IPSec VPN Design
- By Vijay Bollapragada, Mohamed Khalid, Scott Wainner
- Published Mar 29, 2005 by Cisco Press. Part of the Networking Technology series.
eBook (Watermarked)
- Your Price: $49.59
- List Price: $61.99
- Includes EPUB and PDF
- Copyright 2005
- Dimensions: 7-3/8" x 9-1/8"
- Pages: 384
- Edition: 1st
- ISBN-10: 0-13-343356-0
- ISBN-13: 978-0-13-343356-2
The definitive design and deployment guide for secure virtual private networks
- Learn about IPSec protocols and Cisco IOS IPSec packet processing
- Understand the differences between IPSec tunnel mode and transport mode
- Evaluate the IPSec features that improve VPN scalability and fault tolerance, such as dead peer detection and control plane keepalives
- Overcome the challenges of working with NAT and PMTUD
- Explore IPSec remote-access features, including extended authentication, mode-configuration, and digital certificates
- Examine the pros and cons of various IPSec connection models such as native IPSec, GRE, and remote access
- Apply fault tolerance methods to IPSec VPN designs
- Employ mechanisms to alleviate the configuration complexity of a large-scale IPSec VPN, including Tunnel End-Point Discovery (TED) and Dynamic Multipoint VPNs (DMVPN)
- Add services to IPSec VPNs, including voice and multicast
- Understand how network-based VPNs operate and how to integrate IPSec VPNs with MPLS VPNs
Among the many functions that networking technologies permit is the ability for organizations to easily and securely communicate with branch offices, mobile users, telecommuters, and business partners. Such connectivity is now vital to maintaining a competitive level of business productivity. Although several technologies exist that can enable interconnectivity among business sites, Internet-based virtual private networks (VPNs) have evolved as the most effective means to link corporate network resources to remote employees, offices, and mobile workers. VPNs provide productivity enhancements, efficient and convenient remote access to network resources, site-to-site connectivity, a high level of security, and tremendous cost savings.
IPSec VPN Design is the first book to present a detailed examination of the design aspects of IPSec protocols that enable secure VPN communication. Divided into three parts, the book provides a solid understanding of design and architectural issues of large-scale, secure VPN solutions. Part I includes a comprehensive introduction to the general architecture of IPSec, including its protocols and Cisco IOS® IPSec implementation details. Part II examines IPSec VPN design principles covering hub-and-spoke, full-mesh, and fault-tolerant designs. This part of the book also covers dynamic configuration models used to simplify IPSec VPN designs. Part III addresses design issues in adding services to an IPSec VPN such as voice and multicast. This part of the book also shows you how to effectively integrate IPSec VPNs with MPLS VPNs.
IPSec VPN Design provides you with the field-tested design and configuration advice to help you deploy an effective and secure VPN solution in any environment.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Table of Contents
Introduction
Chapter 1 Introduction to VPNs
- Motivations for Deploying a VPN
- VPN Technologies
- Layer 2 VPNs
- Layer 3 VPNs
- Remote Access VPNs
- Summary
Chapter 2 IPSec Overview
- Encryption Terminology
- Symmetric Algorithms
- Asymmetric Algorithms
- Digital Signatures
- IPSec Security Protocols
- IPSec Transport Mode
- IPSec Tunnel Mode
- Encapsulating Security Header (ESP)
- Authentication Header (AH)
- Key Management and Security Associations
- The Diffie-Hellman Key Exchange
- Security Associations and IKE Operation
- IKE Phase 1 Operation
- IKE Phase 2 Operation
- IPSec Packet Processing
- Summary
Chapter 3 Enhanced IPSec Features
- IKE Keepalives
- Dead Peer Detection
- Idle Timeout
- Reverse Route Injection
- RRI and HSRP
- Stateful Failover
- SADB Transfer
- SADB Synchronization
- IPSec and Fragmentation
- IPSec and PMTUD
- Look Ahead Fragmentation
- GRE and IPSec
- IPSec and NAT
- Effect of NAT on AH
- Effect of NAT on ESP
- Effect of NAT on IKE
- IPSec and NAT Solutions
- Summary
Chapter 4 IPSec Authentication and Authorization Models
- Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)
- Mode-Configuration (MODECFG)
- Easy VPN (EzVPN)
- EzVPN Client Mode
- Network Extension Mode
- Digital Certificates for IPSec VPNs
- Digital Certificates
- Certificate Authority Enrollment
- Certificate Revocation
- Summary
Chapter 5 IPSec VPN Architectures
- IPSec VPN Connection Models
- IPSec Model
- The GRE Model
- The Remote Access Client Model
- IPSec Connection Model Summary
- Hub-and-Spoke Architecture
- Using the IPSec Model
- Transit Spoke-to-Spoke Connectivity Using IPSec
- Internet Connectivity
- Scalability Using the IPSec Connection Model
- GRE Model
- Transit Site-to-Site Connectivity
- Transit Site-to-Site Connectivity with Internet Access
- Scalability of GRE Hub-and-Spoke Models
- Remote Access Client Connection Model
- Easy VPN (EzVPN) Client Mode
- EzVPN Network Extension Mode
- Scalability of Client Connectivity Models
- Full-Mesh Architectures
- Native IPSec Connectivity Model
- GRE Model
- Summary
Chapter 6 Designing Fault-Tolerant IPSec VPNs
- Link Fault Tolerance
- Backbone Network Fault Tolerance
- Access Link Fault Tolerance
- Access Link Fault Tolerance Summary
- IPSec Peer Redundancy
- Simple Peer Redundancy Model
- Virtual IPSec Peer Redundancy Using HSRP
- IPSec Stateful Failover
- Peer Redundancy Using GRE
- Virtual IPSec Peer Redundancy Using SLB
- Server Load Balancing Concepts
- IPSec Peer Redundancy Using SLB
- Cisco VPN 3000 Clustering for Peer Redundancy
- Peer Redundancy Summary
- Intra-Chassis IPSec VPN Services Redundancy
- Stateless IPSec Redundancy
- Stateful IPSec Redundancy
- Summary
Chapter 7 Auto-Configuration Architectures for Site-to-Site IPSec VPNs
- IPSec Tunnel Endpoint Discovery
- Principles of TED
- Limitations with TED
- TED Configuration and State
- TED Fault Tolerance
- Dynamic Multipoint VPN
- Multipoint GRE Interfaces
- Next Hop Resolution Protocol
- Dynamic IPSec Proxy Instantiation
- Establishing a Dynamic Multipoint VPN
- DMVPN Architectural Redundancy
- DMVPN Model Summary
- Summary
Chapter 8 IPSec and Application Interoperability
- QoS-Enabled IPSec VPNs
- Overview of IP QoS Mechanisms
- IPSec Implications for Classification
- IPSec Implications on QoS Policies
- VoIP Application Requirements for IPSec VPN Networks
- Delay Implications
- Jitter Implications
- Loss Implications
- IPSec VPN Architectural Considerations for VoIP
- Decoupled VoIP and Data Architectures
- VoIP over IPSec Remote Access
- VoIP over IPSec-Protected GRE Architectures
- VoIP Hub-and-Spoke Architecture
- VoIP over DMVPN Architecture
- VoIP Traffic Engineering Summary
- Multicast over IPSec VPNs
- Multicast over IPSec-Protected GRE
- Multicast on Full-Mesh Point-to-Point GRE/IPSec Tunnels
- DMVPN and Multicast
- Multicast Group Security
- Multicast Encryption Summary
- Summary
Chapter 9 Network-Based IPSec VPNs
- Fundamentals of Network-Based VPNs
- The Network-Based IPSec Solution: IOS Features
- The Virtual Routing and Forwarding Table
- Crypto Keyrings
- ISAKMP Profiles
- Operation of Network-Based IPSec VPNs
- A Single IP Address on the PE
- Front-Door and Inside VRF
- Configuration and Packet Flow
- Termination of IPSec on a Unique IP Address Per VRF
- Network-Based VPN Deployment Scenarios
- IPSec to MPLS VPN over GRE
- IPSec to L2 VPNs
- PE-PE Encryption
- Summary
Index