Advanced IPSec VPN Architecture and Design


The definitive design and deployment guide for secure virtual private networks

  • Learn about IPSec protocols and Cisco IOS IPSec packet processing
  • Understand the differences between IPSec tunnel mode and transport mode
  • Evaluate the IPSec features that improve VPN scalability and fault tolerance, such as dead peer detection and control plane keepalives
  • Overcome the challenges of working with NAT and PMTUD
  • Explore IPSec remote-access features, including extended authentication, mode-configuration, and digital certificates
  • Examine the pros and cons of various IPSec connection models such as native IPSec, GRE, and remote access
  • Apply fault tolerance methods to IPSec VPN designs
  • Employ mechanisms to alleviate the configuration complexity of a large-scale IPSec VPN, including Tunnel End-Point Discovery (TED) and Dynamic Multipoint VPNs (DMVPN)
  • Add services to IPSec VPNs, including voice and multicast
  • Understand how network-based VPNs operate and how to integrate IPSec VPNs with MPLS VPNs

Among the many functions that networking technologies permit is the ability for organizations to easily and securely communicate with branch offices, mobile users, telecommuters, and business partners. Such connectivity is now vital to maintaining a competitive level of business productivity. Although several technologies exist that can enable interconnectivity among business sites, Internet-based virtual private networks (VPNs) have evolved as the most effective means to link corporate network resources to remote employees, offices, and mobile workers. VPNs provide productivity enhancements, efficient and convenient remote access to network resources, site-to-site connectivity, a high level of security, and tremendous cost savings.

IPSec VPN Design is the first book to present a detailed examination of the design aspects of IPSec protocols that enable secure VPN communication. Divided into three parts, the book provides a solid understanding of design and architectural issues of large-scale, secure VPN solutions. Part I includes a comprehensive introduction to the general architecture of IPSec, including its protocols and Cisco IOS® IPSec implementation details. Part II examines IPSec VPN design principles covering hub-and-spoke, full-mesh, and fault-tolerant designs. This part of the book also covers dynamic configuration models used to simplify IPSec VPN designs. Part III addresses design issues in adding services to an IPSec VPN such as voice and multicast. This part of the book also shows you how to effectively integrate IPSec VPNs with MPLS VPNs.

IPSec VPN Design provides you with the field-tested design and configuration advice to help you deploy an effective and secure VPN solution in any environment.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Product Details

  • ISBN-13: 9781587051111
  • Publisher: Cisco Press
  • Publication date: 4/5/2005
  • Series: Networking Technology Series
  • Edition description: New Edition
  • Edition number: 2
  • Pages: 384
  • Product dimensions: 7.30 (w) x 9.10 (h) x 1.10 (d)

Meet the Author

Vijay Bollapragada, CCIE® No. 1606, is a senior manager in the Network Systems Integration and Test Engineering group at Cisco Systems® where he works on the architecture, design, and validation of complex network solutions.

Mohamed Khalid, CCIE No. 2435, is a technical leader working with IP VPN solutions at Cisco®. He works extensively with service providers across the globe and their associated Cisco account teams to determine technical and engineering requirements for various IP VPN architectures.

Scott Wainner is a Distinguished Systems Engineer in the U.S. Service Provider Sales Organization at Cisco Systems where he focuses on VPN architecture and solution development. In this capacity, he provides customer guidance on IP VPN architectures and drives internal development initiatives within Cisco Systems.

Table of Contents


Chapter 1 Introduction to VPNs

Motivations for Deploying a VPN

VPN Technologies

Layer 2 VPNs

Layer 3 VPNs

Remote Access VPNs


Chapter 2 IPSec Overview

Encryption Terminology

Symmetric Algorithms

Asymmetric Algorithms

Digital Signatures

IPSec Security Protocols

IPSec Transport Mode

IPSec Tunnel Mode

Encapsulating Security Header (ESP)

Authentication Header (AH)

Key Management and Security Associations

The Diffie-Hellman Key Exchange

Security Associations and IKE Operation

IKE Phase 1 Operation

IKE Phase 2 Operation

IPSec Packet Processing


Chapter 3 Enhanced IPSec Features

IKE Keepalives

Dead Peer Detection

Idle Timeout

Reverse Route Injection


Stateful Failover

SADB Transfer

SADB Synchronization

IPSec and Fragmentation


Look Ahead Fragmentation

GRE and IPSec

IPSec and NAT

Effect of NAT on AH

Effect of NAT on ESP

Effect of NAT on IKE

IPSec and NAT Solutions


Chapter 4 IPSec Authentication and Authorization Models

Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)

Mode-Configuration (MODECFG)

Easy VPN (EzVPN)

EzVPN Client Mode

Network Extension Mode

Digital Certificates for IPSec VPNs

Digital Certificates

Certificate Authority–Enrollment

Certificate Revocation


Chapter 5 IPSec VPN Architectures

IPSec VPN Connection Models

IPSec Model

The GRE Model

The Remote Access Client Model

IPSec Connection Model Summary

Hub-and-Spoke Architecture

Using the IPSec Model

Transit Spoke-to-Spoke Connectivity Using IPSec

Internet Connectivity

Scalability Using the IPSec Connection Model

GRE Model

Transit Site-to-Site Connectivity

Transit Site-to-Site Connectivity with Internet Access

Scalability of GRE Hub-and-Spoke Models

Remote Access Client Connection Model

Easy VPN (EzVPN) Client Mode

EzVPN Network Extension Mode

Scalability of Client Connectivity Models

Full-Mesh Architectures

Native IPSec Connectivity Model

GRE Model


Chapter 6 Designing Fault-Tolerant IPSec VPNs

Link Fault Tolerance

Backbone Network Fault Tolerance

Access Link Fault Tolerance

Access Link Fault Tolerance Summary

IPSec Peer Redundancy

Simple Peer Redundancy Model

Virtual IPSec Peer Redundancy Using HSRP

IPSec Stateful Failover

Peer Redundancy Using GRE

Virtual IPSec Peer Redundancy Using SLB

Server Load Balancing Concepts

IPSec Peer Redundancy Using SLB

Cisco VPN 3000 Clustering for Peer Redundancy

Peer Redundancy Summary

Intra-Chassis IPSec VPN Services Redundancy

Stateless IPSec Redundancy

Stateful IPSec Redundancy


Chapter 7 Auto-Configuration Architectures for Site-to-Site IPSec VPNs

IPSec Tunnel Endpoint Discovery

Principles of TED

Limitations with TED

TED Configuration and State

TED Fault Tolerance

Dynamic Multipoint VPN

Multipoint GRE Interfaces

Next Hop Resolution Protocol

Dynamic IPSec Proxy Instantiation

Establishing a Dynamic Multipoint VPN

DMVPN Architectural Redundancy

DMVPN Model Summary


Chapter 8 IPSec and Application Interoperability

QoS-Enabled IPSec VPNs

Overview of IP QoS Mechanisms

IPSec Implications for Classification

IPSec Implications on QoS Policies

VoIP Application Requirements for IPSec VPN Networks

Delay Implications

Jitter Implications

Loss Implications

IPSec VPN Architectural Considerations for VoIP

Decoupled VoIP and Data Architectures

VoIP over IPSec Remote Access

VoIP over IPSec-Protected GRE Architectures

VoIP Hub-and-Spoke Architecture

VoIP over DMVPN Architecture

VoIP Traffic Engineering Summary

Multicast over IPSec VPNs

Multicast over IPSec-protected GRE

Multicast on Full-Mesh Point-to-Point GRE/IPSec Tunnels

DMVPN and Multicast

Multicast Group Security

Multicast Encryption Summary


Chapter 9 Network-Based IPSec VPNs

Fundamentals of Network-Based VPNs

The Network-Based IPSec Solution: IOS Features

The Virtual Routing and Forwarding Table

Crypto Keyrings

ISAKMP Profiles

Operation of Network-Based IPSec VPNs

A Single IP Address on the PE

Front-Door and Inside VRF

Configuration and Packet Flow

Termination of IPSec on a Unique IP Address Per VRF

Network-Based VPN Deployment Scenarios

IPSec to MPLS VPN over GRE

IPSec to L2 VPNs

PE-PE Encryption


