1720 vpn despite single etnernet ?

shux · ‎09-10-2000

Our customer has two sites (A & B) which join together at the heart of a third independent site (C).

A -> C <- B

A & B are each connected to C through fibre link.

We wish to implement a VPN solution to allow IPX to flow from A to B.

Obviously security is of the essence when traversing C.

Would two 1720s, configured with IPSec VPN and a GRE tunnel to encapsulate the IPX suffice ?

Since A & B are already connected via fibre, there is no link to which a 1720 interface could connect except to the site's local LAN.

Is the 1720 capable of providing the VPN services through that single LAN access for both inbound and outbound tunnel traffic ?

Would it not be more sensible to select a 1605 which incorporates two LAN interfaces which could be configured as Inbound / Outbound respectively ?

What IOS module should we select ? Is IP Plus IPSec 56 (DES) sufficient ?

Or should we select a module that also supports IPX routing ? (e.g. IP/IPX/AT/IBM/FW Plus IPSec 56 (DES))

shux

smalkeric · ‎09-18-2000

As long as Site C isn't firewalling or filtering at it's access point's you shouldn't have a problem building an ipsec tunnel across it. I have a few customers who use the 1720 router and they are really happy with it. How important is the data? Do you think 56 bit encryption will suit your needs?

jbohla · ‎09-20-2000

I ran into a similar issue and I know this much, in order to encapsulate IPX traffic in IPsec you'll need the IPX feature set. The only way you can get around this is if it arrives at the router encapsulated already (for example, gre). I'd like to know if anyone knows of any other ways this can be accomplished?