I am looking for input on what solution is better for implementing an IPSEC VPN for LAN-to-LAN connectivity. The remote sites will require dial backup. Any input regarding your experiences or research is appreciated.
If you need dial backup, then you are almost certainly going to be better off using IOS-based VPNs. I'd consider running GRE over IPSec, and run a dynamic routing protocol, so you can detect IPSec failure.
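The GRE-over-IPsec design with a dynamic routing protocol that the reply above describes, written out as an added IOS configuration example (it is not from any poster in this thread). It shows one side only; all hostnames, addresses, dial strings and secrets are constructed placeholders, and the dial backup is modelled as a floating static route over an ISDN dialer interface rather than the BGP/route-map approach discussed later in the thread:

```cisco
! Site A side of a GRE-over-IPsec LAN-to-LAN tunnel with ISDN dial backup.
! Every address, name, number and key below is a constructed placeholder.
hostname SITE-A
!
! IKE phase 1: pre-shared key to the remote peer's public address
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
!
! IPsec phase 2: transport mode is enough because GRE already encapsulates
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Only the GRE packets between the two tunnel endpoints get encrypted
ip access-list extended GRE-TRAFFIC
 permit gre host 203.0.113.2 host 198.51.100.2
!
crypto map GRE-IPSEC 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-TS
 match address GRE-TRAFFIC
!
interface GigabitEthernet0/0
 description Internet uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 crypto map GRE-IPSEC
!
! GRE tunnel carried inside IPsec; keepalives bring the line protocol down
! when the peer stops answering, so the routing protocol loses its neighbor
interface Tunnel0
 description GRE to SITE-B, protected by IPsec
 ip address 10.255.0.1 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
!
interface GigabitEthernet0/1
 description SITE-A LAN
 ip address 10.1.0.1 255.255.255.0
!
! EIGRP across the tunnel learns the remote LAN (10.2.0.0/24) dynamically;
! when Tunnel0 goes down the learned route is withdrawn
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 10.255.0.0 0.0.0.3
 passive-interface GigabitEthernet0/1
!
! Keep the tunnel endpoint reachable only via the ISP next hop, so the
! tunnel can never be routed back into itself (recursive routing)
ip route 198.51.100.2 255.255.255.255 203.0.113.1
!
! ISDN dial backup: legacy DDR through a dialer pool
username SITE-B password REPLACE-WITH-CHAP-SECRET
!
interface BRI0/0/0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
!
interface Dialer1
 description ISDN backup to SITE-B
 ip address 10.255.1.1 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer remote-name SITE-B
 dialer string 5551234
 dialer-group 1
 ppp authentication chap
!
dialer-list 1 protocol ip permit
!
! Floating static: administrative distance 250 loses to the EIGRP route
! (AD 90) while the tunnel is up, and is installed only after EIGRP
! withdraws it; the first packet toward 10.2.0.0/24 then triggers the dial
ip route 10.2.0.0 255.255.255.0 10.255.1.2 250
```

The failure detection chain is what the reply is pointing at: tunnel keepalives (and the EIGRP hold timer) notice a dead IPsec path within seconds, the dynamically learned route disappears, and the floating static takes over and raises the ISDN call. Because the static route only becomes active when the tunnel route is gone, the line drops back to idle once IPsec recovers and EIGRP reinstalls the preferred path.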
I would recommend a PIX if this is going to be right on the edge of the network (near/on the internet). Depending on the number of VPN's you will have you might consider something like a 515-e that comes with the hardware encryption card.
The PIX will afford you stateful inspection capabilities right off the bat versus a router w/FW IOS that will use CBAC to gain this capability (utilizing ACLs and inspect statements).
Since you need dial backup, I assume you mean ISDN. Is this going to be to an ISP or direct site-to-site ISDN DDR?
If it is going to be direct site DDR you could run BGP on the internet router, pass it through the PIX to a router on the internal network running BGP that is configured for ISDN DDR to the sites. You can then build a configuration that uses route-maps on the internal router to redistribute a different costed route for the networks that would normally run over the VPN if the serial interface to the ISP fails.
If you are going to dial an ISP just have the internet router or another router outside the PIX, firewall, concentrator dial the ISP and resume your VPN's.
It doesn't really matter what you use for the VPN's if this is the way you are going to go.
I am speculating and just proposed different ways from your description. I use IOS FW routers, PIXes, and VPN concentrators currently, but each has its place.
Are you looking to use this as an internet firewall as well or just VPN's and what kind of dial backup are you talking about (ISP - VPN or Point to point DDR)?
The VPN Concentrator is the easiest to configure, it is secure and at the 3030 level utilizes the hardware encryption card "SEP" which is pretty fast. The PIX is the most robust, especially when using it as a true firewall and VPN device with the hardware encryption card. The IOS router with the encryption card also serves a purpose but I would not recommend it without other protection (i.e. firewall(s) in front and/or behind) in place.
The concentrator's only minor drawback is that it does not support AH, it only supports ESP; while both the IOS and PIX support both. AH makes things a little easier if trying to form a VPN connection to other non-Cisco devices (Nortel Connectivity, Nokia, etc.).
In any of the devices, I would recommend the hardware encryption card functionality if you are going to have quite a few VPNs (LAN-to-LAN or Client).