Border Manager 3.8.5 and S2S VPN

Similar Messages

• Border Manager and Cisco ACS connection

  The NIC in the Border Manager server failed.
  I installed a new NIC and gave it the same IP address and mask as the old
  one. The lights on the NIC's in both boxes are green but I cannot ping one
  from the other. They are connected with a cross-over cable
  I was told I would have to set up a 'route' - help please.
  The person who would normally set this up is sun bathing on an island
  somewhere in the Indian Ocean.

  > > In article <LShvd.6367$[email protected]>, wrote:
  > > > The NIC in the Border Manager server failed.
  > >
  > > Which NIC? The public side, or the private side?
  > >
  > > > I installed a new NIC and gave it the same IP address and mask as
  the
  > old
  > > > one.
  > >
  > > If this was on the public side, did you also rename the interface the
  > same as
  > > the old one? (If not, your filters may fail to filter).
  > >
  > > > The lights on the NIC's in both boxes are green but I cannot ping
  one
  > > > from the other. They are connected with a cross-over cable
  > >
  > > UNLOAD IPFLT (drops filters) for a test. If you did everything right,
  > the
  > > default filters may be blocking ICMP, and so you would normally not be
  > able
  > > to ping.
  > >
  > > > I was told I would have to set up a 'route' - help please.
  > >
  > > Seems unlikely. Changing a nic will not normally change any
  configured
  > > static routes, as they are stored in a separate file.
  > >
  > > > The person who would normally set this up is sun bathing on an
  island
  > > > somewhere in the Indian Ocean.
  > >
  > > Must be nice!
  > >
  > >
  > > Craig Johnson
  > > Novell Support Connection SysOp
  > > *** For a current patch list, tips, handy files and books on
  > > BorderManager, go to http://www.craigjconsulting.com ***
  > >
  >
  > The card that I replaced in the Border Manager server had a 192.168.x.x
  > address, connected to the card in the ACS box with a cross-over cable.
  The
  > card in the ACS box is also a 192.168.x.x address. I have a route set up
  > to the 192.168.101.0 network specifying the ACS box address as the next
  > hop.
  > Mike
  >
  Problem solved, the card has blown in the ACS box.

• S2S VPN - ASA 5505 to ASA 5540 - Routing Problems

  I'm a software developer (no doubt the issue) trying to setup my remote office (5505) to the main office (5540). No problem getting the S2S VPN up, but I definitely have problems with the routing. Using tracert, it shows it going into the remote network for a couple of hops, but then timing out. Packet tracer shows everything is fine. Using my client VPN credentials to the remote network, same on the return path...does a few hops, then gets lost. I've stripped down the config to the basics and ensured it isn't security settings on both ends, but still doesn't work. I've spent A LOT of hours trying to get this to work, so thanks for any assistance!
  Current running config:
  ASA Version 8.2(5)
  hostname asa15
  enable password XXXXX encrypted
  passwd XXXXX encrypted
  names
  name 10.0.0.0 remote-network
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.5.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  access-list outside_1_cryptomap extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
  access-list inside_access_in extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
  access-list inside_nat0_outbound_1 extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm location remote-network 255.0.0.0 inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 172.16.5.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 3600
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 99.X.X.7
  crypto map outside_map 1 set transform-set ESP-AES-128-SHA
  crypto map outside_map 1 set reverse-route
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 28800
  vpn-addr-assign local reuse-delay 5
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 172.16.5.100-172.16.5.130 inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  tunnel-group 99.X.X.7 type ipsec-l2l
  tunnel-group 99.X.X.7 ipsec-attributes
  pre-shared-key XXXXX
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  : end

  just out of curiosity, why do you have
  route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
  You already set your default route through DHCP setroute under the interface. this could be the issue.
  If your VPN config is ok and you are seeing encaps/decaps, it is likely a routing issue.
  Does the remote device have the correct default gateway?
  May be a Natting issue if you have a one-way tunnel (usually send but no receive)...
  Patrick

• S2S VPN only works in one direction

  I'm very new to cisco devices but we recently acquired a catalyst 2911 device for our co-lo cabinet and I am trying to get a site-to-site vpn connection working between the facility and my offices network as well as a remote access VPN for me to use in case I have to fix something while outside of the office. 
  The office's gateway is 66.119.163.2 and the device is a TZ210 with it's LAN network being 192.168.1.0 /24
  The co-los gateway is 204.244.50.254 and the device is an ASR 2911 with it's LAN network being 10.0.10.0 /24
  The S2S VPN connection is up between the two locations and the 2911 device and the servers within it's LAN can ping and RDP to the office's machines.  The office network can only ping the LAN interface IP on the 2911 which is 10.0.10.1 but not the servers in the network.  the site-to-site VPN was set up with the CCP wizard.
  How can I allow the 192.168.1.0/24 network to see the 10.0.10.1/24 network and why do I only currently see the gateway?
  If need be I can post my running-config file with the preshare keys redacted. 

  I would suggest that you change your vpn client pool to be in a totally unique subnet.
  For example:
  10.20.20.0/24
  ip local pool SDM_POOL_1 10.20.20.200 10.20.20.250
  Then a few ACLs to be modified:
  access-list 101 permit ip 10.10.10.0 0.0.0.255 any
  access-list 105 permit ip 10.20.20.0 0.0.0.255 10.0.10.0 0.0.0.255
  access-list 105 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
  ip access-list extended 106
     5 deny   ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255
  ip access-list extended 107
     5 deny   ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255

• Reporting on Border Manager

  Hi
  Running Border Manager Proxy Server 3.8 on Netware 6.5 sp5, is there a way
  to draw reports on internet access for users?

  In article <akoIi.855$[email protected]>, Janine wrote:
  > Running Border Manager Proxy Server 3.8 on Netware 6.5 sp5, is there a way
  > to draw reports on internet access for users?
  >
  BorderManager has some logging display options built in (described in my BMgr
  3.x book - see the URL below), but mostly you are expected to use 3rd-party
  log analysis tools.
  See tip #21 at the URL below, and tip #72.
  As for commercial programs to look at log files, I've heard Cyfin Reported is
  good, but pricy. Any program which can read a web server's common log files
  could be used to look at your proxy logs, though they may not give the output
  you want.
  Craig Johnson
  Novell Support Connection SysOp
  *** For a current patch list, tips, handy files and books on
  BorderManager, go to http://www.craigjconsulting.com ***

• Managing VMs in Azure and AWS : What's the best practice?

  Hi guys,
    I'm doing some research to understand what my options are when it comes to managing some machines in both Azure and AWS.  I'd ideally like to treat each web service as a separate physical office site, demarking boundaries and putting a Distribution
  Point (or maybe a secondary, based on the bandwidth costs) up in each to handle content distribution.  The VMs within these services are routable, as in I can ping them and they can ping back to the core datacenter where I plan to put the primary.  
    Have you guys done something like this before?  How did it work out?  How would you recommend I approach managing less than 50 Azure + AWS VMs?  I'm trying to keep this infrastructure as simple as is possible, and currently only
  has one Primary site.
    Thanks!
  If this post was helpful, please vote up or 'Mark as Answer'! More of this sort of thing at www.foxdeploy.com

  Managing Azure VMs from an on-prem ConfigMgr instance is supported and should work no problem assuming you have a VPN connection set up (which it sounds like you do):
  http://support.microsoft.com/kb/2889321
  There really is nothing special here. It's just network traffic and the VPN makes the actual physical location of the target managed system irrelevant. As long as the client can communicate with the MP, DP, and WSUS instance on the normal ports (80, 8530,
  and 10123 by default) then it'll work.
  Same goes with Amazon. Although of course it isn't specifically supported by Microsoft, neither is your internal networking infrastructure.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Border Manager 3.9 upgrade

  Are current subscription holders of SMB6.6 eligable for the upgrade to
  3.9 border manager?

  Chuck,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at
  http://support.novell.com.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://support.novell.com/forums)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://support.novell.com/forums/faq_general.html
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Border Manager Radius Services

  Can someone tell me how many DNS servers can you specify with Border
  Manager Radius Services?

  Kerry,
  It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
  - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
  If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Certificate based S2S VPN

  Hi all!
  Please give me advice in the problem below:
  Exist a device in the Small business portfolio which allows certificate based authentication (not only PSK) in S2S VPN?
  Or which is the first/cheapest device that support this function?
  We have to connect a device (remote site) to a Checkpoint firewall (central site) over S2S VPN.
  On the remote site NO fixed IP address. And our contact person sad,  the Checkpoint support this type of connection only with certificate.
  (PSK is not allowed, only with fixed IP)
  Thanks,

  You are on the right track. Client certificates plus OTP authentication methods is one of the most secure ways to setup remote access VPN on the ASA.
  For revocation, the ASA will generally check the CRLs on the issuing CA. (or in rare cases use OCSP)
  For your second post, you use connection-profiles (i.e. pre-login selection) to configure the different authentication methods for your two (or more) use cases.
  You might want to invest in the certifcation guide for the CCNP VPN exam: 
  CCNP Security VPN 642-648 Official Cert Guide (2nd Edition)
  Even though that exam is being retired next month, it has a wealth of information that complements the configuration guides with a more comprehensive explanation of just the type of questions you are asking.

• S2S VPN Dropping GroupWise Connection

  We have a S2S vpn between two BM 3.8.4 servers. At the remote site, the
  user has a full GroupWise 7.0.2 client running in caching mode, which
  connects to the post office at the home site. Everything will work fine
  for about 4 hours, then the GW client will fail to connect. The only way
  to recover is to reboot the client system. While the GW client will not
  connect, all other services through the tunnel work fine. The servers
  never lose contact, and I can even remote the system in question while it
  can't connect to GW.
  There is nothing scheduled to run every 4 hours on the system or the
  servers. The NIC is not set to power off. We sent another system to the
  remote site, and brought his back here. The new system at the remote site
  does the same thing, but the old system connected to the post
  office locally without going through the vpn stays connected.
  I looked at the old (2004) post from Craig about making sure the connection
  can be initiated from both sides, and it can. Am I missing something?
  TIA

  In article <f6Fkk.13632$[email protected]>, Randall Diekmeyer
  wrote:
  > It seems to happen every four hours. Would a packet capture from the BM
  > server do? That would save me from a 10 hr round trip. :-)
  >
  That's hard to say. Capturing packets might just get you a bunch of
  encrypted traffic and miss what is going on at the client. Wouldn't hurt
  though.
  Why not try to remote into the problem PC and install wireshark, and then
  use it remotely? Either RDP, or VNC. You'll have to filter out the remote
  control traffic, and probably other stuff as well, but you will at least
  see what is happening where it is important.
  Craig Johnson
  Novell Support Connection SysOp
  *** For a current patch list, tips, handy files and books on
  BorderManager, go to http://www.craigjconsulting.com ***

• WatchGuard S2S VPN very slow

  Hi guys,
  I have created a site to site VPN between my WatchGuard XTM firewall and MS Azure static gateway. The VPN connects without any issues, but I noticed the file transfer speeds to my servers (via SMB) are very slow. Most of the time it peaks at 350KB/s, sometimes
  it hovers around 70KB/s. I have 200Mbps fibre link that is not saturated at all.
  sometimes it reaches 3-5MB/s, but it is rare and random.
  I'm located in Sydney Australia, the Virtual network is in the UK. I tried to test the Netherlands and Sydney data centres, same exact problem, very poor performance.
  Anyone having similar issues with S2S VPNs?
  Thanks,
  Ib

  Hello Code_Jax,
  1. Have you created the Azure resources in the same data center region?
  2. Is the region that you have chosen close to your On-premise network?
  I suggest that you change the region where you have deployed your Azure Resources and check if you get the same Performance.
  I also suggest that you use Netmon to  and analyze network traffic. You can follow the link below to download Netmon:
  https://www.microsoft.com/en-us/download/details.aspx?id=4865
  Thanks,
  Syed Irfan Hussain

• IPsec S2S VPN Encap/Decap

  hi,
  i created a S2S VPN and the ASA2's internet connection isn't that good and some packet losses would be 'normal'.
  i'm not sure if that relates to the unequal encap/decaps on my 'sh crypto ipsec sa' output.
  is the below reading normal?
  ASA1:
        #pkts encaps: 129766, #pkts encrypt: 130193, #pkts digest: 130193
        #pkts decaps: 90306, #pkts decrypt: 90306, #pkts verify: 90306
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 129766, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 427, #pre-frag failures: 0, #fragments created: 854
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 29
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
  ASA2:
   #pkts encaps: 533, #pkts encrypt: 533, #pkts digest: 533
        #pkts decaps: 600, #pkts decrypt: 600, #pkts verify: 600
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 533, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 36
        #send errors: 0, #recv errors: 0

  Hi,
  I don't think there is anything unusual about the packet count being different for decaps/encaps
  I would imagine that typically the data transfer is uneven so I don't expect ever to see these counters match. Only time is usually when just configuring a new connection and testing it with ICMP which would result in identical count in encap/decap counters (if the ICMP went through) as we would see echo/echo-reply packets.
  If you would see zero counter on one of the SA pairs then it would indicate a problem
  I don't see anything special/strange in the above.
  - Jouni

• S2S VPN

  Hello,
  I been trying to get my cisco VPN for few days now, and haven't gotten far.. NO traffic going across the sites..
  RouterB# 2801 IOS adventerprisek9-mz.124-22.YB8
  crypto isakmp policy 10
  authentication pre-share
  group 2
  crypto isakmp key P2P address 24.47.184.XX
  crypto ipsec transform-set P2P ah-sha-hmac
  crypto map S2S-VPN-MAP 100 ipsec-isakmp
  set peer 24.47.184.XX
  set transform-set P2P
  match address S2S-VPN-TRAFFIC
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
          Peer = 24.47.184.XX
          Extended IP access list S2S-VPN-TRAFFIC
              access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
          Security association lifetime: 4608000 kilobytes/3600 seconds
          PFS (Y/N): N
          Transform sets={
                  P2P:  { ah-sha-hmac  } ,
          Interfaces using crypto map S2S-VPN-MAP:
  RouterB#  2821 IOS 2800nm-advipservicesk9-mz.124-24.T1
  crypto isakmp policy 10
  authentication pre-share
  group 2
  crypto isakmp key P2P address 108.170.99.XX
  crypto ipsec transform-set P2P ah-sha-hmac
  crypto map S2S-VPN-MAP 100 ipsec-isakmp
  set peer 108.170.99.XXX
  set transform-set P2P
  match address S2S-VPN-TRAFFIC
  Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
          Peer = 108.170.99.XX
          Extended IP access list S2S-VPN-TRAFFIC
              access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
          Security association lifetime: 4608000 kilobytes/3600 seconds
          Responder-Only (Y/N): N
          PFS (Y/N): N
          Transform sets={
                  P2P:  { ah-sha-hmac  } ,
          Interfaces using crypto map S2S-VPN-MAP:
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  I have applied the crypto map on the interfaces and created ACL to allow the traffic..
  I would appreciate if someone can point me on the right direction..

  Not to sure if it makes a difference, but RouterA isn;t the same as B when i do show cry engine bri
  RouterB#sh crypto engine bri
          crypto engine name:  Virtual Private Network (VPN) Module
          crypto engine type:  hardware
                       State:  Enabled
                    Location:  onboard 0
                Product Name:  Onboard-VPN
          Middleware Version:  v1.3.3
            Firmware Version:  v2.3.3
                Time running:  153029 seconds
                 Compression:  Yes
                         DES:  Yes
                       3 DES:  Yes
                     AES CBC:  Yes (128,192,256)
                    AES CNTR:  No
       Maximum buffer length:  4096
            Maximum DH index:  0000
            Maximum SA index:  0000
          Maximum Flow index:  2400
        Maximum RSA key size:  2048
          crypto engine name:  Cisco VPN Software Implementation
          crypto engine type:  software
               serial number:  EBFFDF68
         crypto engine state:  installed
       crypto engine in slot:  N/A
  RouterA#sh crypto engine bri
          crypto engine name:  Virtual Private Network (VPN) Modul
          crypto engine type:  hardware
                       State:  Enabled
                    Location:  onboard 0
                Product Name:  Onboard-VPN
                  HW Version:  1.0
                 Compression:  Yes
                         DES:  Yes
                       3 DES:  Yes
                     AES CBC:  Yes (128,192,256)
                    AES CNTR:  No
       Maximum buffer length:  4096
            Maximum DH index:  0000
            Maximum SA index:  0000
          Maximum Flow index:  0300
        Maximum RSA key size:  0000
          crypto engine name:  Cisco VPN Software Implementation
          crypto engine type:  software
               serial number:  93994D78
         crypto engine state:  installed
       crypto engine in slot:  N/A

• How to have one centeral management console for DB and Application server?

  Hi
  Thank you for reading my post
  I read in several places that ORACLE provide facilitis that help developers to have one centeral console to manage Application server / Database and what ever oracle products.
  I want to know that, when i have Oracle 10g r2 and Application server 10.1.3.1 installed, how i can use that centeral management console?
  is it some other application that i should install ?
  or it is just some more configuration?
  thanks

  What you are looking for is called Grid Control.
  You will need the Grid Control Agent installed on each server that has products from Oracle's technology stack installed (database, web server, app server, etc). You will also need install the Grid Control software and repository.
  You can download Grid Control from the following link:
  http://www.oracle.com/technology/software/products/oem/index.html

• I need your help with a decision to use iPhoto.  I have been a PC user since the mid 1980's and more recently have used ACDSee to manage my photo images and Photoshop to edit them.  I have used ProShow Gold to create slideshows.  I am comfortable with my

  I need your help with a decision to use iPhoto.  I have been a PC user since the mid 1980’s and more recently have used ACDSee to manage my photo images and Photoshop to edit them.  I have used ProShow Gold to create slideshows.  I am comfortable with my own folder and file naming conventions. I currently have over 23,000 images of which around 60% are scans going back 75 years.  Since I keep a copy of the originals, the storage requirements for over 46,000 images is huge.  180GB plus.
  I now have a Macbook Pro and will add an iMac when the new models arrive.  For my photos, I want to stay with Photoshop which also gives me the Bridge.  The only obvious reason to use iPhoto is to take advantage of Faces and the link to iMovie to make slideshows.  What am I missing and is using iPhoto worth the effort?
  If I choose to use iPhoto, I am not certain whether I need to load the originals and the edited versions. I suspect that just the latter is sufficient.  If I set PhotoShop as my external editor, I presume that iPhoto will keep track of all changes moving forward.  However, over 23,000 images in iPhoto makes me twitchy and they are appear hidden within iPhoto.  In the past, I have experienced syncing problems with, and database errors in, large databases.  If I break up the images into a number of projects, I loose the value of Faces reaching back over time.
  Some guidance and insight would be appreciated.  I have a number of Faces questions which I will save for later. 

  Bridge and Photoshop is a common file-based management system. (Not sure why you'd have used ACDSEE as well as Bridge.) In any event, it's on the way out. You won't be using it in 5 years time.
  Up to this the lack of processing power on your computer left no choice but to organise this way. But file based organisation is as sensible as organising a Shoe Warehouse based on the colour of the boxes. It's also ultimately data-destructive.
  Modern systems are Database driven. Files are managed, Images imported, virtual versions, lossless processing and unlimited editing are the way forward.
  For a Photographer Photoshop is overkill. It's an enormously powerful app, a staple of the Graphic Designers' trade. A Photographer uses maybe 15% to 20% of its capability.
  Apps like iPhoto, Lightroom, Aperture are the way forward - for photographers. There's the 20% of Photoshop that shooters actually use, coupled with management and lossless processing. Pop over to the Aperture or Lightroom forums (on the Adobe site) and one comment shows up over and over again... "Since I started using Aperture/ Lightroom I hardly ever use Photoshop any more..." and if there is a job that these apps can do, then the (much) cheaper Elements will do it.
  The change is not easy though, especially if you have a long-standing and well thought out filing system of your own. The first thing I would strongly advise is that you experiment before making any decisions. So I would create a Library, import 300 or 400 shots and play. You might as well do this in iPhoto to begin with - though if you’re a serious hobbyist or a Pro then you'll find yourself looking further afield pretty soon. iPhoto is good for the family snapper, taking shots at birthdays and sharing them with friends and family.
  Next: If you're going to successfully use these apps you need to make a leap: Your files are not your Photos.
  The illustration I use is as follows: In my iTunes Library I have a file called 'Let_it_Be_The_Beatles.mp3'. So what is that, exactly? It's not the song. The Beatles never wrote an mp3. They wrote a tune and lyrics. They recorded it and a copy of that recording is stored in the mp3 file. So the file is just a container for the recording. That container is designed in a specific way attuned to the characteristics and requirements of the data. Hence, mp3.
  Similarly, that Jpeg is not your photo, it's a container designed to hold that kind of data. iPhoto is all about the data and not about the container. So, regardless of where you choose to store the file, iPhoto will manage the photo, edit the photo, add metadata to the Photo but never touch the file. If you choose to export - unless you specifically choose to export the original - iPhoto will export the Photo into a new container - a new file containing the photo.
  When you process an image in iPhoto the file is never touched, instead your decisions are recorded in the database. When you view the image then the Master is presented with these decisions applied to it. That's why it's lossless. You can also have multiple versions and waste no disk space because they are all just listings in the database.
  These apps replace the Finder (File Browser) for managing your Photos. They become the Go-To app for anything to do with your photos. They replace Bridge too as they become a front-end for Photoshop.
  So, want to use a photo for something - Export it. Choose the format, size and quality you want and there it is. If you're emailing, uploading to websites then these apps have a "good enough for most things" version called the Preview - this will be missing some metadata.
  So it's a big change from a file-based to Photo-based management, from editing files to processing Photos and it's worth thinking it through before you decide.