I have replaced a mess of Cisco routers with a single Dell PowerConnect 6224. These routers serve (and served) public IPs to clients, and just acted as routers to the upstream provider.
Prior to the replacement, a customer had a VPN appliance that used GRE and IPsec to connect back to their head office.
Prior to the change, the network looked like:
Customer -> Cisco -> Cisco -> internet
Now it looks like:
Customer -> 6224 -> internet
(The IP space that the customer is using has also changed.)
The 6224 was selected for routing duties as the new connection has a data rate of 150Mb/s and the operator of the network did not want to limit themselves to the 100Mb/s that the Ciscos would provide. Upgrading the capability of the Ciscos (or rather, replacing them with Ciscos with the required data rate) was considered too expensive; the 6224 was selected instead.
The customer uses the 6224 as their next-hop to the internet. It is acting as a router -- there are no ACLs or firewall rules or anything like that going on.
After the customer has reconfigured their VPN device, they can no longer connect to it over the internet.
Other customers, using what I presume are standard IPsec VPNs, are operating on the same link without incident.
We have confirmed the IP parameters by replacing the VPN device with an XP laptop. With the same parameters, the laptop can use the internet, and is reachable from the internet as would be expected.
My question: does the 6224 (or whatever router is doing this job) have to understand GRE in order for the connection through it to work? Was there some on-by-default magic in the Ciscos that was handling this for me?
Failing that, is there anything else obvious I should be looking at to figure out why their VPN device does not work?