When referring to technologies "on-a-stick," we are typically describing a scenario in which the device performing that technical function is attached to the network using a single interface. Common examples that can reside "on-a-stick" include router-on-a-stick, NAT-on-a-stick, and IPsec VPN termination-on-a-stick. In this section, we will discuss the latest of the three, focusing on IPsec Virtual Private Network (VPN) deployment scenarios in which one or both IPsec VPN tunnel termination points are attached out-of-path using a single physical interface for network connectivity. IPsec with Router-on-a-Stick Design OverviewAlthough they do exist in many network deployments, cases in which administrators would opt for IPsec VPN tunnel termination "on-a-stick" are rare. Furthermore, of those existing cases, this design option is most commonly used as an alternative to accommodate other areas of the network architecture, rather than as an option that an administrator would choose over in-path IPsec VPN design options discussed previously. IPsec termination on-a-stick refers to a deployment scenario in which the IPsec tunnel termination point is attached to the network using a single network interface. As such, this design option places crypto and IPsec functionality outside of the data path, as illustrated in Figure 10-1. Figure 10-1. IPsec VPN Tunnel Termination "On-a-Stick"Figure 10-1 depicts a rare scenario in which IPsec using router-on-a-stick is required. Let's now discuss some of the circumstances that force this scenario to exist. Single, Flatly Addressed L3 DomainThe key design driver here is that the cable modem and integrated bridge provides only one flat Layer 2 domain for devices to attach to. Although it is rare to see a VPN concentrator with one interface (most devices will ship with multiple interfaces to reside in-path), the bridged layout of this network design on the LAN side presents only one interface from a L3 perspective. In other words, a second interface on the VPN concentrator or router would yield no benefit, as one would be unable to assign it an IP address (it would conflict with the other interface connected to the bridged domain). Lack of In-Path Design OptionsThe flat L3 network forces the IPsec VPN tunnel outside of the data path. Due to the fact that only one L3 interface can be attached to this bridged LAN, the encryptor is unable to reside inside the unencrypted data path. Note In-Path and Out-of-Path refer to the path of the unencrypted data flows. The encrypted data must flow through the IPsec VPN tunnel endpoint, even in "on-a-stick" implementations. In-Path versus Out-of-Path comparisons are discussed later in this chapter. In this situation, IPsec VPN tunnel termination "on-a-stick" can be used to provide encryption for resources on the bridged LAN in Figure 10-1. This design option involves several components, some of which are unique to this design. Single Interface to the Bridged LANThis interface resides outside of the unencrypted data path. This requires that network resources traversing the VPN tunnel use the IP address of the IPsec VPN tunnel termination point that connects to the bridged LAN as their default gateways. Crypto-Enabled Loopback InterfaceThis interface essentially serves as the crypto interface used to terminate the IPsec VPN tunnel. In Chapter 6, "Solutions for Local Site-to-Site High Availability," we discussed the use of a loopback interface to terminate the IPsec VPN tunnel for local High Availability (HA). In this situation, we will actually apply the crypto map to the loopback interface itself and loop encrypted traffic back onto the bridged LAN. Figure 10-2 displays this operation. Figure 10-2. IPsec VPN Tunnel Termination On-a-Stick Using Loopback Interfaces for CryptoThe process in Figure 10-2 is as follows:
Note These steps described vary slightly from the ones outlined in the ensuing case study, as the case study includes IPsec VPN tunnel termination on-a-stick and Network Address Translation (NAT) on-a-stick, while the example we have just discussed includes only IPsec VPN tunnel termination on-a-stick without NAT. Let's now take a look at a case study that will illustrate the operation of IPsec VPN tunnel termination "on-a-stick," including a real-world scenario in which this rare choice of IPsec design is used and working configurations. Case Study: Small Branch IPsec VPN Tunnel Termination with NAT On-a-StickIn this section, we will discuss a scenario in which a large company in retail wants to deploy secure, low-cost IP communications at each of its stores globally. At each branch location, there are server applications that collect and store customer information and financial data. That data must be reliably relayed to centralized data storage facilities in the company's data center, which is centrally located at the corporation's headquarters. For this reason, the customer is interested in a simple, low-cost solution for relaying this information from their many retail locations over the WAN to the data center at the corporate HQ. The corporate IT staff is interested in using an Internet managed service to provide the WAN connectivity to HQ to meet several critical business objectives, including:
The corporation's IT staff has been in contact with several service providers who will offer managed services that may meet the retailer's business requirement. The managed service offers basic IP connectivity using a cable modem at the remote retail location. The service also includes a workgroup switch for connecting devices together on the retailer's LAN, but the functionality of the switch is very basic and therefore does not include support VLANs or 802.1q trunking. Given the retailer's business objectives, these circumstances present design challenges at the retailer's remote locations, including the following:
The retailer agrees to a small pilot of the Internet service provider's (ISP's) managed service. As depicted in remote retail store LAN pilot topology in Figure 10-1, the corporate IT staff elects to use a small IPsec-enabled router, such as the Cisco 1845 ISR, to enable two key services at the remote retail locationData Confidentiality (IPsec) and NAT. Let us take a quick step-by-step look at the life of a packet on egress from the remote retail LAN en route to centralized corporate resources before diving in to some configuration examples for enabling data confidentiality and NAT in "on-a-stick" environments:
Data confidentiality is required across the WAN using IPsec VPN tunnel termination. The IPsec VPN gateway at the remote branch resides out-of-path, and is therefore considered to be deployed "on-a-stick." This out-of-path design option was selected for the retailer's pilot program due to the fact that the branch LAN switch is incapable of providing multiple L3 domains. As such, only one L3 domain is presented to the IPsec VPN-enabled router on-a-stick, supporting only a single L2 connection between the router and the switch. Example 10-1 provides a configuration for the retail branch LAN's IPsec VPN gateway. The IPsec VPN gateway is configured to use the ESP-3DES with MD5 HMAC authentication on data sent to and received from the remote IPsec VPN gateway at 24.10.100.1, as illustrated in configuration lines 10 and 20, respectively. Note that, in line 20, the crypto map is applied to the loopback interface rather than a physical interface. It is important to note that the crypto map matches ACL 102 specifying the inside global IP address space as the source. This is because encryption occurs after NAT when the two are configured concurrently. As illustrated in Example 10-2, all traffic to be translated on-a-stick is policy routed to loopback 201. This enables traffic from the 10.0.0.0/8 address space on the retailer's LAN to be NAT'd between inside (e0/0) and outside (lo201) before being encrypted using the crypto map on loopback 201. Provided in line 26 is the crypto ACL used by the retail branch LAN VPN gateway. Note that the source IP address space is the inside global address space. This configuration is required for IPsec to properly agree upon consistent protected address space when negotiating a Phase 2 SA, as encryption occurs after NAT. If not properly configured with the correct addresses, a crypto ACL scope inconsistency can cause Phase 2 negotiation to fail. Example 10-1. IPsec VPN Tunnel Termination "On-a-Stick" Using Logical (Loopback) Interfaces
NAT on-a-stick supports IP communications with privately addressed devices across a publicly addressed infrastructure. In this case, the retailer has not been given enough publicly routable address space for all of the IP-enabled resources to communicate across the Internet. Therefore NAT must be used to translate the privately addressed IP addresses in to public ones so that they can be routed across the Internet to the retailer's data center at its HQ. Because there is only one connection between the IPsec VPN-enabled router and the remote retail site's LAN switch, like IPsec VPN tunnel termination, this service must also exist "on-a-stick." Example 10-2 provides a sample NAT on-a-stick configuration that the retail branch LAN IPsec VPN gateway uses in conjunction with its IPsec VPN tunnel termination configuration on-a-stick in Example 10-1. Example 10-2. Network Address Translation "On-a-Stick" Using Logical (Loopback) Interfaces
Once the appropriate configurations have been put in place, the retailer takes several measures to ensure that the operation of the IPsec VPN router on-a-stick is working correctly with NAT:
|