
Building a VPN without losing your shirt

I have two different Cisco routers running different versions of the IOS firewall and operating system. I want to build a VPN without spending more money on hardware. One of the routers is a 3640 the other is a 2620.

The 2620 is using bootstrap ver 11.3(2)XA4. The 3640 has bootstrap 11.1(20)AA2. The 2620 IOS version is 12.0(7)T and the 3640 is version 12.1(3a).

I don't want to have to rebuild configurations on either of these routers. I'd upgrade the software if I were sure it wouldn't wipe out the current configs. I tried setting up GRE tunnels with a shared key and failed. Any advice would be greatly appreciated.

It's possible to make everything you have work together, but may take a lot longer than it's worth and, at the end of the day, cost you more money. Rather than looking at the sunk costs in your Cisco gear, you might consider some alternatives that work through your Cisco gear.

There are lots of alternatives in the market including small network appliances like NetScreen, SonicWall and WatchGuard and low cost VPN services from companies like E-tunnels, Imperito and OpenReach.

For about $500 street price, you can get a VPN appliance that will do everything you want and not mess with your Cisco configuration. If you're just trying to connect two or three sites, this should work fine. You can use shared secrets for authentication and you won't need any kind of global management.

Alternatively, the low cost service providers may be more efficient if you're going beyond just a few locations or looking to add remote access services. These companies provide everything you need for the premises, but also offer authentication capabilities, configuration management, monitoring and alerting. One nice part about using these types of services is that they allow you to set up VPNs in environments where every location is on a broadband circuit with a variable address served up via DHCP. In some cases, the cost savings there more than pay for the VPN.

In either case, I would avoid messing around with my legacy gear. The processors are simply too slow to do all the packet and encryption processing at even T1 rates, and in some instances we've seen systems capable of high-speed routing (more than 10Mbps) slow down to less than 100Kbps when the VPN was enabled. I've talked to many folks who started with a simple config change and ended up purchasing software upgrades, then more memory and then crypto processors, only to chuck it all and pursue one of these other routes. We refer to these folks as VPN burn victims.

This was last published in December 2002
