Telecommunications

Aug. 7, 2009, 5:16 p.m.
posted by prosto

Basic IPsec VPN Topologies and Configurations




Basic IPsec VPN Topologies and Configurations

In this chapter, we will review several common deployments of IPsec virtual private networks (VPNs). We will begin by reviewing the typical site-to-site IPsec model over a dedicated circuit between two endpoints, then discuss some of the design implications as that dedicated circuit grows to include an entire routed domain. We will discuss aggregation of many site-to-site IPsec VPNs at an aggregation point, or hub IPsec router, in a standard hub-and-spoke design and extend the IPsec aggregation concept to include Remote Access VPN (RAVPN) design considerations. Figure illustrates a loose process that may be helpful when configuring a crypto endpoint for basic IPsec operations. Though effective IPsec VPN design drives the complexity of configuration far beyond what is depicted in Figure, most of the basic topologies we will discuss will relate to this procedure on a fundamental level.

High-Level Configuration Process for IPsec VPN

[View full size image]


Each of the following deployments requires the configuration of IPsec in a point-to-point fashion in one way or another. As such, all of the topologies discussed share common configuration tasks to establish the IPsec tunnel:

Step 1.
Decide how strong the IPsec transform must be and what mode the tunnel must use (define IPsec Transform Set).

Step 2.
Decide how the session keys must be derived and if IKE is necessary (create ISAKMP Policy or Session Keys within Crypto Map).

Step 3.
If IKE is required, decide on ISAKMP policy parameters (create Internet Security Association and Key Management Protocol policy), addressing the following tasks in your configuration:

  • Authentication method (select one of the following):

    Assign key and peer if pre-shared.

    Create and share RSA public keys if RSA-encr.

    Authenticate and enroll with CA if RSA-sig.

  • Diffie-Hellman Key Modulus (Group #)

  • Hash used for IKE authentication

  • Encryption method used for IKE channel

Step 4.
Identify and assign IPsec peer and any High-Availability requirements. (Create crypto map.)

Note

In this chapter, topologies will include only limited discussions of IPsec High-Availability (HA) design concepts. IPsec HA design and examples are discussed in greater detail in Chapters 59.

Step 5.
Define traffic sets to be encrypted (Crypto ACL Definition and Crypto Map Reference).

Step 6.
Identify requirement for PFS and reference PFS group in crypto map if necessary.

Step 7.
Apply crypto map to crypto interfaces.


 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows