
IPSEC VPN Fundamentals


  • 7/13/2019 IPSEC VPN Fundamentals

    1/480

    From the Library of Ahmed


Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

IPsec Virtual Private Network Fundamentals

James Henry Carmouche, CCIE No. 6085


IPsec Virtual Private Network Fundamentals
James Henry Carmouche, CCIE No. 6085

Copyright 2007 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing June 2006

Library of Congress Cataloging-in-Publication Number: 2004107143

ISBN: 1-58705-207-5

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
This book is designed to provide information about IPsec virtual private networks. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.

For more information please contact: U.S. Corporate and Government Sales [email protected]

For sales outside the U.S. please contact: International Sales [email protected]

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected] Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.


    Publisher Paul Boger

    Cisco Representative Anthony Wolfenden

    Cisco Press Program Manager Jeff Brady

    Executive Editor Brett Bartow

Production Manager Patrick Kanouse

Development Editor Andrew Cupp

    Project Editor Interactive Composition Corporation

    Copy Editor Interactive Composition Corporation

    Technical Editors Aamer Akhter, Jason Guy, Mark J. Newcomb

    Editorial Assistant Katherine Linder

    Book and Cover Designer Louisa Adair

    Composition Interactive Composition Corporation

    Indexer Tim Wright


About the Author
James Henry Carmouche, CCIE No. 6085, is a technical marketing engineer on the Cisco Enterprise Systems Engineering team, where he is currently responsible for architecting, constructing, and validating enterprise-class network systems solutions. As part of his solution development responsibilities, Henry researches and publishes solution reference designs for use by customers, technical sales staff members, and marketing staff members. Prior to joining ESE, Henry worked as a technical marketing engineer in the Cisco Government Systems Unit, where he was responsible for bringing advanced security products to market, building technical marketing collateral and presentations, and designing new product introduction training for the GSU's newly introduced security platforms. In addition to his product and solution development experience, Henry has more than six years of technical consulting experience, including three years as a network consulting engineer in the Cisco Advanced Services Group. Henry earned an M.B.A. degree from UNC's Kenan-Flagler Business School and a B.S. degree in mechanical engineering from Lehigh University. Henry currently lives in Chapel Hill, NC, with his wife and two sons.

About the Technical Reviewers
Aamer Akhter, CCIE No. 4543, joined Cisco Systems in 1998 after graduating from Georgia Tech with a B.S. degree in electrical engineering to work in the Cisco Technical Assistance Center. He then supported the larger enterprise customers from Cisco in the NSA unit, where he helped design and deploy several large Layer 2 networks. Aamer later moved to Networked Solutions Integration Test Engineering (NSITE), where after a brief stint with IPsec VPNs, he moved into a new group for testing MPLS-VPNs. Five years later, MPLS-VPNs had matured much, but testing of MPLS-related technologies still continues. Aamer is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort.

Jason Guy is an engineer within the Cisco Systems NSITE Security team, an organization responsible for network-based security solution testing. Jason is a member of a team responsible for testing, validating, scaling, and assisting in deployment of the Cisco security solution. Jason's primary focus is on firewalls, IPsec Remote Access, and SSL VPN testing. Prior to his work on the security technologies, Jason worked on the AToM Layer 2 VPN and MPLS VPN teams. Jason received his Master of Computer Engineering degree from North Carolina State University in Raleigh, NC.

Mark J. Newcomb, CCNP, CCDP, is a retired network security engineer. Mark has more than 20 years' experience in the networking industry, focusing on the financial and medical industries. Mark is a frequent contributor and reviewer for Cisco Press books.


Dedication
For my loving wife, Kristen, and my two wonderful sons, James and Charlie. This would not have been possible without your unconditional love, support, and inspiration.


Acknowledgments
During the development of this book, I had the privilege to work in three different groups at Cisco. Thank you to all of my teammates in Enterprise Systems Engineering, the Government Systems Unit, and Advanced Services who have lent me your professional acumen and loyal friendship over the years.

I'd like to thank Mike O'Shea for his support and friendship over the course of developing this book. Mike's sound professional and personal advice has helped me endure the ebbs and flows of sanity while balancing a challenging workload and added development responsibilities associated with writing this book.

Thank you to Pavan Reddy, one of the sharpest technical minds in Advanced Services, who was instrumental in helping me outline and define this scope of work and whose technical advice and words of encouragement throughout the course of developing this book have proven to be invaluable.

And on that note, many thanks go out to Andrew Cupp and Brett Bartow for their patience, understanding, and support during this process. An author could not have asked for a more professional team to work with while developing and publishing his work.


This Book Is Safari Enabled
The Safari Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days.

Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.

To gain 45-day Safari Enabled access to this book:
Go to http://www.ciscopress.com/safarienabled
Complete the brief registration form
Enter the coupon code 6LL4-NBLJ-5EK4-HDJP-PKVQ

If you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail [email protected]


    Contents at a Glance

    Introduction xvii

    Part I Introductory Concepts and Configuration/Troubleshooting 3

    Chapter 1 Introduction to VPN Technologies 5

    Chapter 2 IPsec Fundamentals 35

    Chapter 3 Basic IPsec VPN Topologies and Configu
