VPN through VPN

I apologize if this question has been asked before. I have searched and the results did not lend what I was looking for. I have connected to my office VPN, and the office is connected to the colo VPN. Is it possible to connect to our colo VPN from my current connection at home? I would think it is... perhaps I need some fancy routing/firewall rules? Anyone willing to field this one?

Background info:
Home to Office is 3DES, IKE, preshared key.
Office to Colo is AES, IKE, preshared key.

Home & Office are different types of hardware.
Office & Colo are the same type of hardware.

All VPN access is being performed by network devices and not software on a PC/Server.

Thanks in advance for your assistance,

-james

Reply to
james.p.carter

Does this help?

Spoke to Client VPN:

formatting link

Reply to
[NICK]

It depends on the hardware and on the network topology, and on how it is all configured.

For example, the Cisco PIX devices running 6.x and before, will never send a packet out the same [virtual] interface it came in on, even if it arrived via one VPN and would leave via a different VPN. Your connection to your office is likely via the Internet, and the office to the colo is probably via the Internet, so unless special care were taken, you trying to go via the office to the colo would be refused by this PIX security measure.

PIX devices running 7.x [which most people would say is not ready for production deployment] can be specifically configured to allow in-and-out privileges when at least one of the endpoints is a VPN. The Cisco ASA5500 series of security appliances all run the 7.x series of code, but your office probably isn't running one of those.

Your office might, though, be running a Cisco VPN 3000 or 5000 series concentrator: if so then the topology configuration details determine whether you could do it or not.

With the Cisco PIX series running 5.x or later (most are 6.2 or 6.3 by now, if they haven't gone on to 7.x), the PIX administrator could specifically configure to allow your packets towards the colo to not travel via the connection to the office. You would then need to create a VPN to the colo directly from your home. The appropriate facility is named "split tunneling" for some kinds of VPN configuration, but as you mentioned a hardware VPN rather than a software VPN, the more likely scenario would be for the VPN administrator to configure the main tunnel to simply not accept packets for the other destination.

Cisco also handles VPNs in several available IOS releases for its routers: IOS is more flexible about which packets are allowed to go where, if it has been so configured.

*If* the Office and Colo just -happen- to be running Cisco PIX, then their use of AES would tell me that they are using 6.3 or later software. PIX can easily be configured to support different "transforms" -- e.g., use AES256 if available, AES128 as second choice, 3DES as third choice. That part of the configuration is quite simple, and might well already have been done at the colo.

Unfortunately you didn't mention any brands or models, so if it isn't Cisco then you'll have to read the above as a form of generality about what might happen with the hardware that is there.

Again, unfortunate that you did not mention models. The Linksys BEFSX41 and BEFVP41 are both happy to talk to Cisco PIX, but at least in the rev I have, neither one supports AES. But as I indicated above, it'd be near trivial on a PIX or ASA for the colo to add a 3DES fallback.

I write about the Cisco devices because that's what I know about. I do not know what can or cannot be done with other brands.

Reply to
Walter Roberson
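As an added illustration (not from either poster), here is what the 7.x-style configuration described in the reply above looks like on the office-side Cisco ASA / PIX 7.x: the intra-interface "hairpin" permit, crypto ACLs that carry the hairpinned home-to-colo flow on both tunnels, pre-shared-key phase 1 with AES and 3DES policies, and a transform-set list that prefers AES but falls back to 3DES. All subnets, peer addresses, ACL and map names and the PSK placeholders are constructed for the example.

```text
! Added example, not from the thread: office-side Cisco ASA / PIX 7.x snippet.
! Constructed placeholder networks: home 192.168.10.0/24, office 10.1.0.0/16,
! colo 10.2.0.0/16; constructed peers 203.0.113.10 (home), 198.51.100.20 (colo).

! 1. Hairpinning: allow a packet that arrived on "outside" through one tunnel
!    to leave through "outside" again into the other tunnel (7.x only; 6.x PIX
!    drops it, as the reply describes).
same-security-traffic permit intra-interface

! 2. Crypto ACLs must cover the hairpinned flow on both tunnels.
!    The Home<->Office tunnel also protects Home<->Colo traffic ...
access-list HOME_TUNNEL extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list HOME_TUNNEL extended permit ip 10.2.0.0 255.255.0.0 192.168.10.0 255.255.255.0
!    ... and the Office<->Colo tunnel carries the home subnet too.
access-list COLO_TUNNEL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list COLO_TUNNEL extended permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.0.0
!    The home and colo devices need the mirror-image ACLs.

! 3. Phase 1 with pre-shared keys, as in the question: AES preferred, 3DES
!    available for the home device that cannot do AES.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key HOME_PSK_PLACEHOLDER
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key COLO_PSK_PLACEHOLDER

! 4. Phase 2 transform sets, negotiated in listed order: AES-256, AES-128, 3DES.
crypto ipsec transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TS-AES128 esp-aes esp-sha-hmac
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address HOME_TUNNEL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set TS-AES256 TS-AES128 TS-3DES
crypto map OUTSIDE_MAP 20 match address COLO_TUNNEL
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set transform-set TS-AES256 TS-AES128 TS-3DES
crypto map OUTSIDE_MAP interface outside
```

Hairpinned traffic is still subject to any NAT applied on the outside interface, so exempt it there if NAT is in use. On a 6.x PIX there is no equivalent of the intra-interface permit, which leaves the alternatives the reply gives: a direct home-to-colo tunnel, with the office tunnel configured not to claim colo-bound packets.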

Yes, thank you the link did provide information that helped.

Reply to
mindmerge

Thank you, my hardware is different but you have provided me with enough information. I truly appreciate the response.

Reply to
mindmerge

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.