Deploying IPsec VPNs


8/13/2019 Deploying IPsec VPNs


    Cisco Systems, Inc.

All contents are Copyright 1992-2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

    Page 1 of 29

    Solutions Guide

    Deploying IPsec Virtual Private Networks

Introduction

Corporate networks connected to the Internet can enable flexible and secure VPN access with IPsec. Connecting remote sites over the Internet provides a great cost-saving opportunity compared to traditional WAN access such as Frame Relay or ATM. With IPsec technology, customers can now build Virtual Private Networks (VPNs) over the Internet with the security of encryption, protecting against wiretapping or intrusion on the private


This deployment guide provides multiple designs for the implementation of IPsec VPN configurations over public Internet infrastructure. The IPsec VPN configurations presented in this document are based on recommended customer configurations. These configurations were tested and verified in a lab environment and can be deployed in the field. This guide does not discuss alternate IPsec VPN implementation solutions.

This deployment document describes basic design and deployment of an IP VPN network on top of a public network infrastructure. It does not detail the general operation of the protocols associated with deployment, such as Internet Key Exchange (IKE) and the Data Encryption Standard (DES), nor does it discuss the management and automation aspects of service provisioning. This document contains the following IPsec VPN designs:


Site-to-Site VPN
Fully-meshed VPN
Hub-and-spoke VPN
Fully-meshed on-demand VPN with Tunnel Endpoint Discovery
Dynamic Multipoint VPN
Remote Access VPN
Cisco Easy VPN

IPsec VPN Definition

An IPsec VPN is an Enterprise network deployed on a shared infrastructure using IPsec encryption technology. IPsec VPNs are used as an alternative to Wide Area Network (WAN) infrastructure; they replace or augment existing private networks that utilize leased-line or Enterprise-owned Frame Relay and Asynchronous Transfer Mode (ATM) networks. IPsec VPNs do not inherently change WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility.

An IPsec VPN utilizes the most pervasive transport technologies available today: the public Internet, SP Internet Protocol (IP) backbones, and also SP Frame Relay and ATM networks. The equipment deployed at the edge of the Enterprise network and the feature integration across the WAN primarily define the functionality of an IPsec VPN, rather than the WAN transport protocol.

IPsec VPNs are deployed to ensure secure connectivity between the VPN sites. A VPN site can be either a subnet or a host residing behind a router. The following are the key components of these IPsec VPN designs:

Cisco high-end VPN routers serving as VPN head-end termination devices at a central campus (head-end devices)
Cisco VPN access routers serving as VPN branch-end termination devices at the branch office locations (branch-end devices)
IPsec and GRE tunnels that interconnect the head-end and branch-end devices in the VPN
Internet services procured from a third-party ISP serving as the WAN interconnection medium

Major Components

Internet Key Exchange (RFC 2409)

IPsec offers a standard way to establish authentication and encryption services between endpoints. This includes not only standard algorithms and transforms, but also standard key negotiation and management mechanisms (via ISAKMP/Oakley) that promote interoperability between devices by allowing the negotiation of services between them.

IKE is a key management protocol standard that is used in conjunction with the IPsec standard. It enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec standard. It enables automatic negotiation of IPsec security associations, enables IPsec secure communications without costly manual preconfiguration, and facilitates secure exchange of encryption keys.

Negotiation refers to the establishment of policies or Security Associations (SAs) between devices. An SA is a policy rule that maps to a specific peer, with each rule identified by a unique SPI (Security Parameter Index). A device may have many SAs stored in its Security Association Database (SADB), created in DRAM and indexed by SPI. As an IPsec datagram arrives, the device uses the SPI enclosed in the datagram to reference the appropriate policy that needs to be applied to it.

IKE is a form of ISAKMP (Internet Security Association and Key Management Protocol)/Oakley specifically for IPsec. ISAKMP describes the phases of negotiation; Oakley defines the method to establish an authenticated key exchange. This method may take various modes of operation and is also used to derive keying material via algorithms such as


ISAKMP Phase 1 is used when two peers establish a secure, authenticated channel with which to communicate. Oakley main mode is generally used here. The result of main mode is the authenticated bi-directional IKE Security Association and its keying material. ISAKMP Phase 2 is required to establish SAs on behalf of other services, including IPsec. This uses Oakley Quick Mode to generate key material and/or negotiate parameters. The result of Quick Mode is two to four (depending on whether AH and/or ESP was used) uni-directional IPsec Security Associations and their keying material.
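
The receive-side processing described in the two paragraphs above, written out as an added example (this is not code from the Cisco guide or from IOS): Quick Mode yields one uni-directional SA per direction per protocol (two for ESP alone, four for AH plus ESP); each SA is kept in a SADB indexed by SPI; an arriving ESP datagram is matched to its SA by the SPI in its header and then checked against that SA's anti-replay window (the sliding-window method of RFC 2401 Appendix C, which the text does not spell out). The peer address, SPI values and packet bytes are constructed for illustration.

```python
"""Added example (not from the Cisco guide): SADB indexed by SPI, SA
installation after Quick Mode, and inbound ESP lookup with anti-replay."""
import struct
from dataclasses import dataclass

ESP = 50                 # IP protocol number for ESP (RFC 2406)
AH = 51                  # IP protocol number for AH (RFC 2402)
REPLAY_WINDOW = 64       # default anti-replay window size (RFC 2406 section 3.4.3)


@dataclass
class SecurityAssociation:
    spi: int
    peer: str             # peer this uni-directional SA was negotiated with
    protocol: int         # ESP or AH
    inbound: bool         # True: peer -> us (SPI chosen by us); False: us -> peer
    mode: str = "tunnel"
    highest_seq: int = 0  # highest sequence number accepted so far
    window: int = 0       # bit i set <=> sequence number highest_seq - i was seen

    def check_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check (RFC 2401 Appendix C). Accepts and
        records a new sequence number; rejects replays and stale numbers."""
        if seq == 0:
            return False                        # the first packet on an SA is 1
        if seq > self.highest_seq:              # advance the window
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= REPLAY_WINDOW:
            return False                        # behind the window: drop
        if self.window & (1 << diff):
            return False                        # already seen: replay
        self.window |= 1 << diff
        return True


class SADB:
    # Security Association Database keyed by (protocol, direction, SPI).
    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation) -> None:
        if sa.inbound and sa.spi < 256:
            raise ValueError("SPIs 0-255 are reserved (RFC 2406 section 2.1)")
        key = (sa.protocol, sa.inbound, sa.spi)
        if key in self._sas:
            raise ValueError(f"duplicate SPI 0x{sa.spi:08x}")
        self._sas[key] = sa

    def lookup(self, protocol: int, spi: int, inbound: bool = True):
        return self._sas.get((protocol, inbound, spi))


def install_quick_mode_result(sadb, peer, protocols, local_spis, peer_spis):
    """Install the SAs one Quick Mode exchange yields: per protocol, an inbound
    SA under the SPI we chose and an outbound SA under the SPI the peer chose.
    Returns the number of SAs installed (two per protocol)."""
    count = 0
    for proto in protocols:
        sadb.add(SecurityAssociation(local_spis[proto], peer, proto, inbound=True))
        sadb.add(SecurityAssociation(peer_spis[proto], peer, proto, inbound=False))
        count += 2
    return count


def parse_esp_header(datagram: bytes):
    """ESP begins with a 32-bit SPI and a 32-bit sequence number, both in
    network byte order; everything after them is the (encrypted) payload."""
    if len(datagram) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", datagram[:8])


def receive_esp(sadb: SADB, datagram: bytes) -> str:
    spi, seq = parse_esp_header(datagram)
    sa = sadb.lookup(ESP, spi)
    if sa is None:                              # auditable event per RFC 2401
        return f"drop: no inbound ESP SA for SPI 0x{spi:08x}"
    if not sa.check_replay(seq):
        return f"drop: replayed or stale seq {seq} on SPI 0x{spi:08x}"
    return f"accept: SPI 0x{spi:08x} seq {seq} from {sa.peer} ({sa.mode} mode)"


def demo():
    """Constructed scenario: AH + ESP negotiated with one peer (4 SAs), then a
    valid ESP datagram, its replay, and a datagram carrying an unknown SPI."""
    sadb = SADB()
    installed = install_quick_mode_result(
        sadb, "192.0.2.10", [ESP, AH],
        local_spis={ESP: 0x1A2B3C4D, AH: 0x1A2B3C4E},
        peer_spis={ESP: 0x0000A001, AH: 0x0000A002})
    good = struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 16    # fake payload
    unknown = struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16
    return installed, [receive_esp(sadb, good), receive_esp(sadb, good),
                       receive_esp(sadb, unknown)]
```

Running demo() installs four SAs and returns one accept followed by two drops (the replay and the unknown SPI). A real SADB also keys on the destination address, and the lookup would be followed by the ICV check and decryption under the SA's keys, which this model omits.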


IPsec combines the aforementioned security technologies into a complete system that provides confidentiality, integrity, and authenticity of IP datagrams. IPsec actually refers to several related protocols as defined in the new RFCs 2401-2411 and 2451 (the original IPsec RFCs 1825-1829 are now obsolete; RFC 2401, 2402, 2406 and 2409 have themselves since been obsoleted by RFC 4301, 4302, 4303 and 4306). These standards include:

IP Security Protocol proper, which defines the information to add to an IP packet to enable confidentiality, integrity, and authenticity controls, as well as defining how to encrypt the packet data.

Internet Key Exchange (IKE), which negotiates the security association between two entities and exchanges key material. IKE usage is not strictly necessary, but it is difficult and labor-intensive to manually configure security associations. IKE should be used in most real-world applications to enable large-scale secure communications.

IPsec Modes

IPsec has two methods of forwarding data across a network: transport mode and tunnel mode. They differ in their application as well as in the amount of overhead added to the passenger packet. These modes are summarized briefly in the next two sections:

Tunnel Mode
Transport Mode

Tunnel Mode

Tunnel mode encapsulates and protects an entire IP packet. Because tunnel mode encapsulates (hides) the IP header of the packet, a new IP header must be added in order for the packet to be successfully forwarded. The encrypting routers themselves own the IP addresses used in these new headers. Tunnel mode may be employed with either or both ESP and AH. Using tunnel mode results in additional packet expansion of approximately 20 bytes associated with the new IP header (the IPsec header, IV, padding and integrity check value are added in either mode and come on top of that). Tunnel mode expansion of the IP packet is depicted in Figure 1.

Figure 1

IPsec Tunnel Mode

Original packet: IP HDR | Data. Tunnel-mode packet: New IP HDR | IPsec HDR | IP HDR | Data, where the original IP HDR and Data are the portion To Be Protected.

Transport Mode

Use transport mode only when the VPN traffic is carried in a GRE tunnel.

IPsec transport mode inserts an IPsec header between the IP header and the GRE header. In this case, transport mode saves an additional IP header, which results in less packet expansion. Transport mode can be deployed with either or both ESP and AH. Specifying transport mode allows the router to negotiate with the remote peer whether to use transport or tunnel mode. Transport mode expansion of the IP packet with GRE encapsulation is depicted in Figure 2.


Figure 2

IPsec Transport Mode with GRE
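
The packet expansion the two mode sections describe, worked through as an added example (not code from the Cisco guide): the on-the-wire size of an IP packet after optional GRE encapsulation and ESP in tunnel or transport mode. Header sizes are the standard ones (20-byte IPv4 header, 4-byte GRE header, 8-byte ESP header, 2-byte ESP trailer); the default transform parameters assume a CBC cipher with an 8-byte block and IV and a 96-bit truncated HMAC, i.e. an esp-3des/esp-sha-hmac style transform, and the packet lengths are constructed inputs. It goes one step beyond the text by also computing the largest inner packet that fits a given MTU, which is the number a practitioner actually needs when setting the tunnel MTU. AH is not modelled.

```python
"""Added example (not from the Cisco guide): ESP packet expansion in tunnel
and transport mode, with and without GRE, for a CBC cipher plus HMAC."""

IPV4_HDR = 20        # IPv4 header without options
GRE_HDR = 4          # basic GRE header (RFC 2784), no key or sequence fields
ESP_HDR = 8          # SPI (4) + sequence number (4), RFC 2406
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_padding(protected_len: int, block_size: int) -> int:
    """ESP pads so that protected data + padding + the 2-byte trailer is a
    whole number of cipher blocks."""
    return (-(protected_len + ESP_TRAILER)) % block_size


def ipsec_packet_size(inner_len, mode, gre=False, iv_len=8, block_size=8, icv_len=12):
    """On-the-wire size of an inner IP packet of inner_len bytes (its own
    header included) after optional GRE encapsulation and ESP in `mode`.

    tunnel:    a new outer IP header is added and the whole packet, its own
               IP header included, is protected.
    transport: the packet's existing IP header stays outside and only what
               follows it is protected; with GRE that is the GRE header plus
               the original packet, which is why transport mode over GRE
               saves one IP header relative to tunnel mode.
    Transform defaults (assumed): 8-byte IV, 8-byte block, 12-byte ICV.
    """
    if mode not in ("tunnel", "transport"):
        raise ValueError(f"unknown mode {mode!r}")
    packet = inner_len + (IPV4_HDR + GRE_HDR if gre else 0)   # after GRE, if any
    protected = packet if mode == "tunnel" else packet - IPV4_HDR
    pad = esp_padding(protected, block_size)
    # one outer IP header either way: a new one (tunnel) or the existing one (transport)
    return IPV4_HDR + ESP_HDR + iv_len + protected + pad + ESP_TRAILER + icv_len


def expansion(inner_len, mode, gre=False, **transform):
    """Bytes added to the inner packet by GRE (if any) plus ESP."""
    return ipsec_packet_size(inner_len, mode, gre, **transform) - inner_len


def max_inner_len(mtu, mode, gre=False, **transform):
    """Largest inner packet that still fits in mtu bytes after encapsulation,
    i.e. the MTU to use on the tunnel to avoid post-encryption fragmentation."""
    for inner in range(mtu, IPV4_HDR, -1):
        if ipsec_packet_size(inner, mode, gre, **transform) <= mtu:
            return inner
    raise ValueError("MTU too small for any packet")


def compare(inner_len=100, mtu=1500):
    """Constructed comparison of the four mode/GRE combinations."""
    rows = {}
    for gre in (False, True):
        for mode in ("tunnel", "transport"):
            rows[(mode, gre)] = (expansion(inner_len, mode, gre),
                                 max_inner_len(mtu, mode, gre))
    return rows


if __name__ == "__main__":
    for (mode, gre), (grow, fit) in compare().items():
        print(f"{mode:9} gre={gre!s:5} expansion={grow:3} bytes  "
              f"max inner packet for 1500-byte MTU={fit}")
```

For a 100-byte inner packet the GRE-over-tunnel-mode case comes out at 176 bytes and the GRE-over-transport-mode case at 160; the saving is 16 or 24 bytes depending on how the 20-byte header shifts the cipher-block padding, which is why the text says "approximately 20 bytes". With a 1500-byte path MTU the largest inner packet that avoids fragmentation is 1442 bytes for transport mode over GRE and 1422 bytes for tunnel mode over GRE under these transform parameters.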

IPsec Headers

IPsec defines a new set of headers to be added to IP datagrams. These new headers are placed after the outer IP header. They provide information for securing the payload of the IP packet as follows:

Authentication Header (AH): This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the inva