Work-related firewall query

[nichomach]

It looks like it's the end of the road for my much beloved and hitherto un-problematic 3Com Superstack 3 Firewall. It's been a good little box, sat in the corner, not complained about anything, handled a shedload of VPN traffic, but...it's got to go. The reason? While the IETF and a load of other companies (including THAT one) went one way on handling IPSec NAT-Traversal, 3Com went another. Guess who won?

Anyway, I'm looking for a replacement. I could go Sonicwall - their 4060 looks a wonderful piece of kit for the purpose - and I'm considering Juniper's Netscreen range. I'm not antipathetic towards using a Cisco product, but here's the rub:

VPNs. Windows has a perfectly acceptable L2TP/IPSec VPN client; supports 3DES, SHA-1 or MD5, works with RADIUS authentication, all that. If you apply a registry hack, you can even get it back to the pre-SP2 state regarding NAT-Traversal. So I DON'T want to have to spend X grand on a firewall that only works with VPN software that costs another £100+ for every client that I enable. No, I'm not making this up; just have a look at the pricing for, say, SoftRemote. I want to use the functionality already built in to XP.

So, here's the rub; can anyone recommend a good firewall appliance that's up to handling a fair amount of usage from a moderately large company that'll support the XP VPN client natively?

The first person that says "go build a Linux box" gets shot, by the way - seriously, this isn't a home project where I've got time to do a load of mucking around, entertaining and interesting mucking around, but still mucking around .

Any OTHER ideas'd be greatly appreciated.

[Moby-Dick]

I'm not a big fan of Sonicwalls - their per user licencing annoys me.

for low cost , have a look at the zywall set of kit , if the piggybank is looking fatter , then go for a watchguard.

I@d like to play with cisco kit at some point too

[Moby-Dick]

I've not tried using the watchguard IPsec vpns with anything other than the supplied softrempote. ( licence required :/ )
however, they support pptp connections without any additional licences - I have one that holds 100+ clients at a time.

[nichomach]

Yep; the Firebox X2500 might be a good option dependent upon the VPN support - I'm keen on IPSec/L2TP since PPTP's a bit anaemic, and I've set up a RADIUS server and everything... *whines*. Thanks for the suggestion. I'm also supposed to hear from Juniper today or tomorrow, and their Netscreens look very nice. Apparently the X2500 comes bundled with 1,000 Mobile User VPN licenses (which would seem to remove the necessity for additional software purchase for IPSec), so could be a VERY good option. Cheers, Moby.

[Moby-Dick]

look what I have on my desk....

[Zak33]

/overwhelming desire to mention Zone Alarm and then run the hell away ever so ever so fast...but clearly its too childish to consider..so I'll leave !

Nice red box Moby...

[Moby-Dick]

it is its a watchguard firebox ( about £2k of firewall - going into our suite at tiscali )

[nichomach]

The X-series; I'm giving this a good hard look. Plus, as firewalls go, they look great. OK, that's a completely shallow and superficial criterion. But it's true all the same .

[Moby-Dick]

very much so - I think the older firebox III's looked cooler