You will have to watch out: the PIX will not route traffic between VPN
tunnels in the current 6.x release. I've seen a note that this feature
will be in the upcoming 7.0 release, but I don't hold my breath.
Also, to support a routing protocol across the tunnels (since IPSec
doesn't support multicast or broadcast) you should run GRE across the
IPSec tunnels. We are doing a similar setup at a customer who is
doing IPSec PIX to PIX and GRE from an internal router over the IPSec
to an internal router at the remote end. You will have to play with ip
mtu and mss values on the GRE tunnel though.
On Tue, 11 Jan 2005 09:55:49 -0800, Dave Breiland
<supe...@dynamicis.com> wrote:
I want to make sure I'm on the right track and haven't set myself up for
failure...
I have 4 offices around the US. Each site has a different ISP...
connected with a T1. My plan was to have a PIX-515 at each site. I
would use the PIXs to create VPNs between each and every site. My
guess is that there will be times that the ISPs will have routing issues
between each other. To get around this, I would think that...
-Route between Site A and Site B fails
-Site B re-routes data to Site C which still has VPN to Site A.
Presumably this would require EIGRP or OSPF. Unfortunately it looks
like the PIX only supports OSPF.
Is this the right direction/steps I should be taking?
Am I just overcomplicating things?
Has anyone had success with OSPF and the PIXs?
Thanks for any input.
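As an added example (not from either poster), here is what the reply's GRE-over-IPsec design looks like on the Site A internal router in IOS: GRE tunnels to the Site B and Site C internal routers, carried inside the PIX-to-PIX IPsec tunnels, OSPF running across the GRE tunnels so a failed A-B path is withdrawn and traffic follows the A-C-B path, and the ip mtu / TCP MSS values lowered to leave room for the GRE and IPsec overhead. All addresses, interface names and the 1400/1360 values are assumptions.

```cisco
! Site A internal router (constructed example; addresses are placeholders)
! Fa0/0 faces the inside of the Site A PIX; Fa0/1 is the Site A LAN.
interface FastEthernet0/0
 description Toward Site A PIX (IPsec endpoint)
 ip address 10.1.0.2 255.255.255.0
!
interface FastEthernet0/1
 description Site A LAN
 ip address 10.1.1.1 255.255.255.0
!
! GRE tunnel to the Site B internal router. The tunnel endpoints are
! private addresses, so the PIX-to-PIX crypto ACL must match
! 10.1.0.0/24 <-> 10.2.0.0/24 or the GRE packets never get encrypted.
interface Tunnel12
 description GRE to Site B over PIX IPsec
 ip address 172.16.12.1 255.255.255.252
 ! 1500 minus GRE (24) and IPsec/ESP overhead: 1400 leaves headroom
 ip mtu 1400
 ! Clamp TCP MSS so end hosts never send segments that need fragmenting
 ip tcp adjust-mss 1360
 ! Bring the tunnel down when the far end stops answering, so OSPF
 ! withdraws the routes instead of blackholing traffic
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 10.2.0.2
!
! Second tunnel to Site C gives OSPF the alternate path if A<->B fails.
interface Tunnel13
 description GRE to Site C over PIX IPsec
 ip address 172.16.13.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 10.3.0.2
!
! OSPF runs over the GRE tunnels (which carry multicast), not over
! IPsec directly. Losing a tunnel removes its routes automatically.
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.12.0 0.0.0.3 area 0
 network 172.16.13.0 0.0.0.3 area 0
!
! Default route toward the PIX so the GRE endpoint traffic reaches it
ip route 0.0.0.0 0.0.0.0 10.1.0.1
```

The mirror-image configuration goes on the Site B and Site C routers; once a tunnel drops, OSPF reconverges onto the remaining tunnel without any PIX involvement.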