01-23-2003 09:37 AM - edited 02-21-2020 12:18 PM
Hi All
I have discussed with my reseller about creating VPN intranets, and he said that if we needed to route between spoke sites, implement GRE with IPSEC. We was going to use a pix515e to terminate RAS VPN's, Intranet VPN's and extranet VPN's but I beleive that you cant route from one spoke site to another spoke site through a hub pix. Hence the recommendation of GRE/IPSEC into a 3600 router at the hub site. Is this the correct recommendation for Intranet VPN's or can we get it done through the pix, we are using EIGRP on the WAN and for corporate remote sites would like to integrate the RP over VPN/3DES.
We will also be implementing extranet VPN's, and I beleive these would be better connecting to the pix?.
Thanks in advance
KJ
01-23-2003 05:40 PM
The PIX won't do GRE/IPSec, nor will you be able to use the PIX as a hub and have spoke-to-spoke communication thru it, so a 3600 is probably the better option in your case.
If by "extranet VPN's" you mean external VPn connection across the Internet, you can terminate these into either the PIX or the 3600, doesn't really matter. If you need routing over these though, you'll have to use the 3600 with GRE/IPSec.
01-26-2003 12:17 PM
Hi
Thanks for reply. I beleive you can terminate the GRE tunnel between a spoke router and a router at the CO behind the hub pix, so the pix is essentially allowing passthru of the gre tunnel. If this is the case, If I am creating gre tunnels from spoke routers to the router behind the hub pix, will the spoke routers be able to communicate going through the pix. If no, how come?
I am sure I need a router here but am confured as to why
Regards
01-26-2003 07:53 PM
No problem communicating spoke router through hub pix to hub router through hub pix to another spoke router. The PIX just sees two GRE tunnels running through its IPsec tunnels and has no idea what the real destination of any of the tunneled traffic is. What you cannot do is go from spoke router to hub pix back out the same interface on the PIX. You have go through the PIX and make the "U turn" in an inside router.
You've already read the white paper on redundant VPN routing on my web site (you seem to be doing a lot of VPN routing, or at least posting lots of questions, so I will not repeat answers I've already posted to your prior questions). But in this environment, the BGP approach would only work if you implemented a full mesh of IPsec tunnels (so the spokes could communicate directly). To get a good handle on what is happening, walk through a packet going from site to site and see what each box sees, including source and destination address of the packets going into and out of each box. With an hour or two of effort, you'll see that the rules are really quite simple and the consequent limitations are "obvious."
Good luck and have fun!
Vincent C Jones
01-27-2003 02:19 AM
Thankyou for your answers,
Best regards
KJ
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide