Assuming the remote site has a public IP address then there should be no problems.
{Central Site}---[FW-A]---[Rtr-A]---ISDN---[Rtr-B]---[ifx FW-B]---{Remote Site}
For simplicity I've ignored the FR link.
As long as the 'FW-B ifx' is a public address there should be no problem. The VPN will be created between the 'FW-B ifx' IP address and FW-A external IP address - no dynamic address. All the issues of initiating the connection are handled by Rtr-B; the VPN is treated as ordinary IP traffic (which of course it is).
If you want FW-B to support both the FR and the ISDN then you have challenges. In theory with unlimited licences (to accommodate the 2 external interfaces - i.e. FR and ISDN) this could be done. I'm told that the CP FP2 supports dynamic addresses - but I've never tried it. However, the VPN would have to use a common IP address for the SA (security association), irrespective of the physical interface being used (and its associated IP address). In principle this could be achieved by associating the VPN with an IP address on the loopback interface. This sort of worked back in the CP4.0 days, but CP hardened the usage of the loopback interface during the CP4.1SP2 BlackHat fixes. Finally, what products can support both an FR and ISDN interface at a reasonable cost - possibly the new Nokia IP350?
This setup would need some serious testing!
Derin