IPSec VPN Design

Book Description

The definitive design and deployment guide for secure virtual private networks

  • Learn about IPSec protocols and Cisco IOS IPSec packet processing

  • Understand the differences between IPSec tunnel mode and transport mode

  • Evaluate the IPSec features that improve VPN scalability and fault tolerance, such as dead peer detection and control plane keepalives

  • Overcome the challenges of working with NAT and PMTUD

  • Explore IPSec remote-access features, including extended authentication, mode-configuration, and digital certificates

  • Examine the pros and cons of various IPSec connection models such as native IPSec, GRE, and remote access

  • Apply fault tolerance methods to IPSec VPN designs

  • Employ mechanisms to alleviate the configuration complexity of a large-scale IPSec VPN, including Tunnel End-Point Discovery (TED) and Dynamic Multipoint VPNs (DMVPN)

  • Add services to IPSec VPNs, including voice and multicast

  • Understand how network-based VPNs operate and how to integrate IPSec VPNs with MPLS VPNs

Among the many functions that networking technologies permit is the ability for organizations to easily and securely communicate with branch offices, mobile users, telecommuters, and business partners. Such connectivity is now vital to maintaining a competitive level of business productivity. Although several technologies exist that can enable interconnectivity among business sites, Internet-based virtual private networks (VPNs) have evolved as the most effective means to link corporate network resources to remote employees, offices, and mobile workers. VPNs provide productivity enhancements, efficient and convenient remote access to network resources, site-to-site connectivity, a high level of security, and tremendous cost savings.

IPSec VPN Design is the first book to present a detailed examination of the design aspects of IPSec protocols that enable secure VPN communication. Divided into three parts, the book provides a solid understanding of design and architectural issues of large-scale, secure VPN solutions. Part I includes a comprehensive introduction to the general architecture of IPSec, including its protocols and Cisco IOS® IPSec implementation details. Part II examines IPSec VPN design principles covering hub-and-spoke, full-mesh, and fault-tolerant designs. This part of the book also covers dynamic configuration models used to simplify IPSec VPN designs. Part III addresses design issues in adding services to an IPSec VPN such as voice and multicast. This part of the book also shows you how to effectively integrate IPSec VPNs with MPLS VPNs.

IPSec VPN Design provides you with the field-tested design and configuration advice to help you deploy an effective and secure VPN solution in any environment.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Table of Contents

    1. Copyright
      1. Dedications
    2. About the Authors
    3. About the Technical Editors
    4. Acknowledgments
    5. Icons Used in This Book
      1. Command Syntax Conventions
      2. Introduction
        1. The Goals of This Book
        2. Who Should Read This Book
        3. How This Book Is Organized
    6. 1. Introduction to VPNs
      1. Motivations for Deploying a VPN
      2. VPN Technologies
        1. Layer 2 VPNs
        2. Layer 3 VPNs
          1. GRE Tunnels
          2. MPLS VPNs
          3. IPSec VPNs
        3. Remote Access VPNs
      3. Summary
    7. 2. IPSec Overview
      1. Encryption Terminology
        1. Symmetric Algorithms
        2. Asymmetric Algorithms
        3. Digital Signatures
      2. IPSec Security Protocols
        1. IPSec Transport Mode
        2. IPSec Tunnel Mode
        3. Encapsulating Security Payload (ESP)
        4. Authentication Header (AH)
      3. Key Management and Security Associations
        1. The Diffie-Hellman Key Exchange
        2. Security Associations and IKE Operation
        3. IKE Phase 1 Operation
          1. Main Mode
          2. Aggressive Mode
          3. Authentication Methods
            1. Pre-shared Key Authentication
            2. Digital Signature Authentication
        4. IKE Phase 2 Operation
          1. Quick Mode
        5. IPSec Packet Processing
          1. Security Policy Database
          2. Security Association Database (SADB)
          3. Cisco IOS IPSec Packet Processing
      4. Summary
    8. 3. Enhanced IPSec Features
      1. IKE Keepalives
      2. Dead Peer Detection
      3. Idle Timeout
      4. Reverse Route Injection
        1. RRI and HSRP
      5. Stateful Failover
        1. SADB Transfer
        2. SADB Synchronization
      6. IPSec and Fragmentation
        1. IPSec and PMTUD
        2. Look Ahead Fragmentation
      7. GRE and IPSec
      8. IPSec and NAT
        1. Effect of NAT on AH
        2. Effect of NAT on ESP
        3. Effect of NAT on IKE
        4. IPSec and NAT Solutions
          1. NAT Traversal (NAT-T)
          2. IPSec Pass-through
          3. IKE Passing Through PAT
          4. ESP Passing Through PAT
          5. Restricted ESP Through PAT Mode
      9. Summary
    9. 4. IPSec Authentication and Authorization Models
      1. Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)
      2. Mode-Configuration (MODECFG)
      3. Easy VPN (EzVPN)
        1. EzVPN Client Mode
        2. Network Extension Mode
      4. Digital Certificates for IPSec VPNs
        1. Digital Certificates
        2. Certificate Authority—Enrollment
        3. Certificate Revocation
      5. Summary
    10. 5. IPSec VPN Architectures
      1. IPSec VPN Connection Models
        1. IPSec Model
        2. The GRE Model
        3. The Remote Access Client Model
        4. IPSec Connection Model Summary
      2. Hub-and-Spoke Architecture
        1. Using the IPSec Model
        2. Transit Spoke-to-Spoke Connectivity Using IPSec
        3. Internet Connectivity
        4. Scalability Using the IPSec Connection Model
        5. GRE Model
          1. Transit Site-to-Site Connectivity
          2. Transit Site-to-Site Connectivity with Internet Access
          3. Scalability of GRE Hub-and-Spoke Models
        6. Remote Access Client Connection Model
          1. Easy VPN (EzVPN) Client Mode
          2. EzVPN Network Extension Mode
        7. Scalability of Client Connectivity Models
      3. Full-Mesh Architectures
        1. Native IPSec Connectivity Model
        2. GRE Model
      4. Summary
    11. 6. Designing Fault-Tolerant IPSec VPNs
      1. Link Fault Tolerance
        1. Backbone Network Fault Tolerance
        2. Access Link Fault Tolerance
          1. Multiple IKE Identities
          2. Multiple IKE Identities Associated with Dial Backup
          3. Single IKE Identity
          4. Single IKE Identity Using Multi-link PPP on the Access Links
        3. Access Link Fault Tolerance Summary
        4. IPSec Peer Redundancy
        5. Simple Peer Redundancy Model
        6. Virtual IPSec Peer Redundancy Using HSRP
        7. IPSec Stateful Failover
        8. Peer Redundancy Using GRE
        9. Virtual IPSec Peer Redundancy Using SLB
        10. Server Load Balancing Concepts
      2. IPSec Peer Redundancy Using SLB
        1. Cisco VPN 3000 Clustering for Peer Redundancy
        2. Peer Redundancy Summary
      3. Intra-Chassis IPSec VPN Services Redundancy
        1. Stateless IPSec Redundancy
        2. Stateful IPSec Redundancy
      4. Summary
    12. 7. Auto-Configuration Architectures for Site-to-Site IPSec VPNs
      1. IPSec Tunnel Endpoint Discovery
        1. Principles of TED
        2. Limitations with TED
        3. TED Configuration and State
        4. TED Fault Tolerance
      2. Dynamic Multipoint VPN
        1. Multipoint GRE Interfaces
        2. Next Hop Resolution Protocol
        3. Dynamic IPSec Proxy Instantiation
        4. Establishing a Dynamic Multipoint VPN
        5. DMVPN Architectural Redundancy
        6. DMVPN Model Summary
      3. Summary
    13. 8. IPSec and Application Interoperability
      1. QoS-Enabled IPSec VPNs
        1. Overview of IP QoS Mechanisms
        2. IPSec Implications for Classification
          1. QoS Applied to IPSec Transport Mode
          2. QoS Applied to IPSec Tunnel Mode
          3. IPSec Transport Mode - QoS Attribute Preservation of GRE Tunnels
          4. Transitive QoS Applied to IPSec
          5. Internal Preservation of QoS Attributes
        3. IPSec Implications on QoS Policies
          1. IPSec Implications of Packet Size Distribution on Queue Structures
          2. IPSec Implications of Packet Size on Queue Bandwidth Assignments
      2. VoIP Application Requirements for IPSec VPN Networks
        1. Delay Implications
        2. Jitter Implications
        3. Loss Implications
          1. Mitigating Anti-replay Loss in Combined Voice/Data Flows
          2. Mitigating Anti-replay Loss in Separate Voice/Data Flows
          3. Engineering Best Practices for Voice and IPSec
      3. IPSec VPN Architectural Considerations for VoIP
        1. Decoupled VoIP and Data Architectures
        2. VoIP over IPSec Remote Access
        3. VoIP over IPSec-Protected GRE Architectures
        4. VoIP Hub-and-Spoke Architecture
        5. VoIP over DMVPN Architecture
          1. VoIP Bearer Path Optimization with DMVPN
          2. VoIP Bearer Path Synchronization with DMVPN
        6. VoIP Traffic Engineering Summary
      4. Multicast over IPSec VPNs
        1. Multicast over IPSec-protected GRE
        2. Multicast on Full-Mesh Point-to-Point GRE/IPSec Tunnels
        3. DMVPN and Multicast
        4. Multicast Group Security
          1. Group Security Key Management
          2. Group Security Association
          3. Multicast Group Security Summary
        5. Multicast Encryption Summary
      5. Summary
    14. 9. Network-Based IPSec VPNs
      1. Fundamentals of Network-Based VPNs
      2. The Network-Based IPSec Solution: IOS Features
        1. The Virtual Routing and Forwarding Table
        2. Crypto Keyrings
        3. ISAKMP Profiles
      3. Operation of Network-Based IPSec VPNs
        1. A Single IP Address on the PE
        2. Front-Door and Inside VRF
        3. Configuration and Packet Flow
          1. Generic MPLS VPN Configuration on the PE
          2. Mapping an IPSec Tunnel from a Site into IVRF at the PE
          3. Mapping an IPSec Tunnel from a Telecommuter into an IVRF at the PE
        4. Termination of IPSec on a Unique IP Address Per VRF
      4. Network-Based VPN Deployment Scenarios
        1. IPSec to MPLS VPN over GRE
          1. DMVPN and VRF
        2. IPSec to L2 VPNs
        3. PE-PE Encryption
      5. Summary