IPSec VPN Design
About the Book

The definitive design and deployment guide for secure virtual private networks

  • Learn about IPSec protocols and Cisco IOS IPSec packet processing
  • Understand the differences between IPSec tunnel mode and transport mode
  • Evaluate the IPSec features that improve VPN scalability and fault tolerance, such as dead peer detection and control plane keepalives
  • Overcome the challenges of working with NAT and PMTUD
  • Explore IPSec remote-access features, including extended authentication, mode-configuration, and digital certificates
  • Examine the pros and cons of various IPSec connection models such as native IPSec, GRE, and remote access
  • Apply fault tolerance methods to IPSec VPN designs
  • Employ mechanisms to alleviate the configuration complexity of a large-scale IPSec VPN, including Tunnel End-Point Discovery (TED) and Dynamic Multipoint VPNs (DMVPN)
  • Add services to IPSec VPNs, including voice and multicast
  • Understand how network-based VPNs operate and how to integrate IPSec VPNs with MPLS VPNs

Among the many functions that networking technologies permit is the ability for organizations to easily and securely communicate with branch offices, mobile users, telecommuters, and business partners. Such connectivity is now vital to maintaining a competitive level of business productivity. Although several technologies exist that can enable interconnectivity among business sites, Internet-based virtual private networks (VPNs) have evolved as the most effective means to link corporate network resources to remote employees, offices, and mobile workers. VPNs provide productivity enhancements, efficient and convenient remote access to network resources, site-to-site connectivity, a high level of security, and tremendous cost savings.

IPSec VPN Design is the first book to present a detailed examination of the design aspects of IPSec protocols that enable secure VPN communication. Divided into three parts, the book provides a solid understanding of design and architectural issues of large-scale, secure VPN solutions. Part I includes a comprehensive introduction to the general architecture of IPSec, including its protocols and Cisco IOS® IPSec implementation details. Part II examines IPSec VPN design principles covering hub-and-spoke, full-mesh, and fault-tolerant designs. This part of the book also covers dynamic configuration models used to simplify IPSec VPN designs. Part III addresses design issues in adding services to an IPSec VPN such as voice and multicast. This part of the book also shows you how to effectively integrate IPSec VPNs with MPLS VPNs.

IPSec VPN Design provides you with the field-tested design and configuration advice to help you deploy an effective and secure VPN solution in any environment.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Table of Contents:
Introduction

Chapter 1: Introduction to VPNs
  Motivations for Deploying a VPN; VPN Technologies; Layer 2 VPNs; Layer 3 VPNs; Remote Access VPNs; Summary

Chapter 2: IPSec Overview
  Encryption Terminology; Symmetric Algorithms; Asymmetric Algorithms; Digital Signatures; IPSec Security Protocols; IPSec Transport Mode; IPSec Tunnel Mode; Encapsulating Security Header (ESP); Authentication Header (AH); Key Management and Security Associations; The Diffie-Hellman Key Exchange; Security Associations and IKE Operation; IKE Phase 1 Operation; IKE Phase 2 Operation; IPSec Packet Processing; Summary

Chapter 3: Enhanced IPSec Features
  IKE Keepalives; Dead Peer Detection; Idle Timeout; Reverse Route Injection; RRI and HSRP; Stateful Failover; SADB Transfer; SADB Synchronization; IPSec and Fragmentation; IPSec and PMTUD; Look Ahead Fragmentation; GRE and IPSec; IPSec and NAT; Effect of NAT on AH; Effect of NAT on ESP; Effect of NAT on IKE; IPSec and NAT Solutions; Summary

Chapter 4: IPSec Authentication and Authorization Models
  Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG); Mode-Configuration (MODECFG); Easy VPN (EzVPN); EzVPN Client Mode; Network Extension Mode; Digital Certificates for IPSec VPNs; Digital Certificates; Certificate Authority–Enrollment; Certificate Revocation; Summary

Chapter 5: IPSec VPN Architectures
  IPSec VPN Connection Models; IPSec Model; The GRE Model; The Remote Access Client Model; IPSec Connection Model Summary; Hub-and-Spoke Architecture; Using the IPSec Model; Transit Spoke-to-Spoke Connectivity Using IPSec; Internet Connectivity; Scalability Using the IPSec Connection Model; GRE Model; Transit Site-to-Site Connectivity; Transit Site-to-Site Connectivity with Internet Access; Scalability of GRE Hub-and-Spoke Models; Remote Access Client Connection Model; Easy VPN (EzVPN) Client Mode; EzVPN Network Extension Mode; Scalability of Client Connectivity Models; Full-Mesh Architectures; Native IPSec Connectivity Model; GRE Model; Summary

Chapter 6: Designing Fault-Tolerant IPSec VPNs
  Link Fault Tolerance; Backbone Network Fault Tolerance; Access Link Fault Tolerance; Access Link Fault Tolerance Summary; IPSec Peer Redundancy; Simple Peer Redundancy Model; Virtual IPSec Peer Redundancy Using HSRP; IPSec Stateful Failover; Peer Redundancy Using GRE; Virtual IPSec Peer Redundancy Using SLB; Server Load Balancing Concepts; IPSec Peer Redundancy Using SLB; Cisco VPN 3000 Clustering for Peer Redundancy; Peer Redundancy Summary; Intra-Chassis IPSec VPN Services Redundancy; Stateless IPSec Redundancy; Stateful IPSec Redundancy; Summary

Chapter 7: Auto-Configuration Architectures for Site-to-Site IPSec VPNs
  IPSec Tunnel Endpoint Discovery; Principles of TED; Limitations with TED; TED Configuration and State; TED Fault Tolerance; Dynamic Multipoint VPN; Multipoint GRE Interfaces; Next Hop Resolution Protocol; Dynamic IPSec Proxy Instantiation; Establishing a Dynamic Multipoint VPN; DMVPN Architectural Redundancy; DMVPN Model Summary; Summary

Chapter 8: IPSec and Application Interoperability
  QoS-Enabled IPSec VPNs; Overview of IP QoS Mechanisms; IPSec Implications for Classification; IPSec Implications on QoS Policies; VoIP Application Requirements for IPSec VPN Networks; Delay Implications; Jitter Implications; Loss Implications; IPSec VPN Architectural Considerations for VoIP; Decoupled VoIP and Data Architectures; VoIP over IPSec Remote Access; VoIP over IPSec-Protected GRE Architectures; VoIP Hub-and-Spoke Architecture; VoIP over DMVPN Architecture; VoIP Traffic Engineering Summary; Multicast over IPSec VPNs; Multicast over IPSec-protected GRE; Multicast on Full-Mesh Point-to-Point GRE/IPSec Tunnels; DMVPN and Multicast; Multicast Group Security; Multicast Encryption Summary; Summary

Chapter 9: Network-Based IPSec VPNs
  Fundamentals of Network-Based VPNs; The Network-Based IPSec Solution: IOS Features; The Virtual Routing and Forwarding Table; Crypto Keyrings; ISAKMP Profiles; Operation of Network-Based IPSec VPNs; A Single IP Address on the PE; Front-Door and Inside VRF; Configuration and Packet Flow; Termination of IPSec on a Unique IP Address Per VRF; Network-Based VPN Deployment Scenarios; IPSec to MPLS VPN over GRE; IPSec to L2 VPNs; PE-PE Encryption; Summary

Index

About the Author:
Vijay Bollapragada, CCIE® No. 1606, is a senior manager in the Network Systems Integration and Test Engineering group at Cisco Systems® where he works on the architecture, design, and validation of complex network solutions.

Mohamed Khalid, CCIE No. 2435, is a technical leader working with IP VPN solutions at Cisco®. He works extensively with service providers across the globe and their associated Cisco account teams to determine technical and engineering requirements for various IP VPN architectures.

Scott Wainner is a Distinguished Systems Engineer in the U.S. Service Provider Sales Organization at Cisco Systems where he focuses on VPN architecture and solution development. In this capacity, he provides customer guidance on IP VPN architectures and drives internal development initiatives within Cisco Systems.




Product Details
  • ISBN-13: 9780134384160
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Language: English
  • ISBN-10: 0134384164
  • Publisher Date: 29 Mar 2005
  • Binding: Digital download
  • No of Pages: 384

