Terminating IPSec VPN tunnels.

wares
Level 1

What would anyone recommend as far as terminating a remote office's IPSec VPN tunnel into a PIX versus terminating it into a VPN Concentrator?

Thanks

8 Replies

mostiguy
Level 6

Should not make a difference either way. You might want to keep it pix to pix, if end user vpn management is a different person's responsibility from the site to site vpn tunnel person. No big deal using either

I am thinking of using the PIX-506E at each remote office vs. using a 1751 router or something like that. Also, possibly not even using a VPN concentrator (to save money), and just have users that want remote access VPN into the PIX at the main location (515E)...along with the other IPSec tunnels from the 4 other offices.

Sound like a plan?

hmmm, you really don't need a PIX at the remote offices... you can terminate your VPN using the 1751s. That's what we do here; I've got 4 remote locations with 1720s terminating into our PIX 550 at the central location. Just make sure you use the latest IOS with IPSec capabilities.

Thanks for the reply. I take it if I go that route (with the routers at the remote offices), then each remote office will still be able to communicate with the other ones via the hub (PIX 515E at the central location)?

Like remote office--->central location--->other remote office, and vice-versa.

Thanks again.

In addition to my last post... if I go with the 1721s at each location, would it be better to terminate on the 2651 router at the HQ that is before the PIX, then just allow the remote offices' subnets to pass through the PIX to the internal net?

OK, first, you can actually "map" your vpn tunnel between the remote offices. 1751 <--> 1751, like a mesh topology. That's what we do as well.

I would not recommend terminating to the 2651 at HQ; the PIX can handle it better than the router.

You're going to get into some tricky ACLs on the 1751s, but it's manageable. How many sites are you talking about here?

one more thing...

For remote access VPN for traveling users, I would go with a concentrator, like the VPN3000; it's much more manageable and flexible than trying to terminate VPN clients to the PIX. You can also use NT domain authentication. I don't think the PIX can do that; in fact, I know you can't.

There will be 4 remote offices. I've looked at using GRE over IPSec tunnels for future use; right now, just IPSec tunnels will do. But in the event that we roll out VoIP or something like that... I think that I would need to use GRE between the sites, right? And I know that GRE tunnels cannot terminate on a PIX.
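The thread keeps coming back to two design points: a spoke router (the 1751/1721) carrying GRE inside IPSec to a hub that is a router rather than a PIX, and spoke-to-spoke traffic transiting the hub. The configuration below is an added example written for this thread, not a config posted by any participant; it shows one spoke router's side of a GRE-over-IPSec tunnel in hub-and-spoke form. All addresses (203.0.113.x public endpoints, 10.255.0.0/30 tunnel link, 10.0.0.0/8 site subnets), the names TS, VPN-HUB and Tunnel0, the ACL number 101 and the pre-shared key placeholder are assumptions chosen for illustration. The crypto ACL matches only GRE between the two endpoints, so nothing but the tunnel itself is ever sent in the clear or encrypted by accident, and the tunnel interface gets its own inbound ACL so the remote site cannot reach more of the hub network than intended.

```cisco
! Spoke router (remote office). Hypothetical addresses: 203.0.113.2 is this
! router's Internet address, 203.0.113.1 is the hub router at HQ.
!
! Phase 1 (IKE). AES is preferred where the IOS image supports it; older
! images may only offer 3des. Pre-shared key is a placeholder, not a real key.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.1
!
! Phase 2. Transport mode is enough because GRE already adds the outer header.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
! Crypto ACL: protect exactly the GRE packets between the two endpoints.
! Everything that rides inside the GRE tunnel is therefore encrypted.
access-list 101 permit gre host 203.0.113.2 host 203.0.113.1
!
crypto map VPN-HUB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 101
!
! Inbound filter on the tunnel: only the HQ subnet and the other spokes'
! subnets (assumed 10.1.0.0/16 .. 10.4.0.0/16 and 10.10.0.0/16 for HQ) may
! enter this site through the tunnel; anything else is dropped and logged.
ip access-list extended FROM-TUNNEL
 permit ip 10.10.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 deny   ip any any log
!
interface Tunnel0
 description GRE over IPSec to HQ hub
 ip address 10.255.0.2 255.255.255.252
 ip access-group FROM-TUNNEL in
 tunnel source 203.0.113.2
 tunnel destination 203.0.113.1
!
interface FastEthernet0
 description Internet-facing
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN-HUB
!
! This site is assumed to be 10.2.0.0/16. Routes for HQ and for the other
! spokes all point at the hub end of the tunnel, so spoke-to-spoke traffic
! goes remote office -> hub -> other remote office, as asked in the thread.
ip route 10.10.0.0 255.255.0.0 10.255.0.1
ip route 10.1.0.0 255.255.0.0 10.255.0.1
ip route 10.3.0.0 255.255.0.0 10.255.0.1
ip route 10.4.0.0 255.255.0.0 10.255.0.1
```

The hub router mirrors this with one Tunnel interface, one crypto map entry and one GRE crypto ACL line per spoke; moving to the full mesh mentioned earlier means each spoke carries a tunnel, a peer and a crypto ACL line for every other spoke instead of a single route through the hub. Useful checks after bringing the tunnel up are `show crypto isakmp sa` (Phase 1 should show QM_IDLE), `show crypto ipsec sa` (encrypt/decrypt counters increasing on the GRE traffic) and `show interfaces Tunnel0` (line protocol up); a tunnel that forwards without the crypto map applied will pass traffic unencrypted, so verify the counters rather than just reachability.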
