Firebox: GRE over IPsec

Hi everyone,

I've got a WatchGuard Firebox III 700 at the moment and I'd like to know if it's possible to set up a GRE over IPsec VPN. If yes, any idea on how to do that?

Thanks a lot!

-- sergerivest

Here's my situation: I got this new job as sysadmin for a company. They have a network where there's a firebox III 700 as the main router and another CISCO router placed somewhere in the DMZ with a box behind it.

When I asked why they had that CISCO 1711 they told me, because the Firebox III 700 didn't support GRE over IPsec, they had to buy this specific CISCO router to be able to do a "branch-to-branch" VPN with the provider.

[p net][p router][o firebox][o cisco][o net]

Legend: == IP; ++ GRE/IPsec; p = provider; o = ours

what I would like (eliminate the cisco router):

[p net][p router][o firebox][o net]

Now is the time to buy "spares" and I'm wondering if it's worth buying another CISCO 1711 or whether we're wasting our money, since the Firebox III 700 could do that VPN connection. I would like to test that before making a decision. I'm not really familiar with setting up branch-to-branch VPNs with GRE over IPsec in the Policy Manager. I'd appreciate an example.

-- sergerivest
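For readers who want to see what "GRE over IPsec" actually asks of the peer, here is an added example (not part of this thread, and not the company's real 1711 configuration): a Cisco IOS sketch of the branch side of such a tunnel, the kind of thing a router like the 1711 does and the post above says the Firebox III 700 cannot. Every concrete value is an assumption: the addresses are from the RFC 5737 documentation ranges, the interface names, tunnel subnet, pre-shared key, remote prefix and cipher suite are placeholders, and an IOS release of that era may only offer 3DES rather than AES.

```cisco
! --- Phase 1 (IKE) with the provider's public address (198.51.100.1, assumed)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
! --- Phase 2: transport mode is enough because GRE already adds an outer IP header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! --- The IPsec selector matches GRE (IP protocol 47) between the two public
! --- addresses, not "our LAN to their LAN": that is the key difference from a
! --- plain branch-office IPsec policy
access-list 101 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address 101
!
! --- The GRE tunnel interface: this is what needs a router-style tunnel endpoint
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
! --- Public interface (192.0.2.1, assumed); the crypto map encrypts the GRE packets
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-MAP
!
! --- Routes to the provider's network (10.10.0.0/16, assumed) point into the tunnel
ip route 10.10.0.0 255.255.0.0 Tunnel0
```

What to check on the wire: the only traffic the IPsec peer will accept is GRE between the two public addresses, wrapped in ESP (IP protocol 50) after IKE on UDP 500. So any firewall in between, the Firebox included, must pass protocols 47 and 50 plus UDP 500 between the tunnel endpoints, and an appliance whose VPN policy is only "local subnet to remote subnet" has nowhere to originate or terminate the GRE tunnel itself; that is the gap the extra router fills.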

We already have 2 VPNs connections with 2 other providers* using IPsec and it's not a problem. The problem is with "GRE" over IPsec. I've seen no mention of GRE on the whole interface. That's what I'm looking to setup.

* Not an internet service provider: a banking-transactions type of provider that "forces" us to their setup.

-- srivest

No we are not but they still insist on using GRE for no reason. We are the little company they are the big one, we have to bend to their setup unfortunately.

-- srivest

I have a BUNCH of firebox units and I'm not having any problems with IPSec tunnels or PPTP tunnels - maybe you can explain what you are trying to do with a little more detail?

If you have GRE problems, I suspect that it's the other end of the VPN, not the WG unit. Many Linksys units have GRE issues, so if your remote unit is a Linksys and you are trying to VPN INBOUND to a server behind the Linksys from the WG, then you are likely to have problems.

-- Leythos

The 700 will easily do a Branch to Branch VPN with every major appliance out there, and even cheap little BEFVP41 units. You just set up a "Manual Branch office VPN" and use IPSec, then create rules that permit access between the two networks.

I have IPSec tunnels between Watchguard and the following: Netscreen, Linksys BEFVP41, Linksys BEFSX41, WatchGuard, D-Link, Netgear, PIX, Check Point FW1, and then remote user PPTP connections.

If your provider gives you a Fixed IP with a full connection, not filtered, you don't need them to do the IPSec tunnels for you; you just set up the WG unit to do a manual VPN tunnel to the remote location. Also, if you get a WG unit for the other office, you can use the Automated BOVPN setup and it will basically auto-configure between the two - takes about 5 minutes to set up the first time.

-- Leythos

In article , wrote:
: Here's my situation: I got this new job as sysadmin for a company. They
: have a network where there's a firebox III 700 as the main router and
: another CISCO router placed somewhere in the DMZ with a box behind it.

: When I asked why they had that CISCO 1711 they told me, because the
: Firebox III 700 didn't support GRE over IPsec, they had to buy this
: specific CISCO router to be able to do a "branch-to-branch" VPN with
: the provider.

Are you perhaps running some layer 2 traffic between the branches? Either with both branches being in the same subnet, or sending something that is non-IP, such as IPX or AppleTalk?

I have never looked at the Firebox series, so I do not know if it can handle layer 2 traffic.

A need for layer 2 would explain why they didn't use a PIX -- PIX have only recently gained layer 2 transparency.

-- Walter Roberson

Have you called WatchGuard about it? It might be supported (as I don't know one way or the other) in a firmware update.

-- Leythos
