I have a call coming up with Verizon for creating a VPN connection from our site over the Internet to a group of wireless devices that they have placed into a secure subnet, which will be viewed as another remote site to our corporate LAN. Verizon would not permit the use of an ASA for this (too bad, maybe feature support issues) and requested that we use a 19xx or 21xx router.
I have a 1921 and we have a call in a few days. I read that they want to use AES-256, BGP (BGP AS 65505), and the tunnel type is GRE/IPSEC transport mode. The local corporate network is 10.0.0.0 /8 and the remote site is 10.250.250.0 /24. They have NAT traversal checked on a form they sent me.
I want the remote site to simply have a default route to our corporate network. I did not want to use any routing protocol over the tunnel. So why is Verizon mentioning GRE/IPSEC and BGP??? I have asked them for a sample config and haven't heard from them or received anything yet. I am only using one router with no backup (don't want one but maybe on their end they have to implement a redundant link to meet their requirements?).
Anyone have a sample config they have used for something similar to this type of connection with Verizon? I could spend a lot of time reading and wasting time if it turns out that BGP / GRE is not necessary, but maybe the way they set these connections up it is a requirement of their network designs.
Resolved. I came up with a template config after reading several nights and was ready. On the call with Verizon engineers, they actually built the commands for my router and sent them to me during the turn-up call. Their commands were very close to mine, so I was on the right track and understood the setup. Needed GRE for the BGP, but only needed BGP from my tunneling router to theirs at their two sites. To integrate into my main network I simply used some static routes and a default route on the BGP/GRE/VPN router. Came up and worked in a short period of time. Now we have our wireless devices in a Verizon private subnet that is actually just an extension of our main site...exactly like a branch office. Full IP connectivity to our entire corporate network and no end user software needed. Makes it simple for end users with little understanding of how to connect.
Verizon will basically walk you through it and give you all the commands to put into your router. They will create the config lines for you! My process only took 1/2 hour, but they had an hour or two allocated for my time slot. I had everything ready for them with test laptops to work with on the new subnet.
Here is my config with minor psw changes.
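A template in the shape the post describes, as an added example: it is not the poster's own config (which is not reproduced in the thread) and not Verizon-supplied. VZ_PEER_IP, CORP_NEXT_HOP, ISP_NEXT_HOP, LOCAL_AS, PSK and the 192.0.2.0/30 tunnel addressing are placeholders; the real values, DH group and hash come from the Verizon form and turn-up call. It shows GRE over IPsec transport mode with AES-256, BGP only across the tunnel to AS 65505, and static routing toward the corporate core.

```cisco
! Added example: IOS template for GRE/IPsec transport mode + eBGP to Verizon AS 65505.
! Placeholders (hypothetical): VZ_PEER_IP, CORP_NEXT_HOP, ISP_NEXT_HOP, LOCAL_AS, PSK.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PSK address VZ_PEER_IP
! NAT-T (UDP/4500) is negotiated automatically when a NAT device is detected;
! keepalives keep the NAT binding open.
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set VZ-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile VZ-PROF
 set transform-set VZ-TS
!
! Tunnel addressing is a constructed /30 from the documentation range.
interface Tunnel0
 description GRE/IPsec to Verizon private wireless subnet
 ip address 192.0.2.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination VZ_PEER_IP
 tunnel mode gre ip
 tunnel protection ipsec profile VZ-PROF
!
! BGP runs only router-to-router across the tunnel, as the post describes.
router bgp LOCAL_AS
 bgp log-neighbor-changes
 network 10.0.0.0 mask 255.0.0.0
 neighbor 192.0.2.2 remote-as 65505
 neighbor 192.0.2.2 description Verizon
!
! Static integration: the corporate /8 via the core (also satisfies the BGP
! network statement), default via the ISP so the tunnel endpoint is reached
! directly and never recursed through the tunnel.
ip route 10.0.0.0 255.0.0.0 CORP_NEXT_HOP
ip route 0.0.0.0 0.0.0.0 ISP_NEXT_HOP
!
! Verification after turn-up:
!  show crypto isakmp sa        (QM_IDLE = IKE phase 1 up)
!  show crypto ipsec sa         (encaps and decaps counters both incrementing)
!  show ip bgp summary          (State/PfxRcd is a prefix count, not Active)
!  show ip route 10.250.250.0   (learned via BGP over Tunnel0)
```

If IKE and IPsec are up and ping works but larger TCP traffic does not, check the tunnel MTU/MSS values first, since GRE plus ESP overhead is the usual cause.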
I've gone down this road myself with a 1921. Did you guys have any trouble with traffic once the VPN was all setup? I seem to be able to send ICMP from the wireless devices and get a response, but nothing else.
I have the same configuration except our routes differ. I have a setup where I can only ping towards Verizon, but Verizon cannot ping towards me. Waiting for them to show me a traceroute output.