Chapter 3. Basic IPsec VPN Topologies and Configurations


In this chapter, we will review several common deployments of IPsec virtual private networks (VPNs). We will begin by reviewing the typical site-to-site IPsec model over a dedicated circuit between two endpoints, then discuss some of the design implications as that dedicated circuit grows to include an entire routed domain. We will discuss aggregation of many site-to-site IPsec VPNs at an aggregation point, or hub IPsec router, in a standard hub-and-spoke design and extend the IPsec aggregation concept to include Remote Access VPN (RAVPN) design considerations. Figure 3-1 illustrates a loose process that may be helpful when configuring a crypto endpoint for basic IPsec operations. Though effective IPsec VPN design drives the complexity of configuration far beyond what is depicted in Figure 3-1, most of the basic topologies we will discuss will relate to this procedure on a fundamental level.

Figure 3-1. High-Level Configuration Process for IPsec VPN


Each of the following deployments requires the configuration of IPsec in a point-to-point fashion in one way or another. As such, all of the topologies discussed share common configuration tasks to establish the IPsec tunnel:

Step 1.

Decide how strong the IPsec transform must be and what mode the tunnel must use (define IPsec Transform Set).

Step 2.

Decide how the session keys must be derived and if IKE is necessary (create ISAKMP Policy or Session Keys within Crypto Map).

Step 3.

If IKE is required, decide on ISAKMP policy parameters (create Internet Security Association and Key Management Protocol policy), addressing the following tasks in your configuration:

  • Authentication method (select one of the following):

    Assign key and peer if pre-shared.

    Create and share RSA public keys if RSA-encr.

    Authenticate and enroll with CA if RSA-sig.

  • Diffie-Hellman Key Modulus (Group #)

  • Hash used for IKE authentication

  • Encryption method used for IKE channel

Step 4.

Identify and assign IPsec peer and any High-Availability requirements. (Create crypto map.)

Note

In this chapter, topologies will include only limited discussions of IPsec High-Availability (HA) design concepts. IPsec HA design and examples are discussed in greater detail in Chapters 5 through 9.

Step 5.

Define traffic sets to be encrypted (Crypto ACL Definition and Crypto Map Reference).

Step 6.

Identify requirement for PFS and reference PFS group in crypto map if necessary.

Step 7.

Apply crypto map to crypto interfaces.
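As an added illustration (not configuration from the book), the following Cisco IOS fragment walks one site-to-site endpoint through Steps 1 to 7 using IKE with pre-shared-key authentication. The addresses, ACL and map names, protected subnets, and the pre-shared-key placeholder are constructed; the SHA-256 and Diffie-Hellman Group 14 choices assume an IOS release that supports them.

```cisco
! Step 2/3: IKE is used, so build an ISAKMP policy. Each line is one of the
! Step 3 tasks: encryption for the IKE channel, hash for IKE authentication,
! authentication method, and Diffie-Hellman modulus (group).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Step 3 (pre-shared authentication): assign the key to the peer address.
! REPLACE-WITH-STRONG-KEY is a placeholder; use a long random value.
crypto isakmp key REPLACE-WITH-STRONG-KEY address 198.51.100.1
!
! Step 1: transform set (how strong IPsec must be) and tunnel mode.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 5: crypto ACL defining the traffic set to be encrypted
! (constructed example subnets; the mirror-image ACL goes on the peer).
ip access-list extended CRYPTO-ACL-TO-SITE-B
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 4: crypto map identifies the IPsec peer and ties the pieces together.
! Step 6: PFS is required here, so a PFS group is referenced in the map.
crypto map CMAP-SITE-B 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address CRYPTO-ACL-TO-SITE-B
!
! Step 7: apply the crypto map to the crypto (outside) interface.
interface GigabitEthernet0/0
 description Outside interface toward Site B (constructed address)
 ip address 192.0.2.1 255.255.255.0
 crypto map CMAP-SITE-B
```

After both endpoints are configured, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that the Phase 1 and Phase 2 security associations came up and that the transform, PFS group, and ACL match on both sides.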


IPsec Virtual Private Network Fundamentals
ISBN: 1587052075