[c-nsp] PIX VPN Mesh w/ OSPF

Rodney Dunn rodunn at cisco.com
Sat Jan 15 19:26:46 EST 2005


On Sat, Jan 15, 2005 at 02:22:04PM -0500, su1droot wrote:
> You will have to watch out: the PIX will not route traffic between VPN
> tunnels in the current 6.x release.  I've seen a note that this feature
> will be in the upcoming 7.0 release, but I don't hold my breath.

I've helped troubleshoot some issues similar to this
lately.  I asked this same question for a deployment
we were doing yesterday and I was told the same thing about
7.0: that it should have the ability to route traffic between
VPNs.

> 
> Also, to support a routing protocol across the tunnels (since IPSec
> doesn't support multicast or broadcast) you should run GRE across the
> IPSec tunnels.  We are doing a similar setup at a customer who is
> doing IPSec PIX to PIX and GRE from an internal router over the IPSec
> to an internal router at the remote end.  You will have to play with ip
> mtu and mss values on the GRE tunnel though.

I also helped troubleshoot two issues like this last week.
One was with a PIX as the IPSEC termination box and the
other was with a VPN3000.  The hardest thing to get working
was the routing over the tunnels while at the same time
making sure you do not have a recursive routing problem,
especially between the IPSEC termination box and the router
sitting behind it doing the GRE termination.

Just an fyi..

Rodney

> 
> On Tue, 11 Jan 2005 09:55:49 -0800, Dave Breiland
> <superdave at dynamicis.com> wrote:
> > I want to make sure I'm on the right track and haven't set myself up for
> > failure...
> > I have 4 offices around the US.  Each site has a different ISP...
> > connected with a T1.  My plan was to have a PIX-515 at each site.  I
> > would use the PIX's to create VPNs between each and every site.  My
> > guess is that there will be times that the ISPs will have routing issues
> > between each other.  To get around this, I would think that...
> > -Route between Site A and Site B fails
> > -Site B re-routes data to Site C which still has VPN to Site A.
> > Presumably this would require EIGRP or OSPF.  Unfortunately it looks
> > like the PIX only supports OSPF.
> > Is this the right direction/steps I should be taking?
> > Am I just over complicating things?
> > Has anyone had success with OSPF and the PIXs?
> > 
> > Thanks for any input.
> > 
> > Dave
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
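A worked example of the setup discussed in this thread: an internal router behind the PIX terminating GRE to its peer at the remote site, with the MTU/MSS adjustments and a guard against the recursive routing problem. This is an added illustration, not configuration posted by anyone in the thread; all addresses, the MTU/MSS starting values and the assumption that the PIX crypto ACL already permits GRE between the two tunnel endpoints are hypothetical.

```cisco
! Site A internal router (hypothetical addresses). The PIX in front of it
! (inside address 192.168.1.1) terminates IPsec to Site B; this router
! terminates GRE to the Site B internal router at 192.168.2.2.
! Assumed: the PIX crypto ACL matches GRE between 192.168.1.2 and 192.168.2.2.
interface Tunnel0
 description GRE to Site B internal router, carried inside the PIX IPsec tunnel
 ip address 10.255.0.1 255.255.255.252
 ! GRE (4) + outer IP (20) + ESP tunnel-mode overhead all come out of 1500;
 ! 1400/1360 are common starting points, tune per the thread's advice.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.1.2
 tunnel destination 192.168.2.2
!
! Recursive-routing guard: if OSPF over Tunnel0 ever advertises a route that
! covers 192.168.2.2, the router would try to reach the tunnel endpoint through
! the tunnel itself and IOS shuts it down (%TUN-5-RECURDOWN). A /32 static via
! the PIX always wins (admin distance 1 beats OSPF 110), so the endpoint stays
! reachable through the IPsec box regardless of what is learned over the tunnel.
ip route 192.168.2.2 255.255.255.255 192.168.1.1
!
! Do not redistribute or advertise the transit subnet (192.168.2.0/24) into
! OSPF from the far side with a more specific prefix than the /32 above.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
 passive-interface default
 no passive-interface Tunnel0
```

With a second Tunnel interface to Site C (and its own /32 static), OSPF will reconverge over the surviving tunnel when the Site A to Site B path fails, which is the failover the original question was after.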
