IpSec VPN Design

8/21/2019 IpSec VPN Design

1/394

Table of

Contents

Index

IPSec VPN Design

By Vijay Bollapragada, Mohamed Khalid, Scott Wainner

Publisher: Cisco Press

Pub Date: April 07, 2005

ISBN: 1-58705-111-7

Pages: 384

Master IPSec-based Virtual Private Networks with guidance from the Cisco

Systems VPN Solutions group

Understand how IPSec VPNs are designed, built, and administered

Improve VPN performance through enabling of modern VPN servicessuch as performance, scalability, QoS, packet processing, multicast,and security

Integrate IPSec VPNs with MPLS, Frame Relay, and ATM technologies

As the number of remote branches and work-from-home employees grows

throughout corporate America, VPNs are becoming essential to bothenterprise networks and service providers. IPSec is one of the morepopular technologies for deploying IP-based VPNs. IPSec VPN Design

provides a solid understanding of the design and architectural issues ofIPSec VPNs. Some books cover IPSec protocols, but they do not address

overall design issues. This book fills that void.

IPSec VPN Designconsists of three main sections. The first sectionprovides a comprehensive introduction to the IPSec protocol, includingIPSec Peer Models. This section also includes an introduction to site-to-

site, network-based, and remote access VPNs. The second section isdedicated to an analysis of IPSec VPN architecture and proper designmethodologies. Peer relationships and fault tolerance models and

architectures are examined in detail. Part three addresses enabling VPNservices, such as performance, scalability, packet processing, QoS,

multicast, and security. This book also covers the integration of IPSecVPNs with other Layer 3 (MPLS VPN) and Layer 2 (Frame Relay, ATM)technologies; and discusses management, provisioning, and

troubleshooting techniques. Case studies highlight design, implementation,and management advice to be applied in both service provider andenterprise environments.

Table of

Contents

Index

IPSec VPN Design

By Vijay Bollapragada, Mohamed Khalid, Scott Wainner

Publisher: Cisco Press

Pub Date: April 07, 2005

ISBN: 1-58705-111-7

Pages: 384

Master IPSec-based Virtual Private Networks with guidance from the Cisco

Systems VPN Solutions group

Understand how IPSec VPNs are designed, built, and administered

Improve VPN performance through enabling of modern VPN servicessuch as performance, scalability, QoS, packet processing, multicast,and security

Integrate IPSec VPNs with MPLS, Frame Relay, and ATM technologies

As the number of remote branches and work-from-home employees grows

throughout corporate America, VPNs are becoming essential to bothenterprise networks and service providers. IPSec is one of the morepopular technologies for deploying IP-based VPNs. IPSec VPN Design

provides a solid understanding of the design and architectural issues ofIPSec VPNs. Some books cover IPSec protocols, but they do not address

overall design issues. This book fills that void.

IPSec VPN Designconsists of three main sections. The first sectionprovides a comprehensive introduction to the IPSec protocol, includingIPSec Peer Models. This section also includes an introduction to site-to-

site, network-based, and remote access VPNs. The second section isdedicated to an analysis of IPSec VPN architecture and proper designmethodologies. Peer relationships and fault tolerance models and

architectures are examined in detail. Part three addresses enabling VPNservices, such as performance, scalability, packet processing, QoS,

multicast, and security. This book also covers the integration of IPSecVPNs with other Layer 3 (MPLS VPN) and Layer 2 (Frame Relay, ATM)technologies; and discusses management, provisioning, and

troubleshooting techniques. Case studies highlight design, implementation,and management advice to be applied in both service provider andenterprise environments.

8/21/2019 IpSec VPN Design

2/394

Table of

Contents

Index

IPSec VPN Design

By Vijay Bollapragada, Mohamed Khalid, Scott Wainner

Publisher: Cisco Press

Pub Date: April 07, 2005

ISBN: 1-58705-111-7

Pages: 384

Copyright

About the Authors

About the Technical Editors

Acknowledgments

This Book Is Safari Enabled

Icons Used in This Book

Command Syntax Conventions

Introduction

Chapter 1. Introduction to VPNs

Motivations for Deploying a VPN

VPN Technologies

Summary

Chapter 2. IPSec Overview

Encryption Terminology

IPSec Security Protocols

Key Management and Security Associations Summary

Chapter 3. Enhanced IPSec Features

IKE Keepalives

Dead Peer Detection

Idle Timeout

Reverse Route Injection

Stateful Failover

IPSec and Fragmentation

GRE and IPSec

IPSec and NAT

Summary

Chapter 4. IPSec Authentication and Authorization Models

Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)

Mode-Configuration (MODECFG)

Easy VPN (EzVPN)

Digital Certificates for IPSec VPNs

8/21/2019 IpSec VPN Design

3/394

Summary

Chapter 5. IPSec VPN Architectures

IPSec VPN Connection Models

Hub-and-Spoke Architecture

Full-Mesh Architectures

Summary

Chapter 6. Designing Fault-Tolerant IPSec VPNs

Link Fault Tolerance

IPSec Peer Redundancy Using SLB

Intra-Chassis IPSec VPN Services Redundancy

Summary

Chapter 7. Auto-Configuration Architectures for Site-to-Site IPSec VPNs

IPSec Tunnel Endpoint Discovery

Dynamic Multipoint VPN

Summary

Chapter 8. IPSec and Application Interoperability

QoS-Enabled IPSec VPNs

VoIP Application Requirements for IPSec VPN Networks

IPSec VPN Architectural Considerations for VoIP

Multicast over IPSec VPNs

Summary

Chapter 9. Network-Based IPSec VPNs

Fundamentals of Network-Based VPNs

The Network-Based IPSec Solution: IOS Features

Operation of Network-Based IPSec VPNs

Network-Based VPN Deployment Scenarios

Summary

Index

8/21/2019 IpSec VPN Design

4/394

Copyright

IPSec VPN Design

Vijay Bollapragada, Mohamed Khalid, Scott Wainner

Copyright 2005 Cisco Systems, Inc.

Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by:Cisco Press

800 East 96th StreetIndianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by anymeans, electronic or mechanical, including photocopying, recording, or by any information storageand retrieval system, without written permission from the publisher, except for the inclusion of briefquotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing April 2005

Library of Congress Cataloging-in-Publication Number: 2002106378

ISBN: 1-58705-111-7

Warning and Disclaimer

This book is designed to provide information about IPSec VPN design. Every effort has been made tomake this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc.

shall have neither liability nor responsibility to any person or entity with respect to any loss ordamages arising from the information contained in this book or from the use of the discs or programsthat may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco

Systems, Inc.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases orspecial sales.

For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419,

8/21/2019 IpSec VPN Design

5/394

[email protected]

For sales outside the U.S., please contact International Sales at [email protected]

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have beenappropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this

information. Use of a term in this book should not be regarded as affecting the validity of any

trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each

book is crafted with care and precision, undergoing rigorous development that involves the uniqueexpertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding howwe could improve the quality of this book, or otherwise alter it to better suit your needs, you can

contact us through email at [email protected] Please make sure to include the book title andISBN in your message.

We greatly appreciate your assistance.

Publisher John Wait

Editor-in-Chief John Kane

Cisco Representative Anthony Wolfenden

Cisco Press Program Manager Jeff Brady

Executive Editor Brett Bartow

Production Manager Patrick Kanouse

Development Editor Grant Munroe

Project Editor Sheila Schroeder

Copy Editor Michelle Grandin

Technical Editors Anthony Kwan, Suresh Subbarao, MichaelSullenberger

Team Coordinator Tammi Barnett