Site to Site Scenario and Issue

Hi. Currently have 2 SG 210's at Site A and 2 SG210's at Site B and 2 SG210's at Site C. Here is my current scenario:

A<-->B IPSec using RSA

A<-->C SSL Site to Site

Site C has a requirement for higher bandwidth through the Site to Site for DR site at A. SSL is inherently slower than IPSec in my experience. From what I understand I cannot have 2 IPSec Site to Site connections using the same or different protocols(?) Certificate, RSA or Shared key. Would putting a RED 50 behind the Site C SG's help in this scenario?

Site B DOES NOT have to communicate with Site C ever.

Any suggestions on what I can do in this case?

Thanks

  • Hi QS,

    You can have "2 IPSec Site to Site connections using the same or different protocols(?) Certificate, RSA or Shared key." Unless you use OSPF, you can't have two identical tunnels (one or more of the same subnets in both tunnels).

    I would recommend using "AES 126 PFS" to get the best speed and security.  If you had newer, more powerful units with CPUs that have AES-NI, I would recommend cloning that policy and selecting "AES 128 GCM" as the IPsec encryption algorithm.

    Cheers - Bob
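
As an added example (not part of the reply above and not Sophos code), the following check finds the "same subnets in both tunnels" condition before a second IPsec tunnel is added. The site names follow the thread; the subnets are constructed, and the script assumes each tunnel matches traffic by its local/remote subnet pairs. It does not model the OSPF exception.

```python
from ipaddress import ip_network
from itertools import combinations, product

# Constructed sample data: tunnel names follow the thread, subnets are invented.
# The 10.2.8.0/24 entry is a deliberate mistake so the check has something to find.
TUNNELS = {
    "A-B": {"local": ["10.1.0.0/16"], "remote": ["10.2.0.0/16"]},
    "A-C": {"local": ["10.1.0.0/16"], "remote": ["10.3.0.0/16", "10.2.8.0/24"]},
}


def selectors(tunnel):
    """Expand a tunnel definition into its (local, remote) subnet pairs."""
    return [(ip_network(l), ip_network(r))
            for l, r in product(tunnel["local"], tunnel["remote"])]


def find_conflicts(tunnels):
    """Return pairs of tunnels whose selectors would match the same traffic.

    Two selectors conflict when their local subnets overlap AND their
    remote subnets overlap; sharing only the local side (Site A here) is fine.
    """
    conflicts = []
    for (n1, t1), (n2, t2) in combinations(sorted(tunnels.items()), 2):
        for (l1, r1), (l2, r2) in product(selectors(t1), selectors(t2)):
            if l1.overlaps(l2) and r1.overlaps(r2):
                conflicts.append((n1, n2, (str(l1), str(r1)), (str(l2), str(r2))))
    return conflicts


if __name__ == "__main__":
    for n1, n2, s1, s2 in find_conflicts(TUNNELS):
        print(f"{n1} {s1[0]} -> {s1[1]} overlaps {n2} {s2[0]} -> {s2[1]}")
```
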
