IPsec Virtual Private Network Fundamentals

Paperback (Print)


An introduction to designing and configuring Cisco IPsec VPNs

  • Understand the basics of the IPsec protocol and learn implementation best practices
  • Study up-to-date IPsec design, incorporating current Cisco innovations in the security and VPN marketplace
  • Learn how to avoid common pitfalls related to IPsec deployment
  • Reinforce theory with case studies and configuration examples showing how IPsec maps to real-world solutions

IPsec Virtual Private Network Fundamentals provides a basic working knowledge of IPsec on various Cisco routing and switching platforms. It provides the foundation necessary to understand the different components of Cisco IPsec implementation and how it can be successfully implemented in a variety of network topologies and markets (service provider, enterprise, financial, government). This book views IPsec as an emerging requirement in most major vertical markets, explaining the need for increased information authentication, confidentiality, and non-repudiation for secure transmission of confidential data. The book is written using a layered approach, starting with basic explanations of why IPsec was developed and the types of organizations relying on IPsec to secure data transmissions. It then outlines the basic IPsec/ISAKMP fundamentals that were developed to meet demand for secure data transmission. The book covers the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics including high availability solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples are provided in each chapter to reinforce the fundamentals expressed in text and to assist readers in translating concepts into practical deployment scenarios. Additionally, comprehensive case studies are incorporated throughout to map topics to real-world solutions.


Product Details

  • ISBN-13: 9781587052071
  • Publisher: Cisco Press
  • Publication date: 8/2/2006
  • Series: Fundamentals Series
  • Edition description: New Edition
  • Pages: 460
  • Product dimensions: 7.44 (w) x 9.13 (h) x 0.98 (d)

Meet the Author

James Henry Carmouche, CCIE No. 6085, currently works for Cisco Systems' Enterprise Systems Engineering (ESE) group in Research Triangle Park, North Carolina, where he is responsible for building, validating, and evangelizing new and emerging security integration concepts in new network architectures and solution reference designs. Prior to joining ESE, Henry served as a technical marketing engineer in Cisco's Government Systems Unit (GSU) in Research Triangle Park, NC, where he was responsible for bringing advanced security products to market, building technical marketing collateral and presentations, and designing new product introduction training for the GSU's newly introduced security platforms.

Table of Contents



Part I Introductory Concepts and Configuration/Troubleshooting

Chapter 1 Introduction to VPN Technologies

VPN Overview of Common Terms

Characteristics of an Effective VPN

VPN Technologies

Virtual Private Dialup Networks

Multiprotocol Label Switching VPNs

IPsec VPNs

Transport Layer VPNs

Common VPN Deployments

Site-to-Site VPNs

Remote Access VPNs

Business Drivers for VPNs

Remote Access VPN Business Drivers–A Practical Example

Site-to-Site VPN Business Drivers–A Practical Example

IPsec VPNs and the Cisco Security Framework


Chapter 2 IPsec Fundamentals

Overview of Cryptographic Components

Asymmetric Encryption

Symmetric Encryption

Message Authentication, Message Integrity, and Sender Nonrepudiation Mechanisms

Public Key Encryption Methods

RSA Public-Key Technologies

Diffie-Hellman Key Exchange

The IP Security Protocol (IPsec)

IPsec Modes

IPsec Transforms

IPsec SA

IPsec Configuration Elements

Manual Keying

The Need for Security Association and Key Management


IKE and ISAKMP Terminology and Background

IKE SA Negotiation and Maintenance

IPsec Diffie-Hellman Shared Secret Key Generation Using IKE

IKE Authentication Services

IKE Phase I Negotiation

IKE Phase II Negotiation

Configuring ISAKMP

IKE with RAVPN Extensions


Chapter 3 Basic IPsec VPN Topologies and Configurations

Site-to-Site IPsec VPN Deployments

Site-to-Site VPN Architectural Overview for a Dedicated Circuit

Site-to-Site Architectural Overview over a Routed Domain

Site-to-Site IPsec VPN Deployments and GRE (IPsec+GRE)

Site-to-Site IPsec+GRE Architectural Overview

Site-to-Site IPsec+GRE Sample Configurations

Hub-and-Spoke IPsec VPN Deployments

Hub-and-Spoke Architectural Overview

Standard Hub-and-Spoke Design without High Availability

Clustered Spoke Design to Redundant Hubs

Redundant Clustered Spoke Design to Redundant Hubs

Remote Access VPN Deployments

RAVPN Architectural Overview

RAVPN Clients

Standalone VPN Concentrator Designs

Clustered VPN Concentrator Designs


Chapter 4 Common IPsec VPN Issues

IPsec Diagnostic Tools within Cisco IOS

Common Configuration Issues with IPsec VPNs

IKE SA Proposal Mismatches

IKE Authentication Failures and Errors

IPsec SA Proposal Mismatches

Crypto-Protected Address Space Issues (Crypto ACL Errors)

Architectural and Design Issues with IPsec VPNs

Troubleshooting IPsec VPNs in Firewalled Environments

NAT Issues in IPsec VPN Designs

The Influence of IPsec on Traffic Flows Requiring QoS

Solving Fragmentation Issues in IPsec VPNs

The Effect of Recursive Routing on IPsec VPNs


Part II Designing VPN Architectures

Chapter 5 Designing for High Availability

Network and Path Redundancy

IPSec Tunnel Termination Redundancy

Multiple Physical Interface HA with Highly Available Tunnel Termination Interfaces

Tunnel Termination HA Using HSRP/VRRP Virtual Interfaces

HA with Multiple Peer Statements

RP-based IPSec HA

Managing Peer and Path Availability

Peer Availability

Path Availability

Managing Path Symmetry

Load Balancing, Load Sharing, and High Availability

Load-Sharing with Peer Statements


Domain Name System (DNS)

Cisco VPN3000 Concentrator Clustering

IPSec Session Load-Balancing Using External Load Balancers


Chapter 6 Solutions for Local Site-to-Site High Availability

Using Multiple Crypto Interfaces for High Availability

Impact of Routing Protocol Reconvergence on IPsec Reconvergence

Impact of Stale SAs on IPsec Reconvergence

Impact of IPsec and ISAKMP SA Renegotiation on IPsec Reconvergence

Stateless IPsec VPN High-Availability Alternatives

Solution Overview for Stateless IPsec High Availability

Stateless High Availability Failover Process

Stateful IPsec VPN High-Availability Alternatives

Solution Overview for Stateful IPsec High Availability

Stateful High Availability Failover Process


Stateless IPsec VPN High Availability Design Summary

Stateful IPsec VPN High Availability Design Summary

Chapter 7 Solutions for Geographic Site-to-Site High Availability

Geographic IPsec VPN HA with Reverse Route Injection and Multiple IPsec Peers

Solution Overview for RRI with Multiple IPsec Peers

Geographic IPsec VPN High Availability with IPsec+GRE and Encrypted Routing


Solution Overview for IPsec+GRE with Encrypted Routing Protocols

Dynamic Multipoint Virtual Private Networks

DMVPN Solution Design Drivers

DMVPN Component-Level Overview and System Operation


Chapter 8 Handling Vendor Interoperability with High Availability

Vendor Interoperability Impact on Peer Availability

The Inability to Specify Multiple Peers

Lack of Peer Availability Mechanisms

Vendor Interoperability Impact on Path Availability

IPSec HA Design Considerations for Platforms with Limited Routing Protocol Support

IPSec HA Design Considerations for Lack of RRI Support

IPSec HA Design Considerations for Lack of Generic Routing Encapsulation (GRE)


Vendor Interoperability Design Considerations and Options

Phase 1 and 2 SA Lifetime Expiry

SADB Management with Quick Mode Delete Notify Messages

Invalid Security Parameter Index Recovery

Vendor Interoperability with Stateful IPSec HA


Chapter 9 Solutions for Remote-Access VPN High Availability

IPsec RAVPN Concentrator High Availability Using Virtual Interfaces for Tunnel


IPsec RAVPN Concentrator High Availability Using VRRP

IPsec RAVPN Concentrator HA Using HSRP

IPsec RAVPN Concentrator HA Using the VCA Protocol

IPsec RAVPN Geographic HA Design Options

VPN Concentrator Session Load Balancing Using DNS

VPN Concentrator Redundancy Using Multiple Peers


Chapter 10 Further Architectural Options for IPsec

IPsec VPN Termination On-a-Stick

IPsec with Router-on-a-Stick Design Overview

Case Study: Small Branch IPsec VPN Tunnel Termination with NAT On-a-Stick

In-Path Versus Out-of-Path Encryption with IPsec

Out-of-Path Encryption Design Overview

Case Study: Firewalled Site-to-Site IPsec VPN Tunnel Termination

Separate Termination of IPsec and GRE (GRE-Offload)

GRE-Offload Design Overview

Case Study: Large-Scale IPsec VPN Tunnel Termination with GRE Offload


Part III Advanced Topics

Chapter 11 Public Key Infrastructure and IPsec VPNs

PKI Background

PKI Components

Public Key Certificates

Registration Authorities

Certificate Revocation Lists and CRL Issuers

Certificate Authorities

PKI Cryptographic Endpoints

Life of a Public Key Certificate

RSA Signatures and X.509v3 Certificates

Generating Asymmetric Keypairs on Cryptographic Endpoints

Registration and Endpoint Authentication

Receipt and Authentication of the CA’s Certificate

Forwarding and Signing of Public Keys

Obtaining and Using Public Key Certificates

PKI and the IPSec Protocol Suite–Where PKI Fits into the IPSec model

OCSP and CRL Scalability


Case Studies and Sample Configurations

Case Study 1: PKI Integration of Cryptographic Endpoints

Case Study 2: PKI with CA and RA

Case Study 3: PKI with Redundant CAs (CA Hierarchy)


Chapter 12 Solutions for Handling Dynamically Addressed Peers

Dynamic Crypto Maps

Dynamic Crypto Map Impact on VPN Behavior

Dynamic Crypto Map Configuration and Verification

Tunnel Endpoint Discovery

TED Configuration and Verification

Case Study–Using Dynamic Addressing with Low-Maintenance Small Home Office



Appendix A Resources

Web and Other Resources


Customer Reviews
Anonymous, posted November 16, 2006

You've Got to be Kidding

Left out of this book are solid explanations of the fundamentals. I understand VPN technology well enough to know that this book presents its material in a fragmented and incomplete manner.

Anonymous, posted July 26, 2006

mostly about IPsec

Ostensibly, this book is about both the general topic of Virtual Private Networks and Cisco's IPsec. In reality, it is mostly about the latter. (The book is from Cisco Press, isn't it?) The explanations of VPN are quite well done, to be sure. Applicable to any vendor's VPN offerings, not just Cisco's. But it is how IPsec works that constitutes most of the text. En route, there are also nice discussions of the underlying cryptographic processes. No maths is presented. Just qualitative explanations of various public key encryption methods. If you are a sysadmin, you should already be familiar with much of this PKI material. Cisco has clearly sweated out the details of some heavy duty cryptographic processes, to ensure the privacy of the IPsec VPNs. The book also exposes you to some low level IP packet formatting issues. The idea of a VPN tunnel rests on these foundations, of encapsulating messages at one end of the tunnel, and being able to unwrap them at the other end. I get the feeling that the typical sysadmin who deploys IPsec between her 2 networks that need a VPN won't actually need to know much of the cryptographic discussion in the book. Perhaps to make some initial configuration decisions. But on a day-to-day basis, once IPsec is set up, maintenance seems minimal. Which suggests good design by Cisco.