IPsec to MPLS VPN
Integration
Vijay Bollapragada
Course Number
Presentation_ID
© 2001, Cisco Systems, Inc.
1
Agenda
• IPsec VPN Overview
• IPsec and MPLS VPN Integration
• Architecture
• Conclusions
IPsec
• Open standards for ensuring secure private communications over any IP network
  - Negotiation, protocols, and formats
• Network layer encryption and authentication
• Data protected with network encryption, digital certification, and device authentication
• RFCs: 1825–1829
IPsec Terminology
IPSec = Internet Protocol Security (RFC 2401): An IETF standardized architecture that defines a set of standards that can be used to secure the Internet Protocol (IPv4 and IPv6).
IKE = Internet Key Exchange (RFC 2409): A hybrid protocol (uses parts of the Oakley and SKEME key exchanges in conjunction with ISAKMP) whose purpose is to provide authenticated keying material for, and secure negotiation of, Security Associations.
SA = Security Association: A set of policies and keys between two parties used to protect the information exchanged between them. IKE uses ISAKMP SAs, which must include negotiation of the following attributes: encryption algorithm, hash algorithm, authentication method, and the Diffie-Hellman group.
ISAKMP = Internet Security Association and Key Management Protocol (RFC 2407): Defines a framework for security association management and cryptographic key establishment for the Internet.
IPSec Technology Primer
• AH Protocol (RFC 2402): the original packet [IP HDR | Data] becomes an IPSec authenticated session [IP HDR | AH HDR | Data]
• ESP Transport Mode (RFC 2406): the original packet [IP HDR | Data] becomes an IPSec encrypted session [IP HDR | ESP HDR | Data], with Data encrypted
• ESP Tunnel Mode (RFC 2406): the original packet [IP HDR | Data] is carried inside an IPSec tunnel [New IP HDR | ESP HDR | IP HDR | Data], with the original IP HDR and Data encrypted
• Sessions are initiated by IPSec CPE and terminated by the customer's corporate gateway/firewall, the destination system, or a corporate end-system or resource
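The header layouts above can be checked against the wire: AH leaves its Next Header byte in the clear, so transport and tunnel mode (and in tunnel mode the inner IP header) are visible to any device on the path, whereas ESP carries the Next Header byte inside the encrypted trailer, so the mode is not observable without the SA's keys. The following parser is an added example, not code from the original slides; every address, SPI and sequence number in the constructed sample packets is made up.

```python
"""Outer-header parser for IPsec AH (RFC 2402) and ESP (RFC 2406) over IPv4.

Added example, not code from the original slides. The sample packets below are
constructed inline; every address, SPI and sequence number is made up.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_IPIP = 4    # next header 4 = an inner IPv4 header follows (tunnel mode)
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51


@dataclass
class IPsecSummary:
    src: str
    dst: str
    protocol: str              # "AH" or "ESP"
    spi: int
    seq: int
    mode: Optional[str]        # "transport", "tunnel", or None when not observable
    inner_dst: Optional[str]   # only recoverable from an AH tunnel-mode packet


def _ipv4_header(buf: bytes, offset: int = 0) -> Tuple[int, int, str, str]:
    """Return (header length, protocol, src, dst) for the IPv4 header at offset."""
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", buf, offset)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (ver_ihl & 0x0F) * 4, proto, ".".join(map(str, src)), ".".join(map(str, dst))


def parse_ipsec(pkt: bytes) -> IPsecSummary:
    """Classify one IPv4 packet as AH or ESP and pull out what is visible in the clear."""
    ihl, proto, src, dst = _ipv4_header(pkt)
    body = pkt[ihl:]
    if proto == IPPROTO_AH:
        # AH: Next Header(1) | Payload Len(1) | Reserved(2) | SPI(4) | Sequence(4) | ICV
        next_hdr, payload_len, _res, spi, seq = struct.unpack_from("!BBHII", body)
        ah_len = (payload_len + 2) * 4         # Payload Len is in 32-bit words, minus 2
        # AH authenticates but does not encrypt, so the next header (and with it
        # the mode, and in tunnel mode the inner IP header) is visible on the wire.
        if next_hdr == IPPROTO_IPIP:
            _, _, _, inner_dst = _ipv4_header(body, ah_len)
            return IPsecSummary(src, dst, "AH", spi, seq, "tunnel", inner_dst)
        return IPsecSummary(src, dst, "AH", spi, seq, "transport", None)
    if proto == IPPROTO_ESP:
        # ESP: SPI(4) | Sequence(4) | encrypted payload + trailer (Pad, Next Header) | ICV
        spi, seq = struct.unpack_from("!II", body)
        # The Next Header byte sits inside the encrypted trailer, so an observer
        # cannot tell transport mode from tunnel mode without the SA's keys.
        return IPsecSummary(src, dst, "ESP", spi, seq, None, None)
    raise ValueError(f"not an IPsec packet (IP protocol {proto})")


def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload


# Constructed sample packets (not captures):
ICV = b"\x11" * 12                                   # 96-bit truncated HMAC placeholder
INNER = _ipv4(IPPROTO_UDP, "10.1.1.5", "10.1.2.9", b"\x00" * 8)
AH_TUNNEL = _ipv4(IPPROTO_AH, "192.0.2.10", "198.51.100.1",
                  struct.pack("!BBHII", IPPROTO_IPIP, 4, 0, 0x1000, 7) + ICV + INNER)
AH_TRANSPORT = _ipv4(IPPROTO_AH, "192.0.2.10", "198.51.100.1",
                     struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0x1001, 8) + ICV + b"\x00" * 8)
ESP_PKT = _ipv4(IPPROTO_ESP, "192.0.2.10", "198.51.100.1",
                struct.pack("!II", 0x2000, 3) + b"\xaa" * 32)   # opaque ciphertext, trailer, ICV

if __name__ == "__main__":
    for p in (AH_TUNNEL, AH_TRANSPORT, ESP_PKT):
        print(parse_ipsec(p))
```

The SPI and sequence number are the only fields a monitoring point can reliably read from ESP, which is why per-tunnel visibility in the architecture that follows comes from terminating the tunnel on the concentrator rather than from inspecting the encrypted path.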
IPSec VPNs
Advantages
• Quickly provision VPN services without SP infrastructure changes (transparent to SP network)
• Very high security for entire data path (including client-to-SP connection)
• Very mobile and can span multiple SP networks
• Hardware encryption accelerators now available to help address performance and scalability issues
Limitations
• Not scalable
• No tunnel sharing (like Layer 2 tunneling), so each concurrent user terminates a separate tunnel on the gateway
• Encryption can severely limit performance of the tunnel termination platform
• IPSec (and all related protocols) expertise needed for provisioning
• Client software must be installed and supported (support desk costs)
• Limited added value and revenue stream potential
• Export restrictions of encryption technology
• Only supports tunneling of IP packets
IPSEC TO MPLS SERVICE ARCHITECTURE
[Figure: Branch Office (access via local or direct dial ISP) and Remote Users/Telecommuters (Cable/DSL/ISDN ISP) build IPsec sessions across the Internet to a Cisco VPN 5002/5008 co-located with MPLS PE routers; the Corporate Intranet attaches through another PE. Legend: Frame PVC or 802.1Q; IPsec session; FR PVC, MPLS LSP]
• Cisco VPN 5000 Client Software is the tunnel source: Windows 95/98/2000/NT, Mac, Linux, Solaris
• Cisco VPN 5002/5008 terminates IPsec tunnels and maps sessions into FR PVCs
IPsec to MPLS
• IOS IPsec site to site and client sessions mapped directly into MPLS VPN by co-locating Cisco VPN 5002 or 5008 concentrators with Cisco IOS MPLS PE routers
• Authenticate off-net sites via pre-shared keys and digital certificates
• Authenticate remote users via AAA and digital certificates
• CVPN5000 to support dynamic routing updates over IPsec protected GRE tunnels
• For QoS, maintain packet classification (ToS byte/DSCP) on all traffic (ingress and egress) traveling through IPsec tunnels
VPN 5000 CUSTOMER VIRTUAL CONTEXTS (CVC) & VIRTUAL ROUTER (VR) ARCHITECTURE
• Each CVC Has a VR Which Only Knows About its Network.
• CVC Identifies Routing Features and VPN for Specified Customer
• Main CVC Defines Basic Functions of the System
• Permits Overlapping IP Address Ranges
[Figure: CISCO VPN 5000 with a Main VR plus Cust 1–4 VRs; customer VRs attach via HSSI FR, DS3 FR PVC, or 10/100 Ethernet]
• Features Configured Per CVC
  - IGP Routing: Static Routes, RIP, RIP 2, OSPF
  - L3/L2 Tunnel Mapping: IPsec, L2TP, GRE, FR PVC, 802.1Q VLAN
  - RADIUS Authentication/Accounting
  - Filter Sets
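The per-CVC virtual router is what lets two customers use the same private address space: a decrypted packet is routed only in the table of the context its IPsec session belongs to, then handed to that customer's FR PVC with its ToS/DSCP marking carried through, as the "maps sessions into FR PVCs" and QoS points earlier in the deck describe. The model below is an added example, not the VPN 5000's own code; customer names, prefixes, SPIs and PVC names are constructed for illustration.

```python
"""Per-customer virtual routers (one VR per CVC) on an IPsec-to-MPLS concentrator.

Added example, not the VPN 5000's own code: it models how a decrypted IPsec
session is bound to its customer context, routed in that context's own table
(so overlapping customer prefixes never collide) and handed to the customer's
FR PVC with its DSCP marking intact. Customer names, prefixes, SPIs and PVC
names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class VirtualRouter:
    """Routing table for one Customer Virtual Context (CVC)."""
    name: str
    routes: List[Tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)

    def add_route(self, prefix: str, egress: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), egress))

    def lookup(self, dst: str) -> str:
        """Longest-prefix match within this VR only; no fall-through to other CVCs."""
        addr = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, egress) for net, egress in self.routes if addr in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches)[1]


class Concentrator:
    """Binds IPsec sessions (by SPI) to CVCs and forwards through the CVC's VR."""

    def __init__(self) -> None:
        self.vrs: Dict[str, VirtualRouter] = {}
        self.session_to_cvc: Dict[int, str] = {}

    def add_cvc(self, name: str) -> VirtualRouter:
        self.vrs[name] = VirtualRouter(name)
        return self.vrs[name]

    def bind_session(self, spi: int, cvc: str) -> None:
        if cvc not in self.vrs:
            raise KeyError(f"unknown CVC {cvc}")
        self.session_to_cvc[spi] = cvc

    def forward(self, spi: int, dst: str, dscp: int) -> Tuple[str, str, int]:
        """Return (cvc, egress PVC, dscp) for a decrypted packet from the session with this SPI.

        A packet from an unbound SPI has no context and is refused rather than
        routed in some default table.
        """
        cvc = self.session_to_cvc.get(spi)
        if cvc is None:
            raise PermissionError(f"SPI {spi:#x} is not bound to any CVC")
        egress = self.vrs[cvc].lookup(dst)
        return cvc, egress, dscp     # ToS/DSCP classification is carried through unchanged


def build_demo() -> Concentrator:
    """Two customers that both use 10.1.0.0/16 internally (constructed topology)."""
    c = Concentrator()
    cust1 = c.add_cvc("cust1")
    cust1.add_route("10.1.0.0/16", "fr-pvc-101")
    cust1.add_route("10.1.2.0/24", "fr-pvc-102")     # more specific prefix wins
    cust2 = c.add_cvc("cust2")
    cust2.add_route("10.1.0.0/16", "fr-pvc-201")     # same prefix, different customer
    c.bind_session(0x1000, "cust1")
    c.bind_session(0x2000, "cust2")
    return c


if __name__ == "__main__":
    conc = build_demo()
    print(conc.forward(0x1000, "10.1.2.9", 46))   # cust1, fr-pvc-102
    print(conc.forward(0x2000, "10.1.2.9", 46))   # cust2, fr-pvc-201
```

The security property worth noting is the absence of a shared default table: a destination is resolved only in the VR of the context the session was authenticated into, so a route in one customer's VR can never attract another customer's traffic, and a session that is not bound to any CVC is dropped instead of being forwarded.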
IPSEC to MPLS VPN Architecture
[Figure: CISCO VPN5000 (VPN termination) with a Main VR and Cust 1/2/3 VRs, each terminating that customer's IPsec tunnels from the INTERNET; VPN tunnel mapping over DS3 FR PVCs (or 10/100 Ethernet) to a CISCO IOS PE ROUTER holding Cust 1/2/3 VRFs into the MPLS backbone]
• Customer Virtual Contexts (CVC) are logical interfaces, carried as FR PVCs within a single DS3 physical port.
• Each CVC, or FR PVC, is viewed as a CE from the PE's perspective.
• Can run Static, RIPv2 or OSPF.