Router to Router VPN Config Guidance

fmatrine
Level 1

Dear Sir,

We have a network setup with an Internet leased line terminating on a router.

Behind the router we have a PIX 506 firewall and then our office LAN.

We have the same setup at our branch office in some other country.

We are planning to form a Site-to-Site VPN tunnel from our corporate office router to the branch office router over the Internet. Data flow will be in both directions over the VPN tunnel.

Also, the mail and web server of our corporate office LAN will be accessed from the outside world. We will be doing NAT on the firewall for the same.

Sometimes corporate users may be required to browse the Internet on the same Internet leased link. Is split tunneling or any other configuration required on the corporate and branch router to differentiate between VPN and normal browsing traffic going out of the corporate LAN?

Will there be any problem in the proposed implementation?

Kindly advise/suggest a working config for the same.

Topology:

Corporate LAN - Firewall - Router - Internet (ISP) - Branch Router - Firewall - Branch LAN.

Thanks & Regards

Deepak

3 Replies

charlieroffe
Level 1

Hello,

From what I understand, you have in each location, from outside to in, the Internet, a router, a PIX, and then your LAN. You have two locations, with the same setup, in different countries. You'd like data between the two different locations (networks) to be encrypted and tunneled. This is simple, and will work. Basically, if you establish a PIX-to-PIX tunnel, and define the encryption domain (data destined to what network should be encrypted), the PIX will automatically know that when you're sending to that remote network, it should encrypt and tunnel it. You will not need split tunneling, since the PIX will automatically send anything not destined to that network according to your routes and default gateway to the Internet. Split tunneling might come into play if you additionally set up home machines to VPN into either of these PIXes and you want them to access the Internet directly.

In addition, your mail and web server being accessed from the Internet will not change, as this will NOT be classified as VPN traffic by the PIX firewall.

So basically, the only difference between the current topology and the topology with the VPN is that packets destined for the opposite network will be tunneled and encrypted on the PIX.

You only have to set up a simple PIX-to-PIX tunnel, according to this document:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

I hope this helps...

Regards,

Charlie Roffe

Dear Sir,

Thanks for the guidance given.

I need one more piece of help.

As described in the topology, we want to set up the VPN tunnel between our Internet routers and not the firewalls.

The firewall will be used only for firewalling purposes and not VPN.

Can you post me a working config for the same?

Also, will there be any technical problem if we terminate the VPN tunnel on the Internet router rather than the firewall?

Kindly advise with a sample config.

Regards

Deepak

Hi Deepak,

Sorry, but I do not post sample configurations. They are custom to your solution, and I do that as my job as a consultant. Cisco's technical documentation on their website will have sample configurations for router to router VPNs.

Anyhow regarding your setup...

The router to router VPN will work fine, given you have good enough routers. One advantage you get from doing VPN tunnels in the routers is that you can actually route packets between different VPNs on the same interface (which the PIX will not do). The configuration will depend on which routers you have. Depending on how fast your lines are, and how much traffic you want to pass through the router to router tunnels, most routers should be able to handle it. Just keep in mind that you will probably have to pay for and install a better version of the IOS, and maybe more memory on the routers as well.

Charlie
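As an added illustration (editor's example, not a configuration from this thread, from Charlie, or from Cisco's documentation), the corporate side of a classic crypto-map site-to-site IPsec configuration for a Cisco IOS router shows how the encryption domain alone separates tunnel traffic from Internet browsing, which is why no split-tunnel configuration is needed on the routers. All addresses, names, the interface and the pre-shared key are assumed placeholders, and it assumes the PIX behind the router does not translate corporate-to-branch traffic, so the router sees the private source addresses the crypto ACL matches.

```cisco
! Corporate router. Hypothetical addressing (RFC 5737 documentation ranges):
!   corporate LAN 192.168.1.0/24, branch LAN 192.168.2.0/24
!   corporate WAN 198.51.100.1,   branch WAN 203.0.113.1
! The branch router mirrors this with the networks and peer swapped.
!
! Assumption: the PIX exempts 192.168.1.0/24 -> 192.168.2.0/24 from NAT,
! otherwise the router sees a public source address and the crypto ACL
! below never matches.
!
! Phase 1 (IKEv1/ISAKMP) policy
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key for the branch peer; replace PLACEHOLDER_PSK
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
!
! Phase 2 (IPsec) proposal
crypto ipsec transform-set BRANCH-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Encryption domain: only LAN-to-LAN traffic is tunneled. Internet
! browsing and inbound traffic to the NAT'd mail/web servers do not
! match this ACL, so they follow the normal routing table unencrypted.
ip access-list extended BRANCH-VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map BRANCH-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set BRANCH-TS
 set pfs group14
 match address BRANCH-VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Internet leased line to ISP
 ip address 198.51.100.1 255.255.255.252
 crypto map BRANCH-VPN
!
! Default route to the ISP; packets for 192.168.2.0/24 also follow it,
! but the crypto map intercepts and encrypts them on the way out.
ip route 0.0.0.0 0.0.0.0 198.51.100.2
```

The IKEv1 crypto-map style shown here needs an IOS image with the crypto feature set, which is the licensing point Charlie raises above.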