Wouldn't ipsec wallop a 2500 cpu??

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Tue, 15 Jan 2002, the-other-jason wrote:

> Henry -
>
> Absolutely right, the "dynamic" keyword for crypto maps solves the
> problem, but our Cisco SE and quite a few others at work are quite sure
> that we can't run IPSec on a 2500. I thought the 2500s could be used
> just to provide cleartext encapsulation (to keep the vpn appliances
> happy) .... the link you ref. specifies the 2500 platform and the IOS
> feature navigator _does_ show IPSec support on a 2500 (with the right
> image, of course). Guess I'll have to call our SE ... thanks for the tip!
>
> Hey, if this works we can toss the IPSec appliances!
>
> Jason
>
> Henry D. wrote:
>
> > If I get this correctly you can use dynamic-map feature
> > as seen in the example here:
> >
> > http://www.cisco.com/warp/customer/707/ios_804.html
> >
> > "the-other-jason" wrote in message
> > news:[EMAIL PROTECTED]...
> >
> >>Help, I can't think of a way to do this ..... :-(
> >>
> >>We have two IPSec "appliances" at work that require known, routable
> >>addresses on their "non-secure" ethernet interfaces.
> >>
> >>We want to create a kit engineers can take home for remote IPSec access
> >>into the network from personal cable/dsl connections. Our typical home
> >>networks have a cheapo router running NAT. The router is getting a real
> >>"outside" address from a service provider via DHCP (point "C" in the
> >>drawing). On the inside, we use private addressing (point "B").
> >>
> >>The problem is to configure an IPSec appliance with a real address but
> >>connect it via the private address LAN at home. The obvious way to do
> >>this is with a tunnel, so we've managed to scavenge a couple of old
> >>2500s for this purpose...
> >>
> >>
> >>IPSec              cheapo                                   IPSec
> >>appliance -->2500-->router-->ISP-->Internet-->3660-->2500-->appliance
> >> A B C D
> >>
> >>Ideally, we want a tunnel from the left side of the left 2500 to either
> >>the 3660 or the right 2500 .... so that we can give the left IPSec
> >>appliance some of our address space. With GRE, however, you have to
> >>specify the endpoint addresses in advance, and of course we don't know
> >>what address the ISP will give one via DHCP ....
> >>
> >>After some reading, I _think_ PPPoE, L2F, PPTP, and L2TP won't help us much
> >>
> >>Does anyone have any ideas?
> >>
> >>Jason

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32121&t=32057