Advantages and Disadvantages of IPsec Site-to-Site VPNs

Before deciding whether to deploy an IPsec site-to-site VPN, it is important to look at the advantages and disadvantages of this type of VPN:

  • IPsec VPNs (properly configured) permit highly secure (encrypted and authenticated) site-to-site connectivity.
  • IPsec site-to-site VPNs can be deployed by an enterprise or offered as a managed service by a service provider.
  • IPsec VPNs can be implemented over any IP-enabled backbone network, including the Internet. The fact that IPsec VPNs can be deployed over the Internet can also make their implementation attractive from a cost perspective.
  • Enterprises that deploy and manage a site-to-site IPsec VPN will have complete control of their WAN routing. This is in contrast to a Multiprotocol Label Switching (MPLS) Layer 3 VPN, where Customer Edge (CE) routers must exchange routing information with Provider Edge (PE) routers (assuming dynamic routing is configured).
  • IPsec site-to-site VPNs built using standard IPsec tunnels might be difficult to scale because an IPsec tunnel needs to be provisioned between each pair of IPsec VPN gateways. IPsec site-to-site VPNs using standard IPsec tunnels are particularly difficult to scale if full-mesh (any-to-any) connectivity is required.

    Although site-to-site VPNs using standard IPsec tunnels may be difficult to scale, technologies such as Dynamic Multipoint VPNs (DMVPN) allow much greater scalability.

  • To make IPsec VPNs as secure as possible, it is necessary to use digital signature (digital certificate) authentication. The use of digital signature authentication mandates the deployment of a Public Key Infrastructure (PKI) that must be carefully managed.
  • Dynamic routing in an IPsec site-to-site VPN (using standard point-to-point IPsec tunnel configuration) is typically more complex than that in an MPLS Layer 3 VPN because each IPsec VPN gateway must be an IP routing peer of every other IPsec VPN gateway (assuming full-mesh connectivity), whereas in an MPLS Layer 3 VPN, each CE router is an IP routing peer with directly connected PE routers and not every other CE router in the VPN. Note, however, that where meshed connectivity is provided using Dynamic Multipoint VPN (DMVPN), spoke site routers become routing peers only with the hub site router(s) and not other spoke site routers.
  • Currently, standard IPsec does not provide support for multiprotocol and IP multicast traffic. Support for multiprotocol and IP multicast traffic can be provisioned using Generic Routing Encapsulation (GRE) tunnels or (in the case of IP multicast) virtual tunnel interfaces (VTI).
  • IPsec can impose high CPU overhead on VPN gateways (due to the processing necessary for packet encryption/decryption and authentication). High CPU overhead can be alleviated by using hardware accelerators (this is often a good idea in live deployments, especially on hub-site routers).

Having examined some of the main advantages and disadvantages of IPsec site-to-site VPNs, it is now time to discuss their underlying operation.

Comparing, Designing, and Deploying VPNs
ISBN: 1587051796
EAN: 2147483647
Year: 2007
Pages: 124
Authors: Mark Lewis