[c-nsp] PIX VPN Mesh w/ OSPF

su1droot su1droot at gmail.com
Sat Jan 15 14:22:04 EST 2005


You will have to watch out: the PIX will not route traffic between VPN
tunnels in the current 6.x release.  I've seen a note that this feature
will be in the upcoming 7.0 release, but I don't hold my breath.

Also, to support a routing protocol across the tunnels (since IPSec
doesn't support multicast or broadcast) you should run GRE across the
IPSec tunnels.  We are doing a similar setup at a customer who is
doing IPSec PIX to PIX and GRE from an internal router over the IPSec
to an internal router at the remote end.  You will have to play with ip
mtu and mss values on the GRE tunnel though.

On Tue, 11 Jan 2005 09:55:49 -0800, Dave Breiland
<superdave at dynamicis.com> wrote:
> I want to make sure I'm on the right track and haven't set myself up for
> failure...
> I have 4 offices around the US.  Each site has a different ISP...
> connected with a T1.  My plan was to have a PIX-515 at each site.  I
> would use the PIX's to create VPNs between each and every site.  My
> guess is that there will be times that the ISPs will have routing issues
> between each other.  To get around this, I would think that...
> -Route between Site A and Site B fails
> -Site B re-routes data to Site C which still has VPN to Site A.
> Presumably this would require EIGRP or OSPF.  Unfortunately it looks
> like the PIX only supports OSPF.
> Is this the right direction/steps I should be taking?
> Am I just over complicating things?
> Has anyone had success with OSPF and the PIXs?
> 
> Thanks for any input.
> 
> Dave


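The GRE-over-IPsec layout the reply describes (PIX-to-PIX IPsec carrying a GRE tunnel between the internal routers, OSPF running over the GRE tunnel, MTU and MSS clamped on the tunnel) looks roughly like the following on one of the internal routers. This is an added example, not configuration from the thread or from the poster's customer site; all addresses, interface names and the OSPF process number are hypothetical.

```cisco
! Site A internal router (hypothetical; added example, not from the original thread)
! 10.1.1.1 is this router's inside address, 10.2.1.1 is the Site B internal router.
! Both must be covered by the PIX crypto ACLs so GRE (IP protocol 47) rides the IPsec SA.
interface FastEthernet0/0
 description Inside LAN at Site A
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
 description GRE to Site B internal router, carried inside the PIX-to-PIX IPsec tunnel
 ip address 10.255.0.1 255.255.255.252
 ! GRE adds 24 bytes and ESP adds more on top; 1400 leaves headroom on a 1500-byte path
 ip mtu 1400
 ! MSS = ip mtu minus 40 (20 IP + 20 TCP) so TCP never needs fragmentation in the tunnel
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 10.2.1.1
!
router ospf 1
 ! OSPF hellos are multicast, which is why they must go over GRE rather than bare IPsec
 network 10.1.1.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
 passive-interface FastEthernet0/0
```

The same template, with a second Tunnel interface per remote site, gives the redundancy the original question asks about: if the A-to-B IPsec path fails, OSPF withdraws the route over Tunnel0 and the B-to-C-to-A tunnels carry the traffic. Two checks worth doing after bringing it up: `show ip ospf neighbor` should list the peer as FULL on Tunnel0, and a `ping` with `df-bit` and a size near 1400 across the tunnel confirms the MTU choice before users hit path-MTU problems.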