A successful remote access implementation needs all of the necessary ingredients: a remote client, a VPN Concentrator, PPP or an equivalent Layer 2 protocol, and a tunneling protocol (IPSec, PPTP, or L2TP). To illustrate how these components fit together, look at Figure 4.1, which shows a typical IPSec remote access scenario built from Cisco components.

Figure 4.1. IPSec remote access scenario.
In this hypothetical remote access example, Mr. Ed, located at the remote end of the IPSec tunnel, uses a workstation with Internet connectivity to connect to the central location. The workstation adapter that connects to the Internet uses PPP as its Layer 2 protocol and learns its public IP address, 172.16.1.2, dynamically from the ISP. (The 172.16.0.0/12 and 192.168.0.0/16 addresses in this example fall in RFC 1918 private ranges and stand in for routable public addresses.) To initiate the IPSec tunnel, and to handle authentication and encryption, Mr. Ed must install the Cisco VPN Unity Client on his workstation. The Unity Client initiates the IPSec tunnel to the VPN Concentrator's public interface address, 192.168.1.101. In a typical configuration, the VPN Concentrator assigns the client an internal IP address of 10.1.1.100 for the tunnel, drawn from a DHCP server, a configured address pool, or a per-user assignment. When Mr. Ed sends data destined for a device or station at the main office, the Unity Client encapsulates the internal IP header and payload using ESP in tunnel mode, so the entire original packet is encrypted and integrity-protected. The client then prepends a new IP header with the workstation adapter's public address (172.16.1.2) as the source and the VPN Concentrator's public address (192.168.1.101) as the destination, which is what makes the packet routable across the Internet. When the VPN Concentrator receives the packet, it looks up the security association by SPI, verifies the ESP integrity check value, decrypts the original packet, strips the outer IP header and the ESP header and trailer, and delivers the datagram to the internal destination address carried in the original inner IP header. A packet that fails the integrity check is dropped before decryption, so a forged or modified packet never reaches the internal network.
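The following Python script is an added worked example of the encapsulation and decapsulation just described; it is not code from the book or from Cisco. It builds the inner IP packet from the tunnel address 10.1.1.100 to an assumed office host 10.1.1.50 (not named in the text), wraps it in ESP tunnel mode between the client's public address 172.16.1.2 and the concentrator's public address 192.168.1.101, then performs the concentrator side: SPI lookup, ICV verification before decryption, and recovery of the inner packet. Two simplifications are assumptions of the example: the keys are hard-coded rather than negotiated by IKE, and the cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES transform a real security association would use, so that the script runs with only the standard library.

```python
import hashlib
import hmac
import os
import socket
import struct

# Addresses from the scenario in the text. 172.16/12 and 192.168/16 are
# RFC 1918 ranges used here, as in the text, in place of real public addresses.
CLIENT_PUBLIC = "172.16.1.2"
CONCENTRATOR_PUBLIC = "192.168.1.101"
CLIENT_TUNNEL = "10.1.1.100"
OFFICE_HOST = "10.1.1.50"      # assumed internal destination, not in the text

IPPROTO_IPIP = 4               # ESP next-header value for an inner IPv4 packet
IPPROTO_ESP = 50
IPPROTO_UDP = 17
ICV_LEN = 12                   # HMAC-SHA1-96: 160-bit tag truncated to 96 bits
IV_LEN = 16
BLOCK = 16                     # pad to a 16-byte boundary, as AES-CBC would


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:                      # fold carries into 16 bits
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:]


def parse_ipv4(pkt):
    """Return the fields a forwarding decision needs from an IPv4 packet."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total]}


def _keystream(key, iv, length):
    """PRF counter-mode keystream (HMAC-SHA256 over iv||counter). This is an
    assumed stand-in for the AES transform a real ESP SA negotiates."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner_pkt, spi, seq, enc_key, auth_key, iv=None):
    """Client side: wrap an inner IP packet in ESP tunnel mode (RFC 4303)
    and prepend a new outer IP header from client to concentrator."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    pad_len = (-(len(inner_pkt) + 2)) % BLOCK          # room for pad-len + next-hdr
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default padding
    plaintext = inner_pkt + padding + bytes([pad_len, IPPROTO_IPIP])
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    authed = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    esp = authed + icv
    outer = ipv4_header(CLIENT_PUBLIC, CONCENTRATOR_PUBLIC, IPPROTO_ESP, len(esp))
    return outer + esp


def esp_decapsulate(packet, enc_key, auth_key, expected_spi):
    """Concentrator side: strip the outer header, verify the ICV before
    decrypting anything, then recover the inner IP packet for delivery."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    esp = outer["payload"]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != expected_spi:
        raise ValueError("no security association for SPI %#x" % spi)
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed; packet dropped")
    iv, ciphertext = authed[8:8 + IV_LEN], authed[8 + IV_LEN:]
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("unexpected next header %d" % next_hdr)
    return seq, plaintext[:-(pad_len + 2)]


def demo():
    """Run one packet through the tunnel and show that tampering is caught."""
    enc_key, auth_key = b"E" * 32, b"A" * 20   # assumed; IKE would derive these
    spi = 0x1000ABCD
    payload = b"constructed application data"  # constructed sample payload
    inner = ipv4_header(CLIENT_TUNNEL, OFFICE_HOST, IPPROTO_UDP, len(payload)) + payload
    wire = esp_encapsulate(inner, spi, 1, enc_key, auth_key)
    seq, recovered = esp_decapsulate(wire, enc_key, auth_key, spi)
    tampered = bytearray(wire)
    tampered[44] ^= 0x01                        # first ciphertext byte on the wire
    try:
        esp_decapsulate(bytes(tampered), enc_key, auth_key, spi)
        detected = False
    except ValueError:
        detected = True
    return {"outer": parse_ipv4(wire), "inner": parse_ipv4(recovered),
            "seq": seq, "tamper_detected": detected}


if __name__ == "__main__":
    r = demo()
    print("outer: %s -> %s proto %d" % (r["outer"]["src"], r["outer"]["dst"], r["outer"]["proto"]))
    print("inner: %s -> %s payload %r" % (r["inner"]["src"], r["inner"]["dst"], r["inner"]["payload"]))
    print("tampered packet rejected before decryption:", r["tamper_detected"])
```

The point to take from the script is the order of operations on the concentrator: the outer header identifies the SA, the ICV is checked with a constant-time compare before any decryption, and only then is the inner packet exposed and forwarded to the address in its own header. Anti-replay checking on the sequence number, which a real ESP implementation also performs, is omitted here.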