WAN Encryption

dchristm09 · ‎08-21-2011

Hello, we have remote sites using 1841 routers coming back to a 2821 router at headquarters across the WAN. We also have an ASA 5510 at headquarters. What would be the best way to configure an encrypted WAN? Would additional equipment be needed?

Sent from Cisco Technical Support iPad App

Mohamed Sobair · ‎08-21-2011

Hello,

with the current hardware you can have supported IPsec over your WAN links, you just need to make sure you have the correct IOS Software feature set on the 1841 that supports IPsec.

If its, then you can terminate many LAN-to-LAN IPsec tunnels between your ASA and 1841 Spokes.

Regards,

Mohamed

dchristm09 · ‎08-22-2011

Thanks for the info Mohamed. From what I read the 1841's basic specifications have Onboard VPN encryption acceleration-IP Security (IPSec). I did a sh vers on one of the 1841's and this is what I have:

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

System image file is "flash:c1841-advipservicesk9-mz.124-15.T7.bin"

Does that look like the correct IOS software?

Mohamed Sobair · ‎08-22-2011

Hi Dave,

Yes that IOS is the correct one and it should support IPsec.

Regards,

Mohamed

dchristm09 · ‎08-22-2011

Thanks Mohamed

Collin Clark · ‎08-22-2011

How many remote sites do you have? There may be better options for you like DMVPN or possibly GETVPN.

dchristm09 · ‎08-22-2011

I have 17 remotes sites now. They all have 1841's which come back across the WAN to a 2821 at headquarters. We also have our routers doing failover with our DR site so if I change the WAN I may need another failover option.

Collin Clark · ‎08-22-2011

With that many remote sites definitely look into DMVPN and GETVPN. GETVPN is not supported by the ASA so you would need to use another router at the head end.

DMVPN

http://www.cisco.com/en/US/products/ps6658/index.html

GETVPN

http://www.cisco.com/en/US/products/ps7180/index.html

dchristm09 · ‎08-22-2011

Thanks Collin, I will take a look at that.