I'm looking for a way to manage many IPSEC Site-to-Site VPNs.
The sites will NOT communicate with each other.
Each site has either an ASA5505 or a PIX501. My central firewall is a pair of ASA5520s.
My current setup is all of these VPNs concentrating to a 7206 with the VPN accelerator card in it. We really don't have any control over who has access. The actual VPN access is configured on the remote PIX by the crypto access-list (Split Tunneling). If there's a change for a particular customer, I have to touch each site for that customer, what a headache.
We have many sites that use an ISP with a dynamic IP, so statically defining the ISAKMP peers is not an option. We use a dynamic crypto map with a global key currently.
I'm looking at about 100 site-to-site VPNs, with more to come.
I'm thinking about using EasyVPN with Network Extension Mode for this. Would this be the best solution? I like the idea of being able to block a certain site or an entire customer at will as well as enhanced management functionality. I am able to make a change to a certain customer's VPN config from a central location.
Each customer will access a set of central services (10.1.1.0, 10.1.2.0) as well as customer specific networks (central site network, special hosted environment, etc).
I'm guessing if I do EasyVPN, I would need for each customer:
A. An access-list that uniquely defines the customer's networks (for the split tunneling)
B. A Tunnel-group for each customer
C. A group policy for each customer.
All of the above would have to be defined on the firewall. I would also require a "User" that can be authenticated via Radius for each site. Am I correct with this? I've done some testing with both a PIX501 and an ASA5505 as the EasyVPN clients, and it seems to work pretty slick. Would this solution be the ideal way to manage this many Site-to-Site VPNs? Is there something more suitable for this? Thanks in advance.
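The hub-side ASA configuration that items A, B and C above map to, as an added example (not from the original post), written in ASA 8.4+ syntax. Names such as CUSTOMER-A, GP-CUSTOMER-A, RADIUS-SITES, the 10.100.0.0/16 customer network and the 10.1.1.10 RADIUS host are assumed placeholders; the shared services 10.1.1.0/24 and 10.1.2.0/24 are from the post.

```cisco
! Shared IKEv1/IPsec pieces, defined once for all customers.
! Dynamic crypto map because the remote sites have dynamic ISP addresses.
! Assumes the remote PIX/ASA images support AES-256; older PIX images may need 3DES.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-EZVPN 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-EZVPN
crypto map OUTSIDE-MAP interface outside

! RADIUS server group used to authenticate each site's hardware-client "user".
! Disabling one site's RADIUS account blocks that single site.
aaa-server RADIUS-SITES protocol radius
aaa-server RADIUS-SITES (inside) host 10.1.1.10
 key <radius-shared-secret>

! A. Split-tunnel list: the shared central services plus this customer's own networks.
! A change for the customer is now one ACL edit here, not a visit to every remote PIX.
access-list SPLIT-CUSTOMER-A standard permit 10.1.1.0 255.255.255.0
access-list SPLIT-CUSTOMER-A standard permit 10.1.2.0 255.255.255.0
access-list SPLIT-CUSTOMER-A standard permit 10.100.0.0 255.255.0.0

! C. Group policy: Network Extension Mode, split tunneling, and a per-customer kill switch.
! Setting vpn-simultaneous-logins to 0 stops every site in this customer's group from connecting.
group-policy GP-CUSTOMER-A internal
group-policy GP-CUSTOMER-A attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-CUSTOMER-A
 nem enable
 vpn-simultaneous-logins 3

! B. Tunnel group: the remote client presents the group name CUSTOMER-A and its group key,
! then each site authenticates as its own RADIUS user before the tunnel comes up.
tunnel-group CUSTOMER-A type remote-access
tunnel-group CUSTOMER-A general-attributes
 authentication-server-group RADIUS-SITES
 default-group-policy GP-CUSTOMER-A
tunnel-group CUSTOMER-A ipsec-attributes
 ikev1 pre-shared-key <customer-a-group-key>
```

Repeat only the A, B and C blocks per customer; the shared crypto, crypto map and RADIUS definitions are common to all tunnel groups.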