800 East 96th Street, Indianapolis, Indiana 46240 USA
Cisco Press
Comparing, Designing, and Deploying VPNs
Mark Lewis, CCIE No. 6280
Comparing, Designing, and Deploying VPNs
Mark Lewis
Copyright 2006 Cisco Systems, Inc.
Cisco Press logo is a trademark of Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing April 2006
Library of Congress Cataloging-in-Publication Number: 2003114910
ISBN: 1-58705-179-6
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.
For more information, please contact
U.S. Corporate and Government Sales,
1-800-382-3419 or [email protected].
For sales outside the U.S., please contact
International Sales,
Warning and Disclaimer
This book is designed to provide information about virtual private networks (VPNs). Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Publisher: John Wait
Editor-in-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Production Manager: Patrick Kanouse
Senior Development Editor: Christopher Cleveland
Copy Editor and Indexer: Keith Cline
Technical Editors: Henry Benjamin, Lei Chen, Mark Newcomb, Ajay Simha
Book and Cover Designer: Louisa Adair
Composition: Interactive Composition Corporation
About the Author
Mark Lewis, CCIE No. 6280, is technical director of MJL Network Solutions (www.mjlnet.com), a leading provider of internetworking solutions that focuses on helping enterprise and service provider customers to implement leading-edge technologies. Mark specializes in next-generation network technologies and has extensive experience designing, deploying, and migrating large-scale IP/MPLS networks. He is an active participant in the IETF, a member of the IEEE, and a certified Cisco Systems instructor. Mark is also the author of Troubleshooting Virtual Private Networks, published by Cisco Press.
Mark can be contacted at [email protected].
About the Technical Reviewers
Henry Benjamin, CCIE No. 4695, holds three CCIE certifications (Routing and Switching, ISP Dial, and Communications and Services). He has more than 10 years' experience with Cisco networks and recently worked for Cisco in the internal IT department helping to design and implement networks throughout Australia and Asia. Henry was a key member of the CCIE global team, where he was responsible for writing new laboratory examinations and questions for the CCIE exams. Henry is an independent consultant with a large security firm in Australia. Henry is the author of CCIE Security Exam Certification Guide and CCNP Practical Studies: Routing, both published by Cisco Press.
Lei Chen, CCIE No. 6399, received a master of science degree in computer science from DePaul University in 2000. He joined the Cisco NSITE system testing group in 2000, and then went on to support Cisco high-tier customers as part of the Cisco TAC VPN team in 2002. He has first-hand experience in troubleshooting, designing, and deploying IPsec VPNs.
Mark Newcomb, CCNP, CCDP, is a retired network security engineer. Mark has more than 20 years' experience in the networking industry, focusing on the financial and medical industries. Mark is a frequent contributor and reviewer for Cisco Press books.
Ajay Simha, CCIE No. 2970, joined the Cisco TAC in 1996. He then went on to support tier 1 and 2 ISPs as part of the Cisco ISP Expert team. He worked as an MPLS deployment engineer from October 1999 to November 2003. Currently, he is a senior network consulting engineer in Advanced Services at Cisco working on Metro Ethernet and MPLS design and deployment. Ajay is the coauthor of the Cisco Press title Traffic Engineering with MPLS.
Acknowledgments
I'd like to thank a number of people who helped me to complete this book. I'd like to thank Michelle, Chris, John, and Patrick at Cisco Press, who helped to get this project started in the first place and then provided indispensable help and encouragement along the way.
And I'd also like to thank the technical reviewers, Mark Newcomb, Henry Benjamin, Ajay Simha, and Lei Chen, who all provided useful comments and suggestions.
This Book Is Safari Enabled
The Safari Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days.
Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.
To gain 45-day Safari Enabled access to this book:
1. Go to http://www.ciscopress.com/safarienabled
2. Complete the brief registration form
3. Enter the coupon code GBCR-98XD-CWIL-XSD7-VQQE
If you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail [email protected].
Contents at a Glance
Introduction xxii
Part I Understanding VPN Technology 3
Chapter 1 What Is a Virtual Private Network? 5
Part II Site-to-Site VPNs 25
Chapter 2 Designing and Deploying L2TPv3-Based Layer 2 VPNs 27
Chapter 3 Designing and Implementing AToM-Based Layer 2 VPNs 137
Chapter 4 Designing MPLS Layer 3 Site-to-Site VPNs 225
Chapter 5 Advanced MPLS Layer 3 VPN Deployment Considerations 293
Chapter 6 Deploying Site-to-Site IPsec VPNs 407
Chapter 7 Scaling and Optimizing IPsec VPNs 523
Part III Remote Access VPNs 707
Chapter 8 Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs 709
Chapter 9 Designing and Deploying IPsec Remote Access and Teleworker VPNs 805
Chapter 10 Designing and Building SSL Remote Access VPNs (WebVPN) 905
Part IV Appendixes 983
Appendix A VPLS and IPLS Layer 2 VPNs 985
Appendix B Answers to Review Questions 997
Index 1009
Table of Contents
Introduction xxii
Part I Understanding VPN Technology 3
Chapter 1 What Is a Virtual Private Network? 5
VPN Devices 5
VPN Technologies and Protocols 7
Technologies and Protocols Used to Enable Site-to-Site VPNs 7
Technologies and Protocols Used to Enable Remote Access VPNs 8
Modeling and Characterizing VPNs 9
Service Provider and Customer Provisioned VPNs 10
Site-to-Site and Remote Access VPNs 11
Service Provider Provisioned Site-to-Site VPNs 13
Customer Provisioned Site-to-Site VPNs 15
Service Provider and Customer Provisioned Remote Access VPNs 15
Other Methods of Categorizing VPNs 16
Deploying Site-to-Site and Remote Access VPNs: A Comparison 18
Site-to-Site VPN Deployment 18
Remote Access VPN Deployment 19
Summary 22
Review Questions 22
Part II Site-to-Site VPNs 25
Chapter 2 Designing and Deploying L2TPv3-Based Layer 2 VPNs 27
Benefits and Drawbacks of L2TPv3-Based L2VPNs 28
L2TPv3 Pseudowire Operation 29
L2TPv3 Deployment Models 30
L2TPv3 Message Types 31
The L2TPv3 Control Connection 34
L2TPv3 Control Connection Setup 34
L2TPv3 Control Connection Teardown 36
L2TPv3 Session Setup 37
L2TPv3 Session Teardown 38
Hello and SLI Messages 40
Configuring and Verifying L2TPv3 Pseudowires 41
Deploying L2TPv3 Pseudowires with Dynamic Session Setup 42
Step 1: Configure CEF 43
Step 2: Configure a Loopback Interface to Use as the Pseudowire Endpoint 43
Step 3: Configure an L2TPv3 Class (Optional) 43
Step 4: Configure a Pseudowire Class 45
Step 5: Bind Attachment Circuits to Pseudowires 45
Implementing L2TPv3 Pseudowire-Based L2VPNs Using Static Session Configuration 93
Static L2TPv3 Sessions Without a Control Connection 93
Static L2TPv3 Sessions with a Control Connection 96
L2VPN Interworking with L2TPv3 98
Ethernet Mode L2VPN Interworking with L2TPv3 99
IP Mode L2VPN Interworking with L2TPv3 102
Resolving MTU Issues with L2VPN Interworking 112
Routing Protocol Considerations with L2VPN Interworking 113
Transporting IPv6 over an IPv4 Backbone Using IPv6 Protocol Demultiplexing 114
Provisioning Quality of Service for L2TPv3 Pseudowires 118
Configuring an Input QoS Policy on (Ingress) PE Router Attachment Circuits 121
Configuring an Output QoS Policy on (Egress) PE Router Attachment Circuits 125
Avoiding Packet Fragmentation and Packet Drops with L2TPv3 Pseudowires 128
Summary 134
Review Questions 134
Chapter 3 Designing and Implementing AToM-Based Layer 2 VPNs 137
Benefits and Drawbacks of AToM-Based L2VPNs 138
AToM Pseudowire Operation 139
Control Channel Messages 140
AToM Pseudowire Setup 142
AToM Status Signaling 150
AToM Data Channel Packet Forwarding 154
Deploying AToM Pseudowires 156
Implementing AToM Pseudowires for Ethernet Traffic Transport 156
AToM Pseudowire Ethernet Port Transport 157
AToM Pseudowire Ethernet VLAN (802.1Q) Transport 163
Deploying AToM Pseudowires for HDLC and PPP Traffic Transport 165
Frame Relay Traffic Transport with AToM Pseudowires 171
Frame Relay Port Mode Traffic Transport 171
Frame Relay DLCI-to-DLCI Switching Traffic Transport 172
Using AToM Pseudowires to Transport ATM Traffic 176
ATM Cell Relay 178
Implementing Advanced AToM Features 188
Deploying AToM Pseudowire QoS 188
Tunnel Selection for AToM Pseudowires 195
Configuring PE Routers for MPLS-TE Tunnel Selection for AToM Pseudowires 195
Configuring P Routers for MPLS-TE 199
Tunnel Selection for AToM Pseudowires: Final Network Topology and Advantages 200
Verifying MPLS-TE Tunnel Selection for AToM Pseudowires 201
L2VPN Pseudowire Switching with AToM 202
L2VPN Interworking with AToM Pseudowires 207
Configuring Ethernet Mode L2VPN Interworking with AToM Pseudowires 209
Configuring IP Mode L2VPN Interworking with AToM Pseudowires 209
Verifying L2VPN Interworking with AToM Pseudowires 210
Configuring and Verifying Local Switching 211
Local Switching Between the Same Types of Physical Interfaces 213
Local Switching Between Different Interface Types 215
Local Switching Between Circuits on the Same Interface 216
Resolving AToM Data Channel Packet Drop Issues 217
Summary 222
Review Questions 222
Chapter 4 Designing MPLS Layer 3 Site-to-Site VPNs 225
Advantages and Disadvantages of MPLS Layer 3 VPNs 226
MPLS Layer 3 VPNs Overview 227
IP Reachability in an MPLS Layer 3 VPN 227
User Packet Forwarding Between MPLS Layer 3 VPN Sites 229
A Detailed Examination of MPLS Layer 3 VPNs 231
Distinguishing Customer VPN Prefixes Using Route Distinguishers (RD) 232
Using Route Targets (RT) to Control Customer VPN Route Distribution 233
Deploying MPLS Layer 3 VPNs 235
Configuration of PE Routers 236
Step 1: Configure a Loopback Interface for Use as the PE Router's BGP Router ID/LDP Router ID 237
Step 2: Configure LDP 237
Step 3: Enable MPLS on Interfaces Connected to Other PE or P Routers 239
Step 4: Configure the Backbone Network IGP 239
Step 5: Configure MP-BGP for VPNv4 Route Exchange with Other PE Routers or Route Reflectors 241
Step 6: Configure the Customer VRFs 243
Step 7: Configure the Customer VRF Interfaces 243
Step 8: Configure the Customer VRF Routing Protocols or Static Routes for Connectivity Between Customer VPN Sites 244
Step 9: Redistribute the PE-CE Routing Protocol/Static VRF Routes into MP-BGP 248
Configuration of P Routers 250
Provisioning Route Distribution for VPN Topologies 250
Full-Mesh Topology 251
Hub-and-Spoke Topology 252
Extranet Topology 259
Preventing Routing Loops When Customer VPN Sites Are Multihomed 269
Configuring the SoO Attribute When eBGP Is Used as the PE-CE Routing Protocol 272
Configuring the SoO Attribute When eBGP Is Not Used as the PE-CE Routing Protocol 275
Implementing Internet Access for MPLS Layer 3 VPNs 277
Providing Internet Access via Separate Global Interfaces on PE Routers 278
Providing Internet Access Using Route Leaking Between VRFs and the Global Routing Table on PE Routers 282
Providing Internet Access via a Shared Services VPN 287
Summary 291
Review Questions 291
Chapter 5 Advanced MPLS Layer 3 VPN Deployment Considerations 293
The Carrier's Carrier Architecture 293
CSC Architecture When MPLS Is Not Enabled Within CSC Customer Sites 294
Route Advertisement in a CSC Architecture When MPLS Is Not Enabled Within CSC Customer Sites 295
Packet Forwarding in a CSC Architecture When MPLS Is Not Enabled Between Routers Within CSC Customer Sites 304
CSC Architecture When MPLS Is Enabled Within CSC Customer Sites 307
Route Advertisement in a CSC Architecture When MPLS Is Enabled Within CSC Customer Sites 307
Packet Forwarding in a CSC Architecture When MPLS Is Enabled Between Routers Within CSC Customer Sites 309
Enabling Hierarchical VPNs in a CSC Architecture 310
The Inter-Autonomous System/Interprovider MPLS VPN Architecture 315
VRF-to-VRF Connectivity at ASBRs 316
Route and Label Advertisement Between Autonomous Systems When Deploying Inter-Autonomous System MPLS VPNs: VRF-to-VRF Connectivity at ASBRs 317
Packet Forwarding Between Autonomous Systems When Deploying Inter-Autonomous System MPLS VPNs: VRF-to-VRF Connectivity at ASBRs 322
Advertisement of Labeled VPN-IPv4 (VPNv4) Between ASBRs Using MP-eBGP 325
Route and Label Advertisement Between Autonomous Systems When Deploying Inter-Autonomous System MPLS VPNs Using MP-eBGP Between ASBRs 325
Packet Forwarding Between Autonomous Systems When Deploying Inter-Autonomous System MPLS VPNs Using MP-eBGP Between ASBRs 331
Advertisement of Labeled VPN-IPv4 (VPNv4) Between Route Reflectors in Separate Autonomous Systems Using Multihop MP-eBGP 334
Route and Label Advertisement When Deploying Inter-Autonomous System MPLS VPNs with the Advertisement of Labeled VPN-IPv4 Between Route Reflectors in the Separate Autonomous Systems 335
Packet Forwarding When Deploying Inter-Autonomous System MPLS VPNs Using MP-eBGP Between Route Reflectors in Separate Autonomous Systems 346
Supporting Multicast Transport in MPLS Layer 3 VPNs 348
Point-to-Point GRE Tunnels 349
Multicast VPNs (MVPN) 351
The Multicast VRF and Multicast Domain 351
The Default and Data MDTs 353
PIM Adjacencies 359
Reverse-Path Forwarding Checks in the MVPN 360
Configuring PIM Between PE and P Routers in the Service Provider MPLS VPN Backbone Network 361
Advantages of Deploying MVPN 364
Configuring and Verifying MVPN 364
Implementing QoS for MPLS Layer 3 VPNs 374
MPLS DiffServ Tunneling Models 377
Pipe Model/Short Pipe Model 377
Uniform Model 379
Configuring MPLS QoS on Cisco Routers 380
Implementing an MPLS DiffServ Pipe Model Architecture 381
Implementing an MPLS DiffServ Short Pipe Model Architecture 388
Implementing an MPLS DiffServ Uniform Model Architecture 390
Supporting IPv6 Traffic Transport in MPLS Layer 3 VPNs Using 6VPE 392
6VPE Route Exchange 393
6VPE Data Packet Forwarding 394
Configuring and Verifying 6VPE 395
Summary 403
Review Questions 404
Chapter 6 Deploying Site-to-Site IPsec VPNs 407
Advantages and Disadvantages of IPsec Site-to-Site VPNs 408
IPsec: A Security Architecture for IP 409
Cryptographic Algorithms 410
Authentication Algorithms 410
Encryption Algorithms 415
Public Key Cryptographic Algorithms 419
Security Protocols: AH and ESP 422
Authentication Header (AH) 422
Encapsulating Security Payload (ESP) 426
AH and ESP Together 430
Security Associations 431
IPsec Databases 432
SA and Key Management Techniques 432
IKEv1 432
IKEv2 437
Putting It All Together: IPsec Packet Processing 438
Outbound Processing 438
Inbound Processing 439
Deploying IPsec VPNs: Fundamental Considerations 440
Selecting and Configuring IKE Policies for Automated SA and Key Management 441
Selecting the Appropriate Method of IKE Authentication 441
Selecting Cryptographic Parameters for IKE Policies 461
Selecting and Configuring IPsec Transforms 467
Selecting Security Protocols in an IPsec Transform Set 467
Selecting Hash Algorithms in an IPsec Transform Set 468
Selecting Encryption Algorithms for Use with ESP 469
Selecting Compression in an IPsec Transform Set 470
Configuring IPsec Transform Sets 471
Designing and Configuring Crypto Access Lists 475
Pulling Everything Together with a Crypto Map 479
Complete IPsec VPN Gateway Configurations 481
Transporting Multiprotocol and Multicast Traffic over an IPsec VPN 485
Configuring GRE/IPsec Tunnels 485
Configuring VTIs 495
Manual SA and Key Management 499
Deploying IPsec VPNs with NAT/PAT 502
How NAT/PAT Breaks IPsec 503
Getting Around Issues with NAT/PAT and IPsec Tunnels 517
Allowing IPsec to Traverse a Firewall 519
Summary 520
Review Questions 521
Chapter 7 Scaling and Optimizing IPsec VPNs 523
Scaling IPsec Virtual Private Networks 523
Reducing the Number of IPsec Tunnels Required in a VPN 525
Reducing IPsec VPN Configuration Complexity with TED and DMVPN 527
Tunnel Endpoint Discovery (TED) 528
Dynamic Multipoint Virtual Private Network (DMVPN) 532
Scaling IPsec VPNs with Digital Signature Authentication 550
Background to PKI Deployment 557
Deploying the PKI for an IPsec VPN: Considerations 579
Simplifying PKI Deployment with the IOS Certificate Server 580
Ensuring High Availability in an IPsec VPN 593
High Availability with HSRP 594
Stateless IPsec High Availability 595
Stateful IPsec High Availability 611
High Availability with GRE 628
High Availability with Point-to-Point GRE Tunnels 628
High Availability with DMVPN 642
Designing QoS for IPsec VPNs 656
Using DiffServ in an IPsec VPN 656
Configuring QoS with the qos pre-classify Command 659
IPsec Anti-Replay Considerations with QoS 665
Other Considerations When Provisioning QoS for an IPsec VPN 671
MTU and Fragmentation Considerations in an IPsec VPN 673
IPsec Packet Overhead 673
Overhead Added by Security Protocols 673
Overhead Added in Transport and Tunnel Modes 674
Overhead Added by a GRE Tunnel 674
Calculating Total Overhead 675
Ensuring That Large IPsec Packets Are Not Fragmented or Dropped 677
Fragmentation of IPsec and GRE/IPsec Packets 678
Fragmentation of Plain IPsec Packets 679
Fragmentation of GRE/IPsec Packets 685
PMTUD and IPsec Packet Drops 686
Solutions for IPsec Packet Fragmentation and Drops 695
Summary 704
Review Questions 704
Part III Remote Access VPNs 707
Chapter 8 Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs 709
Benefits and Drawbacks of L2TP Remote Access VPNs 711
Operation of L2TP Voluntary/Client-Initiated Tunnel Mode 712
L2TPv2 Message Formats and Message Types 713
L2TP/IPsec Remote Access VPN Setup (Voluntary/Client-Initiated Tunnel Mode) 716
Implementing L2TP Voluntary/Client-Initiated Tunnel Mode Remote Access VPNs 724
Configuring PSK Authentication for L2TP/IPsec Voluntary Tunnel Mode VPNs 725
Configuring a Cisco VPN 3000 Concentrator as an L2TP/IPsec VPN Gateway for PSK Authentication 725
Configuring a Cisco IOS Router as an L2TP/IPsec VPN Gateway for PSK Authentication 732
Configuring Windows L2TP/IPsec Remote Access VPN Clients for PSK Authentication 736
Implementing Digital Signature (Digital Certificate) Authentication with L2TP/IPsec Voluntary/Client-Initiated Tunnel Mode Remote Access VPNs 743
Configuring the L2TP/IPsec VPN Gateway for Digital Signature Authentication 743
Configuring Windows L2TP/IPsec Remote Access Clients for Digital Signature (Digital Certificate) Authentication 759
Verifying L2TP/IPsec Voluntary Tunnel Mode Remote Access VPNs 765
Verifying L2TP/IPsec VPNs on the VPN Gateway 765
Verifying L2TP/IPsec VPNs on Remote Access Client Workstations 769
Configuring L2TP/IPsec Remote Access VPNs to Transit NAT Devices 773
Configuring L2TP/IPsec Remote Access Clients to Support NAT-T 773
Configuring the L2TP/IPsec VPN Gateway to Support NAT-T 775
Ensuring That More Than One Windows L2TP/IPsec Remote Access Client Can Successfully Connect to a VPN Gateway from Behind the Same NAT Device (When Using NAT-T) 776
Deploying L2TP Voluntary/Client-Initiated VPNs on Cisco IOS Routers 776
Designing and Implementing L2TP Compulsory/NAS-Initiated Tunnel Mode Remote Access VPNs 782
L2TP Compulsory Tunnel Mode Setup: LAC Perspective 784
L2TP Compulsory Tunnel Mode Setup: LNS Perspective 786
Configuring the LAC for Compulsory Tunnel Mode 788
Configuring Tunnel Definitions on a RADIUS Server 790
Configuring the LNS for Compulsory Tunnel Mode 794
Integrating L2TP Remote Access VPNs with MPLS VPNs 798
Summary 802
Review Questions 803
Chapter 9 Designing and Deploying IPsec Remote Access and Teleworker VPNs 805
Comparing IPsec Remote Access VPNs with Other Types of Remote Access VPNs 806
Understanding IKE in an IPsec Remote Access VPN Environment 807
Resolving Issues Relating to User Authentication 810
Extended Authentication Within IKE (Xauth) 810
Hybrid Authentication Mode for IKE 812
IKE Challenge/Response for Authenticated Cryptographic Keys (CRACK) 813
Resolving Issues Relating to Negotiation of Attributes Such as IP Addresses, DNS Server Addresses, and WINS Server Addresses 814
Deploying IPsec Remote Access VPNs Using Preshared Key and Digital Signature Authentication 816
Implementing IPsec Remote Access VPNs Using Preshared Key Authentication 816
Configuring an IPsec Remote Access VPN Gateway for Preshared Key Authentication 817
Configuring the Cisco VPN Client for IKE Preshared Key Authentication 832
Designing and Deploying IPsec Remote Access VPNs Using Digital Signature Authentication 833
Implementing Digital Signature Authentication on IPsec Remote Access VPN Gateways 834
Deploying IKE Digital Signature Authentication on IPsec Remote Access VPN Clients 844
Implementing IPsec Remote Access VPNs Using Hybrid Authentication 847
Deploying Hybrid Authentication on the Cisco VPN 3000 Concentrator 848
Configuring Hybrid Authentication on Cisco VPN Clients 849
Verifying and Debugging IPsec Remote Access VPNs 850
Verifying IPsec Remote Access VPNs on Cisco VPN 3000 Concentrators 850
Verifying IPsec Remote Access VPNs on Cisco IOS VPN Gateways 852
Verifying IPsec Remote Access VPNs on the Cisco ASA 858
Verifying IPsec Remote Access VPNs on Cisco VPN Clients 860
Configuring NAT Transparency for IPsec Remote Access VPNs 862
Overcoming Issues with NAT/PAT When Using Cisco VPN 3000 Concentrators 863
Overcoming Issues with NAT/PAT When Using Cisco IOS VPN Gateways 864
Overcoming Issues with NAT/PAT When Using the Cisco ASA 5500 865
Configuring NAT/PAT Transparency on Cisco VPN Clients 865
IPsec Remote Access/Telecommuter VPNs Using Easy VPN (EZVPN) 865
Integrating IPsec with MPLS VPNs 869
Providing IPsec Remote Access Connectivity to MPLS VPNs 870
Integrating IPsec Site-to-Site VPNs with MPLS VPNs 876
High Availability: Enabling Redundancy for IPsec Remote Access VPNs 880
Load Balancing of IPsec Remote Access VPN Connections over a Number of VPN Gateways at the Same Central Site 881
Failover Between a Number of VPN Gateways at the Same Central Site Using VRRP 887
Using Backup VPN Gateways (Servers) at Geographically Dispersed VPN Gateways 889
Placing IPsec Remote Access VPN Gateways in Relation to Firewalls 892
Considerations When Building Wireless IPsec VPNs 894
Allowing or Disallowing Split Tunneling for Remote Access VPN Clients 898
Summary 901
Review Questions 902
Chapter 10 Designing and Building SSL Remote Access VPNs (WebVPN) 905
Comparing SSL VPNs to Other Types of Remote Access VPNs 906
Understanding the Operation of SSL Remote Access VPNs 907
SSL Overview: TCP, the Record Layer, and the Handshake Protocol 908
Establishing an SSL Connection Between a Remote Access VPN User and an SSL VPN Gateway Using an RSA Handshake 910
SSL Connection Establishment: ClientHello Message 913
SSL Connection Establishment: ServerHello, Certificate, and ServerHelloDone Messages 914
SSL Connection Establishment: ClientKeyExchange, ChangeCipherSpec, and Finished Messages 916
SSL Handshake: SSLv2, SSLv3, or TLS? 918
Understanding the SSL RSA Handshake with Client Authentication 920
Resuming an SSL Session 922
Closing an SSL Connection 923
Using Clientless SSL Remote Access VPNs (WebVPN) on the Cisco VPN 3000 Concentrator 924
Completing Basic SSL Remote Access VPN Access Configuration Tasks on the Cisco VPN 3000 Concentrator 925
Step 1: Enroll and Obtain a (SSL) Certificate for the VPN 3000 Concentrator from a Certificate Authority (Optional) 925
Step 2: Enable WebVPN for Relevant User Groups 926
Step 3: Specify Acceptable Versions of SSL and Configure Cryptographic Algorithms Associated with SSL Cipher Suites (Optional) 926
Step 4: Enable SSL on the VPN 3000 Concentrator's Public Interface 928
Configuring File and Web Server Access via SSL Remote Access VPNs 930
Step 1: Configure One or More NetBIOS Name Servers 931
Step 2: Configure WebVPN File Servers and Shares 931
Step 3: Enable File Access for the WebVPN User Group(s) 932
Enabling TCP Applications over Clientless SSL Remote Access VPNs 937
Configuring E-mail Proxy for SSL Remote Access VPN Users 943
Implementing Full Network Access Using the Cisco SSL VPN Client 948
Installing and Enabling the Cisco VPN Client Software 948
Understanding Remote Access Connectivity When Using the Cisco SSL VPN Client 950
Strengthening SSL Remote Access VPN Security by Implementing Cisco Secure Desktop 952
Installing the Cisco Secure Desktop 954
Configuring the Cisco Secure Desktop for Windows Clients 954
Configuring the Windows Cache Cleaner 957
Configuring VPN Feature Policy Settings 958
Configuring Secure Desktop Options 959
Configuring Cache Cleaner Options for Mac and Linux Users 961
Enabling the Cisco Secure Desktop 962
Enabling SSL VPNs (WebVPN) on Cisco IOS Devices 963
Step 1: Configure Domain Name and Name Server Addresses 964
Step 2: Configure Remote AAA for Remote Access User Login Authentication 964
Step 3: Enroll the IOS Router with a CA and Obtain an Identity Certificate 965
Step 4: Enable WebVPN 966
Step 5: Configure Basic SSL Parameters 966
Step 6: Customize Login and Home Pages (Optional) 967
Step 7: Specify URLs 969
Step 8: Configure Port Forwarding 969
Deploying SSL VPNs (WebVPN) on the ASA 5500 970
Step 1: Configure the HTTP Server 971
Step 2: Enable WebVPN on the Outside Interface 971
Step 3: Configure the WebVPN User Group Policy and Attributes 971
Step 4: Configure Remote Access User Authentication 972
Step 5: Specify URL Lists 973
Step 6: Configure File Access, Entry, and Browsing 974
Step 7: Configure Port Forwarding 975
Step 8: Configure E-mail Proxy 976
Step 9: Specify an SSL Trustpoint, SSL Version, and SSL Encryption Algorithm (Optional) 977
Specifying an SSL Trustpoint 977
Restricting Acceptable SSL Versions 977
Configuring the Cryptographic Algorithms That the ASA Will Negotiate with Remote Access Clients 978
Step 10: Customize Login and Home Pages (Optional) 978
Verifying SSL VPNs on the ASA 979
Summary 980
Review Questions 981
Part IV Appendixes 983
Appendix A VPLS and IPLS Layer 2 VPNs 985
Understanding VPLS 985
Ensuring a Loop-Free Topology in a VPLS 987
Frame Forwarding over a VPLS 989
VPLS MAC Address Learning 990
Hierarchical VPLS (H-VPLS) Deployments 990
Understanding IPLS 991
Unicast and Broadcast/Multicast Pseudowires in IPLS 992
Unicast and Broadcast/Multicast Forwarding in IPLS 994
Summary: Comparing VPLS and IPLS 995
Appendix B Answers to Review Questions 997
Chapter 1 997
Chapter 2 997
Chapter 3 998
Chapter 4 999
Chapter 5 1000
Chapter 6 1002
Chapter 7 1003
Chapter 8 1004
Chapter 9 1005
Chapter 10 1006
Index 1009
Icons Used in This Book
[Icon legend, images not reproduced. Icons shown: PC, PC with Software, Sun Workstation, Macintosh, Terminal, File Server, Web Server, CiscoWorks Workstation, Printer, Laptop, IBM Mainframe, Front End Processor, Cluster Controller, Modem, DSU/CSU, Router, Bridge, Hub, Catalyst Switch, Multilayer Switch, ATM Switch, ISDN/Frame Relay Switch, Communication Server, Gateway, Access Server, Network Cloud, Token Ring, FDDI, Line: Ethernet, Line: Serial, Line: Switched Serial.]
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars | separate alternative, mutually exclusive elements.
Square brackets [ ] indicate optional elements.
Braces { } indicate a required choice.
Braces within brackets [{ }] indicate a required choice within an optional element.
Introduction
As the number and sophistication of virtual private network (VPN) technologies has grown, the complexity of choice, design, and deployment has also increased.
It is now possible to implement site-to-site VPNs, remote access VPNs, LAN-to-LAN VPNs, trusted VPNs, secure VPNs, L1VPNs, L2VPNs, L3VPNs, VPWS VPNs, VPLS VPNs, IPLS VPNs, network-based VPNs, C(P)E-based VPNs, multiservice VPNs, provider-provisioned VPNs, customer-provisioned VPNs, Internet VPNs, intranet VPNs, extranet VPNs, point-to-point VPNs, multipoint-to-multipoint VPNs, overlay VPNs, peer (-to-peer) VPNs, connection-oriented VPNs, connectionless VPNs, and clientless VPNs.
And then there are L2TPv3-based VPNs, AToM-based VPNs, MPLS Layer 3 VPNs, L2F VPNs, L2TPv2 VPNs, PPTP VPNs, and SSL VPNs.
No wonder VPNs can be confusing!
This book shows you how to navigate the spaghetti soup of VPN terminology and acronyms and how to differentiate and select the appropriate VPN type.
But, the ability to differentiate and select the appropriate VPN type is not enough! After you have decided which VPN type is appropriate, the next steps are its design and deployment.
Thankfully, this book also steers you through the design and deployment phases and shows you how each individual VPN technology works in detail, what its capabilities are, how it can be configured, and what the advanced design and implementation considerations are.
Motivation for the Book
Although existing material describes the various VPN technologies, it became obvious to me that a requirement exists for a single book that not only clarifies the differences between the various VPN types and technologies but also describes those various VPN technologies in detail. Hopefully, this book fulfills that requirement and clears up a lot of the confusion that has hitherto existed with regard to VPNs.
Who Should Read This Book?
In this book, you will find in-depth coverage of site-to-site VPN technologies such as L2TPv3, AToM, MPLS Layer 3 (RFC2547bis) VPNs, IPsec, VPLS, and IPLS. You will also find detailed examinations of remote access VPN technologies, including L2TPv2/3, IPsec, and SSL. In addition, you will find information about how to integrate remote access VPN technologies with site-to-site VPNs.
So, who will find this breadth and depth of VPN technology coverage useful? It will be very useful to network architects, network implementation engineers, network support staff, and IT managers/CIOs involved with selecting, designing, deploying, and supporting VPNs. It will also be helpful to people preparing for networking tests such as the Security and Service Provider CCIE exams.
How This Book Is Organized
This book is organized such that it can either be dipped into for information on a specific VPN type or it can be read from cover to cover.
If you are in the process of comparing and evaluating different VPN types with a view to their deployment in your network, or are preparing for a networking exam that includes coverage of VPN technologies, you may want to read Chapter 1 (which gives a high-level comparison), followed by one or more of the following chapters that deal with specific VPN technologies.
If, on the other hand, you are looking to improve and deepen your knowledge of VPN technologies in general, you might want to read the book cover to cover.
The book is arranged as follows:
Chapter 1, What Is a VPN?
Chapter 1 poses (and answers) the deceptively simple question "What is a VPN?" In this chapter, you will find a high-level discussion and comparison of the various VPN types and technologies, which will clarify what the various VPN terms mean and how the technologies work. By the end of this chapter, the previously confused will be much clearer about what a VPN really is.
Chapter 2, Designing and Deploying L2TPv3-Based Layer 2 VPNs (L2VPN)
L2TP has evolved from a tunneling protocol for PPP to become, in its latest incarnation (L2TPv3), a universal transport mechanism for a host of protocols such as Ethernet, Frame Relay, ATM (cell-relay and AAL5), HDLC, and PPP. This chapter discusses in depth L2TPv3's advantages and disadvantages, how it operates, and how L2TPv3-based Layer 2 VPNs can be designed and deployed.
Chapter 3, Designing and Implementing AToM-Based Layer 2 VPNs (L2VPN)
Any Transport over MPLS (AToM) provides a similar transport mechanism to L2TPv3, but over MPLS rather than IP. It, too, can transport protocols including Ethernet, Frame Relay, and ATM, and as such can be used to consolidate service provider networks and build Layer 2 VPNs. AToM's underlying technology, configuration, verification, and advanced design considerations are examined in this chapter.
Chapter 4, Designing MPLS Layer 3 Site-to-Site VPNs
MPLS Layer 3 VPNs provide a highly scalable VPN architecture that provides any-to-any connectivity and can support real-time applications such as voice and video. This chapter provides a detailed discussion of the principles of its operation, its configuration, the provision of complex topologies, and Internet access.
Chapter 5, Advanced MPLS Layer 3 VPN Deployment Considerations
Building on the foundation of Chapter 4, this chapter describes how MPLS Layer 3 VPNs can be extended to support carrier customers, interprovider and inter-autonomous system VPNs, QoS, and customer IPv6 VPNs.
Chapter 6, Deploying Site-to-Site IPsec VPNs
IPsec remains a popular choice for implementing site-to-site VPNs. In this chapter, you can find a description of the algorithms and mechanisms that underlie IPsec, together with an in-depth discussion of the fundamentals of IPsec site-to-site VPN configuration using preshared key, encrypted nonce, and digital certificate authentication. Also included is detailed information about issues with IPsec and NAT (and how to get around them).
Chapter 7, Scaling and Optimizing IPsec VPNs
This chapter builds on the discussion of the fundamentals of site-to-site IPsec VPNs in Chapter 6 by describing their scaling and optimization. Specific topics covered include Tunnel Endpoint Discovery (TED), Dynamic Multipoint VPN (DMVPN), scaling IPsec VPNs using digital signature authentication, quality of service (QoS), and avoiding the performance degradation caused by IPsec packet fragmentation.
Chapter 8, Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs
L2TP can be used to implement industry-standard remote access VPNs. This chapter provides comprehensive information about designing and deploying L2TP voluntary tunnel mode/client-initiated and compulsory tunnel mode/NAS-initiated remote access VPNs. Methods of securing L2TP remote access VPNs using IPsec as well as the integration of L2TP remote access VPNs with MPLS Layer 3 VPNs are also discussed.
Chapter 9, Designing and Deploying IPsec Remote Access and Teleworker VPNs
IPsec can not only be used to provision site-to-site VPNs, but can also be used to implement remote access VPNs. A thorough description of their design and deployment is included in this chapter. The chapter describes configuration as well as special considerations, including the integration of IPsec remote access VPNs with MPLS Layer 3 VPNs, provisioning high availability, and allowing or disallowing split tunneling.
Chapter 10, Designing and Building SSL Remote Access VPNs (WebVPN)
Although SSL is a relative newcomer as a VPN technology, it can provide significant advantages, especially if remote access users need to access the corporate network from insecure locations such as Internet cafés and airport kiosks.
In this chapter, you will find detailed information on designing and deploying both clientless remote access SSL VPNs, and SSL remote access VPNs using the Cisco SSL VPN Client. Also included is an examination of the Cisco Secure Desktop, which enables users to greatly improve the security of SSL VPN connections from insecure locations.
Appendix A, VPLS and IPLS Layer 2 VPNs
This appendix describes two VPN technologies that provide multipoint Ethernet connectivity for customer sites. VPLS provides multipoint, multiprotocol connectivity, but does involve a relatively high degree of complexity; whereas IPLS provides multipoint, IP-only connectivity with a lower degree of complexity.
Appendix B, Answers to Review Questions
You will find the answers to the review questions at the end of each chapter here.
Part I: Understanding VPN Technology
Chapter 1 What Is a Virtual Private Network?