Archived from groups: comp.security.firewalls
In article <1127879920.913376.55840@g47g2000cwa.googlegroups.com>,
sergerivest@yahoo.com says...
> Here's my situation: I got this new job as sysadmin for a company. They
> have a network where there's a firebox III 700 as the main router and
> another CISCO router placed somewhere in the DMZ with a box behind it.
>
> When I asked why they had that CISCO 1711 they told me, because the
> Firebox III 700 didn't support GRE over IPsec, they had to buy this
> specific CISCO router to be able to do a "branch-to-branch" VPN with
> the provider.
>
> [p net]<==>[p router]<++>[o firebox]<++>[o cisco]<==>[o net]
>
> == IP
> ++ GRE/IPsec
> p Provider
> o Our
>
> What I would like (eliminate the Cisco router):
>
> [p net]<==>[p router]<++>[o firebox]<==>[o net]
>
> Now it's time to buy "spares" and I'm wondering if it's worth
> buying another CISCO 1711 or we're wasting our money since the firebox
> III 700 could do that VPN connection. I would like to test that
> before making a decision. I'm not really familiar with setting up
> branch-to-branch VPNs with GRE over IPsec with the Policy Manager. I'd
> appreciate an example.
The 700 will easily do a Branch to Branch VPN with every major appliance
out there, and even cheap little BEFVP41 units. You just set up a "Manual
Branch office VPN" and use IPSec, then create rules that permit access
between the two networks.
I have IPSec tunnels between Watchguard and the following: Netscreen,
Linksys BEFVP41, Linksys BEFSX41, WatchGuard, D-Link, Netgear, PIX,
Check Point FW1, and then remote user PPTP connections.
If your provider gives you a fixed IP with a full connection, not
filtered, you don't need them to do the IPSec tunnels for you; you just
set up the WG unit to do a manual VPN tunnel to the remote location.
Also, if you get a WG unit for the other office, you can use the
Automated BOVPN setup and it will basically auto-configure between the
two - takes about 5 minutes to set up the first time.
--
spam999free@rrohio.com
remove 999 in order to email me