
By Mike Fratto
Improving an excellent platform is a tall order. Nortel Networks has risen to the challenge with version 2.0 of its Contivity Extranet Switch Software (formerly known as the Bay Networks Extranet Access Switch and New Oak NOC 4000). The new version provides an intelligent client on the desktop; support for LAN-to-LAN VPNs (virtual private networks), L2TP (Layer 2 Tunneling Protocol) tunneling and certificate authorities; and a host of added management features.
I tested a beta version of the Contivity software on two switches--the Contivity Extranet Access Switch 2000 and 4000--at Syracuse University in one of Network Computing's Real-World Labs® and was amazed at the improvements in the client and LAN-to-LAN VPN capabilities. This new version works well for both the enterprise network and the SOHO (small office/home office) environment.
What the User Sees
With previous versions of the Contivity software, accessing secured and public resources meant connecting and disconnecting your VPN. But version 2.0, which comes in configurations with varying key lengths (domestic, international and French), adds Split Tunneling. This intelligent VPN support enables simultaneous connections through the VPN and to the Internet. Split Tunneling is configured through the user's access policy on the server; users have no control over it, and this restriction helps protect their VPN connections to the corporate network from attack.
In the lab, I set up a policy that routed traffic to the 192.168.0.0 network over the VPN, with all other traffic sent across the Internet (see Split-Tunnel Routing diagram, below). When I connected to my ISP, I could surf the Web and access the protected network. You can configure any number of networks and hosts for Split Tunneling.
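As an added illustration (not from the article or from Nortel's software), the split-tunnel decision described above can be modelled as a server-pushed list of protected networks and hosts: a destination that matches an entry goes through the VPN, anything else goes straight to the ISP. The 192.168.0.0 network is the one from the lab; the host entry and the sample destinations are constructed.

```python
import ipaddress

# Constructed split-tunnel policy: the networks and hosts that must traverse
# the VPN. The server pushes this list to the client, which cannot alter it.
POLICY_ENTRIES = ["192.168.0.0/16", "172.16.5.9"]  # one network, one host


def build_policy(entries):
    """Normalize policy entries into IP networks; a bare host becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def covers_everything(policy):
    """True when an entry is a default route (0.0.0.0/0 or ::/0).

    Such an entry forces all traffic through the tunnel, so the policy is no
    longer a split-tunnel policy; flag it before deploying.
    """
    return any(net.prefixlen == 0 for net in policy)


def route_for(dest, policy):
    """Return 'vpn' if dest matches a policy entry, else 'internet' (direct)."""
    addr = ipaddress.ip_address(dest)
    return "vpn" if any(addr in net for net in policy) else "internet"


def classify(dests, policy):
    """Map each destination to the path the client will use for it."""
    return {d: route_for(d, policy) for d in dests}


if __name__ == "__main__":
    policy = build_policy(POLICY_ENTRIES)
    assert not covers_everything(policy)
    sample = ["192.168.10.20", "172.16.5.9", "172.16.5.10", "8.8.8.8"]
    for dest, path in classify(sample, policy).items():
        print(f"{dest:15} -> {path}")
```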
LAN-to-LAN VPN
Earlier versions of the Contivity Extranet Switch Software were designed as VPN concentrators for remote users. However, corporate enterprises need both user-to-LAN VPNs and LAN-to-LAN VPNs to accommodate remote users and sites. The Contivity 2.0 software can do both.
Like setting up remote users, hooking up the LAN-to-LAN VPN is a snap. Supporting both preshared secret and certificate-based IKE (Internet Key Exchange), the Contivity software fits well into any network scenario. To set security parameters, you need to create groups, so I established an international group with 40-bit encryption key lengths and a domestic group with longer key lengths. Then I quickly added VPNs sharing similar encryption requirements; a change to the group policy modifies all VPNs in that group.
I initially set up the Contivity software with preshared secrets. After grouping the networks that were protected by the local Contivity switch, I visited each Contivity switch and configured the tunnels by defining the local networks, along with the remote network VPNs and addresses. I tested the tunnel setups by pinging devices behind each Contivity switch.
Setting up the certificate-based IPSec (IP Security) VPNs involved more work. I used Entrust Technologies' Enterprise PKI with Web Connector, which is sold separately. After creating a Web user in Entrust, I pointed the Contivity switch to the Entrust Secure Web server. I then needed to request the certificate and cut and paste the key into the Contivity--a somewhat cumbersome extra step. Once the CA was configured, I successfully checked tunnel connectivity.
In the next version of the Contivity software, I would like to see centralized device management and event report filtering. To manage version 2.0, I needed to make individual connections to each device. And while the Contivity software has great event logging, it is a flat file with no real event-filtering facilities. Sending events to syslog or via SNMP would facilitate better filtering.
Send your comments on this article to Mike Fratto at mfratto@nwc.com.