Setting Up A VPN on CISCO 2600 / 2500 / PIX520?

Haakon asks: "I'm considering setting up a VPN across our USA offices by upgrading the existing 2600 / 2500 routers to FW / VPN feature set. My question relates to some 'Cisco' advice passed on by our supplier: to establish a VPN link between the USA and an existing PIX520 in Europe apparently we have to use another PIX520 in the USA -- Why is this?"
  • Is the 'supplier' you mention the place that supplies your networking hardware? If so, I'd trust their advice about as much as I would the answer resulting from asking a car salesman "do I need a new car?" or "is leasing wiser than buying financially?". At the very least you should get a second opinion (e.g. usenet, other sysadmins in the area, etc) from somebody who doesn't stand to gain $$$ from your buying new networking kit.
  • Do the VPN on linux boxes until Cisco open source's their code. :-)
  • Actually, we are in the process of setting up PIX-to-PIX VPN's from Coast to Coast here in the US. On the Corporate side of things it's just two PIX's (515-to-520) with VPN accelerators (which are on back order at the moment). And then we have server farms that are going to be talking to each other coast to coast (using PIX 520's), and in CoLo's in between. It's very interesting goings on. I'll let you know how things go if you like. I haven't heard much info about Router-to-PIX VPN. But I'd still give Cisco TAC a call, or check them out online. Good Luck!
  • Why don't you check yourself on CCO ?

    Or better, why don't you ask a question on the Cisco Open Forum [cisco.com] ?


  • It sounds like your vendor is trying to milk you for a buck or they don't know what they are talking about. The only exception to this is if your 2500/2600 is under heavy load already that it can't handle the CPU overhead of the encryption. The 2600's have hardware DES accelerators for the NAM slot that can greatly improve VPN performance. You would still have to bump up your RAM and Flash to the IOS specs of choice.

    A few notes for the fray:
    A PIX-to-IOS-Firewall is fairly easy. You can use 3DES on both ends (if you can legally get it offshore) or DES for other stuff. To my knowledge the PIX doesn't support Cisco proprietary encryption so IPSec would be the way to go. Setup the connections with the same group key on ISAKMP and IPSec tunnel parameters and you should be ready to roll.

    The only caveat is that your router should have IOS 12.1 or higher (12.1(4) has a NAT bug) - the 12.0 series has troubles with VPN key negotiation. The other option is to manually exchange the keys and SPIs on a 12.0 IOS version but that is difficult to get right and not recommended for the weak at heart.

    User interfaces for PIX or IOS-Firewall configuration are lacking at best. The Cisco tools available are difficult to follow, rather unintuitive, and lagging behind in the development cycle from the firmware releases by about 6 months. The command line isn't too difficult for those with some router experience although the PIX is sorta unique. Just remember "the PIX is not a router" - it does not support routing protocols (other than simplified RIP) or many interfaces other than Ethernet. It also has a weird arrangement for access-lists. Check this Cisco page for command notes:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pix42cfg/pix42cmd.htm

    You would be better off monitoring with a syslog stream on the secure fringes of your VPN and a server-side script to parse out violations.

    Hope this helps...
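
A worked configuration for the IOS-to-PIX, pre-shared-key IPsec tunnel this comment describes (same ISAKMP and IPsec parameters on both ends), added here as an example; it is not the commenter's configuration and is not taken from Cisco documentation. Everything concrete in it is assumed: the outside addresses 192.0.2.1 (router) and 198.51.100.1 (PIX), the inside networks 10.1.0.0/24 and 10.2.0.0/24, the interface, map and transform-set names, and the <PRE-SHARED-KEY> placeholder. It assumes IOS 12.1 with the IPsec feature set on the router and PIX software 5.x or later (the first versions with IPsec). Lines beginning with ! are annotations; IOS ignores them, the PIX does not accept them, so strip them before pasting into the PIX.

```cisco
! ===== US side: 2600 router, IOS 12.1 IPsec feature set (assumed) =====
! Phase 1 (ISAKMP): must match the PIX policy below item for item.
crypto isakmp policy 10
 encryption 3des        ! use "encryption des" if 3DES cannot be exported to the far end
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Same group (pre-shared) key as on the PIX, bound to the PIX outside address.
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
! Phase 2 (IPsec): transform set must match the PIX transform set.
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL: which traffic goes into the tunnel (mirror image of the PIX ACL).
access-list 110 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map VPN-TO-PIX 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-3DES-SHA
 match address 110
!
! Only needed if this router also does NAT overload on the WAN interface:
! exclude the site-to-site traffic from translation or it will never match ACL 110.
access-list 120 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 120 permit ip 10.1.0.0 0.0.0.255 any
ip nat inside source list 120 interface Serial0/0 overload
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN-TO-PIX

! ===== Europe side: PIX 520, PIX software 5.x+ (assumed) =====
! Interesting traffic, in PIX (netmask, not wildcard) notation; mirror of ACL 110.
access-list VPN-TRAFFIC permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Do not NAT the tunnelled traffic.
nat (inside) 0 access-list VPN-TRAFFIC
! Let decrypted IPsec traffic bypass the interface ACL / conduit checks.
sysopt connection permit-ipsec
!
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN-TO-IOS 10 ipsec-isakmp
crypto map VPN-TO-IOS 10 match address VPN-TRAFFIC
crypto map VPN-TO-IOS 10 set peer 192.0.2.1
crypto map VPN-TO-IOS 10 set transform-set TS-3DES-SHA
crypto map VPN-TO-IOS interface outside
!
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The three things that have to agree exactly are the ISAKMP policy (3DES/SHA/pre-share/group 2 here), the transform set, and the crypto ACLs, which must be mirror images of each other (the IOS side uses wildcard masks, the PIX side uses netmasks). After sending traffic that matches the ACL, `show crypto isakmp sa` and `show crypto ipsec sa` on the router (and `show isakmp sa` / `show crypto ipsec sa` on the PIX) should show an established phase 1 SA and encrypt/decrypt counters climbing on both ends.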
  • Doh! I've got intel on the brain lately. Does that qualify me for mental disability? :-)

    There were some early cisco routers that used intel boards in the multibus chassis, but then when the MGS/CGS line came out, cisco had completely switched to a motorola architecture. That was when IOS really started. The earliest boxes ran a stripped down variant of M$ Xenix, they were quite fun to play around with.

    The AGS+ boxen in my workshop have CSC/3 boards, with 68030 running at 25MHz, and a CSC/4 board with a 68040 at 50MHz. I was certain I had seen a 386 board somewhere in my pile of spares, perhaps one of the peripherals used it. The TR and FDDI boards use an AMD processor. Some cisco acquisitions used intel, such as the Combinet ISDN routers, rebranded as the 700 series. But the more recent 800 series switch to a motorola controller.

    Never post before the first 3 cups of coffee have taken effect

    the AC
  • We had a 2600 router and a PIX 520 doing the vpn thing in the USA, but I can't think of why you couldn't do that in Europe. We had to up the RAM in the router, and could only get about 512kbs until we saturated the router, which is not good if you're actually trying to route at the same time.
  • We purchased a PIX for employee and contractor access to our network, not for connecting two networks. While the unit itself is not bad, we found it difficult to configure, there are no tools that come with the unit to help you administrate the PIX.

    While this isn't too bad for us since our networking guy has IOS experience, it can get really irritating when he's out and one of us has to set up new firewall rules for testing. I think ipchains is more flexible and easier to use than the PIX!!

    The client software sucks. This is really where admin becomes a bear. There is no easy way to change authentication methods, as a matter of fact, I believe the PIX only supports shared token authentication. Only the high-end models support RADIUS.

    While I'm sure the PIX is a good product, it has not worked well for what we needed it for, and if I had to do it a second time, I would definitely shop around.
  • You're talking about VPNs, which use encryption unless I'm mistaken. Perhaps exported versions use different strength encryption, and the two are incompatible. As someone else suggested, call Cisco.
  • Old and possibly useful cisco hardware is rendered useless by not having the sourcecode.

    -- Eat your greens or I'll hit you!

  • We're currently doing about what you want to, with a few exceptions. We've got worldwide offices all doing VPN between Cisco 2600/3600's. We also aren't using it as our "production" network. It's just a backup in case the WAN fails (except for a few offices where we can get internet, but not frame relay. Those just get VPN). We have PIX's in a few locations, but the only thing we use them for (besides firewalls) is what we call "client" VPN's - not between sites, but between the PIX and someone with a laptop. The reason we do that is because the Cisco IOS doesn't handle using SecurID cards for authentication very well (it'll work, but some features are missing) and the PIX's are OK with it. IOS-IOS IPSec is easy and fun. OK, maybe that's stretching it, but it certainly isn't bad. The way I do it is to just run GRE tunnels between all the sites, and then encrypt the GRE. (I know that means that I'm running a tunneling protocol inside of a tunneling protocol, but IOS doesn't abstract the IPSec tunnel mode into virtual interfaces the way it does with GRE, so GRE makes it a lot easier to do things like run multicast-based protocols (read: OSPF).) It makes a great network of virtual point-to-point links. And if for some reason the internet is broken between two of your sites, but not between others, the routing protocols will route around the problem.

    But the short answer to your question is that it should work fine without any PIX's anywhere. We're running IOS 12.1.3a. It seems to work well. (And, if you've got memory spewing out your orifices, you can try the T images, and you can ssh into your router, if you so desire.)
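
An example of the GRE-over-IPsec arrangement this comment describes (a GRE tunnel between two IOS routers, with IPsec encrypting only the GRE packets so that OSPF can run across the virtual point-to-point link), added here as an illustration; it is not the commenter's configuration and not Cisco's own example. Only site A is shown; site B is the mirror image with the addresses swapped. The outside addresses 192.0.2.1 and 203.0.113.2, the tunnel subnet 172.16.0.0/30, the inside network 10.1.0.0/24, the interface and map names and the <PRE-SHARED-KEY> placeholder are all assumed, as is IOS 12.1 with the IPsec feature set.

```cisco
! ===== Site A router, IOS 12.1 IPsec feature set (assumed) =====
! The GRE tunnel is the "virtual point-to-point link"; it carries the site's
! unicast and multicast (OSPF) traffic regardless of what IPsec does.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
!
! OSPF runs over the tunnel like over any other point-to-point link, so if the
! Internet path between two sites breaks, OSPF routes around it via other sites.
router ospf 1
 network 10.1.0.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
! Transport mode is enough: GRE already supplies the outer IP header.
crypto ipsec transform-set TS-GRE esp-3des esp-sha-hmac
 mode transport
!
! Crypto ACL matches only the GRE packets between the two router outside
! addresses, so everything that enters Tunnel0 is encrypted, nothing else is.
access-list 101 permit gre host 192.0.2.1 host 203.0.113.2
!
crypto map GRE-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-GRE
 match address 101
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-VPN
! IOS 12.1-era Cisco examples also apply the crypto map to Tunnel0;
! doing both is harmless on that release.
```

Because the crypto ACL matches the GRE protocol rather than the inside subnets, adding a new inside network at either site only needs an OSPF `network` statement, not a change to any crypto ACL. The reverse holds too: if a packet leaves through Serial0/0 without first entering Tunnel0 (a missing route, for instance), it is sent in the clear, so `show crypto ipsec sa` should show the encrypt counters rising in step with the tunnel's packet counters.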

  • It looks like your supplier just wants you to spend more $$$. Take 15 minutes and call Cisco TAC. They will tell you if another PIX is needed.
  • by joedumb ( 106053 )
    Kinda unrelated, but has anyone here gotten GRE to work between a *BSD (NetBSD) and a Cisco router or even another BSD machine? I've had a hell of a time trying to figure it out and the online docs are only slightly helpful. Thanks
  • I've done IPSEC tunnels between 7200's and PIX 520s. It can be a little hairy the first time, but the example configs on CCO are a huge help. And for God's sake, be careful with the ACLs.
  • I've got some old and definitely useful cisco hardware, and it still works even though I don't have the source code. It just runs the last IOS update for that hardware, 11.0. The CPU is a 12 MHz 80386, I wouldn't want to load it up with something like 3DES encryption or BGP4 connected to the internet :-)

    I am just using the boxes to do frame relay switching for testing routing protocols, and this hardware still supports old interfaces like FDDI and token ring so I can study for CCIE renewals. It chugs along, and except for drawing enough power to dim the lights in the neighborhood, it's enough.

    I suspect much of cisco's code has been quietly forked into the open source community, because so many of the networking features available on Linux and BSD work surprisingly well with cisco routers, with the possible exception of ISAKMP protocols which are still being thrashed about and generally don't work well. I know of several /. posters and open source authors who work for cisco.

    the AC
  • Hello...

    Over the last weekend I setup a test VPN using the same exact hardware you have. Cisco has a lot of documentation on setting up VPNs with their products. But almost all is IOS -to- IOS or PIX -to- PIX, there is only _one_ example document that shows how to setup an IOS -to- PIX VPN. But like another poster stated, the first time is a bear, after that it is easy. So, your vendor might not know how to do an IOS -to- PIX VPN, only PIX -to- PIX. That is why they state that you must have a PIX.
    And on cisco equipment in general, I have cisco routers, switches, firewalls, and localdirectors. They all rock! All my servers are linux, all the network hardware is cisco. It is a hard combination to beat.

    --
    Christopher McCrory
    "The guy that keeps the servers running"
    chrismcc@localhost.pricegrabber.com
    http://www.pricegrabber.com

    "Linux: Because rebooting is for adding new hardware"

  • I've got some old and definitely useful cisco hardware, and it still works even though I don't have the source code. It just runs the last IOS update for that hardware, 11.0. The CPU is a 12 MHz 80386,

    I'm racking my brain here, what Cisco equipment uses a 386? I know some of the more off-the-wall stuff like Localdirector, Cache Engine, etc. run on Intel gear, but I'm not aware of any IOS-based routers that do.
