Vijay Bollapragada - IPSec VPN Design

[]access linksadvanced IPSec featuresRRIauthenticationauto-configuring site-to-site IPSec VPNs [] []CAs (certificate authorities)Cisco Easy VPN. [See ]Cisco IOS softwareconfiguringstateful failover []databasesdesigning fault tolerant IPSec VPNsof access linksdial backuparchitectures [] []fault tolerancepeer redundancyfull-mesh point-to-point GRE/IPSec tunnels [] []HSRP (Hot Standby Routing Protocol)hub configurationhub-and-spoke architectureGRE with dynamic routing []IKEinternal redundancyIPSec modelISAKMP []jitter []keepalives []limitations []messages [] []applyingpacket flow for single IP address on PEpacket size distributionpacketspeer redundancy []packet size distribution []redundancyRRI (Reverse Route Injection) []SAsSAs (security associations)scalabilitysecurityauthenticationsite-to-site VPNsspoke configuration []TED (Tunnel Endpoint Discovery) []VoIPapplication requirements for IPSec VPN networksVPNs [] []access linksadvanced IPSec featuresRRIauthenticationauto-configuring site-to-site IPSec VPNs [] []CAs (certificate authorities)Cisco Easy VPN. [See ]Cisco IOS softwareconfiguringstateful failover

Virtual private networks, commonly referred to as VPNs, are not an entirely new concept in networking. As the name suggests, a VPN can be defined as a private network service delivered over a public network infrastructure. A telephone call between two parties is the simplest example of a virtual private connection over a public telephone network. Two important characteristics of a VPN are that it is virtual and private.

There are many types of VPNs, such as Frame Relay and ATM, and entire books can and have been written about each of these VPN technologies. The focus of this book is on a VPN technology known as IPSec.

This chapter introduces some of the VPN technologies and helps to explain the motivations for deploying a VPN. The primary reason for deploying a VPN is cost savings. Corporations with offices all over the world often need to interconnect them in order to conduct everyday business. For these connections, they can either use dedicated leased lines that run between the offices or have each site connect locally to a public network, such as the Internet, and form a VPN over the public network.

shows an international corporation that connects to each site using leased lines. Each connection is point-to-point and requires a dedicated leased line to connect it to another site. If each site needs to be connected to every other site (a situation also known as any-to-any or full-mesh connectivity), n-1 leased lines would be required at each site where n is the number of sites. Leased lines are typically priced based on the distance between the sites and bandwidth offered. Cross-country and intercontinental links are typically very expensive, making full-mesh connectivity with leased lines very expensive.

shows an alternate method of connecting the same sites of the corporation, this time over a public network such as the Internet. In this model, each site is connected to the public network at its closest point, possibly via a leased line, but all connections between sites are virtual connections. The cloud in the figure represents a virtual connection between the sites, as opposed to a physical dedicated connection between sites in the leased-line model.

Note

A public network can be defined as a network with an infrastructure shared by many users of that network. Bear in mind that the word "public" does not mean that the network is available free to anyone. Many service providers have large ATM and Frame Relay public networks, and the Internet is probably the most ubiquitous public network of them all.

Although connecting the sites over a public network has obvious cost advantages over the dedicated leased line model and provides significant cost savings to the corporation, this model also introduces risks, such as the following:

• Data security

• Lack of dedicated bandwidth between sites

In the VPN model, the corporation's data is being transported across a public network, which means other users of the public network can potentially access the corporation's data and thereby pose a security risk.

The second risk in the VPN model is the lack of dedicated bandwidth availability between sites that the leased line model provides. Because the VPN model connects sites using a virtual connection and the physical links in the public network are shared by many sites of many different VPNs. Bandwidth between the sites is not guaranteed unless the VPN allows some form of connection admission control and bandwidth reservation schemes. Both risks can be mitigatedthe next section introduces some VPN technologies that overcome these risks.

In the simplest sense, a VPN connects two endpoints over a public network to form a logical connection. The logical connections can be made at either Layer 2 or Layer 3 of the OSI model, and VPN technologies can be classified broadly on these logical connection models as Layer 2 VPNs or Layer 3 VPNs. Conceptually, establishing connectivity between sites over a Layer 2 or Layer 3 VPN is the same. The concept involves adding a "delivery header" in front of the payload to get it to the destination site. In the case of Layer 2 VPNs, the delivery header is at Layer 2, and in the case of Layer 3 VPNs, it is (obviously) at Layer 3. ATM and Frame Relay are examples of Layer 2 VPNs; GRE, L2TP, MPLS, and IPSec are examples of Layer 3 VPN technologies.

Layer 2 VPNs operate at Layer 2 of the OSI reference model; they are point-to-point and establish connectivity between sites over a virtual circuit. A virtual circuit is a logical end-to-end connection between two endpoints in a network, and can span multiple elements and multiple physical segments of a network. The virtual circuit is configured end-to-end and is usually called a permanent virtual circuit (PVC). A dynamic point-to-point virtual circuit is also possible and is known as a switched virtual circuit (SVC); SVCs are used less frequently because of the complexity involved in troubleshooting them. ATM and Frame Relay are two of the most popular Layer 2 VPN technologies. ATM and Frame Relay providers can offer private site-to-site connectivity to a corporation by configuring permanent virtual circuits across a shared backbone.

One of the advantages of a Layer 2 VPN is the independence of the Layer 3 traffic payload that can be carried over it. A Frame Relay or ATM PVC between sites can carry many different types of Layer 3 traffic such as IP, IPX, AppleTalk, IP multicast, and so on. ATM and Frame Relay also provide good quality of service (QoS) characteristics, which is especially critical for delay-sensitive traffic such as voice.