I need some help on changing my current configuration to add a Cisco 2821 for a site-to-site VPN architecture. I'll attempt to explain this as well as I can.
My current setup is a core 6509E that I have all my access layer devices and servers connected to. The default IP route specifies the next hop as our Nokia/Checkpoint firewall. All traffic goes through the firewall and either returns to the core for internal routing/switching, or, for external traffic, goes to the internet link, which is an ISP we use. We do not have a public IP because it is dictated that we use this ISP, without any choice.
So, traffic goes from our core 6509E to a Nokia/Checkpoint and then to our ISP as the default gateway. The Nokias are currently performing the VPN portion for traffic going to a sister site.
We are going to be swapping out the Nokias for Juniper firewalls, and I need to figure out how to implement the Cisco 2821s to handle the VPN traffic. I was thinking of making a route statement to send all traffic destined for the sister site IP to the Cisco 2821 to perform the IPsec VPN and then send it back through the core.
The Juniper firewalls will replace the Nokias after I get the site-to-site VPN up and running. Since the Nokias currently run the VPN portion as part of their capabilities, I need to move the VPN to the Cisco 2821s I have. We will not be configuring the VPN endpoints as part of our new Juniper firewall installation.
So my question is: what is the best way to do this with my current topology?
I can get the configurations correct, as I have configured VPN endpoints before, but I am unsure as to how to change my topology to have the 2821s as my endpoints. Do I make a trunk from the core 6509E to the 2821 and then run it back through the core on another trunk? Do I use two ports on the core and change them from switchport to Layer 3 and put IPs on them to go to my 2821s? I know there's a few ways to do this, but I keep getting stuck on which way to go.
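As an added illustration (not part of the original post), the following sketches the second option the poster mentions: two ports on the 6509E converted to routed (Layer 3) ports, one facing the 2821's inside interface and one facing its outside interface, with a static route on the core that steers only the sister-site prefix to the 2821. All addresses, interface names, prefixes and the peer address are assumptions for the example; the firewall inside address, the sister-site prefix and the crypto parameters are placeholders to be replaced with the real values.

```cisco
! ===== 6509E core (example, assumed addressing) =====
! Two routed ports toward the 2821; no trunk, no VLAN hairpin needed.
interface GigabitEthernet1/1
 description to 2821 Gi0/0 (inside / cleartext side)
 no switchport
 ip address 10.255.0.1 255.255.255.252
!
interface GigabitEthernet1/2
 description to 2821 Gi0/1 (outside / encrypted side)
 no switchport
 ip address 10.255.0.5 255.255.255.252
!
! Only the sister-site prefix is sent to the 2821's inside interface.
! Everything else keeps following the existing default route to the firewall.
ip route 10.2.0.0 255.255.0.0 10.255.0.2
ip route 0.0.0.0 0.0.0.0 10.1.255.1        ! assumed firewall inside address

! ===== Cisco 2821 (example, assumed addressing) =====
interface GigabitEthernet0/0
 description inside, to core Gi1/1
 ip address 10.255.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 description outside, to core Gi1/2 (crypto map lives here)
 ip address 10.255.0.6 255.255.255.252
 crypto map SITE2SITE
!
! Decrypted traffic for the local LAN goes back to the core over the inside link;
! encrypted packets (destined to the peer's public address) leave the outside
! link and follow the core's default route to the firewall and ISP.
ip route 10.1.0.0 255.255.0.0 10.255.0.1
ip route 0.0.0.0 0.0.0.0 10.255.0.5
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10   ! assumed peer
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-ACL
```

Two checks worth doing on a design like this: first, the core's static route must match only the sister-site prefix, otherwise the 2821's own encrypted packets toward the peer would be looped back to its inside interface; second, because the post says the site has no public IP, the 2821's outside address is behind the firewall's NAT, so the firewall has to pass UDP/500 and UDP/4500 (NAT-T) to 10.255.0.6 and the sister site's peer definition must point at the firewall's public address rather than at the 2821 itself.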