IpSec VPN Design

  • View
    241

  • Download
    2

Embed Size (px)

Text of IpSec VPN Design

  • 8/21/2019 IpSec VPN Design

    1/394

    Table of

    Contents

    Index

    IPSec VPN Design

    By Vijay Bollapragada, Mohamed Khalid, Scott Wainner

    Publisher: Cisco Press

    Pub Date: April 07, 2005

    ISBN: 1-58705-111-7

    Pages: 384

    Master IPSec-based Virtual Private Networks with guidance from the Cisco

    Systems VPN Solutions group

    Understand how IPSec VPNs are designed, built, and administered

    Improve VPN performance through enabling of modern VPN servicessuch as performance, scalability, QoS, packet processing, multicast,and security

    Integrate IPSec VPNs with MPLS, Frame Relay, and ATM technologies

    As the number of remote branches and work-from-home employees grows

    throughout corporate America, VPNs are becoming essential to bothenterprise networks and service providers. IPSec is one of the morepopular technologies for deploying IP-based VPNs. IPSec VPN Design

    provides a solid understanding of the design and architectural issues ofIPSec VPNs. Some books cover IPSec protocols, but they do not address

    overall design issues. This book fills that void.

    IPSec VPN Designconsists of three main sections. The first sectionprovides a comprehensive introduction to the IPSec protocol, includingIPSec Peer Models. This section also includes an introduction to site-to-

    site, network-based, and remote access VPNs. The second section isdedicated to an analysis of IPSec VPN architecture and proper designmethodologies. Peer relationships and fault tolerance models and

    architectures are examined in detail. Part three addresses enabling VPNservices, such as performance, scalability, packet processing, QoS,

    multicast, and security. This book also covers the integration of IPSecVPNs with other Layer 3 (MPLS VPN) and Layer 2 (Frame Relay, ATM)technologies; and discusses management, provisioning, and

    troubleshooting techniques. Case studies highlight design, implementation,and management advice to be applied in both service provider andenterprise environments.

    Table of

    Contents

    Index

    IPSec VPN Design

    By Vijay Bollapragada, Mohamed Khalid, Scott Wainner

    Publisher: Cisco Press

    Pub Date: April 07, 2005

    ISBN: 1-58705-111-7

    Pages: 384

    Master IPSec-based Virtual Private Networks with guidance from the Cisco

    Systems VPN Solutions group

    Understand how IPSec VPNs are designed, built, and administered

    Improve VPN performance through enabling of modern VPN servicessuch as performance, scalability, QoS, packet processing, multicast,and security

    Integrate IPSec VPNs with MPLS, Frame Relay, and ATM technologies

    As the number of remote branches and work-from-home employees grows

    throughout corporate America, VPNs are becoming essential to bothenterprise networks and service providers. IPSec is one of the morepopular technologies for deploying IP-based VPNs. IPSec VPN Design

    provides a solid understanding of the design and architectural issues ofIPSec VPNs. Some books cover IPSec protocols, but they do not address

    overall design issues. This book fills that void.

    IPSec VPN Designconsists of three main sections. The first sectionprovides a comprehensive introduction to the IPSec protocol, includingIPSec Peer Models. This section also includes an introduction to site-to-

    site, network-based, and remote access VPNs. The second section isdedicated to an analysis of IPSec VPN architecture and proper designmethodologies. Peer relationships and fault tolerance models and

    architectures are examined in detail. Part three addresses enabling VPNservices, such as performance, scalability, packet processing, QoS,

    multicast, and security. This book also covers the integration of IPSecVPNs with other Layer 3 (MPLS VPN) and Layer 2 (Frame Relay, ATM)technologies; and discusses management, provisioning, and

    troubleshooting techniques. Case studies highlight design, implementation,and management advice to be applied in both service provider andenterprise environments.

  • 8/21/2019 IpSec VPN Design

    2/394

    Table of

    Contents

    Index

    IPSec VPN Design

    By Vijay Bollapragada, Mohamed Khalid, Scott Wainner

    Publisher: Cisco Press

    Pub Date: April 07, 2005

    ISBN: 1-58705-111-7

    Pages: 384

    Copyright

    About the Authors

    About the Technical Editors

    Acknowledgments

    This Book Is Safari Enabled

    Icons Used in This Book

    Command Syntax Conventions

    Introduction

    Chapter 1. Introduction to VPNs

    Motivations for Deploying a VPN

    VPN Technologies

    Summary

    Chapter 2. IPSec Overview

    Encryption Terminology

    IPSec Security Protocols

    Key Management and Security Associations Summary

    Chapter 3. Enhanced IPSec Features

    IKE Keepalives

    Dead Peer Detection

    Idle Timeout

    Reverse Route Injection

    Stateful Failover

    IPSec and Fragmentation

    GRE and IPSec

    IPSec and NAT

    Summary

    Chapter 4. IPSec Authentication and Authorization Models

    Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)

    Mode-Configuration (MODECFG)

    Easy VPN (EzVPN)

    Digital Certificates for IPSec VPNs

  • 8/21/2019 IpSec VPN Design

    3/394

    Summary

    Chapter 5. IPSec VPN Architectures

    IPSec VPN Connection Models

    Hub-and-Spoke Architecture

    Full-Mesh Architectures

    Summary

    Chapter 6. Designing Fault-Tolerant IPSec VPNs

    Link Fault Tolerance

    IPSec Peer Redundancy Using SLB

    Intra-Chassis IPSec VPN Services Redundancy

    Summary

    Chapter 7. Auto-Configuration Architectures for Site-to-Site IPSec VPNs

    IPSec Tunnel Endpoint Discovery

    Dynamic Multipoint VPN

    Summary

    Chapter 8. IPSec and Application Interoperability

    QoS-Enabled IPSec VPNs

    VoIP Application Requirements for IPSec VPN Networks

    IPSec VPN Architectural Considerations for VoIP

    Multicast over IPSec VPNs

    Summary

    Chapter 9. Network-Based IPSec VPNs

    Fundamentals of Network-Based VPNs

    The Network-Based IPSec Solution: IOS Features

    Operation of Network-Based IPSec VPNs

    Network-Based VPN Deployment Scenarios

    Summary

    Index

  • 8/21/2019 IpSec VPN Design

    4/394

    Copyright

    IPSec VPN Design

    Vijay Bollapragada, Mohamed Khalid, Scott Wainner

    Copyright 2005 Cisco Systems, Inc.

    Cisco Press logo is a trademark of Cisco Systems, Inc.

    Published by:Cisco Press

    800 East 96th StreetIndianapolis, IN 46240 USA

    All rights reserved. No part of this book may be reproduced or transmitted in any form or by anymeans, electronic or mechanical, including photocopying, recording, or by any information storageand retrieval system, without written permission from the publisher, except for the inclusion of briefquotations in a review.

    Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

    First Printing April 2005

    Library of Congress Cataloging-in-Publication Number: 2002106378

    ISBN: 1-58705-111-7

    Warning and Disclaimer

    This book is designed to provide information about IPSec VPN design. Every effort has been made tomake this book as complete and as accurate as possible, but no warranty or fitness is implied.

    The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc.

    shall have neither liability nor responsibility to any person or entity with respect to any loss ordamages arising from the information contained in this book or from the use of the discs or programsthat may accompany it.

    The opinions expressed in this book belong to the author and are not necessarily those of Cisco

    Systems, Inc.

    Corporate and Government Sales

    Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases orspecial sales.

    For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419,

  • 8/21/2019 IpSec VPN Design

    5/394

    [email protected]

    For sales outside the U.S., please contact International Sales at [email protected]

    Trademark Acknowledgments

    All terms mentioned in this book that are known to be trademarks or service marks have beenappropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this

    information. Use of a term in this book should not be regarded as affecting the validity of any

    trademark or service mark.

    Feedback Information

    At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each

    book is crafted with care and precision, undergoing rigorous development that involves the uniqueexpertise of members from the professional technical community.

    Readers' feedback is a natural continuation of this process. If you have any comments regarding howwe could improve the quality of this book, or otherwise alter it to better suit your needs, you can

    contact us through email at [email protected] Please make sure to include the book title andISBN in your message.

    We greatly appreciate your assistance.

    Publisher John Wait

    Editor-in-Chief John Kane

    Cisco Representative Anthony Wolfenden

    Cisco Press Program Manager Jeff Brady

    Executive Editor Brett Bartow

    Production Manager Patrick Kanouse

    Development Editor Grant Munroe

    Project Editor Sheila Schroeder

    Copy Editor Michelle Grandin

    Technical Editors Anthony Kwan, Suresh Subbarao, MichaelSullenberger

    Team Coordinator Tammi Barnett

Search related