IPsec Virtual Private Network Fundamentals

by James Henry Carmouche
ISBN-10: 1587052075

ISBN-13: 9781587052071

Pub. Date: 08/02/2006

Publisher: Cisco Press

    Overview

    An introduction to designing and configuring Cisco IPsec VPNs

  • Understand the basics of the IPsec protocol and learn implementation best practices
  • Study up-to-date IPsec design, incorporating current Cisco innovations in the security and VPN marketplace
  • Learn how to avoid common pitfalls related to IPsec deployment
  • Reinforce theory with case studies, configuration examples showing how IPsec maps to real-world solutions

    IPsec Virtual Private Network Fundamentals provides a basic working knowledge of IPsec on various Cisco routing and switching platforms. It provides the foundation necessary to understand the different components of Cisco IPsec implementation and how it can be successfully implemented in a variety of network topologies and markets (service provider, enterprise, financial, government). This book views IPsec as an emerging requirement in most major vertical markets, explaining the need for increased information authentication, confidentiality, and non-repudiation for secure transmission of confidential data. The book is written using a layered approach, starting with basic explanations of why IPsec was developed and the types of organizations relying on IPsec to secure data transmissions. It then outlines the basic IPsec/ISAKMP fundamentals that were developed to meet demand for secure data transmission. The book covers the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics including high availability solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples are provided in each chapter to reinforce the fundamentals expressed in text and to assist readers in translating concepts into practical deployment scenarios. Additionally, comprehensive case studies are incorporated throughout to map topics to real-world solutions.

    Product Details

    ISBN-13: 9781587052071
    Publisher: Cisco Press
    Publication date: 08/02/2006
    Series: Fundamentals Series
    Edition description: New Edition
    Pages: 460
    Product dimensions: 7.44(w) x 9.13(h) x 0.98(d)

    Table of Contents

    Introduction

    Part I Introductory Concepts and Configuration/Troubleshooting

    Chapter 1 Introduction to VPN Technologies

    VPN Overview of Common Terms

    Characteristics of an Effective VPN

    VPN Technologies

    Virtual Private Dialup Networks

    Multiprotocol Label Switching VPNs

    IPsec VPNs

    Transport Layer VPNs

    Common VPN Deployments

    Site-to-Site VPNs

    Remote Access VPNs

    Business Drivers for VPNs

    Remote Access VPN Business Drivers–A Practical Example

    Site-to-Site VPN Business Drivers–A Practical Example

    IPsec VPNs and the Cisco Security Framework

    Summary

    Chapter 2 IPsec Fundamentals

    Overview of Cryptographic Components

    Asymmetric Encryption

    Symmetric Encryption

    Message Authentication, Message Integrity, and Sender Nonrepudiation Mechanisms

    Public Key Encryption Methods

    RSA Public-Key Technologies

    Diffie-Hellman Key Exchange

    The IP Security Protocol (IPsec)

    IPsec Modes

    IPsec Transforms

    IPsec SA

    IPsec Configuration Elements

    Manual Keying

    The Need for Security Association and Key Management

    IKE and ISAKMP

    IKE and ISAKMP Terminology and Background

    IKE SA Negotiation and Maintenance

    IPsec Diffie-Hellman Shared Secret Key Generation Using IKE

    IKE Authentication Services

    IKE Phase I Negotiation

    IKE Phase II Negotiation

    Configuring ISAKMP

    IKE with RAVPN Extensions

    Summary

    Chapter 3 Basic IPsec VPN Topologies and Configurations

    Site-to-Site IPsec VPN Deployments

    Site-to-Site VPN Architectural Overview for a Dedicated Circuit

    Site-to-Site Architectural Overview over a Routed Domain

    Site-to-Site IPsec VPN Deployments and GRE (IPsec+GRE)

    Site-to-Site IPsec+GRE Architectural Overview

    Site-to-Site IPsec+GRE Sample Configurations

    Hub-and-Spoke IPsec VPN Deployments

    Hub-and-Spoke Architectural Overview

    Standard Hub-and-Spoke Design without High Availability

    Clustered Spoke Design to Redundant Hubs

    Redundant Clustered Spoke Design to Redundant Hubs

    Remote Access VPN Deployments

    RAVPN Architectural Overview

    RAVPN Clients

    Standalone VPN Concentrator Designs

    Clustered VPN Concentrator Designs

    Summary

    Chapter 4 Common IPsec VPN Issues

    IPsec Diagnostic Tools within Cisco IOS

    Common Configuration Issues with IPsec VPNs

    IKE SA Proposal Mismatches

    IKE Authentication Failures and Errors

    IPsec SA Proposal Mismatches

    Crypto-Protected Address Space Issues (Crypto ACL Errors)

    Architectural and Design Issues with IPsec VPNs

    Troubleshooting IPsec VPNs in Firewalled Environments

    NAT Issues in IPsec VPN Designs

    The Influence of IPsec on Traffic Flows Requiring QoS

    Solving Fragmentation Issues in IPsec VPNs

    The Effect of Recursive Routing on IPsec VPNs

    Summary

    Part II Designing VPN Architectures

    Chapter 5 Designing for High Availability

    Network and Path Redundancy

    IPSec Tunnel Termination Redundancy

    Multiple Physical Interface HA with Highly Available Tunnel Termination Interfaces

    Tunnel Termination HA Using HSRP/VRRP Virtual Interfaces

    HA with Multiple Peer Statements

    RP-based IPSec HA

    Managing Peer and Path Availability

    Peer Availability

    Path Availability

    Managing Path Symmetry

    Load Balancing, Load Sharing, and High Availability

    Load-Sharing with Peer Statements

    Routing

    Domain Name System (DNS)

    Cisco VPN3000 Concentrator Clustering

    IPSec Session Load-Balancing Using External Load Balancers

    Summary

    Chapter 6 Solutions for Local Site-to-Site High Availability

    Using Multiple Crypto Interfaces for High Availability

    Impact of Routing Protocol Reconvergence on IPsec Reconvergence

    Impact of Stale SAs on IPsec Reconvergence

    Impact of IPsec and ISAKMP SA Renegotiation on IPsec Reconvergence

    Stateless IPsec VPN High-Availability Alternatives

    Solution Overview for Stateless IPsec High Availability

    Stateless High Availability Failover Process

    Stateful IPsec VPN High-Availability Alternatives

    Solution Overview for Stateful IPsec High Availability

    Stateful High Availability Failover Process

    Summary

    Stateless IPsec VPN High Availability Design Summary

    Stateful IPsec VPN High Availability Design Summary

    Chapter 7 Solutions for Geographic Site-to-Site High Availability

    Geographic IPsec VPN HA with Reverse Route Injection and Multiple IPsec Peers

    Solution Overview for RRI with Multiple IPsec Peers

    Geographic IPsec VPN High Availability with IPsec+GRE and Encrypted Routing Protocols

    Solution Overview for IPsec+GRE with Encrypted Routing Protocols

    Dynamic Multipoint Virtual Private Networks

    DMVPN Solution Design Drivers

    DMVPN Component-Level Overview and System Operation

    Summary

    Chapter 8 Handling Vendor Interoperability with High Availability

    Vendor Interoperability Impact on Peer Availability

    The Inability to Specify Multiple Peers

    Lack of Peer Availability Mechanisms

    Vendor Interoperability Impact on Path Availability

    IPSec HA Design Considerations for Platforms with Limited Routing Protocol Support

    IPSec HA Design Considerations for Lack of RRI Support

    IPSec HA Design Considerations for Lack of Generic Routing Encapsulation (GRE) Support

    Vendor Interoperability Design Considerations and Options

    Phase 1 and 2 SA Lifetime Expiry

    SADB Management with Quick Mode Delete Notify Messages

    Invalid Security Parameter Index Recovery

    Vendor Interoperability with Stateful IPSec HA

    Summary

    Chapter 9 Solutions for Remote-Access VPN High Availability

    IPsec RAVPN Concentrator High Availability Using Virtual Interfaces for Tunnel Termination

    IPsec RAVPN Concentrator High Availability Using VRRP

    IPsec RAVPN Concentrator HA Using HSRP

    IPsec RAVPN Concentrator HA Using the VCA Protocol

    IPsec RAVPN Geographic HA Design Options

    VPN Concentrator Session Load Balancing Using DNS

    VPN Concentrator Redundancy Using Multiple Peers

    Summary

    Chapter 10 Further Architectural Options for IPsec

    IPsec VPN Termination On-a-Stick

    IPsec with Router-on-a-Stick Design Overview

    Case Study: Small Branch IPsec VPN Tunnel Termination with NAT On-a-Stick

    In-Path Versus Out-of-Path Encryption with IPsec

    Out-of-Path Encryption Design Overview

    Case Study: Firewalled Site-to-Site IPsec VPN Tunnel Termination

    Separate Termination of IPsec and GRE (GRE-Offload)

    GRE-Offload Design Overview

    Case Study: Large-Scale IPsec VPN Tunnel Termination with GRE Offload

    Summary

    Part III Advanced Topics

    Chapter 11 Public Key Infrastructure and IPsec VPNs

    PKI Background

    PKI Components

    Public Key Certificates

    Registration Authorities

    Certificate Revocation Lists and CRL Issuers

    Certificate Authorities

    PKI Cryptographic Endpoints

    Life of a Public Key Certificate

    RSA Signatures and X.509v3 Certificates

    Generating Asymmetric Keypairs on Cryptographic Endpoints

    Registration and Endpoint Authentication

    Receipt and Authentication of the CA’s Certificate

    Forwarding and Signing of Public Keys

    Obtaining and Using Public Key Certificates

    PKI and the IPSec Protocol Suite–Where PKI Fits into the IPSec model

    OCSP and CRL Scalability

    OCSP

    Case Studies and Sample Configurations

    Case Study 1: PKI Integration of Cryptographic Endpoints

    Case Study 2: PKI with CA and RA

    Case Study 3: PKI with Redundant CAs (CA Hierarchy)

    Summary

    Chapter 12 Solutions for Handling Dynamically Addressed Peers

    Dynamic Crypto Maps

    Dynamic Crypto Map Impact on VPN Behavior

    Dynamic Crypto Map Configuration and Verification

    Tunnel Endpoint Discovery

    TED Configuration and Verification

    Case Study–Using Dynamic Addressing with Low-Maintenance Small Home Office Deployments

    Summary

    Appendix A Resources

    Books

    RFCs

    Web and Other Resources

    Index
