Click here to load reader

Data-only Site-to-Site IPSec VPN Design Guide · PDF file Data-only Site-to-Site IPSec VPN Design Guide OL-7281-01 Solution Two—DMVPN A-6 Head End Configuration A-6 Branch Site Configuration

  • View
    13

  • Download
    4

Embed Size (px)

Text of Data-only Site-to-Site IPSec VPN Design Guide · PDF file Data-only Site-to-Site IPSec VPN...

  • Data-only Site-to-Site IPSec VPN Design Guide OL-7281-01 Version 1.0

    Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

    800 553-NETS (6387) Fax: 408 526-4100

    http://www.cisco.com

  • THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

    THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    Data-only Site-to-Site IPSec VPN Design Guide Copyright © 2005 Cisco Systems, Inc. All rights reserved.

    AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, FrameShare, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, ScriptBuilder, ScriptShare, SMARTnet, TransPath, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Discover All That’s Possible are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, GigaStack, IOS, IP/TV, LightStream, MICA, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

    All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0110R)

  • OL-7281-01

    C O N T E N T S

    C H A P T E R 1 VPN Site-to-Site Solution Overview 1-1

    Introduction 1-1

    VPN Site-to-Site Design Overview 1-2 Starting Assumptions 1-2 Design Topology 1-3 Site-to-Site VPN Design Components 1-4 Cisco VPN Product Overview 1-6 Solution Benefits 1-8 Three Solutions—Overview and Recommendations 1-8

    Solution One—IPSec with GRE 1-9 Solution Two—DMVPN 1-9 Solution Three—IPSec with DPD, RRI, and HSRP 1-9

    IPSec Overview 1-10 Introduction to IPSec 1-10 Tunneling Protocols 1-10 IPSec Protocols 1-11

    Encapsulating Security Protocol 1-11 Authentication Header 1-11

    IPSec Modes 1-12 Tunnel Mode 1-12 Transport Mode 1-13

    Internet Key Exchange 1-13 Security Association 1-14 IKE Authentication 1-14

    C H A P T E R 2 Selecting a Site-to-Site VPN Solution 2-1

    Types of Site-to-Site VPN Deployments 2-1

    Solution Design Requirements 2-3 Network Requirements 2-3 Using IPSec for Data Encryption 2-4 Minimizing Packet Fragmentation 2-5 IP Addressing 2-6 Placing VPN Head Ends Relative to the Firewall 2-7

    Solution One (IPSec with GRE)—Design Recommendations 2-7

    iii Data-only Site-to-Site IPSec VPN Design Guide

  • Contents

    Implementing GRE 2-7 High Availability and Resiliency 2-8 Head End Load Distribution 2-9 Number of Tunnels per Device 2-10 Path MTU Discovery 2-11 Alternative Network Topologies 2-11 Using a Routing Protocol across the VPN 2-11 Route Propagation Strategy 2-12

    Solution Two (DMVPN)—Design Recommendations 2-13 Generic Route Encapsulation with mGRE Tunnels and NHRP 2-13 Tunnel Protection 2-14 High Availability and Resiliency 2-15 Head End Load Distribution 2-15 Path MTU Discovery 2-15 Supported Network Topologies 2-15

    Hub-and-Spoke 2-15 Spoke-to-Spoke 2-16 Spoke-to-Spoke Design Considerations 2-19

    Solution Three (IPSec with DPD, RRI, and HSRP)—Design Recommendations 2-20 Alternatives to Using a Routing Protocol 2-20 Dead Peer Detection 2-20 Reverse Route Injection 2-20 Dynamic Crypto Maps 2-20 Hot Standby Router Protocol 2-21

    Stateless Failover 2-21 Stateful Failover 2-21

    Solution Three Limitation—Tunnel Initiation Not Possible from Head Ends 2-22 Number of Tunnels per Device and Load Distribution 2-22

    Comparing Failover and Convergence Performance 2-22 Solution One—Failover and Convergence Performance 2-22 Solution Two—Failover and Convergence Performance 2-25 Solution Three—Failover and Convergence Performance 2-26

    Additional Design Considerations 2-26 Security 2-27 Split Tunneling 2-27 Multicast 2-27 IPSec Interactions with Other Networking Functions 2-27

    Routing Protocols 2-27 Network Address Translation and Port Address Translation 2-28

    iv Data-only Site-to-Site IPSec VPN Design Guide

    OL-7281-01

  • Contents

    Dynamic Host Configuration Protocol 2-28 Service Provider Dependencies 2-28 Management 2-29

    C H A P T E R 3 Selecting Solution Components 3-1

    Scalability Testing Methodology 3-1

    Subsequent Testing 3-2 New Traffic Mix 3-2 Tunnel Quantity Affects Throughput 3-3 GRE Encapsulation Affects Throughput 3-3 Routing Protocols Affect Throughput 3-3 How the Test Results are Presented 3-3

    Deploying Hardware-Accelerated Encryption 3-4 Head End Encryption Acceleration Options 3-4 Hardware Encryption Acceleration Options for 2600, 3600, and 3700 Routers 3-4

    Head End Devices 3-5 Sizing the Head End 3-6 Cisco VPN Routers for Head Ends 3-8 Head End Products for Solution Two 3-9 Head End Products for Solution Three 3-9 Other Cisco Products for the Head End 3-10 Cisco PIX VPN Limitations 3-11

    Branch Site Devices 3-11 Sizing the Branch Site 3-11 Cisco VPN Routers for Branch Sites 3-12

    Phase One Tests 3-12 Solution One Test Results 3-13 Solution Three Testing 3-13 Solution Two Testing 3-14

    Other Cisco Products for the Branch 3-18

    Software Releases Evaluated 3-18

    C H A P T E R 4 Configuring the Three Solutions 4-1

    Configuring Solution One 4-1 IKE Policy Configuration 4-1 IPSec Transform and Protocol Configuration 4-2 Access List Configuration for Encryption 4-2 Crypto Map Configuration 4-3 Applying Crypto Maps 4-4

    v Data-only Site-to-Site IPSec VPN Design Guide

    OL-7281-01

  • Contents

    Common Configuration Mistakes 4-4 ACL Mirroring 4-4 Peer Address Matching 4-4 Transform Set Matches 4-5 IKE Policy Matching 4-5

    Configuring Solution Two 4-5 IKE Policy Configuration 4-5 IPSec Profile Configuration 4-6 mGRE or GRE Tunnel Configuration 4-7 NHRP Configuration 4-8 Applying Tunnel Protection 4-9 Tunnels Sharing a Tunnel Source Interface 4-9

    Configuring Solution Three 4-10 IKE Configuration 4-10

    Dead Peer Detection 4-10 IPSec Configuration 4-11

    Dynamic IPSec Tunnels 4-11 Reverse Route Injection 4-12

    Head End HSRP and Interface Configuration 4-13 HSRP and IPSec 4-13

    Head End Redistribution for RRI Configuration 4-14 Static Route Redistribution 4-14

    C H A P T E R 5 Site-to-Site VPN Case Study 5-1

    Customer Overview 5-1

    Design Considerations 5-3 Preliminary Design Considerations 5-3 Sizing the Head End 5-4 Sizing the Branch Sites 5-4 Tunnel Aggregation and Load Distribution 5-5

    Network Layout 5-5

    Future Migration for Teleworkers 5-6

    A P P E N D I X A Test Bed Configuration A-1

    Scalability Test Bed Network Diagram A-1

    Scalability Test Bed Configuration Files A-3 Solution One—IPSec with GRE A-3

    Head End Configuration A-3 Branch Site Configuration A-4

    vi Data-only Site-to-Site IPSec VPN Design Guide

    OL-7281-01

  • Contents

    Solution Two—DMVPN A-6 Head End Configuration A-6 Branch Site Configuration A-7

    Solution Three—IPSec with DPD, RRI and HSRP A-9 Head End Configuration A-9 Branch Site Configuration A-10

    A P P E N D I X B References and Reading B-1

    Documents B-1

    Request For Comment (RFC) Papers B-1

    Websites B-2

    A P P E N D I X C Acronyms and Definitions C-1

    vii Data-only Site-to-Site I