IPsec Virtual Private Network Fundamentals
By James Henry Carmouche, CCIE No. 6085
Publisher: Cisco Press
Pub Date: July 19, 2006
Print ISBN-10: 1-58705-207-5
Print ISBN-13: 978-1-58705-207-1
Pages: 480
An introduction to designing and configuring Cisco IPsec VPNs

Understand the basics of the IPsec protocol and learn implementation best practices
Study up-to-date IPsec design, incorporating current Cisco innovations in the security and VPN marketplace
Learn how to avoid common pitfalls related to IPsec deployment
Reinforce theory with case studies and configuration examples showing how IPsec maps to real-world solutions

IPsec Virtual Private Network Fundamentals provides a basic working knowledge of IPsec on various Cisco routing and switching platforms. It provides the foundation necessary to understand the different components of the Cisco IPsec implementation and how it can be successfully implemented in a variety of network topologies and markets (service provider, enterprise, financial, government). This book views IPsec as an emerging requirement in most major vertical markets, explaining the need for increased information authentication, confidentiality, and non-repudiation for secure transmission of confidential data. The book is written using a layered approach, starting with basic explanations of why IPsec was developed and the types of organizations relying on IPsec to secure data transmissions. It then outlines the basic IPsec/ISAKMP fundamentals that were developed to meet demand for secure data transmission. The book covers the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics including high availability solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples are provided in each chapter to reinforce the fundamentals expressed in the text and to assist readers in translating concepts into practical deployment scenarios. Additionally, comprehensive case studies are incorporated throughout to map topics to real-world solutions.
Table of Contents
Copyright
About the Author
About the Technical Reviewers
Acknowledgments
Command Syntax Conventions
Introduction
  Methodology
  Who Should Read This Book?
  How This Book Is Organized
Part I: Introductory Concepts and Configuration/Troubleshooting
Chapter 1. Introduction to VPN Technologies
  VPN Overview of Common Terms
  Characteristics of an Effective VPN
  VPN Technologies
  Common VPN Deployments
  Business Drivers for VPNs
  IPsec VPNs and the Cisco Security Framework
  Summary
Chapter 2. IPsec Fundamentals
  Overview of Cryptographic Components
  Public Key Encryption Methods
  The IP Security Protocol (IPsec)
  IKE and ISAKMP
  Summary
Chapter 3. Basic IPsec VPN Topologies and Configurations
  Site-to-Site IPsec VPN Deployments
  Site-to-Site IPsec VPN Deployments and GRE (IPsec+GRE)
  Hub-and-Spoke IPsec VPN Deployments
  Remote Access VPN Deployments
  Summary
Chapter 4. Common IPsec VPN Issues
  IPsec Diagnostic Tools within Cisco IOS
  Common Configuration Issues with IPsec VPNs
  Architectural and Design Issues with IPsec VPNs
  Summary
Part II: Designing VPN Architectures
Chapter 5. Designing for High Availability
  Network and Path Redundancy
  IPsec Tunnel Termination Redundancy
  Managing Peer and Path Availability
  Managing Path Symmetry
  Load Balancing, Load Sharing, and High Availability
  Summary
Chapter 6. Solutions for Local Site-to-Site High Availability
  Using Multiple Crypto Interfaces for High Availability
  Stateless IPsec VPN High-Availability Alternatives
  Stateful IPsec VPN High-Availability Alternatives
  Summary
Chapter 7. Solutions for Geographic Site-to-Site High Availability
  Geographic IPsec VPN HA with Reverse Route Injection and Multiple IPsec Peers
  Geographic IPsec VPN High Availability with IPsec+GRE and Encrypted Routing Protocols
  Dynamic Multipoint Virtual Private Networks
  Summary
Chapter 8. Handling Vendor Interoperability with High Availability
  Vendor Interoperability Impact on Peer Availability
  Vendor Interoperability Impact on Path Availability
  Vendor Interoperability Design Considerations and Options
  Summary
Chapter 9. Solutions for Remote-Access VPN High Availability
  IPsec RA VPN Concentrator High Availability Using Virtual Interfaces for Tunnel Termination
  IPsec RA VPN Concentrator HA Using the VCA Protocol
  IPsec RA VPN Geographic HA Design Options
  Summary
Chapter 10. Further Architectural Options for IPsec
  IPsec VPN Termination On-a-Stick
  In-Path Versus Out-of-Path Encryption with IPsec
  Separate Termination of IPsec and GRE (GRE-Offload)
  Summary
Part III: Advanced Topics
Chapter 11. Public Key Infrastructure and IPsec VPNs
  PKI Background
  PKI Components
  Life of a Public Key Certificate
  PKI and the IPsec Protocol Suite: Where PKI Fits into the IPsec Model
  OCSP and CRL Scalability
  Case Studies and Sample Configurations
  Summary
Chapter 12. Solutions for Handling Dynamically Addressed Peers
  Dynamic Crypto Maps
  Tunnel Endpoint Discovery
  Case Study: Using Dynamic Addressing with Low-Maintenance Small Home Office Deployments
  Summary
Appendix A. Resources
  Books
  RFCs
  Web and Other Resources
Index
Copyright

IPsec Virtual Private Network Fundamentals
James Henry Carmouche, CCIE No. 6085

Copyright © 2007 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing June 2006
Library of Congress Cataloging-in-Publication Number: 2004107143

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
This book is designed to provide information about IPsec virtual private networks. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Publisher: Paul Boger
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Production Manager: Patrick Kanouse
Development Editor: Andrew Cupp
Project Editor: Interactive Composition Corporation
Copy Editor: Interactive Composition Corporation
Technical Editors: Aamer Akhter, Jason Guy, Mark J. Newcomb
Editorial Assistant: Katherine Linder
Book and Cover Designer: Louisa Adair
Composition: Interactive Composition Corporation
Indexer: Tim Wright
Dedication
For my loving wife, Kristen, and my two wonderful sons, James and Charlie. This would not have been possible without your unconditional love, support, and inspiration.
About the Author
James Henry Carmouche, CCIE No. 6085, is a technical marketing engineer on the Cisco Enterprise Systems Engineering team, where he is currently responsible for architecting, constructing, and validating enterprise-class network systems solutions. As part of his solution development responsibilities, Henry researches and publishes solution reference designs for use by customers, technical sales staff members, and marketing staff members. Prior to joining ESE, Henry worked as a technical marketing engineer in the Cisco Government Systems Unit, where he was responsible for bringing advanced security products to market, building technical marketing collateral and presentations, and designing new product introduction training for the GSU's newly introduced security platforms. In addition to his product and solution development experience, Henry has more than six years of technical consulting experience, including three years as a network consulting engineer in the Cisco Advanced Services Group. Henry earned an M.B.A. degree from UNC's Kenan-Flagler Business School and a B.S. degree in mechanical engineering from Lehigh University. Henry currently lives in Chapel Hill, NC, with his wife and two sons.
About the Technical Reviewers
Aamer Akhter, CCIE No. 4543, joined Cisco Systems in 1998 after graduating from Georgia Tech with a B.S. degree in electrical engineering to work in the Cisco Technical Assistance Center. He then supported the larger enterprise customers from Cisco in the NSA unit, where he helped design and deploy several large Layer 2 networks. Aamer later moved to Networked Solutions Integration Test Engineering (NSITE), where after a brief stint with IPsec VPNs, he moved into a new group for testing MPLS-VPNs. Five years later, MPLS-VPNs had matured much but testing of MPLS-related technologies still continues. Aamer is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort.

Jason Guy is an engineer within the Cisco Systems NSITE Security team, an organization responsible for network-based security solution testing. Jason is a member of a team responsible for testing, validating, scaling, and assisting in deployment of the Cisco security solution. Jason's primary focus is on firewalls, IPsec Remote Access, and SSL VPN testing. Prior to his work on the security technologies, Jason worked on the AToM Layer 2 VPN and MPLS VPN teams. Jason received his Master of Computer Engineering degree from North Carolina State University in Raleigh, NC.

Mark J. Newcomb, CCNP, CCDP, is a retired network security engineer. Mark has more than 20 years of experience in the networking industry, focusing on the financial and medical industries. Mark is a frequent contributor and reviewer for Cisco Press books.
Acknowledgments
During the development of this book, I had the privilege to work in three different groups at Cisco. Thank you to all of my teammates in Enterprise Systems Engineering, the Government Systems Unit, and Advanced Services who have lent me your professional acumen and loyal friendship over the years.
I'd like to thank Mike O'Shea for his support and friendship over the course of developing this book. Mike's sound professional and personal advice have helped me endure the ebbs and flows of sanity while balancing a challenging workload and added development responsibilities associated with writing this book.
Thank you to Pavan Reddy, one of the sharpest technical minds in Advanced Services, who was instrumental in helping me outline and define this scope of work and whose technical advice and words of encouragement throughout the course of developing this book have proven to be invaluable.
And on that note, many thanks go out to Andrew Cupp and Brett Bartow for their patience, understanding, and support during this process. An author could not have asked for a more professional team to work with while developing and publishing his work.
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets [ ] indicate optional elements.
Braces { } indicate a required choice.
Braces within brackets [{ }] indicate a required choice within an optional element.
Introduction
In recent years, network security solutions have grown to include IPsec as a critical component of secure network architecture design. One primary objective of this publication is therefore to provide the reader with a basic working knowledge of IPsec on various Cisco routing and switching platforms and an understanding of the different components of the Cisco IPsec implementation. This book covers successful implementation of IPsec in a variety of network topologies. This book views IPsec as an emerging requirement in most major vertical markets (service provider, enterprise, financial, government), explaining the need for increased information authentication, confidentiality, and nonrepudiation for secure transmission of confidential data (government records, financial data, billing information).
The primary development objective of this book is to create a work that aids network architects, administrators, and managers in their efforts to integrate IPsec VPN technology into their existing IP infrastructures. The focus is on IPsec deployments in Cisco network environments, from simple site-to-site virtual private network (VPN) configurations to comprehensive VPN strategies, including architectural redundancy and interoperability.
Methodology
This book follows a tiered approach toward building a working knowledge of fundamental IPsec VPN design, starting with an overview of basic IPsec business drivers and functional components. These concepts and components are then used as a foundation upon which IPsec VPN High Availability (HA) design considerations are presented. Lastly, several advanced IPsec VPN technologies that are commonly available in today's enterprise networks are presented and discussed. Within each chapter, the design concepts are presented and then reinforced with configurations, illustrations, and practical case studies where appropriate.
Who Should Read This Book?
This book presents information for technically savvy individuals who want to further their understanding of the fundamentals of this specific technology. Those parties interested in this book most likely include network engineers, network design consultants, network administrators, systems administrators, information security specialists, and all other individuals who have an interest in securing their networks with Cisco routers and VPN products. Additionally, networking professionals who have an understanding of IPsec and also want to view typical Cisco-specific IPsec configurations and practical IPsec deployment examples on Cisco products may also find the design guidance provided in this book valuable. Because it provides information at a fundamental level, this book may also serve as an effective design reference for decision makers looking to make strategic decisions impacting the security of their organizations' networks.
How This Book Is Organized
The organization of the book is formatted in a layered approach, starting with a basic explanation of the motivation behind IPsec's development and the types of organizations that rely on IPsec to secure data transmissions. The book then proceeds to outline the basic IPsec/Internet Security Association and Key Management Protocol (ISAKMP) fundamentals that were developed to meet demand for secure data transmission. The book proceeds to cover the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics, including HA solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples are provided to help reinforce the fundamentals expressed in the text, and to assist the reader in translating explained IPsec concepts into practical working deployment scenarios. Case studies are incorporated throughout the text in order to map the topics and concepts discussed to real-world solutions.
Chapters 1 through 4 compose Part I of this book, covering the most basic concepts required to develop an understanding of IPsec VPNs. The chapter content provided in Part I aims to help the reader achieve the following objectives:
Understand the background of IPsec VPN development
Differentiate IPsec and SSL VPNs from other VPN technologies
Understand the underlying cryptographic technologies that compose an IPsec VPN
Understand basic IPsec VPN configuration techniques
Understand common issues that can affect all IPsec designs
After you are familiar with the content of Part I, you should have the working knowledge of IPsec VPNs necessary to begin building a knowledge base surrounding the fundamentals of IPsec VPN High Availability using the design concepts provided in Part II. The chapters in Part I include:
Chapter 1, "Introduction to VPN Technologies": This chapter includes an introduction to various VPN technologies, discusses how VPNs are utilized in today's networks, and identifies the drivers for business migration to VPN technologies. The discussion in this chapter provides the reader with a high-level overview of VPNs, particularly with a comparison between Multiprotocol Label Switching (MPLS), Virtual Private Dialup Network (VPDN), Secure Sockets Layer (SSL), and IPsec VPNs. After a brief comparison of the VPN technologies, the focus turns to the business drivers for VPNs, which include both economics and security.
Chapter 2, "IPsec Fundamentals": This chapter focuses on the underlying components and mechanics of IPsec, including cryptographic components, Internet Key Exchange (IKE), and IPsec. This chapter includes basic configuration examples (not step-by-step) to demonstrate the concepts.
Chapter 3, "Basic IPsec VPN Topologies and Configurations": This chapter demonstrates building basic VPN topologies using the knowledge gained in the previous chapters. Three basic topologies are discussed: hub-and-spoke without generic routing encapsulation (GRE), hub-and-spoke VPN with GRE, and remote-access VPN.
Chapter 4, "Common IPsec VPN Issues": IPsec deployments can involve a number of potential pitfalls if not properly addressed. Chapter 4 discusses the common IPsec VPN issues that a network engineer should take into consideration during the design and deployment process. It discusses common troubleshooting techniques to diagnose these problems should they occur in your network. Design solutions to the common VPN issues presented in this chapter are provided, along with the appropriate design verification techniques.
Part II consists of Chapters 5 through 10. The topics discussed here build on the introductory concepts from Part I, extending them to encompass a common architectural goal: High Availability. Additional architectural variations are provided so as to present a comprehensive scope of the design options available. The chapters in Part II include:
Chapter 5, "Designing for High Availability": This chapter discusses the basic principles of an HA VPN design. Based on these principles, subsequent chapters develop solutions for local and geographical HA and discuss issues and options for achieving HA in multi-vendor VPN environments.
Chapter 6, "Solutions for Local Site-to-Site High Availability": This chapter uses concepts previously described to develop solutions for local HA, including the use of highly available interfaces for IPsec tunnel termination, stateless tunnel termination HA, and stateful tunnel termination HA.
Chapter 7, "Solutions for Geographic Site-to-Site High Availability": This chapter uses concepts previously described to develop solutions for geographic HA. This chapter discusses reverse route injection (RRI), IPsec with GRE tunnels, and Dynamic Multipoint VPN.
Chapter 8, "Handling Vendor Interoperability with High Availability": Unfortunately, current IPsec standards do not address HA. This leads to interoperability issues among vendors. This chapter discusses common issues and details the options that exist to handle these scenarios.
Chapter 9, "Solutions for Remote Access VPN High Availability": This chapter discusses the HA concepts previously discussed in Chapters 6 and 7 in the context of RA VPN deployments. Additionally, it covers other HA tools commonly found in RA VPNs, including the use of VPN concentrator clustering with VCA and DNS-based load balancing.
Chapter 10, "Further Architectural Options for IPsec": This chapter discusses other architectural variations in designing VPN solutions. It describes each option with usage considerations and finishes with case studies of each.
IPsec VPN design concepts range from fundamental cryptographic operations to dynamic spoke-to-spoke peering and MPLS VPN routing and forwarding (VRF)-aware IPsec VPNs. Although the scope of this book is firmly centered around the fundamental concepts of IPsec VPN design, the chapters included in Part III provide design guidance around two advanced topics of IPsec that are quite commonly deployed in today's enterprise-class IP networks:
Chapter 11, "Public Key Infrastructure and IPsec VPNs": This chapter discusses the usage of public key infrastructure (PKI) to authenticate IPsec peers via Rivest, Shamir, and Adleman (RSA) signatures. This method uses a certificate authority as a trusted third party to secure and scale IKE authentication. As organizations become more PKI-aware, this will become the de facto authentication mechanism.
Chapter 12, "Solutions for Handling Dynamically Addressed Peers": Dynamic peers allow network administrators to ensure network connectivity when remote network peers are either not known in advance or change to an unknown value over time. Dynamic peers also require less administrative effort than do static peers. This chapter addresses IPsec dynamic peering options, some of which are less commonly used, and others that are more prolific in various architectures.
Part I: Introductory Concepts and Configuration/Troubleshooting
Chapter 1 Introduction to VPN Technologies
Chapter 2 IPsec Fundamentals
Chapter 3 Basic IPsec VPN Topologies and Configurations
Chapter 4 Common IPsec VPN Issues
Chapter 1. Introduction to VPN Technologies
Modern business environments have been consistently changing since the advent of the Internet in the 1990s. Now more than ever, organizational leaders are asking themselves how efficiencies can be gained through making their workforce more mobile and thus increasing the scope of sales and distribution channels while continuing to maximize the economies of scope in their existing data infrastructure investments. Virtual private network (VPN) technologies provide a means by which to realize these business efficiencies in tandem with greatly reduced IT operational expenditures. In this chapter, we will discuss how today's VPN technologies enable enterprise workforces to share data seamlessly and securely over common yet separately maintained network infrastructures, such as through an Internet service provider (ISP) between enterprise networks or with corporate extranet partners. We will introduce several IPsec VPN topologies commonly found in today's enterprise networks, and we will conclude with the overview of two IPsec VPN business models, complete with cost savings realized by the enterprise.
VPN Overview of Common Terms
A VPN is a means to securely and privately transmit data over an unsecured and shared network infrastructure. VPNs carry the data that is transmitted across this common infrastructure by encapsulating the data, encrypting the data, or encapsulating the data and then encrypting it. Encapsulation by itself provides separation (the "private" address space), not protection: anyone on the shared path can still read encapsulated data unless it is also encrypted and integrity-protected. In the context of VPN deployments, encapsulation is often referred to as tunneling, as it is a method that effectively transmits data from one network to another transparently across a shared network infrastructure.
A common encapsulation method found in VPNs today is Generic Routing Encapsulation (GRE). IP-based GRE is defined in IETF RFC 2784 as a means to enclose the IP header and payload with a GRE encapsulation header, which is then carried inside an outer delivery IP header (IP protocol number 47). Network designers use this method of encapsulation to hide the original IP header as part of the GRE-encapsulated payload. In doing so, they separate or "tunnel" data from one network to another without making changes to the underlying common network infrastructure. Although GRE tunnels have primitive forms of authentication (the optional key field of RFC 2890 identifies a tunnel, but it is carried in plaintext and is not cryptographic), as we'll explore in later chapters when discussing dynamic multipoint VPN (DMVPN) deployments, they currently provide no means to provide confidentiality, integrity, and nonrepudiation natively: the encapsulated header and payload cross the shared network in the clear. Nevertheless, GRE tunneling is a fundamental component of many different IP Security Protocol (IPsec) designs, and will be discussed frequently in subsequent chapters.
Note
IPsec-processed data is not only protected but also encapsulated, with either Encapsulating Security Payload (ESP) or Authentication Header (AH). Only ESP encrypts; AH provides integrity and origin authentication for the packet but leaves the payload in plaintext.
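The following Python script is an added example, not code from the book or from Cisco. It builds the RFC 2784 GRE header described above around a constructed inner IPv4 packet, wraps the result in an outer delivery IPv4 header (protocol 47), then has the far tunnel endpoint validate the GRE header the way RFC 2784 instructs a receiver to and recover the inner packet. The final check makes the security point of this section concrete: the tunneled payload is still readable on the wire, which is exactly what ESP is added to fix. The addresses (RFC 1918 and RFC 5737 documentation ranges), the payload bytes and the packet identification field are constructed sample values; the header layouts follow RFC 791 and RFC 2784.

```python
"""GRE-in-IPv4 encapsulation per RFC 2784, and what it leaves visible.

Added example (not the book's code). Header layouts follow RFC 791 (IPv4)
and RFC 2784 (GRE). All addresses and payload bytes are constructed samples.
"""
import struct

ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type value for an IPv4 payload
IPPROTO_GRE = 47          # outer IPv4 Protocol field value for GRE (RFC 2784)


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071), used by both the IPv4 and GRE headers."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data for summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, 64, proto, 0, src_b, dst_b)  # 0x1234: sample ID
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def gre_encapsulate(inner: bytes, checksum: bool = False) -> bytes:
    """RFC 2784 header: C bit, 12 reserved bits, 3-bit version (0), Protocol
    Type; when C=1, a 16-bit checksum and 16 reserved bits follow. RFC 2784
    defines no key or sequence fields (those are RFC 2890 extensions)."""
    flags_ver = 0x8000 if checksum else 0x0000
    hdr = struct.pack("!HH", flags_ver, ETHERTYPE_IPV4)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)       # Checksum placeholder, Reserved1
        csum = ones_complement_checksum(hdr + inner)  # covers header + payload
        hdr = hdr[:4] + struct.pack("!HH", csum, 0)
    return hdr + inner


def gre_decapsulate(gre_packet: bytes) -> tuple:
    """Validate a GRE header as RFC 2784 tells a receiver to, and return
    (protocol_type, inner_packet)."""
    flags_ver, proto = struct.unpack("!HH", gre_packet[:4])
    if flags_ver & 0x0007:                   # Ver (bits 13-15) must be 0
        raise ValueError("unsupported GRE version")
    if flags_ver & 0x7C00:                   # Reserved0 bits 1-5 set: discard
        raise ValueError("reserved bits 1-5 set; not plain RFC 2784 GRE")
    # Reserved0 bits 6-12 (mask 0x03F8) are ignored on receipt, per the RFC.
    offset = 4
    if flags_ver & 0x8000:                   # C bit set: verify the checksum
        if ones_complement_checksum(gre_packet) != 0:
            raise ValueError("bad GRE checksum")
        offset += 4
    return proto, gre_packet[offset:]


def tunnel_demo() -> dict:
    """Tunnel a packet between two private LANs across a public path and
    report what the receiver recovers and what the path could read."""
    secret = b"ACCOUNT=12345;PIN=9876"       # constructed sample payload
    inner = build_ipv4("10.1.1.10", "10.2.2.20", 17, secret)
    gre = gre_encapsulate(inner, checksum=True)
    outer = build_ipv4("198.51.100.1", "203.0.113.1", IPPROTO_GRE, gre)

    # Receiving tunnel endpoint: strip the outer IPv4 header, parse GRE.
    proto, recovered = gre_decapsulate(outer[20:])
    return {
        "outer_src": ".".join(str(b) for b in outer[12:16]),
        "inner_src": ".".join(str(b) for b in recovered[12:16]),
        "proto_type": proto,
        "inner_intact": recovered == inner,
        # GRE hides the inner header from routing, not from an eavesdropper.
        "payload_visible_on_wire": secret in outer,
    }


if __name__ == "__main__":
    for key, value in tunnel_demo().items():
        print(f"{key}: {value}")
```

The receiver-side checks (version, reserved bits, checksum) are the only validation GRE offers; none of them involves a secret, so a forged packet with a correct checksum is accepted. That is why the IPsec+GRE designs in later chapters put the GRE packet inside ESP rather than relying on GRE alone.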