IPsec Virtual Private Network Fundamentals
7/13/2019 IPSEC VPN Fundamentals
From the Library of Ahmed
800 East 96th Street
Indianapolis, Indiana 46240 USA
Cisco Press
IPsec Virtual Private Network Fundamentals
James Henry Carmouche, CCIE No. 6085
IPsec Virtual Private Network Fundamentals
James Henry Carmouche, CCIE No. 6085
Copyright 2007 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing June 2006
Library of Congress Cataloging-in-Publication Number: 2004107143
ISBN: 1-58705-207-5
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
This book is designed to provide information about IPsec virtual private networks. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.
For more information please contact: U.S. Corporate and Government Sales [email protected]
For sales outside the U.S. please contact: International Sales [email protected]
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Publisher Paul Boger
Cisco Representative Anthony Wolfenden
Cisco Press Program Manager Jeff Brady
Executive Editor Brett Bartow
Production Manager Patrick Kanouse
Development Editor Andrew Cupp
Project Editor Interactive Composition Corporation
Copy Editor Interactive Composition Corporation
Technical Editors Aamer Akhter, Jason Guy, Mark J. Newcomb
Editorial Assistant Katherine Linder
Book and Cover Designer Louisa Adair
Composition Interactive Composition Corporation
Indexer Tim Wright
About the Author
James Henry Carmouche, CCIE No. 6085, is a technical marketing engineer on the Cisco
Enterprise Systems Engineering team, where he is currently responsible for architecting,
constructing, and validating enterprise-class network systems solutions. As part of his solution
development responsibilities, Henry researches and publishes solution reference designs for use
by customers, technical sales staff members, and marketing staff members. Prior to joining ESE,
Henry worked as a technical marketing engineer in the Cisco Government Systems Unit, where
he was responsible for bringing advanced security products to market, building technical
marketing collateral and presentations, and designing new product introduction training for the
GSU's newly introduced security platforms. In addition to his product and solution development
experience, Henry has more than six years of technical consulting experience, including three
years as a network consulting engineer in the Cisco Advanced Services Group. Henry earned an
M.B.A. degree from UNC's Kenan-Flagler Business School and a B.S. degree in mechanical
engineering from Lehigh University. Henry currently lives in Chapel Hill, NC, with his wife and
two sons.
About the Technical Reviewers
Aamer Akhter, CCIE No. 4543, joined Cisco Systems in 1998 after graduating from Georgia
Tech with a B.S. degree in electrical engineering to work in the Cisco Technical Assistance Center.
He then supported the larger enterprise customers from Cisco in the NSA unit, where he helped
design and deploy several large Layer 2 networks. Aamer later moved to Networked Solutions
Integration Test Engineering (NSITE), where after a brief stint with IPsec VPNs, he moved into a
new group for testing MPLS-VPNs. Five years later, MPLS-VPNS had matured much but testing
of MPLS-related technologies still continues. Aamer is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort.
Jason Guy is an engineer within the Cisco Systems NSITE Security team, an organization
responsible for network-based security solution testing. Jason is a member of a team responsible
for testing, validating, scaling, and assisting in deployment of the Cisco security solution. Jason's
primary focus is on firewalls, IPsec Remote Access, and SSL VPN testing. Prior to his work on the
security technologies, Jason worked on the AToM Layer 2 VPN and MPLS VPN teams. Jason
received his Masters of Computer Engineering degree from North Carolina State University in
Raleigh, NC.
Mark J. Newcomb, CCNP, CCDP, is a retired network security engineer. Mark has more than
20 years' experience in the networking industry, focusing on the financial and medical industries.
Mark is a frequent contributor and reviewer for Cisco Press books.
Dedication
For my loving wife, Kristen, and my two wonderful sons, James and Charlie. This would not have
been possible without your unconditional love, support, and inspiration.
Acknowledgments
During the development of this book, I had the privilege to work in three different groups at Cisco.
Thank you to all of my teammates in Enterprise Systems Engineering, the Government Systems
Unit, and Advanced Services who have lent me your professional acumen and loyal friendship
over the years.
I'd like to thank Mike O'Shea for his support and friendship over the course of developing this
book. Mike's sound professional and personal advice has helped me endure the ebbs and flows
of sanity while balancing a challenging workload and added development responsibilities
associated with writing this book.
Thank you to Pavan Reddy, one of the sharpest technical minds in Advanced Services, who was
instrumental in helping me outline and define this scope of work and whose technical advice and
words of encouragement throughout the course of developing this book have proven to be
invaluable.
And on that note, many thanks go out to Andrew Cupp and Brett Bartow for their patience,
understanding, and support during this process. An author could not have asked for a more
professional team to work with while developing and publishing his work.
This Book Is Safari Enabled
The Safari Enabled icon on the cover of your favorite technology book
means the book is available through Safari Bookshelf. When you buy this
book, you get free access to the online edition for 45 days.
Safari Bookshelf is an electronic reference library that lets you easily search
thousands of technical books, find code samples, download chapters, and
access technical information whenever and wherever you need it.
To gain 45-day Safari Enabled access to this book:
Go to http://www.ciscopress.com/safarienabled
Complete the brief registration form
Enter the coupon code 6LL4-NBLJ-5EK4-HDJP-PKVQ
If you have difficulty registering on Safari Bookshelf or accessing the online
edition, please e-mail [email protected]
Contents at a Glance
Introduction xvii
Part I Introductory Concepts and Configuration/Troubleshooting 3
Chapter 1 Introduction to VPN Technologies 5
Chapter 2 IPsec Fundamentals 35
Chapter 3 Basic IPsec VPN Topologies and Configu