comtekso

asked on

VPN basics

If I have multiple site-site or LAN to LAN VPNs setup, and use RDC, what is used to direct the traffic thru the appropriate tunnel?
SOLUTION
jhance

This solution is only available to members.
SOLUTION
rburns50

It is a vague question: it depends on the VPN devices at each end. I have used Nortel Contivity switches extensively in the past for Lan2Lan connections (called "branch office tunnels" in Nortel-speak), and when you set up tunnels between sites, you list the local subnets and the remote subnets relative to each end of the link. That info is shared via the setup/handshaking of the IPsec tunnel: if both sides agree that a particular subnet is at one end, it is added to the routing table of the remote-end VPN device, with the next hop being the remote end of the tunnel.

For example, VPN-A says it has 10.x at its end, and VPN-B says it has 11.x at its end. When an IPsec tunnel is being established between them, they exchange that local subnet info in the handshaking phase. VPN-A adds 11.x to its routing table (next hop VPN-B) and VPN-B adds 10.x to its routing table (next hop VPN-A).

ASKER

Great info, Thanks.

We currently have a Cisco PIX 506e and a 1700 series router in our main office, so we will almost certainly use Cisco at the remote ends as well.
SOLUTION
In this case, RPPreacher is correct... I believe that PIX firewalls use access-list statements to define what traffic is classified as "interesting" and should be sent down a VPN tunnel.

In my eyes, Cisco does it in a very stupid way: access-lists are getting SO old. But they are Cisco, so... I guess they know best.

I had no issues with Nortel at all...very easy to setup and manage. Netscreen (now Juniper-owned) is also a better option.
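To make the two selection models from this thread concrete, here is an added example in Python; it is not code from any of the posters, nor Cisco or Nortel code, but a model of the behaviour they describe. The route-based half follows rburns50's Contivity description: each peer's announced subnets become routes whose next hop is that tunnel, and the gateway does an ordinary longest-prefix lookup. The policy-based half follows the PIX description: crypto map entries are walked in sequence-number order and the first crypto ACL line matching the packet's source and destination picks the peer. The ACL lines use the PIX 6.x `access-list NAME permit ip SRC MASK DST MASK` form (subnet masks, not IOS wildcard masks); the peers 203.0.113.x, the 10.x subnets, the ACL names and the sequence numbers are all constructed for this example. An RDC session is just a TCP flow to a host at the remote site, so it is steered by addresses like any other traffic.

```python
"""Model of how a multi-tunnel VPN gateway picks the tunnel for a packet.

Two selection models, both described in the thread above:
  * route-based (Nortel Contivity style): remote subnets learned from each
    peer are routes with the tunnel as next hop; longest prefix wins;
  * policy-based (Cisco PIX style): crypto map entries are tried in sequence
    order and the first crypto ACL line that matches selects the peer.

Peers, subnets, ACL names and sequence numbers are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Acl = Dict[str, List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]]


def parse_pix_acl_line(line: str):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' (PIX 6.x form)."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    name, action = parts[1], parts[2]
    if action != "permit":
        raise ValueError("only permit lines are modelled here")
    src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
    dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
    return name, src, dst


def load_acls(lines) -> Acl:
    acls: Acl = {}
    for line in lines:
        name, src, dst = parse_pix_acl_line(line)
        acls.setdefault(name, []).append((src, dst))
    return acls


# Constructed sample: site A is 10.1.0.0/16 and has three tunnels.
ACL_LINES = [
    "access-list vpn-to-siteB permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0",
    "access-list vpn-to-siteC permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0",
    "access-list vpn-to-siteD permit ip 10.1.0.0 255.255.0.0 10.3.50.0 255.255.255.0",
]
# (sequence, crypto ACL, peer), i.e. 'crypto map M SEQ match address ACL' + 'set peer'.
CRYPTO_MAP = [
    (10, "vpn-to-siteB", "203.0.113.2"),
    (20, "vpn-to-siteC", "203.0.113.3"),
    (30, "vpn-to-siteD", "203.0.113.4"),
]
# Route-based equivalent: the remote subnets each peer announced at tunnel setup.
ROUTES = [
    (ipaddress.ip_network("10.2.0.0/16"), "203.0.113.2"),
    (ipaddress.ip_network("10.3.0.0/16"), "203.0.113.3"),
    (ipaddress.ip_network("10.3.50.0/24"), "203.0.113.4"),
]


def select_peer_policy(crypto_map, acls: Acl, src_ip: str, dst_ip: str) -> Optional[str]:
    """First matching crypto ACL line, in sequence order, wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, acl_name, peer in sorted(crypto_map):
        for acl_src, acl_dst in acls[acl_name]:
            if src in acl_src and dst in acl_dst:
                return peer
    return None  # not "interesting": forwarded in the clear via normal routing


def select_peer_route(routes, dst_ip: str) -> Optional[str]:
    """Ordinary longest-prefix-match lookup over tunnel-learned routes."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, peer in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return best[1] if best else None


def overlapping_entries(crypto_map, acls: Acl):
    """(earlier_seq, later_seq) pairs whose ACLs overlap: the later entry is shadowed."""
    found = []
    entries = sorted(crypto_map)
    for i, (seq_a, acl_a, _) in enumerate(entries):
        for seq_b, acl_b, _ in entries[i + 1:]:
            for s1, d1 in acls[acl_a]:
                for s2, d2 in acls[acl_b]:
                    if s1.overlaps(s2) and d1.overlaps(d2):
                        found.append((seq_a, seq_b))
    return found


if __name__ == "__main__":
    acls = load_acls(ACL_LINES)
    for dst in ("10.2.0.5", "10.3.50.9", "198.51.100.20"):
        print(dst, "policy ->", select_peer_policy(CRYPTO_MAP, acls, "10.1.0.7", dst),
              "route ->", select_peer_route(ROUTES, dst))
    print("shadowed crypto map entries:", overlapping_entries(CRYPTO_MAP, acls))
```

The point worth checking in a real deployment is the difference the two lookups show for 10.3.50.9: the route-based lookup picks the more specific /24 and sends the traffic to peer 203.0.113.4, while the policy-based lookup stops at sequence 20 because its /16 ACL already matches, so the same packet goes to 203.0.113.3 and the entry at sequence 30 never fires. The `overlapping_entries` check flags that pair; on a PIX the fix is to give the more specific ACL the lower sequence number, or to carve the /24 out of the /16 entry.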
ASKER CERTIFIED SOLUTION
Les Moore