I am asking for some advice regarding what kind of VPN solution you would recommend. I have a Cisco 877M-K9 and a 24/3 ADSL2+ Annex M connection. The network is my family's, at my parents' house in Europe, and it's used remotely by me (from the US) and some others, mainly for a file server that is a backup, plus e-mail and some other services. The network is behind a Cisco 877M-K9 router and has a DMZ between the Cisco and an OpenBSD firewall. We have an allocation of one /29 IP range plus two /64 IPv6 subnets. The DMZ uses our public IPs and the OpenBSD box runs NAT for the boxes behind it. The DMZ also has one IPv6 /64 block associated with it, and the other /64 block is for the LAN behind the OpenBSD box. Here's a rough chart:
Internet --- Cisco 877 ---- DMZ (/29 + /64) --- OpenBSD (NAT + routing and firewalling for other /64)
The router was previously a ZyXEL box, but it was replaced by the Cisco due to some reliability issues. The OpenBSD box currently runs OpenVPN, but I'd like to switch to an IPsec-based approach handled by the Cisco (mainly for latency reasons). I would also like to be able to use Cisco's VPN client (we actually have a support plan, so I can download it), because I like its interface. I understand the CPU on the 877 is pretty limited, so I want to minimize the impact on the CPU.
My current design plans:
1. I understand that ESP requires a lot more CPU than AH. All our traffic is basically over already-encrypted protocols, so ESP isn't really needed. I know that by sniffing the traffic someone could see the topology of the network behind the NAT box, but I don't think that's an issue in our case.
2. I would basically like the Cisco to block access to certain ports (like 22) but let through all authenticated AH traffic, for e.g. remote administration and file server access (encrypted NFS + CIFS).
3. Computers accessing the VPN need to be assigned addresses in some tunneled network, e.g. in the 10.0.0.0/24 address space. The OpenBSD firewall would then just route data to these addresses instead of using NAT, thus allowing access to the network behind the firewall.
4. We already have our own CA that's been used for, e.g., OpenVPN, so certificates would be the ideal way to handle authentication.
5. The machines accessing the Cisco are all road warriors, so their IPs might change.
The actual problem:
1. I have 10+ years Unix experience, so I know the protocols and can handle the OpenBSD firewall, but I know only basics of IOS.
2. I have never configured a VPN with Cisco, but would like to get to know those parts of it well.
I would highly appreciate any criticism of my current network plans. If anyone could also provide some skeleton config, it would at least help me get on the right track when looking at Cisco's manuals (and might help me figure out how to do the config by just guessing). Any pointers to articles/tutorials/books I should read would be appreciated too. I noticed that UPenn's library has some Cisco books, so I might find what I need if I knew what to look for.
Thanks in advance.
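The following is an added skeleton IOS configuration for the design sketched in points 1 to 5; it is example material written for this page, not config from the original poster. It uses the IOS Easy VPN server building blocks (ISAKMP profile plus dynamic crypto map) so the Cisco VPN Client can connect with certificate authentication; with certificates, the Easy VPN group is selected from the OU field of the client's certificate, so the client certs issued by the family CA would carry OU=VPNUSERS. Every name and address in it is a placeholder: the hostname, the trustpoint name FAMILY-CA, the pool 10.0.0.10-10.0.0.100 inside the poster's 10.0.0.0/24, the WAN interface Dialer0, the DNS address and the public address 192.0.2.1 (RFC 5737 documentation space standing in for one of the /29 addresses). One caveat on point 1: AH's integrity check covers the outer IP header, so AH does not survive NAT, and NAT traversal (RFC 3948, UDP encapsulation) is defined for ESP only. Road warriors behind a home or hotel NAT would therefore fail with an AH-only transform. The transform set below uses esp-null with an SHA-1 HMAC, which is integrity-only like AH (no cipher work on the 877's CPU) but works through NAT-T; replace esp-null with esp-aes if confidentiality is wanted after all.

```cisco
! Added example skeleton (not the original poster's config).
! All names and addresses are placeholders; replace them with your own.
hostname cisco877
ip domain-name example.org
!
aaa new-model
! Group attributes (address pool) are looked up locally.
aaa authorization network VPN-AUTHOR local
!
! Trust the existing family CA. The CA certificate and the router's own
! certificate are pasted in PEM form with "crypto pki authenticate" and
! "crypto pki import" after generating the RSA key pair.
crypto pki trustpoint FAMILY-CA
 enrollment terminal pem
 subject-name CN=cisco877.example.org
 revocation-check none
!
! IKE phase 1: certificate (RSA signature) authentication.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication rsa-sig
 group 2
! Dead peer detection and NAT-T keepalives for road warriors behind NAT.
crypto isakmp keepalive 30 periodic
crypto isakmp nat keepalive 20
!
! Addresses handed to clients (placeholder range inside 10.0.0.0/24).
! The OpenBSD box routes 10.0.0.0/24 to the Cisco's DMZ address instead
! of NATing it, so tunnel clients reach the LAN directly.
ip local pool VPN-POOL 10.0.0.10 10.0.0.100
!
! Group policy applied to clients whose certificate has OU=VPNUSERS.
crypto isakmp client configuration group VPNUSERS
 pool VPN-POOL
 dns 10.0.1.53
!
crypto isakmp profile VPN-PROFILE
 ca trust-point FAMILY-CA
 match identity group VPNUSERS
 isakmp authorization list VPN-AUTHOR
 client configuration address respond
!
! IKE phase 2: integrity only (esp-null + SHA-1 HMAC), no encryption,
! which keeps the CPU cost low but still passes through NAT-T.
! Use "esp-aes esp-sha-hmac" instead if the payload must be encrypted.
crypto ipsec transform-set AUTH-ONLY esp-null esp-sha-hmac
!
! Dynamic map: peers have unknown addresses; reverse-route injects a
! host route for each connected client's pool address.
crypto dynamic-map VPN-DYN 10
 set transform-set AUTH-ONLY
 set isakmp-profile VPN-PROFILE
 reverse-route
!
crypto map VPN-MAP 10 ipsec-isakmp dynamic VPN-DYN
!
! Inbound WAN filter: admit IKE (500), NAT-T (4500) and ESP, and block
! SSH from the Internet. Decrypted packets are checked against this
! ACL again on IOS, so traffic sourced from the VPN pool is permitted
! first; that is what lets SSH work through the tunnel but not from
! the outside.
ip access-list extended WAN-IN
 permit udp any host 192.0.2.1 eq isakmp
 permit udp any host 192.0.2.1 eq non500-isakmp
 permit esp any host 192.0.2.1
 permit ip 10.0.0.0 0.0.0.255 any
 deny   tcp any any eq 22
 permit ip any any
!
interface Dialer0
 ip access-group WAN-IN in
 crypto map VPN-MAP
```

On the OpenBSD side the matching change is a static route for 10.0.0.0/24 pointing at the Cisco's DMZ address and a pf rule that exempts that prefix from the NAT rule, so the tunnel clients keep their pool addresses when they talk to the LAN. Before relying on the port 22 filter, test it both ways: an SSH attempt from the Internet to the DMZ should be refused, and an SSH attempt from a connected client (source address in the pool) should succeed.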