Site-to-Site IPSec VPNs

This chapter covers the following topics:

• Preconfiguration checklist
• Configuration steps
• Advanced features
• Optional commands
• Deployment scenarios
• Monitoring and troubleshooting

Corporations continuously expand their operations by adding remote offices. These offices need network connectivity back to the corporate network for data transfer. Network administrators must evaluate the requirements and create the design to meet them. This includes selecting the network hardware platforms and the WAN technology to interconnect the branch and small offices. Some point-to-point WAN technologies include Frame Relay, Integrated Services Digital Network (ISDN), and Asynchronous Transfer Mode (ATM). Though these technologies do provide connectivity between locations, they are not very cost effective. Corporations look for ways to cut costs, for increased profitability.

Network professionals can reduce the high maintenance cost of point-to-point WAN links by using the IPSec VPN tunnel in site-to-site mode. They can use broadband connections, including digital subscriber line (DSL) or cable modem, to achieve Internet connectivity at a considerably cheaper rate, and they can deploy IPSec VPN on top of that to connect the remote locations to the central site. This allows them to accomplish both goals in a cost-effective manner:

• Internet access for clear-text traffic
• Intranet connectivity over the VPN tunnel

This chapter focuses on configuring and troubleshooting site-to-site IPSec tunnels on the Cisco Adaptive Security Appliances. It discusses a preconfiguration checklist, configuration steps, and different design scenarios. This chapter also discusses how to monitor the IPSec site-to-site tunnel to make sure that the traffic is flowing flawlessly. If the IPSec VPN is having connectivity issues, the chapter provides extensive troubleshooting help later in this chapter.