Comment Cisco VPN (Score 2) 17


It sounds like your vendor is trying to milk you for a buck or they don't know what they are talking about. The only exception to this is if your 2500/2600 is already under such heavy load that it can't handle the CPU overhead of the encryption. The 2600s have hardware DES accelerators for the NAM slot that can greatly improve VPN performance. You would still have to bump up your RAM and Flash to the IOS specs of choice.

A few notes for the fray:
A PIX-to-IOS-Firewall is fairly easy. You can use 3DES on both ends (if you can legally get it offshore) or DES for other stuff. To my knowledge the PIX doesn't support Cisco proprietary encryption, so IPSec would be the way to go. Set up the connections with the same group key on ISAKMP and IPSec tunnel parameters and you should be ready to roll.

The only caveat is that your router should have IOS 12.1 or higher (12.1(4) has a NAT bug) - the 12.0 series has troubles with VPN key negotiation. The other option is to manually exchange the keys and SPIs on a 12.0 IOS version but that is difficult to get right and not recommended for the weak at heart.

User interfaces for PIX or IOS-Firewall configuration are lacking at best. The Cisco tools available are difficult to follow, rather unintuitive, and lagging behind the firmware releases in the development cycle by about 6 months. The command line isn't too difficult for those with some router experience, although the PIX is sorta unique. Just remember "the PIX is not a router" - it does not support routing protocols (other than simplified RIP) or many interfaces other than Ethernet. It also has a weird arrangement for access-lists. Check this Cisco page for command notes:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pix42cfg/pix42cmd.htm

You would be better off monitoring with a syslog stream on the secure fringes of your VPN and a server-side script to parse out violations.

Hope this helps...
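As an added illustration of the "syslog stream plus a server-side script to parse out violations" approach mentioned above (example code, not from the comment author or from Cisco): a small parser for PIX-style access-list deny messages that counts denies per source so repeat offenders stand out. The message formats (106023 and 106001) are the classic PIX syslog layouts; the log lines themselves are constructed samples, not real captures.

```python
import re
from collections import Counter

# Constructed sample syslog lines in PIX message style (illustrative only).
SAMPLE_LOG = """\
Mar  3 10:01:12 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/40211 dst inside:10.0.0.5/23 by access-group "outside_in"
Mar  3 10:01:13 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/40212 dst inside:10.0.0.5/22 by access-group "outside_in"
Mar  3 10:01:15 pix %PIX-6-302001: Built inbound TCP connection 1234 for faddr 198.51.100.7/51000 gaddr 203.0.113.2/443 laddr 10.0.0.9/443
Mar  3 10:01:20 pix %PIX-2-106001: Inbound TCP connection denied from 192.0.2.10/40213 to 10.0.0.5/21 flags SYN on interface outside
Mar  3 10:02:05 pix %PIX-4-106023: Deny udp src outside:198.51.100.44/5353 dst inside:10.0.0.255/5353 by access-group "outside_in"
"""

# 106023: packet dropped by an access-group (the access-list "violations" a PIX logs).
DENY_ACL = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
# 106001: inbound connection attempt denied on an interface.
DENY_CONN = re.compile(
    r'%PIX-\d-106001: Inbound (?P<proto>\w+) connection denied from '
    r'(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)')


def parse_violations(text):
    """Return one dict per denied packet/connection; all other messages are ignored."""
    events = []
    for line in text.splitlines():
        for pattern in (DENY_ACL, DENY_CONN):
            m = pattern.search(line)
            if m:
                events.append({"proto": m["proto"].lower(), "src": m["src"],
                               "dst": m["dst"], "dport": int(m["dport"])})
                break
    return events


def noisy_sources(events, threshold=3):
    """Sources with at least `threshold` denies: the ones worth a closer look."""
    counts = Counter(e["src"] for e in events)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_violations(SAMPLE_LOG)
    for e in found:
        print(f'{e["src"]} -> {e["dst"]}:{e["dport"]} ({e["proto"]}) denied')
    print("repeat offenders:", noisy_sources(found))
```

Feed it the output of a syslog daemon writing the PIX facility to a file (or pipe the stream in) and adjust the threshold to the traffic level on your fringe.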
