Introduction

VPNs are becoming more important for both enterprises and service providers, and IPSec is one of the more popular technologies for deploying IP-based VPNs. Many books on the market go into the technical details of the IPSec protocols and cover product-level configuration, but they do not address the overall design issues of deploying IPSec VPNs.

The Goals of This Book

The objective of this book is to give you a good understanding of the design and architectural issues of IPSec VPNs. It also provides guidance on enabling value-added services and on integrating IPSec VPNs with other Layer 3 VPN technologies, in particular MPLS VPNs.

Who Should Read This Book

The primary audience for this book is network engineers involved in the design, deployment, and troubleshooting of IPSec VPNs. The book assumes that you have a good understanding of basic IP routing; prior IPSec knowledge is not a prerequisite.

How This Book Is Organized

The book is divided into three parts. Part I covers the general architecture of IPSec, including its protocols and the details of the Cisco IOS IPSec implementation. Part II, beginning with Chapter 5, examines IPSec VPN design principles, covering hub-and-spoke, full-mesh, and fault-tolerant designs. Part II also covers the dynamic configuration models used to simplify IPSec VPN designs and presents a case study. Part III, beginning with Chapter 8, covers the design issues of adding services such as voice and multicast to an IPSec VPN and of integrating IPSec VPNs with MPLS VPNs.

The book is organized as follows:

Part I, "Introduction and Concepts"
- Chapter 1, "Introduction to VPNs": Provides an introduction to VPN concepts and a brief introduction to the various VPN technologies.
- Chapter 2, "IPSec Overview": Gives an overview of the IPSec protocols and describes the differences between transport mode and tunnel mode. Cisco IOS IPSec packet processing is also explained in this chapter.
- Chapter 3, "Enhanced IPSec Features": Introduces advanced IPSec features that improve IPSec VPN scalability and fault tolerance, such as dead peer detection and control plane keepalives. This chapter also explains the challenges of IPSec interoperating with Network Address Translation (NAT) and Path MTU Discovery (PMTUD), and how to overcome them.
- Chapter 4, "IPSec Authentication and Authorization Models": Explores IPSec features that are primarily used for remote access users, such as Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG). It also explains the Cisco EzVPN connection model and digital certificate concepts.

Part II, "Design and Deployment"
- Chapter 5, "IPSec VPN Architectures": Covers the various IPSec connection models, such as native IPSec, GRE, and remote access. Deployment architectures for each connection model are explored, with the pros and cons of each architecture.
- Chapter 6, "Designing Fault-Tolerant IPSec VPNs": Discusses how to introduce fault tolerance into VPN architectures and describes the caveats of the various fault-tolerance methods.
- Chapter 7, "Auto-Configuration Architectures for Site-to-Site IPSec VPNs": Covers mechanisms that alleviate the configuration complexity of a large-scale IPSec VPN; Tunnel Endpoint Discovery (TED) and Dynamic Multipoint VPN (DMVPN) are the two mechanisms discussed in depth.

Part III, "Service Enhancements"
- Chapter 8, "IPSec and Application Interoperability": Examines the issues with IPSec VPNs in the context of the applications running over the VPN, such as voice and multicast.
- Chapter 9, "Network-Based IPSec VPNs": Concludes by introducing the concept of network-based VPNs.