Would you please advise on the difference between an encrypted tunnel between two Cisco routers (crypto map namex 1 ipsec-isakmp; ...) and a site-to-site VPN between two Cisco firewalls?
And which one would you prefer, and why? :)
It seems to me that the original question was fairly straightforward and asked for comparison of IPSec tunnel configured between routers and between firewalls. I believe that the question was asking about implementing equivalent technologies on each platform and for that question I agree with previous answers that the results come out about the same. Given a choice I would prefer to do the site to site IPSec VPN on the router. I feel that the tools to manage and to troubleshoot the VPN are somewhat better on the router than on the firewall.
If we consider a slightly different version of the question and ask about implementing site to site VPN on routers and on firewalls without specifying the equivalent technology on each, then I believe that we get a significantly different answer. The firewall has one way of implementing the site to site tunnel, while the router gives us quite a few options. On the router we can do the traditional IPSec encryption (with no tunnel interface), and we can also do the GRE tunnel with IPSec encryption (using crypto map, etc.). We can also implement VTI for site to site VPN with the tunnel protection profile, and we also have the options of GET VPN and DMVPN. With these other technologies we also have the ability to run a routing protocol over the site to site VPN, and the firewall does not give us this option. So in the more general form of the question I would prefer to do site to site VPN on the router because it gives so many more options to choose from.
Thank you all for your answers. I think for what I am looking for both are OK, but I am looking for a preference. As the tunnel is between 2 companies I would prefer it between two firewalls, especially as I am not looking for other options like GRE or others...
Thus, what option would you take, assuming that a router and a firewall are already present on both sides for different reasons?
Maybe the firewall as a peer can help with better management, like nat0, or building a kind of VPN peer profile for my company, or maybe benefiting from the stateful failover we can implement on redundant firewalls.
Maybe it is better to reformulate my question to ask: is there a kind of standard for establishing site-to-site VPNs between companies?