
Interop Labs VPN Interoperability Demo, Las Vegas, Nevada, May, 1999


Page 2

VPN Interoperability: What are you seeing?

World’s Largest Public VPN Interoperability Demonstration

All IPSEC (IP Security) compliant

All using IKE/ISAKMP (Internet Key Exchange)

Page 3

VPN Interoperability: What are you not seeing?

Not every product supports the same set of SA establishment profiles
– 3DES versus DES
– Subnet versus Host-based SAs
– ISAKMP versus IPSEC profile sets

Not all SW versions seen here are shipping/released

SA re-establishment not well defined
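The three mismatch classes on this slide can be modelled as a pairwise negotiation check. This is an added example, not part of the original slides: the gateway labels follow the demo diagrams, but the profiles, transform names and the rule that the responder takes the initiator's first acceptable proposal are constructed assumptions.

```python
from itertools import combinations

# Constructed profiles for hypothetical gateways (labels follow the demo diagrams).
# phase1/phase2 are ordered by local preference; selectors are supported SA scopes.
GATEWAYS = {
    "VPN A": {"phase1": ["3DES-SHA1", "DES-MD5"],
              "phase2": ["ESP-3DES-SHA1", "ESP-DES-MD5"],
              "selectors": {"subnet", "host"}},
    "VPN B": {"phase1": ["DES-MD5", "3DES-SHA1"],
              "phase2": ["ESP-DES-MD5", "ESP-3DES-SHA1"],
              "selectors": {"subnet"}},
    "VPN C": {"phase1": ["3DES-SHA1"],
              "phase2": ["ESP-3DES-SHA1"],
              "selectors": {"host"}},
    "VPN D": {"phase1": ["3DES-SHA1", "DES-MD5"],
              "phase2": ["ESP-DES-MD5"],
              "selectors": {"subnet"}},
}

def pick(offered, acceptable):
    """Assumed rule: responder accepts the first offered proposal it also supports."""
    return next((p for p in offered if p in acceptable), None)

def negotiate(init, resp):
    """Return ("OK", details) or ("FAIL", reason) for initiator -> responder."""
    i, r = GATEWAYS[init], GATEWAYS[resp]
    p1 = pick(i["phase1"], r["phase1"])
    if p1 is None:
        return ("FAIL", "no common ISAKMP profile")
    p2 = pick(i["phase2"], r["phase2"])
    if p2 is None:
        return ("FAIL", "no common IPSEC profile")
    scope = sorted(i["selectors"] & r["selectors"])
    if not scope:
        return ("FAIL", "subnet vs host-based SA mismatch")
    return ("OK", {"isakmp": p1, "ipsec": p2, "scope": scope})

def working_tunnels():
    """Unordered pairs where negotiation succeeds whichever side initiates."""
    return [(a, b) for a, b in combinations(GATEWAYS, 2)
            if negotiate(a, b)[0] == "OK" and negotiate(b, a)[0] == "OK"]

def des_fallbacks():
    """Ordered (initiator, responder) pairs that come up, but with single DES in ESP."""
    return [(a, b) for a in GATEWAYS for b in GATEWAYS
            if a != b and negotiate(a, b)[0] == "OK"
            and negotiate(a, b)[1]["ipsec"] == "ESP-DES-MD5"]

if __name__ == "__main__":
    print(working_tunnels())
    print(des_fallbacks())
```

With these constructed profiles the same pair can settle on 3DES or DES depending on which side initiates, so a tunnel that is up still needs its negotiated transform checked.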

Page 4

VPN Interoperability: What are the pieces?

12 vendors

65 site-to-site tunnels

IP traffic with TCP and UDP

ESP Tunneling Encryption

Authentication within ESP

IKE/ISAKMP key management with preshared secrets

Page 5

VPN Interoperability: Why is this interesting?

Vendor independent VPN
– You need not be locked into a single vendor solution for VPNs any more!
– You can talk to other enterprises who have already chosen a VPN vendor

Product flexibility
– Not every vendor has every answer
– Mix and match to fit your needs

Standards Assurance
– Vendors who successfully interoperate will not lead you down a proprietary path

Page 6

VPN Interoperability: How did we do it?

Step 1: Start with a public LAN

[Diagram: Router]

Page 7

VPN Interoperability: How we did it: Step 2

Add VPN vendors

[Diagram: Router; VPN A, B, C, D and E devices; three Mgmt stations; LAN A, LAN B, LAN C, LAN D, LAN E]

Page 8

VPN Interoperability: How we did it: Step 3

Add Connectivity Testers

[Diagram: Router; VPN A, B, C, D and E devices; three Mgmt stations; five Conn. Testers; LAN A, LAN B, LAN C, LAN D, LAN E]

Page 9

VPN Interoperability: How we did it: Step 4

Verify VPNs

[Diagram: Router; VPN A, B, C, D and E devices; three Mgmt stations; five Conn. Testers; LAN A, LAN B, LAN C, LAN D, LAN E]

Page 10

VPN Interoperability: How did we do it?

[Diagram: VPN B device and VPN E device; Mgmt station; one Conn. Tester on LAN B and one on LAN E]

1. Connectivity Tester on VPN B sends a packet to Connectivity Tester on VPN E

2. VPN B device tunnels packet in IPSEC and sends to VPN E device

3. VPN E device de-tunnels packet and sends to Connectivity Tester on VPN E

4. Connectivity Tester on VPN E receives packet and sends response to Connectivity Tester on VPN B

5. B Tester receives response and updates web page

Page 11

VPN Interoperability: See 12 VPNs in Operation

Intel
Checkpoint
Internet Dynamics
RedCreek
Data Fellows
FreeS/WAN
VPNet
Microsoft
Cisco
Nortel
RadGuard
Timestep

Page 12

Each VPN has a VPN device and Connectivity Tester

[Diagram: Management Station, Connectivity Tester, VPN Device]

Some also have management stations in the iLabs

Page 13

VPN Interoperability: VPN Device connections

VPN Devices have two connections
– One to its private network (unencrypted clients/servers)
– One to the public network (encrypted traffic only)
– Connectivity Tester is on the private network
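The "encrypted traffic only" property of the public side can be checked from a packet capture. This is an added example, not part of the original slides: it classifies raw IPv4 packets as ESP (IP protocol 50), IKE/ISAKMP (UDP port 500) or cleartext, and the sample packets, addresses and helper names are constructed.

```python
import socket
import struct

ESP, UDP, IKE_PORT = 50, 17, 500  # IP protocol numbers; ISAKMP/IKE uses UDP port 500

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet captured on the public side of a VPN device."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto == ESP:
        return "esp"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "fragment"                 # no L4 header to inspect; review by hand
    if proto == UDP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "ike"
    return "cleartext"                    # anything else should not be on the public LAN

def audit(packets):
    """Count packets per class; a non-zero 'cleartext' count means a leak."""
    counts = {}
    for pkt in packets:
        kind = classify(pkt)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def ipv4(proto, payload, src="192.0.2.1", dst="192.0.2.2"):
    """Build a minimal IPv4 packet (checksum left 0) for the constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

# Constructed capture: two ESP packets, one IKE packet, one stray TCP segment.
SAMPLES = [
    ipv4(ESP, struct.pack("!II", 0x1001, 1) + b"\x00" * 32),
    ipv4(ESP, struct.pack("!II", 0x1001, 2) + b"\x00" * 32),
    ipv4(UDP, struct.pack("!HHHH", 500, 500, 8 + 28, 0) + b"\x00" * 28),
    ipv4(6, struct.pack("!HH", 40000, 80) + b"\x00" * 16),
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```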

Page 14

VPN Interoperability: Connectivity Tester

The Connectivity Tester on each LAN shows VPN encrypted connectivity between vendors.

Vendor logos indicate a successful tunnel between this tester and the other products shown

Page 15

VPN Interoperability: Protocol Analysis

W W G and Shomiti protocol analyzers are available to watch IPSEC SA establishment

Page 16

VPN Interoperability: Participating VPN Products (1 of 2)

Nortel Networks: Contivity Extranet Switch 4000
Check Point Software Tech.: FireWall-1
Cisco Systems: Cisco 7206
Internet Dynamics: Conclave Firewall
Microsoft: Windows 2000
Radguard: cIPro-VPN

Page 17

VPN Interoperability: Participating VPN Products (2 of 2)

RedCreek: Ravlin 10
Intel: LanRover VPN Gateway
Timestep: Permit/Gate 4500
VPNet: VSU-1100
DataFellows: F-Secure VPN+
Linux: FreeS/WAN

Page 18

VPN Interoperability: Interop VPN Labs Team

Craig Watkins [email protected]

Joel Snyder Opus [email protected]

Jan Trumbo Opus [email protected]

Allen Gwinn [email protected]

Chris Liljenstolpe Cable and [email protected]