VPN for 15 sites: concentrators, routers, or PIX better?
I have to connect at least 15 sites with VPN using IPSec:
5 primary sites (300 - 600 users)
10 branch sites (50 - 300 users)
I need automatic failover/redundancy and simple management of tunnels as we will be adding additional sites in the near future. I've deployed 10 sites using one Concentrator and 10 PIXs before, and the Concentrator was very simple to configure and manage. I've also used PIX-to-PIX connections for a few sites, but they will be quite a pain to deal with, especially when scaling to this many sites. A local Cisco rep told me that routers can do dynamic/on-demand VPN site-to-site connections, eliminating that extra hop in a hub and spoke configuration. But if I only used Concentrators and have a mesh config, I won't need the dynamic connections, right? Has anyone tried this many sites with all Concentrator-Concentrator links?
Re: VPN for 15 sites: concentrators, routers, or PIX better?
TED, or Tunnel Endpoint Discovery, is an IOS feature that allows you to dynamically determine an IPSec peer (TED and on-demand VPN go together). This feature is useful in setups where a full mesh of VPN tunnels is required between a large number of routers. By using TED you avoid configuring a very large number of crypto statements on every router and instead configure only a single dynamic crypto map (with TED enabled). Your network seems to be a good candidate for configuring TED. However, TED only assists you in configuring VPN over large networks. You could always opt for manual configuration. Also, the VPN 3005 Concentrator can handle up to 100 simultaneous LAN-to-LAN sessions (info from the VPN 3000 Series Concentrator Data Sheet) and should meet your requirement.
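An added IOS configuration sketch (not from the original reply, and not a Cisco-supplied template) of the single dynamic crypto map with TED that the reply describes; the interface, ACL name, subnets and key string are placeholders chosen for illustration:

```cisco
! IKE phase 1 policy, identical on every site
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! TED must accept an IKE initiation from a peer the router has not been
! told about, so with pre-shared keys the key has to be a wildcard key that
! every site shares; per-peer keys are not possible here. Certificates
! (authentication rsa-sig plus a trustpoint) avoid that one shared secret.
crypto isakmp key REPLACE-WITH-SITE-KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: this site's LAN to the address space of all sites
! (example addressing). A packet matching this ACL with no SA yet is what
! triggers the TED probe toward the destination to discover the far peer.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
! One dynamic entry replaces one static crypto map entry per remote site
crypto dynamic-map DYN-TED 10
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
! "discover" enables Tunnel Endpoint Discovery for this dynamic entry
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-TED discover
!
interface GigabitEthernet0/0
 description WAN uplink (example address)
 ip address 192.0.2.10 255.255.255.0
 crypto map VPN-MAP
```

Every site carries the same dynamic-map block; only the local LAN in the ACL and the WAN addressing differ, which is the per-site configuration saving the reply is pointing at.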