Of course, you may need to pinch your pennies for this convenience. At an entry-level price of around $8,000 per unit, a simple two-node VPN will run well into five figures. One offset is the time-saving QVPN Builder tool--bundled for free--but QVPN is nevertheless better suited to large deployments. It's capable of delivering detailed traffic reports, letting charges be applied to departments or customers. And its installation doesn't disrupt the network at each VPN end point. Comparing features, rollout time, and cost against other VPNs in the same class, AccessPoint QVPN is the clear choice for large shops.
AccessPoint QVPN is a hardware-based solution, meaning that each end point for a VPN will need an AccessPoint QVPN device, which can be configured as a router or as a bridge. One of the stellar features of AccessPoint QVPN is its bandwidth management technology. Xedia uses CBQ (class-based queuing) for fine-grain control of bandwidth utilization, letting AccessPoint QVPN deliver QoS (Quality of Service) control.
CBQ traffic classification is a matter of matching packets against a set of classes defined by the user. I could base classes on IP source or destination address, source or destination port, protocol, domain name, type of service or any combination thereof. And I could schedule traffic by assigning some amount of available bandwidth to each defined class. Once I had configured QVPN, I found that the product handled its scheduling in real time as packets were transmitted by the device. To configure the hardware, you can use a command line or Xedia's Java-based Access View, which runs in a Web browser. During tests I used both tools, which worked as well as any other router's configuration interfaces.
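The classification and bandwidth assignment described above, as an added Python illustration (not Xedia's code or configuration syntax): packets are matched against user-defined classes, and each class gets a fixed share of the link for one scheduling interval. The class names, addresses and rates are constructed, and the link-sharing that a full CBQ scheduler performs between classes is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    size: int  # bytes

@dataclass(frozen=True)
class TrafficClass:
    name: str
    share: float                    # fraction of link bandwidth assigned
    src_net: Optional[str] = None   # None means "match anything"
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        ip, net = ipaddress.ip_address, ipaddress.ip_network
        return ((self.src_net is None or ip(p.src) in net(self.src_net))
                and (self.dst_net is None or ip(p.dst) in net(self.dst_net))
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))

def classify(p, classes):
    """First matching class wins; the last class must be a catch-all."""
    return next(c.name for c in classes if c.matches(p))

def schedule(packets, classes, link_bps, interval_s=1.0):
    """Per class: (bytes sent, bytes deferred) within one interval."""
    budget = {c.name: c.share * link_bps * interval_s / 8 for c in classes}
    report = {c.name: (0, 0) for c in classes}
    for p in packets:
        name = classify(p, classes)
        sent, deferred = report[name]
        if sent + p.size <= budget[name]:
            report[name] = (sent + p.size, deferred)
        else:
            report[name] = (sent, deferred + p.size)
    return report

# Constructed classes and traffic; every value here is illustrative.
CLASSES = [TrafficClass("ipsec", 0.5, proto="esp"),
           TrafficClass("finance-web", 0.3, src_net="10.1.2.0/24", proto="tcp", dport=80),
           TrafficClass("default", 0.2)]
SAMPLE = ([Packet("10.1.1.1", "192.0.2.1", "esp", 0, 1500)] * 50
          + [Packet("10.1.2.7", "192.0.2.10", "tcp", 80, 1000)] * 10
          + [Packet("10.9.9.9", "192.0.2.10", "tcp", 80, 1000)] * 5)
```

Calling `schedule(SAMPLE, CLASSES, 1_000_000)` returns per-class byte counts for a 1 Mbps link, the kind of figure a per-department traffic report would be built from.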
The product supports IPSec (IP Security) and IKE (Internet Key Exchange) for dynamic key management, and X.509v3 digital certificates for integration with a PKI (public key infrastructure). AccessPoint QVPN appears to be very scalable; Xedia claims its product can handle as many as 4,000 simultaneous L2TP/PPP sessions on a variety of network interfaces.
Tunneling Along
I used AccessPoint QVPN to build tunnels between my test network, my production network and a remote network. Each network runs a series of Windows NT 4.0 servers and workstations, with a few Windows 9x systems and one Linux server. AccessPoint QVPN was configured to allow connectivity between each of the three networks.
As with most devices that support routing, I had to define the usual TCP/IP parameters using a COM port connection. Once the TCP/IP configuration was set, I plugged the hardware into a hub, where I could then access the device's built-in Access View management software from a Web browser. Then I simply entered the IP address of the AccessPoint QVPN device. Logged in this way, I could quickly configure management of almost every aspect of the hardware's parameters, such as static and default routes, interface address and netmasks, and virtual tunnel transports. This functionality is as good as any other Web-based hardware configuration interface I've seen to date.
The real workhorse of this product--Xedia's Java-based application QVPN Builder--let me configure the tunnels between each of the three AccessPoint QVPN devices used during my tests. By building logic into QVPN Builder, Xedia has removed all the hair-pulling decision-making needed to construct tunnels. Instead, using simple parameters that I supplied, QVPN Builder erected all the necessary tunnel tables and loaded them onto each hardware device with a few mouse clicks.
Once tunnels are built and deployed, further tunnel additions and changes can be performed quickly and without network interruptions. While QVPN Builder isn't conducive to ongoing monitoring of the AccessPoint QVPN hardware, the hardware supports SNMP, so the job can be handed to any reputable SNMP management solution.
Time Is of the Essence
With ease, I established a fully meshed tunnel system where all three AccessPoint QVPN devices can pass traffic back and forth. In a nutshell, the task required that I open a new blank VPN template, enter all the necessary parameters (such as IP addresses and SNMP configuration) and then click on two buttons: one to generate the tunnel table and another to load the table onto the AccessPoint QVPN units.
This entire setup and configuration process was swift: about seven minutes on each device to configure the required TCP/IP parameters, for a total of about 21 minutes on the hardware itself. I then spent another 20 minutes setting up the three-way fully meshed VPN using the QVPN Builder application.
With zero previous exposure to Xedia's solution, I spent approximately 40 minutes building my first VPN, and much of that time was dedicated to learning management interface navigation and parameter settings.
Xedia informed me that one of its large customers had established a very extensive VPN configuration that consisted of approximately 30 end points. Using other VPN solutions, this configuration was estimated to take close to 60 man-hours to complete and meant disrupting the network at each of the 30 end points. With QVPN Builder, the company completed the same setup in only 30 minutes. That's what I call real time savings.
Mark Joseph Edwards is a consultant, network engineer and technical writer. Send your comments on this article to him at mark@ntsecurity.net.