating systems are including it, it allows for a high level of interoperability (Win2k, Linux, and *BSD, and I think Solaris 8 all include it). The FreeS/WAN people have lots of interop documentation on their site, and as more is written a lot of the current voodoo will be eliminated.
I have recently been doing some interop testing of X.509 certificate-based IPsec authentication between Linux and the KAME implementation (NetBSD, FreeBSD, BSDI), and am writing a document describing the process right now (available at http://web.morgul.net/~frodo/docs/kame+freeswan_interop.html, though it's not done yet). Certificate-based authentication is great because it eliminates the key distribution problem and makes large-scale deployment a possibility.
noah