SKIP THE SHIPPING
Use code NOSHIP during checkout to save 40% on eligible eBooks, now through January 5. Shop now.
Register your product to gain access to bonus material or receive a coupon.
This eBook includes the following formats, accessible from your Account page after purchase:
EPUB The open industry format known for its reflowable content and usability on supported mobile devices.
PDF The popular standard, used most often with the free Acrobat® Reader® software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
An introduction to designing and configuring Cisco IPsec VPNs
IPsec Virtual Private Network Fundamentals provides a basic working knowledge of IPsec on various Cisco routing and switching platforms. It provides the foundation necessary to understand the different components of Cisco IPsec implementation and how it can be successfully implemented in a variety of network topologies and markets (service provider, enterprise, financial, government). This book views IPsec as an emerging requirement in most major vertical markets, explaining the need for increased information authentication, confidentiality, and non-repudiation for secure transmission of confidential data. The book is written using a layered approach, starting with basic explanations of why IPsec was developed and the types of organizations relying on IPsec to secure data transmissions. It then outlines the basic IPsec/ISAKMP fundamentals that were developed to meet demand for secure data transmission. The book covers the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics including high availability solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples are provided in each chapter to reinforce the fundamentals expressed in text and to assist readers in translating concepts into practical deployment scenarios. Additionally, comprehensive case studies are incorporated throughout to map topics to real-world solutions.
Contents
Introduction
Part I Introductory Concepts and Configuration/Troubleshooting
Chapter 1 Introduction to VPN Technologies
VPN Overview of Common Terms
Characteristics of an Effective VPN
VPN Technologies
Virtual Private Dialup Networks
Multiprotocol Label Switching VPNs
IPsec VPNs
Transport Layer VPNs
Common VPN Deployments
Site-to-Site VPNs
Remote Access VPNs
Business Drivers for VPNs
Remote Access VPN Business Drivers–A Practical Example
Site-to-Site VPN Business Drivers–A Practical Example
IPsec VPNs and the Cisco Security Framework
Summary
Chapter 2 IPsec Fundamentals
Overview of Cryptographic Components
Asymmetric Encryption
Symmetric Encryption
Message Authentication, Message Integrity, and Sender Nonrepudiation Mechanisms
Public Key Encryption Methods
RSA Public-Key Technologies
Diffie-Hellman Key Exchange
The IP Security Protocol (IPsec)
IPsec Modes
IPsec Transforms
IPsec SA
IPsec Configuration Elements
Manual Keying
The Need for Security Association and Key Management
IKE and ISAKMP
IKE and ISAKMP Terminology and Background
IKE SA Negotiation and Maintenance
IPsec Diffie-Hellman Shared Secret Key Generation Using IKE
IKE Authentication Services
IKE Phase I Negotiation
IKE Phase II Negotiation
Configuring ISAKMP
IKE with RAVPN Extensions
Summary
Chapter 3 Basic IPsec VPN Topologies and Configurations
Site-to-Site IPsec VPN Deployments
Site-to-Site VPN Architectural Overview for a Dedicated Circuit
Site-to-Site Architectural Overview over a Routed Domain
Site-to-Site IPsec VPN Deployments and GRE (IPsec+GRE)
Site-to-Site IPsec+GRE Architectural Overview
Site-to-Site IPsec+GRE Sample Configurations
Hub-and-Spoke IPsec VPN Deployments
Hub-and-Spoke Architectural Overview
Standard Hub-and-Spoke Design without High Availability
Clustered Spoke Design to Redundant Hubs
Redundant Clustered Spoke Design to Redundant Hubs
Remote Access VPN Deployments
RAVPN Architectural Overview
RAVPN Clients
Standalone VPN Concentrator Designs
Clustered VPN Concentrator Designs
Summary
Chapter 4 Common IPsec VPN Issues
IPsec Diagnostic Tools within Cisco IOS
Common Configuration Issues with IPsec VPNs
IKE SA Proposal Mismatches
IKE Authentication Failures and Errors
IPsec SA Proposal Mismatches
Crypto-Protected Address Space Issues (Crypto ACL Errors)
Architectural and Design Issues with IPsec VPNs
Troubleshooting IPsec VPNs in Firewalled Environments
NAT Issues in IPsec VPN Designs
The Influence of IPsec on Traffic Flows Requiring QoS
Solving Fragmentation Issues in IPsec VPNs
The Effect of Recursive Routing on IPsec VPNs
Summary
Part II Designing VPN Architectures
Chapter 5 Designing for High Availability
Network and Path Redundancy
IPSec Tunnel Termination Redundancy
Multiple Physical Interface HA with Highly Available Tunnel Termination Interfaces
Tunnel Termination HA Using HSRP/VRRP Virtual Interfaces
HA with Multiple Peer Statements
RP-based IPSec HA
Managing Peer and Path Availability
Peer Availability
Path Availability
Managing Path Symmetry
Load Balancing, Load Sharing, and High Availability
Load-Sharing with Peer Statements
Routing
Domain Name System (DNS)
Cisco VPN3000 Concentrator Clustering
IPSec Session Load-Balancing Using External Load Balancers
Summary
Chapter 6 Solutions for Local Site-to-Site High Availability
Using Multiple Crypto Interfaces for High Availability
Impact of Routing Protocol Reconvergence on IPsec Reconvergence
Impact of Stale SAs on IPsec Reconvergence
Impact of IPsec and ISAKMP SA Renegotiation on IPsec Reconvergence
Stateless IPsec VPN High-Availability Alternatives
Solution Overview for Stateless IPsec High Availability
Stateless High Availability Failover Process
Stateful IPsec VPN High-Availability Alternatives
Solution Overview for Stateful IPsec High Availability
Stateful High Availability Failover Process
Summary
Stateless IPsec VPN High Availability Design Summary
Stateful IPsec VPN High Availability Design Summary
Chapter 7 Solutions for Geographic Site-to-Site High Availability
Geographic IPsec VPN HA with Reverse Route Injection and Multiple IPsec Peers
Solution Overview for RRI with Multiple IPsec Peers
Geographic IPsec VPN High Availability with IPsec+GRE and Encrypted Routing
Protocols
Solution Overview for IPsec+GRE with Encrypted Routing Protocols
Dynamic Multipoint Virtual Private Networks
DMVPN Solution Design Drivers
DMVPN Component-Level Overview and System Operation
Summary
Chapter 8 Handling Vendor Interoperability with High Availability
Vendor Interoperability Impact on Peer Availability
The Inability to Specify Multiple Peers
Lack of Peer Availability Mechanisms
Vendor Interoperability Impact on Path Availability
IPSec HA Design Considerations for Platforms with Limited Routing
Protocol Support
IPSec HA Design Considerations for Lack of RRI Support
IPSec HA Design Considerations for Lack of Generic Routing Encapsulation (GRE)
Support
Vendor Interoperability Design Considerations and Options
Phase 1 and 2 SA Lifetime Expiry
SADB Management with Quick Mode Delete Notify Messages
Invalid Security Parameter Index Recovery
Vendor Interoperability with Stateful IPSec HA
Summary
Chapter 9 Solutions for Remote-Access VPN High Availability
IPsec RAVPN Concentrator High Availability Using Virtual Interfaces for Tunnel
Termination
IPsec RAVPN Concentrator High Availability Using VRRP
IPsec RAVPN Concentrator HA Using HSRP
IPsec RAVPN Concentrator HA Using the VCA Protocol
IPsec RAVPN Geographic HA Design Options
VPN Concentrator Session Load Balancing Using DNS
VPN Concentrator Redundancy Using Multiple Peers
Summary
Chapter 10 Further Architectural Options for IPsec
IPsec VPN Termination On-a-Stick
IPsec with Router-on-a-Stick Design Overview
Case Study: Small Branch IPsec VPN Tunnel Termination with NAT On-a-Stick
In-Path Versus Out-of-Path Encryption with IPsec
Out-of-Path Encryption Design Overview
Case Study: Firewalled Site-to-Site IPsec VPN Tunnel Termination
Separate Termination of IPsec and GRE (GRE-Offload)
GRE-Offload Design Overview
Case Study: Large-Scale IPsec VPN Tunnel Termination with GRE Offload
Summary
Part III Advanced Topics
Chapter 11 Public Key Infrastructure and IPsec VPNs
PKI Background
PKI Components
Public Key Certificates
Registration Authorities
Certificate Revocation Lists and CRL Issuers
Certificate Authorities
PKI Cryptographic Endpoints
Life of a Public Key Certificate
RSA Signatures and X.509v3 Certificates
Generating Asymmetric Keypairs on Cryptographic Endpoints
Registration and Endpoint Authentication
Receipt and Authentication of the CA’s Certificate
Forwarding and Signing of Public Keys
Obtaining and Using Public Key Certificates
PKI and the IPSec Protocol Suite–Where PKI Fits into the IPSec model
OCSP and CRL Scalability
OCSP
Case Studies and Sample Configurations
Case Study 1: PKI Integration of Cryptographic Endpoints
Case Study 2: PKI with CA and RA
Case Study 3: PKI with Redundant CAs (CA Hierarchy)
Summary
Chapter 12 Solutions for Handling Dynamically Addressed Peers
Dynamic Crypto Maps
Dynamic Crypto Map Impact on VPN Behavior
Dynamic Crypto Map Configuration and Verification
Tunnel Endpoint Discovery
TED Configuration and Verification
Case Study–Using Dynamic Addressing with Low-Maintenance Small Home Office
Deployments
Summary
Appendix A Resources
Books
RFCs
Web and Other Resources
Index