
Route-Based Site-to-Site VPN License Requirements

New Contributor


Dear all

First off, please accept my apologies should this topic have been covered previously. However, as of this moment I am unable to find any clear reference.


We have a customer who would like to implement a site-to-site VPN solution between head office and remote office. There are only two offices with approximately 20 clients in branch and 50 in head office.

Both offices are connected to internet by ADSL connections. There are no intentions to purchase additional leased line for the sake of VPN.

We are designing a VPN solution which would possibly include the purchase of either Netscreen 5GT or SSG5.

I am in the middle of designing a solution using a Route-Based site-to-site VPN when I stumbled across a few posts which advised to purchase the extended license from the beginning.

Obviously, the client would like to spend as little as possible and we would like to earn as much as possible, but I am doubtful if extended license is necessary in this situation.

The solution in question is Route-Based or Policy-Based VPN which would forward packets between offices depending on the request. Clients in both offices would still be able to access the internet and shared resources in both offices.

However, and this is what I don't clearly understand - would this mean that the 10-tunnel (5GT) and 20-tunnel (SSG5) default license would allow only 10/20 simultaneous sessions, making it necessary to purchase the extended licenses? Or does it mean that only 1 tunnel will be made, thus making the extended license obsolete?

There is no clear information on the subject available, and so I am flying in the dark here.

Would like to thank you very much for taking your time on the matter.

Yours Faithfully

Occasional Contributor

Re: Route-Based Site-to-Site VPN License Requirements

Hi sourherring,

First of all, this forum addresses SSL VPN and not IPSEC VPNs in FWs, so your post will only reach a fraction of your intended audience.

Anyhow, the tunnel spec on the SSG devices relates to the number of simultaneous tunnels you can create, regardless of the type and amount of traffic sent through them. In your scenario, you will use one tunnel in each device only.

You would do fine with two SSG5s, or perhaps SSG20s with ADSL PIM cards if you would like to get rid of the existing modems at your customer sites. The SSGs have no "extended" license AFAIK.

Best regards,


New Contributor

Re: Route-Based Site-to-Site VPN License Requirements


My compliments on your Swedish language skills and apologies for posting in the wrong forum.

Thank you very much for the info - just what I was looking for. We will now consider the PIM cards in order to get rid of 3rd party HW in between end points.

As far as I know there is an extended license for SSGs (Netscreen's license was called Plus), nevertheless we will skip it this time.

Best Regards and thank you once again!


Re: Route-Based Site-to-Site VPN License Requirements

On the 5GT there were two additional licenses: the plus for more users with base functionality and the extended for adding DMZ zone etc.

SSG (5 and 20) doesn't have the user count restriction. You can add more functionality with the advanced license. It increases some counters (VPN tunnels, VLANs; see fact sheet) and adds A/P NSRP to the box.