Slide 1
© 2003, Cisco Systems, Inc. All rights reserved.
Deploying VPN
Eric Vyncke
Cisco Systems
Field Distinguished Engineer
evyncke@cisco.com
Slide 2
Forewords
Focus mainly on VPN for one organization
Slide 3
Agenda
• Cisco Definition of VPN
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Slide 4
Virtual Private Network (VPN) Defined
“A Virtual Private Network Carries Private Traffic Over a Public Network”
Cisco 'official' definition
Slide 5
What Is a “Public” Network?
• In this context, any network shared among different administrative domains
• A shared network such as the Internet
• A privately owned network which services many external/internal customers
Slide 6
What is 'Private' Traffic?
• Can be anything desired by an organization
Confidentiality => IPSec
IP Routing independence (address and IGP) => MPLS & RFC 2547
QoS end to end
Efficient multicast
Slide 7
The Three Categories of VPN
Diagram: Remote Office, Main Office, Home Office and Mobile Worker connected through the WAN VPN via POPs; a Business Partner attached over an Extranet VPN.
Remote Access VPN: secure, scalable, encrypted tunnels across a public network, client software
Extranet VPN: extends WANs to business partners
Intranet VPN: low cost, tunneled connections with rich VPN services, like IPSec encryption and QoS to ensure reliable throughput
Slide 8
Technologies
• A large choice
BGP/MPLS VPN
IPSec
Layer 3: IPinIP, GRE, IPv6 over IPv4
Layer 2: L2TP
IEEE 802.1q VLAN
My main focus
Slide 9
Another Cisco Taxonomy
VPN
  CPE Based: IPSec/GRE
  Network Based VPN
    L2VPN
    L3VPN: MPLS VPN, Network Based IPSec
Slide 10
Agenda
• Cisco Definition of VPN
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Slide 11
Examples
• The most common layer 3 tunnels are
IP in IP: RFC 2003
GRE: RFC 2784
• The most common layer 2 tunnels are
PPTP, L2F: deprecated
L2TP: RFC 2661
L2TPv3: aka UTI
Default on Cisco routers
Slide 12
IPSec Tunnel Mode Encapsulation
Original IP datagram:
Original IP header (Protocol=p, 20 bytes) | IP payload
IPSec ESP without ESP auth encapsulation (after encapsulation):
ESP header (Protocol=4, IPinIP; 16 bytes) | Original IP header (Protocol=p, 20 bytes) | IP payload | ESP trailer (2-10 bytes)
Encrypted payload: Original IP header + IP payload + ESP trailer
IPSec packet with new IP header (on the wire):
External IP header (Protocol=50, ESP; 20 bytes) | ESP header (Protocol=4; 16 bytes) | Original IP header (Protocol=p, 20 bytes) | IP payload | ESP trailer (2-10 bytes)
Slide 13
IPinIP + IPSec Transport Mode
Original IP datagram:
Original IP header (Protocol=p, 20 bytes) | IP payload
IPinIP Encapsulation:
External IP header (Protocol=4, IPinIP; 20 bytes) | Original IP header (Protocol=p, 20 bytes) | IP payload
After IPSec Transport Mode:
External IP header (Protocol=50, ESP; 20 bytes) | ESP header (Protocol=4; 16 bytes) | Original IP header (Protocol=p, 20 bytes) | IP payload | ESP trailer (2-10 bytes)
Encrypted payload: Original IP header + IP payload + ESP trailer
Slide 14
Differences with IPSec Tunnel Mode
• Same syntax (bits on the wire):
IPSec Tunnel Mode
IPinIP + IPSec Transport Mode
• Is it the same semantic? No
• Because SPD is now replaced by routing
Ease of deployment
Resiliency
Less security
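The two encapsulations on slides 12 and 13 are claimed to produce identical bits on the wire. The following added example (not code from the deck or from Cisco) builds both layouts with Python's struct module and checks that claim byte for byte. It assumes a 16-byte ESP header (SPI, sequence number, 8-byte IV) and an 8-byte cipher block for the trailer padding, as drawn on the slides; the addresses and payload are constructed, and the cipher itself is left out so the layout stays readable.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # IP in IP, RFC 2003
IPPROTO_ESP = 50   # ESP, carried in the external IP header
ESP_HDR_LEN = 16   # SPI (4) + sequence (4) + 8-byte IV, as on the slide (assumption)
BLOCK = 8          # cipher block size assumed for the trailer padding (DES/3DES era)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left at zero)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int, iv: bytes):
    """ESP without authentication: returns (ESP header, payload + ESP trailer).
    The trailer pads payload+2 to the block size and ends with <pad length, next header>.
    Encryption is out of scope here, so the bytes a real ESP would encrypt stay readable."""
    pad_len = (-(len(payload) + 2)) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + iv, payload + trailer


def ipsec_tunnel_mode(inner: bytes, outer_src: str, outer_dst: str,
                      spi: int, seq: int, iv: bytes) -> bytes:
    """Slide 12: the whole original datagram becomes the ESP payload (next header = 4)
    and a brand-new external header (Protocol=50) is prepended."""
    esp_hdr, body = esp_encapsulate(inner, IPPROTO_IPIP, spi, seq, iv)
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp_hdr) + len(body))
    return outer + esp_hdr + body


def ipinip_plus_transport(inner: bytes, outer_src: str, outer_dst: str,
                          spi: int, seq: int, iv: bytes) -> bytes:
    """Slide 13: first IPinIP (Protocol=4) on the tunnel interface, then transport-mode
    ESP protects the outer datagram's payload and rewrites Protocol to 50."""
    outer = bytearray(ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)))
    esp_hdr, body = esp_encapsulate(inner, IPPROTO_IPIP, spi, seq, iv)
    outer[9] = IPPROTO_ESP                                          # Protocol field
    struct.pack_into("!H", outer, 2, 20 + len(esp_hdr) + len(body))  # Total Length
    return bytes(outer) + esp_hdr + body


def parse_layout(packet: bytes) -> dict:
    """Walk the on-wire layout back: external header, ESP header, inner header, trailer."""
    spi, seq = struct.unpack("!II", packet[20:28])
    inner = packet[20 + ESP_HDR_LEN:]
    pad_len, next_header = inner[-2], inner[-1]
    return {
        "outer_proto": packet[9],
        "spi": spi,
        "seq": seq,
        "next_header": next_header,
        "inner_proto": inner[9],
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "trailer_len": pad_len + 2,
        "overhead": 20 + ESP_HDR_LEN + pad_len + 2,   # bytes added to the original datagram
    }


def build_both(payload: bytes = b"hello, world!") -> tuple:
    """Encapsulate one constructed TCP datagram both ways and return the two packets."""
    inner = ipv4_header("10.1.1.1", "10.2.2.2", 6, len(payload)) + payload
    iv = b"\x00" * 8
    tunnel = ipsec_tunnel_mode(inner, "192.0.2.1", "198.51.100.1", 0x1000, 1, iv)
    overlay = ipinip_plus_transport(inner, "192.0.2.1", "198.51.100.1", 0x1000, 1, iv)
    return tunnel, overlay


if __name__ == "__main__":
    t, x = build_both()
    print("identical on the wire:", t == x)
    print(parse_layout(t))
```

Note that the only thing the receiver can tell apart is what it does after decryption: in tunnel mode the inner datagram is matched against the SPD selectors, whereas in the overlay it is handed to the IPinIP tunnel interface and routed.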
Slide 15
Difference: SPD & SAD
• IPinIP + IPSec Transport Mode
<L3 endpoint, L3 endpoint, IPinIP, *, *>
Usually one pair of SA
Trivial selectors => easy provisioning
One pair of SA => very scalable
• IPSec Tunnel Mode
<protected net., protected net., *, *, *>
Can potentially be multiple pairs of SA
Slide 16
Difference: Cisco Router IOS view
• IPinIP + IPSec: is a L3 tunnel interface
Routing Protocol
Multicast, ...
• IPSec Tunnel mode: is not
This means strong resilience
And fast re-routing
Slide 17
Difference: SA Selection
• IPinIP + IPSec Transport Mode
L3 tunnel is selected by FIB
FIB is dynamic (insecure)
• IPSec Tunnel Mode
IPSec SA selected by SAD
SAD is static (secure)
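Slides 15 to 17 contrast a static SPD/SAD with a FIB that routing protocols can change at any time. The added example below (my own simulation, not code from the deck or from IOS) models both designs with the same packet and the same remote site, then lets a more specific route appear in the FIB: tunnel mode still protects the packet, the overlay sends it out of a physical interface in the clear. It closes with a defender-side audit that lists routes able to carry protected traffic around the tunnel. Addresses, interface names and the `tunnel:` naming convention are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IPPROTO_IPIP = 4


@dataclass
class SpdEntry:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: Optional[int]   # None stands for the '*' wildcard in the selector
    peer: str              # remote tunnel endpoint that owns the SA pair


class TunnelModeSpd:
    """IPsec tunnel mode: the SPD is keyed on <protected net., protected net., *, *, *>
    and provisioned statically; routing has no say in which SA is used."""

    def __init__(self, entries: List[SpdEntry], default: str = "discard") -> None:
        self.entries = entries
        self.default = default

    def select(self, src: str, dst: str, proto: int) -> Tuple[str, Optional[str]]:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for e in self.entries:
            if s in e.src_net and d in e.dst_net and e.proto in (None, proto):
                return ("protect", e.peer)
        return (self.default, None)


class Fib:
    """Longest-prefix-match forwarding table whose entries may come from a dynamic IGP."""

    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, net: str, via: str) -> None:
        self.routes.append((ipaddress.IPv4Network(net), via))

    def lookup(self, dst: str) -> Optional[str]:
        d = ipaddress.IPv4Address(dst)
        matches = [(n, via) for n, via in self.routes if d in n]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


class TransportModeOverlay:
    """IPinIP + IPsec transport mode: the FIB picks the tunnel interface, and the SPD
    only sees the trivial selector <local endpoint, remote endpoint, IPinIP>."""

    def __init__(self, local_endpoint: str, fib: Fib, peers: Set[str]) -> None:
        self.local, self.fib, self.peers = local_endpoint, fib, peers

    def forward(self, src: str, dst: str, proto: int) -> Tuple[str, Optional[str]]:
        via = self.fib.lookup(dst)
        if via is None:
            return ("drop", None)
        if via.startswith("tunnel:"):
            remote = via.split(":", 1)[1]
            # the encapsulated packet is <local, remote, IPinIP>, which matches the SA pair
            return ("protect", remote) if remote in self.peers else ("drop", None)
        # a physical interface won the lookup: the packet leaves the router in the clear
        return ("clear", via)


def audit_fib(fib: Fib, protected_nets: List[str]) -> List[str]:
    """Defender check for the overlay design: every route that overlaps a protected
    network and does not point into a tunnel can carry protected traffic in the clear
    (a default route counts too: it takes over as soon as the tunnel route disappears)."""
    findings = []
    for net, via in fib.routes:
        if via.startswith("tunnel:"):
            continue
        for p in protected_nets:
            pn = ipaddress.IPv4Network(p)
            if net.overlaps(pn):
                findings.append(f"{net} via {via} overlaps protected {pn}")
    return findings


def scenario() -> dict:
    """Same packet, same remote site, before and after a more specific route shows up."""
    local, remote = "192.0.2.1", "198.51.100.1"          # tunnel endpoints (constructed)
    spd = TunnelModeSpd([SpdEntry(ipaddress.IPv4Network("10.1.0.0/16"),
                                  ipaddress.IPv4Network("10.2.0.0/16"), None, remote)])
    fib = Fib()
    fib.add("10.2.0.0/16", f"tunnel:{remote}")
    fib.add("0.0.0.0/0", "Serial0")
    overlay = TransportModeOverlay(local, fib, {remote})
    pkt = ("10.1.5.5", "10.2.7.7", 6)
    before = {"tunnel_mode": spd.select(*pkt), "overlay": overlay.forward(*pkt)}
    # A more specific route for part of the remote site appears in the FIB, e.g. learned
    # from the IGP or mistyped as a static route; the tunnel-mode SPD does not notice it.
    fib.add("10.2.7.0/24", "Serial0")
    after = {"tunnel_mode": spd.select(*pkt), "overlay": overlay.forward(*pkt)}
    return {"before": before, "after": after, "audit": audit_fib(fib, ["10.2.0.0/16"])}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The audit is the practical takeaway for the overlay design: with GRE or IPinIP plus transport mode, route filtering on the tunnel interfaces and a watch on what the IGP injects are part of the security configuration, not just of the routing design.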
Slide 18
Traffic can be Routed Through 2 Hubs
Central Site: Hub 1 (active), Hub 2 (active)
+ Easier
+ Hubs are always under 50% load
- Asymmetric routing
Slide 19
Traffic can be Load Balanced
Central Site: Hub 1 (active), Hub 2 (active)
Need to tune IGP to always select the GREEN tunnels.
+ Symmetric routing
+ Both hubs running at 50%
Slide 20
Agenda
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Slide 28
Agenda
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Slide 29
Next Hop Resolution Protocol, RFC 2332
• IETF protocol
• Used on NBMA (Non Broadcast Multi-Access) networks (Frame Relay, X.25, …) to discover peers
• Can also be used on multi-point GRE, mGRE
Specific kind of GRE tunnel
Fan-out like: one hub and multiple spokes
Hub can speak direct to all spokes
Spokes can only talk to hub
• Cannot be used over IPinIP since NHRP does not run over IP
Slide 30
NHRP over mGRE
Diagram: NHRP Server (hub) with NHRP Client X and NHRP Client Y as spokes on the mGRE tunnel; NBMA addresses shown: 2.2.2.2 and 3.3.3.3.
• Y to server: NHRP registration request: Y is 3.3.3.3
• Server to Y: NHRP registration reply: OK; server NHRP cache: Client Y is via 3.3.3.3
• X has a packet IP: X to Y; X to server: NHRP resolution request for Y
• Server to X: NHRP resolution reply: Y is through 3.3.3.3
• X NHRP cache: Client Y is via 3.3.3.3
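The registration and resolution exchange on slide 30, as an added simulation (my own code, not the deck's and not an NHRP implementation): a hub keeps the cache of tunnel address to NBMA address, a spoke registers itself, another spoke resolves it and caches the answer, and both caches honour a holding time so that a stale mapping eventually falls back to forwarding through the hub. The tunnel addresses 10.0.0.2 and 10.0.0.3 and the holding time are constructed; only the NBMA addresses 2.2.2.2 and 3.3.3.3 come from the slide. Note that the hub accepts a registration on the spoke's say-so here; RFC 2332 defines an authentication extension for that purpose.

```python
from typing import Dict, List, Optional, Tuple


class NhrpServer:
    """Hub / next-hop server: holds the cache <tunnel address -> (NBMA address, expiry)>."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, float]] = {}

    def registration_request(self, tunnel_addr: str, nbma_addr: str, now: float,
                             hold_time: float = 7200) -> str:
        """Registration request from a spoke ("Y is 3.3.3.3"); the reply is OK."""
        self.cache[tunnel_addr] = (nbma_addr, now + hold_time)
        return "OK"

    def resolution_request(self, tunnel_addr: str, now: float) -> Optional[str]:
        """Resolution request ("where is Y?"); reply with the NBMA address, or None
        when the hub has no live registration for that tunnel address."""
        entry = self.cache.get(tunnel_addr)
        if entry is None or entry[1] <= now:
            self.cache.pop(tunnel_addr, None)   # expired registration is dropped
            return None
        return entry[0]


class NhrpClient:
    """Spoke on the mGRE tunnel: registers with the hub, caches resolved NBMA addresses."""

    def __init__(self, name: str, tunnel_addr: str, nbma_addr: str, server: NhrpServer) -> None:
        self.name, self.tunnel_addr, self.nbma_addr = name, tunnel_addr, nbma_addr
        self.server = server
        self.cache: Dict[str, Tuple[str, float]] = {}

    def register(self, now: float, hold_time: float = 7200) -> str:
        return self.server.registration_request(self.tunnel_addr, self.nbma_addr, now, hold_time)

    def next_hop(self, dst_tunnel_addr: str, now: float,
                 hold_time: float = 7200) -> Tuple[str, Optional[str]]:
        """Where does the outer (NBMA) header of a packet to dst_tunnel_addr point?
        Returns (how the answer was obtained, NBMA address or None = send via the hub)."""
        entry = self.cache.get(dst_tunnel_addr)
        if entry and entry[1] > now:
            return ("cached", entry[0])
        nbma = self.server.resolution_request(dst_tunnel_addr, now)
        if nbma is None:
            return ("unresolved, via hub", None)
        self.cache[dst_tunnel_addr] = (nbma, now + hold_time)
        return ("resolved", nbma)


def walk_through() -> List[tuple]:
    """The slide's sequence: Y registers, X resolves Y, then the entry ages out."""
    hub = NhrpServer()
    x = NhrpClient("X", "10.0.0.2", "2.2.2.2", hub)   # tunnel addresses are constructed
    y = NhrpClient("Y", "10.0.0.3", "3.3.3.3", hub)
    return [
        ("registration reply", y.register(now=0)),
        ("X first packet to Y", x.next_hop(y.tunnel_addr, now=1)),
        ("X second packet to Y", x.next_hop(y.tunnel_addr, now=2)),
        ("X after hold time expired", x.next_hop(y.tunnel_addr, now=10_000)),
    ]


if __name__ == "__main__":
    for step in walk_through():
        print(*step)
```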
Slide 31
Tunnel Endpoint Discovery
Proposed to IETF IPSP WG
Diagram: host Alice (A) behind gateway X1, host Bob (B) behind gateway Y; a second gateway X2 is also shown.
• X1: traffic A to B must be protected; no SA => send probe
IP: A to B, carrying IKE: A to B (proxy=X1)
• Y: traffic to B must be protected; no SA & probe received => block & answer probe
IKE: Y to X1
Slide 32
NHRP, TED and Routing
• NHRP+mGRE requires routing inside the GRE tunnel to learn about connected networks
• TED requires routing in the core to learn about connected networks
Slide 33
Agenda
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Slide 34
Case #1: 1500 Nodes Hierarchical Network With IPX
• Customer: large retail bank
• Requirements:
Mix of IP and IPX traffic
Large scale: 1500 nodes
Hierarchical structure: branch, regional office
Bandwidth: 128 kbps, 512 kbps & 10 Mbps
Outsourced IP services
Slide 35
Case #1: Issues
• Large scale
Need to use a layered structure
• Mix of IPX & IP
Use of GRE encapsulation
• High Availability (Resilience)
Use routing protocol (EIGRP for IP & IPX)
• Outsourced IP services
1 router managed by IP Service Provider
1 router managed by customer (IPSec)
Slide 36
Case #1: IPSec Overlay Network
HQ (approx. 2): 200 tunnels per router, can be split over several routers
RO (approx. 600): 15 tunnels to branches, 4 tunnels to BO
BO (approx. 800): 1 tunnel per branch
Slide 37
Case #2: MPLS BGP VPN & IPSec
• Customer: SP for a bank
• Requirements
Outsourced network: connectivity & security
Double management?
Interworking with MPLS (RFC 2547)
300 Nodes
Slide 38
Case #2: Network
Diagram: sites attached to the MPLS Network over 2 Mbps links; two customer VPNs, Green VPN and Red VPN.
Use of Tunnel Endpoint Discovery
Slide 39
Case #3: Mapping IPSec Remote Access to another VPN
• SP customer
• Wants to connect remote user over a remote access IPSec VPN to
Specific L3 VPN: GRE, BGP/MPLS
Specific L2 VPN: Frame Relay, 802.1Q VLAN
• Solution: IPSec termination in different VRF based on IKE identity
Slide 40
Case #3: IPSec to BGP/MPLS VPN
Diagram: Branch Office, Telecommuter/SOHO and Remote Access users reach an Internet Gateway over the Internet (IPSec VPN); an IPSec-AGG PE terminates the tunnels into the MPLS Network, where other PEs connect Customer A and Customer B (MPLS/VPN).
Mapping offnet users into BGP/MPLS VPNs.