IPSec VPN Design

Vijay Bollapragada, Mohamed Khalid, Scott Wainner

Apr 2005, Paperback, 384 pages 
ISBN13: 9781587051111
ISBN10: 1587051117
Special online offer - Save 30%: Was £39.99, Now £27.99

Description

The definitive design and deployment guide for secure virtual private networks

  • Learn about IPSec protocols and Cisco IOS IPSec packet processing
  • Understand the differences between IPSec tunnel mode and transport mode
  • Evaluate the IPSec features that improve VPN scalability and fault tolerance, such as dead peer detection and control plane keepalives
  • Overcome the challenges of working with NAT and PMTUD
  • Explore IPSec remote-access features, including extended authentication, mode-configuration, and digital certificates
  • Examine the pros and cons of various IPSec connection models such as native IPSec, GRE, and remote access
  • Apply fault tolerance methods to IPSec VPN designs
  • Employ mechanisms to alleviate the configuration complexity of a large-scale IPSec VPN, including Tunnel End-Point Discovery (TED) and Dynamic Multipoint VPNs (DMVPN)
  • Add services to IPSec VPNs, including voice and multicast
  • Understand how network-based VPNs operate and how to integrate IPSec VPNs with MPLS VPNs

Among the many functions that networking technologies permit is the ability for organizations to easily and securely communicate with branch offices, mobile users, telecommuters, and business partners. Such connectivity is now vital to maintaining a competitive level of business productivity. Although several technologies exist that can enable interconnectivity among business sites, Internet-based virtual private networks (VPNs) have evolved as the most effective means to link corporate network resources to remote employees, offices, and mobile workers. VPNs provide productivity enhancements, efficient and convenient remote access to network resources, site-to-site connectivity, a high level of security, and tremendous cost savings.

IPSec VPN Design is the first book to present a detailed examination of the design aspects of IPSec protocols that enable secure VPN communication. Divided into three parts, the book provides a solid understanding of design and architectural issues of large-scale, secure VPN solutions. Part I includes a comprehensive introduction to the general architecture of IPSec, including its protocols and Cisco IOS® IPSec implementation details. Part II examines IPSec VPN design principles covering hub-and-spoke, full-mesh, and fault-tolerant designs. This part of the book also covers dynamic configuration models used to simplify IPSec VPN designs. Part III addresses design issues in adding services to an IPSec VPN such as voice and multicast. This part of the book also shows you how to effectively integrate IPSec VPNs with MPLS VPNs.

IPSec VPN Design provides you with the field-tested design and configuration advice to help you deploy an effective and secure VPN solution in any environment.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Contents

Introduction

Chapter 1  Introduction to VPNs
  Motivations for Deploying a VPN
  VPN Technologies
  Layer 2 VPNs
  Layer 3 VPNs
  Remote Access VPNs
  Summary

Chapter 2  IPSec Overview
  Encryption Terminology
  Symmetric Algorithms
  Asymmetric Algorithms
  Digital Signatures
  IPSec Security Protocols
  IPSec Transport Mode
  IPSec Tunnel Mode
  Encapsulating Security Header (ESP)
  Authentication Header (AH)
  Key Management and Security Associations
  The Diffie-Hellman Key Exchange
  Security Associations and IKE Operation
  IKE Phase 1 Operation
  IKE Phase 2 Operation
  IPSec Packet Processing
  Summary

Chapter 3  Enhanced IPSec Features
  IKE Keepalives
  Dead Peer Detection
  Idle Timeout
  Reverse Route Injection
  RRI and HSRP
  Stateful Failover
  SADB Transfer
  SADB Synchronization
  IPSec and Fragmentation
  IPSec and PMTUD
  Look Ahead Fragmentation
  GRE and IPSec
  IPSec and NAT
  Effect of NAT on AH
  Effect of NAT on ESP
  Effect of NAT on IKE
  IPSec and NAT Solutions
  Summary

Chapter 4  IPSec Authentication and Authorization Models
  Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)
  Mode-Configuration (MODECFG)
  Easy VPN (EzVPN)
  EzVPN Client Mode
  Network Extension Mode
  Digital Certificates for IPSec VPNs
  Digital Certificates
  Certificate Authority–Enrollment
  Certificate Revocation
  Summary

Chapter 5  IPSec VPN Architectures
  IPSec VPN Connection Models
  IPSec Model
  The GRE Model
  The Remote Access Client Model
  IPSec Connection Model Summary
  Hub-and-Spoke Architecture
  Using the IPSec Model
  Transit Spoke-to-Spoke Connectivity Using IPSec
  Internet Connectivity
  Scalability Using the IPSec Connection Model
  GRE Model
  Transit Site-to-Site Connectivity
  Transit Site-to-Site Connectivity with Internet Access
  Scalability of GRE Hub-and-Spoke Models
  Remote Access Client Connection Model
  Easy VPN (EzVPN) Client Mode
  EzVPN Network Extension Mode
  Scalability of Client Connectivity Models
  Full-Mesh Architectures
  Native IPSec Connectivity Model
  GRE Model
  Summary

Chapter 6  Designing Fault-Tolerant IPSec VPNs
  Link Fault Tolerance
  Backbone Network Fault Tolerance
  Access Link Fault Tolerance
  Access Link Fault Tolerance Summary
  IPSec Peer Redundancy
  Simple Peer Redundancy Model
  Virtual IPSec Peer Redundancy Using HSRP
  IPSec Stateful Failover
  Peer Redundancy Using GRE
  Virtual IPSec Peer Redundancy Using SLB
  Server Load Balancing Concepts
  IPSec Peer Redundancy Using SLB
  Cisco VPN 3000 Clustering for Peer Redundancy
  Peer Redundancy Summary
  Intra-Chassis IPSec VPN Services Redundancy
  Stateless IPSec Redundancy
  Stateful IPSec Redundancy
  Summary

Chapter 7  Auto-Configuration Architectures for Site-to-Site IPSec VPNs
  IPSec Tunnel Endpoint Discovery
  Principles of TED
  Limitations with TED
  TED Configuration and State
  TED Fault Tolerance
  Dynamic Multipoint VPN
  Multipoint GRE Interfaces
  Next Hop Resolution Protocol
  Dynamic IPSec Proxy Instantiation
  Establishing a Dynamic Multipoint VPN
  DMVPN Architectural Redundancy
  DMVPN Model Summary
  Summary

Chapter 8  IPSec and Application Interoperability
  QoS-Enabled IPSec VPNs
  Overview of IP QoS Mechanisms
  IPSec Implications for Classification
  IPSec Implications on QoS Policies
  VoIP Application Requirements for IPSec VPN Networks
  Delay Implications
  Jitter Implications
  Loss Implications
  IPSec VPN Architectural Considerations for VoIP
  Decoupled VoIP and Data Architectures
  VoIP over IPSec Remote Access
  VoIP over IPSec-Protected GRE Architectures
  VoIP Hub-and-Spoke Architecture
  VoIP over DMVPN Architecture
  VoIP Traffic Engineering Summary
  Multicast over IPSec VPNs
  Multicast over IPSec-protected GRE
  Multicast on Full-Mesh Point-to-Point GRE/IPSec Tunnels
  DMVPN and Multicast
  Multicast Group Security
  Multicast Encryption Summary
  Summary

Chapter 9  Network-Based IPSec VPNs
  Fundamentals of Network-Based VPNs
  The Network-Based IPSec Solution: IOS Features
  The Virtual Routing and Forwarding Table
  Crypto Keyrings
  ISAKMP Profiles
  Operation of Network-Based IPSec VPNs
  A Single IP Address on the PE
  Front-Door and Inside VRF
  Configuration and Packet Flow
  Termination of IPSec on a Unique IP Address Per VRF
  Network-Based VPN Deployment Scenarios
  IPSec to MPLS VPN over GRE
  IPSec to L2 VPNs
  PE-PE Encryption
  Summary

Index

Author

Vijay Bollapragada, CCIE® No. 1606, is a senior manager in the Network Systems Integration and Test Engineering group at Cisco Systems®, where he works on the architecture, design, and validation of complex network solutions.

Mohamed Khalid, CCIE No. 2435, is a technical leader working with IP VPN solutions at Cisco®. He works extensively with service providers across the globe and their associated Cisco account teams to determine technical and engineering requirements for various IP VPN architectures.

Scott Wainner is a Distinguished Systems Engineer in the U.S. Service Provider Sales Organization at Cisco Systems where he focuses on VPN architecture and solution development. In this capacity, he provides customer guidance on IP VPN architectures and drives internal development initiatives within Cisco Systems.

Copyright Pearson Education