Setting Up A VPN on CISCO 2600 / 2500 / PIX520?
Haakon asks: "I'm considering setting up a VPN across our USA offices by upgrading the existing 2600 / 2500 routers to FW / VPN feature set. My question relates to some 'Cisco' advice passed on by our supplier: to establish a VPN link between the USA and an existing PIX520 in Europe apparently we have to use another PIX520 in the USA -- Why is this?"
Is the 'supplier' you mention the place that supplies your networking hardware? If so, I'd trust their advice about as much as I would the answer resulting from asking a car salesman "do I need a new car?" or "is leasing wiser than buying financially?". At the very least you should get a second opinion (e.g. Usenet, other sysadmins in the area, etc.) from somebody who doesn't stand to gain $$$ from your buying new networking kit.
Do the VPN on Linux boxes until Cisco open-sources their code. :-)
Daniel
Actually, we are in the process of setting up PIX-to-PIX VPNs from coast to coast here in the US. On the corporate side of things it's just two PIXes (515-to-520) with VPN accelerators (which are on back order at the moment). And then we have server farms that are going to be talking to each other coast to coast (using PIX 520s), and in CoLos in between. It's very interesting goings on. I'll let you know how things go if you like. I haven't heard much info about router-to-PIX VPN. But I'd still give Cisco TAC a call, or check them out online. Good luck!
Why don't you check yourself on CCO?
Or better, why don't you ask a question on the Cisco Open Forum?
It sounds like your vendor is trying to milk you for a buck or they don't know what they are talking about. The only exception to this is if your 2500/2600 is under such heavy load already that it can't handle the CPU overhead of the encryption. The 2600s have hardware DES accelerators for the NAM slot that can greatly improve VPN performance. You would still have to bump up your RAM and Flash to the IOS specs of choice.
A few notes for the fray:
A PIX-to-IOS-Firewall VPN is fairly easy. You can use 3DES on both ends (if you can legally get it offshore) or DES for other stuff. To my knowledge the PIX doesn't support Cisco proprietary encryption, so IPSec would be the way to go. Set up the connections with the same group key on ISAKMP and IPSec tunnel parameters and you should be ready to roll.
The only caveat is that your router should have IOS 12.1 or higher (12.1(4) has a NAT bug) - the 12.0 series has troubles with VPN key negotiation. The other option is to manually exchange the keys and SPIs on a 12.0 IOS version but that is difficult to get right and not recommended for the weak at heart.
User interfaces for PIX or IOS-Firewall configuration are lacking at best. The Cisco tools available are difficult to follow, rather unintuitive, and lagging behind the firmware releases in the development cycle by about 6 months. The command line isn't too difficult for those with some router experience, although the PIX is sorta unique. Just remember "the PIX is not a router" - it does not support routing protocols (other than simplified RIP) or many interfaces other than Ethernet. It also has a weird arrangement for access-lists. Check this Cisco page for command notes:
http://www.cisco.com/univercd/cc/td/doc/product/i
You would be better off monitoring with a syslog stream on the secure fringes of your VPN and a server-side script to parse out violations.
Hope this helps...
We had a 2600 router and a PIX 520 doing the VPN thing in the USA, but I can't think of why you couldn't do that in Europe. We had to up the RAM in the router, and could only get about 512 kbps until we saturated the router, which is not good if you're actually trying to route at the same time.
We purchased a PIX for employee and contractor access to our network, not for connecting two networks. While the unit itself is not bad, we found it difficult to configure; there are no tools that come with the unit to help you administrate the PIX.
While this isn't too bad for us since our networking guy has IOS experience, it can get really irritating when he's out and one of us has to set up new firewall rules for testing. I think ipchains is more flexible and easier to use than the PIX!!
The client software sucks. This is really where admin becomes a bear. There is no easy way to change authentication methods; as a matter of fact, I believe the PIX only supports shared token authentication. Only the high-end models support RADIUS.
While I'm sure the PIX is a good product, it has not worked well for what we needed it for, and if I had to do it a second time, I would definitely shop around.
You're talking about VPNs, which use encryption unless I'm mistaken. Perhaps exported versions use different strength encryption, and the two are incompatible. As someone else suggested, call Cisco.
We're currently doing about what you want to, with a few exceptions. We've got worldwide offices all doing VPN between Cisco 2600/3600s. We also aren't using it as our "production" network. It's just a backup in case the WAN fails (except for a few offices where we can get Internet, but not frame relay. Those just get VPN). We have PIXes in a few locations, but the only thing we use them for (besides firewalls) is what we call "client" VPNs - not between sites, but between the PIX and someone with a laptop. The reason we do that is because the Cisco IOS doesn't handle using SecurID cards for authentication very well (it'll work, but some features are missing) and the PIXes are OK with it. IOS-IOS IPSec is easy and fun. OK, maybe that's stretching it, but it certainly isn't bad. The way I do it is to just run GRE tunnels between all the sites, and then encrypt the GRE. (I know that means that I'm running a tunneling protocol inside of a tunneling protocol, but IOS doesn't abstract the IPSec tunnel mode into virtual interfaces the way it does with GRE, so GRE makes it a lot easier to do things like run multicast-based protocols (read: OSPF).) It makes a great network of virtual point-to-point links. And if for some reason the Internet is broken between two of your sites, but not between others, the routing protocols will route around the problem.
But the short answer to your question is that it should work fine without any PIXes anywhere. We're running IOS 12.1.3a. It seems to work well. (And, if you've got memory spewing out your orifices, you can try the T images, and you can ssh into your router, if you so desire.)
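An added IOS configuration example, not from any poster, of the design the two posts above describe: a GRE point-to-point link encrypted by IPSec with a shared ISAKMP key, and OSPF running over the tunnel so a broken Internet path is routed around. It shows the site A router only; site B mirrors it with the addresses swapped. All addresses (RFC 5737 documentation ranges), interface and map names and the key placeholder are hypothetical.

```cisco
! Site A router. WAN 203.0.113.1 (site B WAN 203.0.113.2), LAN 10.1.0.0/24.
! Hypothetical values; replace REPLACE_WITH_STRONG_PSK with a real shared key.
!
! Phase 1 (ISAKMP): policy and pre-shared "group key" must match on both ends.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! Phase 2 (IPSec): transport mode suffices because GRE already wraps the
! inner packet, so tunnel mode would only add a third IP header.
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! Encrypt only the GRE traffic between the two WAN addresses.
access-list 101 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address 101
!
! GRE virtual point-to-point link; 172.16.0.0/30 is the link's own subnet.
! Older IOS releases required the crypto map on the tunnel interface as well
! as on the physical interface that carries the GRE packets.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 crypto map VPN
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
!
! OSPF (multicast hellos) runs over the GRE link; with tunnels to several
! sites, a failed Internet path between two sites converges via a third.
router ospf 1
 network 10.1.0.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
```

On the router, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that the SA came up and that the GRE packet counters are incrementing on the encrypted path rather than in the clear.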
It looks like your supplier just wants you to spend more $$$. Take 15 minutes and call Cisco TAC. They will tell you if another PIX is needed.
Kinda unrelated, but has anyone here gotten GRE to work between a *BSD (NetBSD) and a Cisco router or even another BSD machine? I've had a hell of a time trying to figure it out and the online docs are only slightly helpful. Thanks
Hello...
Over the last weekend I set up a test VPN using the exact same hardware you have. Cisco has a lot of documentation on setting up VPNs with their products. But almost all is IOS-to-IOS or PIX-to-PIX; there is only _one_ example document that shows how to set up an IOS-to-PIX VPN. But like another poster stated, the first time is a bear, after that it is easy. So, your vendor might not know how to do an IOS-to-PIX VPN, only PIX-to-PIX. That is why they state that you must have a PIX.
And on Cisco equipment in general, I have Cisco routers, switches, firewalls, and LocalDirectors. They all rock! All my servers are Linux, all the network hardware is Cisco. It is a hard combination to beat.
--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@localhost.pricegrabber.com
http://www.pricegrabber.com
"Linux: Because rebooting is for adding new hardware"