On Sun, 5 Mar 2000, Bennett Samowich wrote:
> Where does the VPN box typically go? Is it an additional IOS that gets
> loaded onto the 1417 DSL router? Is it an IOS that gets loaded on a 2600
> that sits between the 1417 and the firewall? Is it something altogether
> different? I should also note that they are NATing the entire address from
> the 1417 DSL router to their existing, external, firewall which is
> supporting a perimeter network.
You can install an additional VPN box if you want to, but that's more
hardware to maintain if you've already got a Cisco 2600 in place.
It really depends on what you're trying to achieve with the VPN; if you're
trying to connect two networks together, then it's simple because you can
use a pre-shared secret and not deal with a certificate server.
If you're trying to assign and manage certificates for individual users,
then the way it works is this (someone correct me if this is wrong because
I haven't implemented it yet, and we're going to implement this in a week
or so):
1) You get a certificate server (i.e. NAI's PGP PKI Server)
2) You install the signing CA's certificate on the router
3) You tell the router where the PKI server is on the internal network
4) You create keys for people and load the certs (now signed by your CA)
into the client software (PGPNet, Cisco's VPN Client, etc.)
5) You create cryptomaps to map VPN traffic from the outside clients into
the NAT.
You'll need to add memory to the 2600 and install the IPSec version of IOS
12.0 in order to make any of this work.
-jon
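The five steps above, pulled together as one IOS 12.0-era configuration fragment for the 2600. This is an added example, not part of Jon's posting: the identity name INTERNAL-CA, the CA URL, the interface names and all addresses (including the 10.10.10.0/24 range the remote clients are assumed to use) are placeholders. It also shows the NAT exemption that a router doing both NAT and IPSec needs, which the thread mentions only in passing.

```text
! Step 2/3: generate RSA keys, point the router at the internal PKI
! server, then fetch the CA certificate and enroll (exec mode, one time):
!   crypto key generate rsa
!   crypto ca authenticate INTERNAL-CA
!   crypto ca enroll INTERNAL-CA
crypto ca identity INTERNAL-CA
 enrollment url http://10.1.1.5:80
 crl optional
!
! Phase 1: peers authenticate with certificates (rsa-sig), not a
! pre-shared secret, so each user can be issued and revoked individually
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication rsa-sig
 group 2
!
! Phase 2 transform set
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
! Step 5: a dynamic map accepts any client whose cert chains to the
! CA installed above; it is bound into the static map applied outside
crypto dynamic-map CLIENTS 10
 set transform-set STRONG
crypto map VPN 100 ipsec-isakmp dynamic CLIENTS
!
interface Serial0/0
 description outside, towards the 1417 DSL router
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map VPN
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! NAT caveat: on the inside-to-outside path IOS translates before it
! encrypts, so traffic bound for the VPN clients must be excluded from
! NAT or it will never match the crypto map and will leave in the clear.
ip nat inside source list 110 interface Serial0/0 overload
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
```

`show crypto isakmp sa` and `show crypto ipsec sa` confirm that a client negotiated with rsa-sig and that packets are being encapsulated rather than translated.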