Saturday, February 22, 2014

Document: IPsec VPN WAN Design Overview (ppt)


Contents
v
IPsec VPN WAN Design Overview
OL-9021-01
Disadvantages 39
Most Common Uses 40
Virtual Tunnel Interface Design 40
Design Overview 40
Advantages 42
Disadvantages 42
Most Common Uses 42
Design Comparison 43
Major Feature Support 43
Platform Support 43
Selecting a Design 44
Scaling a Design 45
Critical Scalability Criteria 45
Number of Branch Offices 45
Connection Speeds 46
IPsec Throughput 46
Routing Peers 48
Quality of Service 48
High Availability 48
IP Multicast 49
Internet Access Strategy 49
Integrated Services 50
Appendix A—Evaluating Design Scalability 51
Test Methodology 51
Traffic Mix 51
Finding Limits 52
Conservative Results 52
Cisco Platforms Evaluated 53
Appendix B—References and Recommended Reading 54
Appendix C—Acronyms 54

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2006 Cisco Systems, Inc. All rights reserved.
IPsec VPN WAN Design Overview
This design guide defines the comprehensive functional components that are required to build a
site-to-site virtual private network (VPN) system in the context of enterprise wide area network (WAN)
connectivity. This design overview defines, at a high level, the available design choices for building an
IPsec VPN WAN, and describes the factors that influence the choice. Individual design guides provide
more detailed design and implementation descriptions for each of the major design types.
This design overview is part of an ongoing series that addresses VPN solutions using the latest VPN
technologies from Cisco, and based on practical design principles that have been tested to scale.
Introduction
This document serves as a design guide for those intending to deploy a site-to-site VPN based on IP
Security (IPsec). The designs presented in this document focus on Cisco IOS VPN router platforms.
The primary topology described in this document is a hub-and-spoke design, where the primary
enterprise resources are located in a large central site, with a number of smaller sites or branch offices
connected directly to the central site over a VPN. A high-level diagram of this topology is shown in
Figure 1.
Figure 1 Hub-and-Spoke VPN Topology
The introduction of dynamic multipoint VPN (DMVPN) makes a design with hub-and-spoke connections
feasible and also allows temporary connections to be created between spoke sites using IPsec
encryption. This topology is shown in Figure 2.
Figure 2 DMVPN Spoke-to-Spoke VPN Topology
[Figure 1 labels: Corporate Network, Central Site, Internet, Large Branch Offices, Medium Branch Offices, Small Branch Offices. Figure 2 labels: Corporate Network, Central Site, Internet, Branches; hub-and-spoke tunnels and spoke-to-spoke tunnels.]
This design guide begins with an overview of various VPN solutions, followed by critical selection
criteria as well as a guide to scaling a solution. Finally, a platform overview is presented.
Target Audience
This design guide is targeted at systems engineers to provide guidelines and best practices for customer
deployments.
Scope of Work
The following design topologies are currently within the scope of this design guide:
• IPsec Direct Encapsulation
• Point-to-Point (p2p) Generic Route Encapsulation (GRE) over IPsec
• Dynamic Multipoint VPN (DMVPN)
• Virtual Tunnel Interface (VTI)
The following major features and services are currently within the scope of this design guide:
• Dead Peer Detection (DPD)
• Reverse Route Injection (RRI)
• Internet Key Exchange (IKE) authentication using digital signatures or certificates
• Cisco VPN routers running Cisco IOS
• EIGRP and OSPF as dynamic Interior Gateway Protocol (IGP) routing protocols across the VPN
• Quality of service (QoS) and Voice and Video Enabled IPsec VPN (V3PN)
• Hot Standby Routing Protocol (HSRP) and Stateful Switchover (SSO) as appropriate for high
availability
• IP multicast services over the VPN
The following features and services are currently outside the scope of this design overview and the
design guides it provides:
• Easy VPN authentication and design topology
• Cisco non-IOS platforms including PIX Series and VPN3000 Series
• Remote access applications (client-based)
• Layer 2 tunneling protocols such as Layer 2 Tunneling Protocol (L2TPv3), Point-to-Point Tunneling
Protocol (PPTP), and WebVPN (SSL/TLS VPNs)
• MPLS-based VPNs
• Network Management
Design Guide Structure
This design overview is part of a series of design guides, each based on different technologies for the
IPsec VPN WAN architecture. (See Figure 3.) Each technology uses IPsec as the underlying transport
mechanism for each VPN.
Figure 3 IPsec VPN WAN Design Guides
The operation of IPsec is outlined in this guide, as well as the criteria for selecting a specific IPsec VPN
WAN technology.
IP Security Overview
The purpose of this overview is to introduce IP Security (IPsec) and its application in VPNs. For a more
in-depth understanding of IPsec, see the Cisco SAFE documentation at the following URL:
http://www.cisco.com/go/safe.
Introduction to IPsec
The IPsec standard provides a method to manage authentication and data protection between multiple
crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key
Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Protocol
(ESP) and Authentication Header (AH).
IPsec uses symmetrical encryption algorithms for data protection. Symmetrical encryption algorithms
are more efficient and easier to implement in hardware. These algorithms need a secure method of key
exchange to ensure data protection. Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide
this capability.
This solution requires a standards-based way to secure data from eavesdropping and modification, and
IPsec provides such a method. IPsec offers a choice of transform sets so that a user can choose the
strength of their data protection. IPsec also offers several Hashed Message Authentication Codes
(HMACs) from which to choose, each giving a different level of protection against man-in-the-middle,
packet replay (anti-replay), and data integrity attacks.
[Figure 3 contents: the IPsec VPN WAN Design Overview (OL-9021-01) and the design guides it covers.]
Topologies:
• IPsec Direct Encapsulation Design Guide (OL-9022-01)
• Point-to-Point GRE over IPsec Design Guide (OL-9023-01)
• Dynamic Multipoint VPN (DMVPN) Design Guide (OL-9024-01)
• Virtual Tunnel Interface (VTI) Design Guide (OL-9025-01)
Service and Specialized Topics:
• IPsec VPN Redundancy and Load Sharing Design Guide (OL-9025-01)
• Voice and Video IPsec VPN (V3PN): QoS and IPsec Design Guide (OL-9027-01)
• Multicast over IPsec VPN Design Guide (OL-9028-01)
• Digital Certification/PKI for IPsec VPN Design Guide (OL-9029-01)
• Enterprise QoS Design Guide (OL-9030-01)
Tunneling Protocols
Tunneling protocols vary in the features they support, the problems they are designed to solve, and the
amount of security they provide to the data being transported. The designs presented in this architecture
focus on the use of IPsec as a tunneling protocol alone, and IPsec used in conjunction with Generic Route
Encapsulation (GRE) and Virtual Tunnel Interfaces (VTI).
When used alone, IPsec provides a private, resilient network for IP unicast only, where support is not
required for IP multicast, dynamic IGP routing protocols, or non-IP protocols. When support for one or
more of these features is required, IPsec should be used in conjunction with either GRE or VTI.
The p2p GRE over IPsec design supports all three of the features described in the preceding paragraph,
whereas a DMVPN design or a VTI design fulfills only the IP multicast and dynamic IGP routing protocol
requirements.
Other possible tunneling protocols include the following:
• Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPN (WebVPN)
• Point-to-Point Tunneling Protocol (PPTP)
• Layer Two Tunneling Protocol (L2TP)
These protocols are based on user- or client-to-gateway VPN connections, commonly called remote
access solutions, and are not implemented in this solution.
IPsec Protocols
The following sections describe the two IP protocols used in the IPsec standard: ESP and AH.
Encapsulating Security Protocol
The ESP header (IP protocol 50) forms the core of the IPsec protocol. This protocol, in conjunction with
an agreed-upon set of security parameters, or transform set, protects data by rendering it indecipherable.
It encrypts only the data portion of the packet and relies on an HMAC for the other protections (data
integrity, anti-replay, and defense against man-in-the-middle attacks). Optionally, it can also provide
authentication of the protected data. Figure 4 illustrates how ESP encapsulates an IP packet.
Figure 4 Encapsulating Security Protocol (ESP)
Authentication Header (AH)
The AH protocol (IP protocol 51) forms the other part of IPsec. AH does not encrypt data in the usual
sense of hiding it; instead it adds a tamper-evident seal to the data. It also protects the non-mutable
fields of the IP header carrying the data, including the address fields. AH should not be used alone
when there is a requirement for data confidentiality. Figure 5 illustrates how AH encapsulates an IP
packet.
[Figure 4 layout. Transport mode: IP Hdr | ESP Hdr | Data | ESP Trailer | ESP Auth, with Data and ESP Trailer encrypted and ESP Hdr through ESP Trailer authenticated. Tunnel mode: New IP Hdr | ESP Hdr | IP Hdr | Data | ESP Trailer | ESP Auth, with IP Hdr through ESP Trailer encrypted and ESP Hdr through ESP Trailer authenticated.]
Figure 5 Authentication Header (AH)
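The tamper-evident seal and the mutable-field exclusion described above for AH, worked through as an added example that is not part of the Cisco guide: a Python model of a transport-mode AH packet with an HMAC-SHA1-96 ICV, showing that an ordinary TTL decrement still verifies while a NAT address rewrite does not. The key, SPI, addresses and payload are constructed demo values.

```python
import hashlib, hmac, ipaddress, struct
# Constructed demo values; no key, SPI or address here comes from the design guide.
KEY = b"constructed-demo-key-not-for-production"
SPI, SEQ = 0x1001, 1
ICV_LEN = 12  # HMAC-SHA1-96: the SHA-1 HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN  # fixed AH fields (12 bytes) plus the ICV

def ipv4_header(src, dst, payload_len, ttl=64, proto=51):
    """20-byte IPv4 header carrying AH (IP protocol 51); checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def zero_mutable(ip_hdr):
    """Zero the fields AH treats as mutable (DSCP/ECN, flags+fragment offset, TTL, checksum);
    addresses, protocol, length and identification are left in place and so get sealed."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)

def compute_icv(ip_hdr, ah_fixed, payload):
    """ICV over the immutable IP header, the AH header with its ICV field zeroed, and the data."""
    msg = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(KEY, msg, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src, dst, payload):
    """Transport-mode AH packet laid out as IP Hdr | AH | Data (Figure 5, transport mode)."""
    ip_hdr = ipv4_header(src, dst, AH_LEN + len(payload))
    # Next Header 17 (UDP), Payload Len 4 (AH length in 32-bit words minus 2), reserved, SPI, seq.
    ah_fixed = struct.pack("!BBHLL", 17, 4, 0, SPI, SEQ)
    return ip_hdr + ah_fixed + compute_icv(ip_hdr, ah_fixed, payload) + payload

def verify_ah_packet(pkt):
    """Receiver check: recompute the ICV and compare it in constant time."""
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, compute_icv(ip_hdr, ah_fixed, payload))

def router_hop(pkt):
    """An ordinary router decrements TTL, a mutable field, so the seal still verifies."""
    b = bytearray(pkt)
    b[8] -= 1
    return bytes(b)

def nat_rewrite(pkt, new_src):
    """A NAT rewrites the source address, an immutable field, so the seal no longer verifies."""
    b = bytearray(pkt)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(b)
```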
Using ESP and AH Together
It is possible to use ESP and AH together on the same IPsec Security Association (SA). ESP includes
the same authentication as AH, as well as providing data encryption and protection. Only the use of ESP
alone is shown in the architecture described in this guide.
IPsec Modes
IPsec has the following two modes of forwarding data across a network:
• Tunnel mode
• Transport mode
Each differs in its application as well as in the amount of overhead added to the passenger packet. These
modes are described in more detail in the next two sections.
Tunnel Mode
Tunnel mode works by encapsulating and protecting an entire IP packet. Because tunnel mode
encapsulates or hides the IP header of the pre-encrypted packet, a new IP header is added so that the
packet can be successfully forwarded. The encrypting devices themselves own the IP addresses used in
this new header. These addresses can be specified in the configuration in Cisco IOS routers. Tunnel mode
can be employed with either or both IPsec protocols (ESP and AH). Tunnel mode results in additional
packet expansion of approximately 20 bytes because of the new IP header. Tunnel mode is widely
considered more secure and flexible than transport mode. IPsec tunnel mode encrypts the source and
destination IP addresses of the original packet, and hides that information from the unprotected network.
This helps prevent social engineering attacks.
[Figure 5 layout. Transport mode: IP Hdr | AH | Data, authenticated except for mutable fields. Tunnel mode: New IP Hdr | AH | IP Hdr | Data, authenticated except for mutable fields in the New IP Header.]
Figure 6 illustrates the expansion of the IP packet.
Figure 6 IPsec Tunnel Mode
Transport Mode
IPsec transport mode works by inserting the ESP or AH header between the IP header and the next
protocol or transport layer of the packet. Both IP addresses of the two network nodes whose traffic
is being protected by IPsec are visible in the IP header of the post-encrypted packet, so this mode of
IPsec can be susceptible to traffic analysis attacks. However, because no additional IP header is added,
it results in less packet expansion. Transport mode can be deployed with either or both of ESP and AH.
Transport mode can be used with p2p GRE over IPsec, because that design already hides the addresses of
the end stations behind the IP header added by the GRE encapsulation. If the source or destination IP
address is an RFC 1918-compliant address, the packet cannot be transmitted over the public Internet, and
these addresses cannot transit a Network Address Translation (NAT) or Port Address Translation (PAT)
device without invalidating the HMAC of the crypto packet.
Figure 7 illustrates the expansion of the IP packet.
Figure 7 IPsec Transport Mode
[Figure 6 layout (tunnel mode): the original IP Hdr | Data is marked "To be protected"; the result is New IP Hdr | IPsec Hdr | IP Hdr | Data. Figure 7 layout (transport mode): the original IP Hdr | Data is marked "To be protected"; the result is IP Hdr | IPsec Hdr | Data.]
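The packet expansion shown in Figures 6 and 7 worked through in Python, as an added example that is not part of the Cisco guide: it computes ESP packet sizes in tunnel and transport mode, shows how the new 20-byte header interacts with cipher block padding, and finds the largest data length that still fits a path MTU. The AES-CBC/HMAC-SHA1-96 transform set sizes are an assumption, not something the guide specifies.

```python
# Field sizes for the ESP layouts of Figures 4, 6 and 7 (RFC 4303 framing).
# Transform-set parameters are an assumption: AES-CBC (16-byte block and IV) with
# HMAC-SHA1-96 (12-byte ICV), a common Cisco IOS transform set.
IPV4_HDR = 20      # the new outer IP header that tunnel mode adds (Figure 6)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)

def esp_packet_size(data_len, mode, block=16, iv=16, icv=12):
    """Return (bytes on the wire, expansion over the original IP Hdr | Data packet)."""
    original = IPV4_HDR + data_len
    if mode == "tunnel":
        protected = original        # whole inner packet, IP Hdr included, is encrypted
    elif mode == "transport":
        protected = data_len        # only the data after the original IP header
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # Pad so that protected data + trailer fills whole cipher blocks.
    padding = (-(protected + ESP_TRAILER)) % block
    total = IPV4_HDR + ESP_HDR + iv + protected + padding + ESP_TRAILER + icv
    return total, total - original

def tunnel_extra_bytes(data_len, **kw):
    """How much more tunnel mode costs than transport mode for the same data.
    The new header is 20 bytes, but with a 16-byte cipher block the padding shifts
    the observed difference to 16 or 32 bytes, never exactly 20."""
    return (esp_packet_size(data_len, "tunnel", **kw)[0]
            - esp_packet_size(data_len, "transport", **kw)[0])

def largest_data_for_mtu(mtu, mode, **kw):
    """Largest data length whose ESP packet still fits the path MTU without fragmentation."""
    n = mtu
    while n > 0 and esp_packet_size(n, mode, **kw)[0] > mtu:
        n -= 1
    return n
```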
