Site to Site VPNs 2


nix45

Nov 21, 2002
We currently have a frame relay network with 25 branch offices connected to the central site. I'm considering taking a few offices off the frame and setting up a site to site VPN connection over the Internet to our CO. I figured that I would just get a DSL connection to one of the branch offices and install a PIX 501 or a 1700 router to connect to our core router (3640, soon to be a 3700). I've never done a site to site VPN before, so I'm not sure exactly what's required. Can I have multiple site to sites with 1700's or PIX 501's at the branch offices connected to our core 3640 router? Are there any disadvantages to using site to sites rather than keeping the offices on the frame? The remote offices are currently using 1700 routers and are on fractional T's with about 256K of bandwidth. Is there a doc on Cisco's website explaining how to do this?

Thanks,
Chris
 
I have a couple of customers doing this and it is working great for them. The DSL sites are a little smaller than the sites that remain on the frame.

Just watch the CPU utilization on the 3600.
 
Is a 3600 router a good router to do this on? What is required to set this up on a router? Do I need a special IOS feature set installed, or a VPN card or anything? I'm not sure if I can just take any two routers with the IP only IOS running on them or not. Would a PIX 501 provide better performance for this type of thing than a 1700 router, for example?

Chris
 
To do it you will need the IPSec version of the IOS; DES and 3DES are available. There is a VPN accelerator available for the 3600. Look for the aim-vpn/bp or the aim-vpn/ep.

You will need to watch the processor utilization to determine if the 3640 will work. If you have the AIM you should be able to support your 25 remote sites easily.
 
We are currently evaluating encryption for about 400 offices connected via a frame. For the head-ends, we are looking at Cisco 3030 and above concentrators with Pix 501's at some sites and 3002 concentrators at the others. The 3002 has a one-tunnel limit while the Pix can perform more tunnels, up to five I think. You need to evaluate the mesh of your frame. If the remote sites only communicate with the CO, the 3002 might be the way to go. If your remote sites talk to one another though then you need to look at the Pix 501. Also, even though this is the Cisco forum, we are strongly evaluating Checkpoint VPN solutions running on hardened appliances. Checkpoint has an easier to manage solution and their VPN-1 net product can handle up to 5 tunnels. There is a CA built in to the Checkpoint while with Cisco you are either going to have to learn CA's or you will use pre-shared secrets. With IPSec, you are only as secure as your keys so this is something to consider. DES is dead (cracked in a day), 3DES is a hog, AES is where market investment will go. AES runs much cleaner (300% better in software) than 3DES. I love Cisco for switching and routing but you should probably shop around for VPN because Cisco isn't necessarily the way to go for IPSec.
 
AES is the way to go and any Cisco platform that supports 12.2.13T will support AES. With PIX version 6.3 that supports AES as well.

If you go with AES you will probably want a different platform and it uses a different AIM card mentioned in a previous post. There is a new version.

There are several vendors of AES devices and they all have their pros and cons but stick with the leaders to ensure they will be around when problems arise.
 
We were actually about to order a Cisco 3015 Concentrator to allow home users to connect to our LAN through a VPN tunnel. We were also considering doing a few site-to-site's on the concentrator for a few branch offices. Adam, you would recommend a CheckPoint solution for this, rather than Cisco?

Thanks,
Chris
 
I'm actually new to setting up VPNs, so I have a stupid question....IPSec is used to create a tunnel between two devices while DES/3DES/AES provides the encryption, correct? If this is true, is any encryption provided if you don't use one of those three methods above?

If we decide to go with a Cisco solution and want to use AES encryption, will the 3015 Concentrator (at the CO) and PIX 501's (remote offices) work?

Chris
 
We are still evaluating our options with regards to going with Cisco or Checkpoint. I'm comfortable with both companies and we use both in our network so we have a level of experience using both. Your comfort level with the brand and your ability to support that brand are important too.
Cisco offers a free software client and so does Checkpoint. I've heard (but not seen) that the Checkpoint client allows you to be connected to the concentrator through one tunnel and still use the internet from the same PC which I haven't been able to figure out with the free Cisco client. I can currently connect from home with the Cisco Client to a 3030 Concentrator. I agree with mtashiro about picking a big vendor for long term support. IPSec is a set of standards for securing transmitted data at layer 3 of OSI. DES/3DES/AES are all encryption algorithms used within the IPSec framework to encrypt the data so you are correct Chris. There are other encryption algorithms but these three are typically what you will find in commercial products.
IPSec can create a tunnel between two networks or can function in "transport" mode which connects 2 hosts together. At this point, you will probably only use tunnels, either from a host to a network or network to network.

mtashiro has a better knowledge than I do of Cisco's line so I will defer the 3015/AES question to him/her.

You will probably wish to contact representatives from both Cisco and Checkpoint and explain what you want to do. They should be able to suggest offerings that will best serve your needs and you can then choose between them, and they may be willing to let you play with samples as well.

I'm not trying to imply that this isn't the right place for this topic but there is a VPN forum on here which may have more expert advice on the topic than the router forum.
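As an added illustration of the points in the thread (not configuration from any poster), here is a minimal branch-side Cisco IOS site-to-site IPsec config for a 1700-class router: IKE/ISAKMP phase 1 authenticates the peers with a pre-shared secret, the IPsec transform set is where the cipher (AES rather than DES or 3DES) is chosen, and `mode tunnel` gives the network-to-network tunnel as opposed to host-to-host transport mode. All addresses, names and the key are assumed placeholders; the head-end needs the mirror-image configuration, and a PIX 501 uses different command syntax.

```cisco
! --- Phase 1 (ISAKMP): peer authentication and protected key exchange ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Pre-shared secret for the CO peer. Placeholder: use a long random value,
! and a different one per branch so one lost router does not expose them all.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.1
!
! --- Phase 2 (IPsec): how user traffic is encrypted and authenticated ---
! esp-aes = AES-128 (needs 12.2(13)T or later); esp-3des would be the fallback.
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Only traffic matching this ACL is sent through the tunnel
! (assumed: branch LAN 10.20.0.0/24, CO network 10.0.0.0/16).
ip access-list extended VPN-TRAFFIC
 permit ip 10.20.0.0 0.0.0.255 10.0.0.0 0.0.255.255
!
! Bind peer, transform set and interesting traffic together
crypto map TO-CO 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set AES-SHA
 match address VPN-TRAFFIC
!
! Apply the crypto map on the DSL-facing interface (assumed address)
interface FastEthernet0
 ip address 203.0.113.50 255.255.255.0
 crypto map TO-CO
```

After both sides are up, `show crypto isakmp sa` should list the peer in QM_IDLE and `show crypto ipsec sa` should show encrypt/decrypt counters increasing for the ACL's traffic; the CPU concern raised above can be watched with `show processes cpu` on the head-end.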
 