Comparing, Designing, and Deploying VPNs


800 East 96th Street, Indianapolis, Indiana 46240 USA

    Cisco Press

    Comparing, Designing, and Deploying VPNs

    Mark Lewis, CCIE No. 6280


    Comparing, Designing, and Deploying VPNs

    Mark Lewis

    Copyright 2006 Cisco Systems, Inc.

    Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

    All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

    Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

    First Printing April 2006

    Library of Congress Cataloging-in-Publication Number: 2003114910

    ISBN: 1-58705-179-6

    Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

    Corporate and Government Sales

    Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.

    For more information, please contact

    U.S. Corporate and Government Sales,

    1-800-382-3419 or [email protected].

    For sales outside the U.S., please contact

    International Sales,

    [email protected].

    Warning and Disclaimer

    This book is designed to provide information about virtual private networks (VPN). Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

    The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

    The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

    Feedback Information

    At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message.

    We greatly appreciate your assistance.

Publisher: John Wait

Editor-in-Chief: John Kane

Cisco Representative: Anthony Wolfenden

Cisco Press Program Manager: Jeff Brady

Production Manager: Patrick Kanouse

Senior Development Editor: Christopher Cleveland

Copy Editor and Indexer: Keith Cline

Technical Editors: Henry Benjamin, Lei Chen, Mark Newcomb, Ajay Simha

Book and Cover Designer: Louisa Adair

Composition: Interactive Composition Corporation

    About the Author

Mark Lewis, CCIE No. 6280, is technical director of MJL Network Solutions (www.mjlnet.com), a leading provider of internetworking solutions that focuses on helping enterprise and service provider customers to implement leading-edge technologies. Mark specializes in next-generation network technologies and has extensive experience designing, deploying, and migrating large-scale IP/MPLS networks. He is an active participant in the IETF, a member of the IEEE, and a certified Cisco Systems instructor. Mark is also the author of Troubleshooting Virtual Private Networks, published by Cisco Press.

    Mark can be contacted at [email protected].

    About the Technical Reviewers

Henry Benjamin, CCIE No. 4695, holds three CCIE certifications (Routing and Switching, ISP Dial, and Communications and Services). He has more than 10 years' experience with Cisco networks and recently worked for Cisco in the internal IT department helping to design and implement networks throughout Australia and Asia. Henry was a key member of the CCIE global team, where he was responsible for writing new laboratory examinations and questions for the CCIE exams. Henry is an independent consultant with a large security firm in Australia. Henry is the author of CCIE Security Exam Certification Guide and CCNP Practical Studies: Routing, both published by Cisco Press.

Lei Chen, CCIE No. 6399, received a master of science degree in computer science from DePaul University in 2000. He joined the Cisco NSITE system testing group in 2000, and then went on to support Cisco high-tier customers as part of the Cisco TAC VPN team in 2002. He has first-hand experience in troubleshooting, designing, and deploying IPsec VPNs.

Mark Newcomb, CCNP, CCDP, is a retired network security engineer. Mark has more than 20 years' experience in the networking industry, focusing on the financial and medical industries. Mark is a frequent contributor and reviewer for Cisco Press books.

Ajay Simha, CCIE No. 2970, joined the Cisco TAC in 1996. He then went on to support tier 1 and 2 ISPs as part of the Cisco ISP Expert team. He worked as an MPLS deployment engineer from October 1999 to November 2003. Currently, he is a senior network consulting engineer in Advanced Services at Cisco working on Metro Ethernet and MPLS design and deployment. Ajay is the coauthor of the Cisco Press title Traffic Engineering with MPLS.

    Acknowledgments

I'd like to thank a number of people who helped me to complete this book. I'd like to thank Michelle, Chris, John, and Patrick at Cisco Press, who helped to get this project started in the first place and then provided indispensable help and encouragement along the way.

And I'd also like to thank the technical reviewers, Mark Newcomb, Henry Benjamin, Ajay Simha, and Lei Chen, who all provided useful comments and suggestions.

    This Book Is Safari Enabled

The Safari Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days.

    Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.

To gain 45-day Safari Enabled access to this book:

    Go to http://www.ciscopress.com/safarienabled

    Complete the brief registration form

    Enter the coupon code GBCR-98XD-CWIL-XSD7-VQQE

    If you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail [email protected].


    Contents at a Glance

    Introduction xxii

    Part I Understanding VPN Technology 3

    Chapter 1

    What Is a Virtual Private Network? 5

    Part II Site-to-Site VPNs 25

    Chapter 2

    Designing and Deploying L2TPv3-Based Layer 2 VPNs 27

    Chapter 3

    Designing and Implementing AToM-Based Layer 2 VPNs 137

    Chapter 4

    Designing MPLS Layer 3 Site-to-Site VPNs 225

    Chapter 5

    Advanced MPLS Layer 3 VPN Deployment Considerations 293

    Chapter 6

    Deploying Site-to-Site IPsec VPNs 407

    Chapter 7

    Scaling and Optimizing IPsec VPNs 523

    Part III Remote Access VPNs 707

    Chapter 8

    Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs 709

    Chapter 9

    Designing and Deploying IPsec Remote Access and Teleworker VPNs 805

    Chapter 10

    Designing and Building SSL Remote Access VPNs (WebVPN) 905

    Part IV Appendixes 983

    Appendix A

    VPLS and IPLS Layer 2 VPNs 985

    Appendix B

    Answers to Review Questions 997

Index 1009

    Table of Contents

    Introduction xxii

    Part I Understanding VPN Technology 3

    Chapter 1

    What Is a Virtual Private Network? 5

VPN Devices 5

VPN Technologies and Protocols 7

Technologies and Protocols Used to Enable Site-to-Site VPNs 7

Technologies and Protocols Used to Enable Remote Access VPNs 8

Modeling and Characterizing VPNs 9

Service Provider and Customer Provisioned VPNs 10

Site-to-Site and Remote Access VPNs 11

Service Provider Provisioned Site-to-Site VPNs 13

Customer Provisioned Site-to-Site VPNs 15

Service Provider and Customer Provisioned Remote Access VPNs 15

Other Methods of Categorizing VPNs 16

Deploying Site-to-Site and Remote Access VPNs: A Comparison 18

Site-to-Site VPN Deployment 18

Remote Access VPN Deployment 19

    Summary 22

    Review Questions 22

    Part II Site-to-Site VPNs 25

    Chapter 2

    Designing and Deploying L2TPv3-Based Layer 2 VPNs 27

    Benefits and Drawbacks of L2TPv3-Based L2VPNs 28

L2TPv3 Pseudowire Operation 29

L2TPv3 Deployment Models 30

L2TPv3 Message Types 31

The L2TPv3 Control Connection 34

L2TPv3 Control Connection Setup 34

L2TPv3 Control Connection Teardown 36

L2TPv3 Session Setup 37

L2TPv3 Session Teardown 38

Hello and SLI Messages 40

Configuring and Verifying L2TPv3 Pseudowires 41

Deploying L2TPv3 Pseudowires with Dynamic Session Setup 42

Step 1: Configure CEF 43

Step 2: Configure a Loopback Interface to Use as the Pseudowire Endpoint 43

Step 3: Configure an L2TPv3 Class (Optional) 43

Step 4: Configure a Pseudowire Class 45

Step 5: Bind Attachment Circuits to Pseudowires 45

Implementing L2TPv3 Pseudowire-Based L2VPNs Using Static Session Configuration 93

Static L2TPv3 Sessions Without a Control Connection 93

Static L2TPv3 Sessions with a Control Connection 96

L2VPN Interworking with L2TPv3 98

Ethernet Mode L2VPN Interworking with L2TPv3 99

IP Mode L2VPN Interworking with L2TPv3 102

Resolving MTU Issues with L2VPN Interworking 112

Routing Protocol Considerations with L2VPN Interworking 113

Transporting IPv6 over an IPv4 Backbone Using IPv6 Protocol Demultiplexing 114

Provisioning Quality of Service for L2TPv3 Pseudowires 118

Configuring an Input QoS Policy on (Ingress) PE Router Attachment Circuits 121

Configuring an Output QoS Policy on (Egress) PE Router Attachment Circuits 125

Avoiding Packet Fragmentation and Packet Drops with L2TPv3 Pseudowires 128

    Summary 134

    Review Questions 134

    Chapter 3

    Designing and Implementing AToM-Based Layer 2 VPNs 137

    Benefits and Drawbacks of AToM-Based L2VPNs 138

AToM Pseudowire Operation 139

Control Channel Messages 140

AToM Pseudowire Setup 142

AToM Status Signaling 150

AToM Data Channel Packet Forwarding 154

Deploying AToM Pseudowires 156

Implementing AToM Pseudowires for Ethernet Traffic Transport 156

AToM Pseudowire Ethernet Port Transport 157

AToM Pseudowire Ethernet VLAN (802.1Q) Transport 163

Deploying AToM Pseudowires for HDLC and PPP Traffic Transport 165

Frame Relay Traffic Transport with AToM Pseudowires 171

Frame Relay Port Mode Traffic Transport 171

Frame Relay DLCI-to-DLCI Switching Traffic Transport 172

Using AToM Pseudowires to Transport ATM Traffic 176

ATM Cell Relay 178

Implementing Advanced AToM Features 188

Deploying AToM Pseudowire QoS 188

Tunnel Selection for AToM Pseudowires 195

Configuring PE Routers for MPLS-TE Tunnel Selection for AToM Pseudowires 195

Configuring P Routers for MPLS-TE 199

Tunnel Selection for AToM Pseudowires: Final Network Topology and Advantages 200

Verifying MPLS-TE Tunnel Selection for AToM Pseudowires 201

L2VPN Pseudowire Switching with AToM 202

L2VPN Interworking with AToM Pseudowires 207

Configuring Ethernet Mode L2VPN Interworking with AToM Pseudowires 209

Configuring IP Mode L2VPN Interworking with AToM Pseudowires 209

Verifying L2VPN Interworking with AToM Pseudowires 210

Configuring and Verifying Local Switching 211

Local Switching Between the Same Types of Physical Interfaces 213

Local Switching Between Different Interface Types 215

Local Switching Between Circuits on the Same Interface 216

Resolving AToM Data Channel Packet Drop Issues 217

    Summary 222

    Review Questions 222

    Chapter 4

    Designing MPLS Layer 3 Site-to-Site VPNs 225

    Advantages and Disadvantages of MPLS Layer 3 VPNs 226

MPLS Layer 3 VPNs Overview 227

IP Reachability in an MPLS Layer 3 VPN 227

User Packet Forwarding Between MPLS Layer 3 VPN Sites 229

A Detailed Examination of MPLS Layer 3 VPNs 231

Distinguishing Customer VPN Prefixes Using Route Distinguishers (RD) 232

Using Route Targets (RT) to Control Customer VPN Route Distribution 233

Deploying MPLS Layer 3 VPNs 235

Configuration of PE Routers 236

Step 1: Configure a Loopback Interface for Use as the PE Router's BGP Router ID/LDP Router ID 237

Step 2: Configure LDP 237

Step 3: Enable MPLS on Interfaces Connected to Other PE or P Routers 239

Step 4: Configure the Backbone Network IGP 239

Step 5: Configure MP-BGP for VPNv4 Route Exchange with Other PE Routers or Route Reflectors 241

Step 6: Configure the Customer VRFs 243

Step 7: Configure the Customer VRF Interfaces 243

Step 8: Configure the Customer VRF Routing Protocols or Static Routes for Connectivity Between Customer VPN Sites 244

Step 9: Redistribute the PE-CE Routing Protocol/Static VRF Routes into MP-BGP 248

Configuration of P Routers 250

Provisioning Route Distribution for VPN Topologies 250

Full-Mesh Topology 251

Hub-and-Spoke Topology 252

Extranet Topology 259

Preventing Routing Loops When Customer VPN Sites Are Multihomed 269

Configuring the SoO Attribute When eBGP Is Used as the PE-CE Routing Protocol 272

Configuring the SoO Attribute When eBGP Is Not Used as the PE-CE Routing Protocol 275

Implementing Internet Access for MPLS Layer 3 VPNs 277

Providing Internet Access via Separate Global Interfaces on PE Routers 278

Providing Internet Access Using Route Leaking Between VRFs and the Global Routing Table on PE Routers 282

Providing Internet Access via a Shared Services VPN 287

    Summary 291

    Review Questions 291

    Chapter 5

    Advanced MPLS Layer 3 VPN Deployment Considerations 293

The Carrier's Carrier Architecture 293

CSC Architecture When MPLS Is Not Enabled Within CSC Customer Sites 294

Route Advertisement in a CSC Architecture When MPLS Is Not Enabled Within CSC Customer Sites 295

Packet Forwarding in a CSC Architecture When MPLS Is Not Enabled Between Routers Within CSC Customer Sites 304

CSC Architecture When MPLS Is Enabled Within CSC Customer Sites 307

Route Advertisement in a CSC Architecture When MPLS Is Enabled Within CSC Customer Sites 307

Packet Forwarding in a CSC Architecture When MPLS Is Enabled Between Routers Within CSC Customer Sites 309

Enabling Hierarchical VPNs in a CSC Architecture 310

The Inter-Autonomous System/Interprovider MPLS VPN Architecture 315

VRF-to-VRF Connectivity at ASBRs 316

Route and Label Advertisement Between Autonomous Systems When Deploying Inter-Autonomous System MPLS VPNs VRF-to-VRF Connectivity at ASBRs 317

    Packet Forwarding Between Autonomous Systems When Deploying Inter-Autonomous System MPLS VPNs VRF-to-VRF Connectivity at ASBRs 322

    Advertisement of Labeled VPN-IPv4 (VPNv4) Between ASBRs Using MP-eBGP 325

    Route and Label Advertisement Between Autonomous Systems When Deploying Inter-Autonomous System MPLS VPNs Using MP-eBGP Between ASBRs 325

    Packet Forwarding Between Autonomous Systems When Deploying Inter-Autonomous System MPLS VPNs Using MP-eBGP Between ASBRs 331

    Advertisement of Labeled VPN-IPv4 (VPNv4) Between Route Reflectors in Separate Autonomous Systems Using Multihop MP-eBGP 334

    Route and Label Advertisement When Deploying Inter-Autonomous System MPLS VPNs with the Advertisement of Labeled VPN-IPv4 Between Route Reflectors in the Separate Autonomous Systems 335

    Packet Forwarding When Deploying Inter-Autonomous System MPLS VPNs Using MP-eBGP Between Route Reflectors in Separate Autonomous Systems 346

Supporting Multicast Transport in MPLS Layer 3 VPNs 348

Point-to-Point GRE Tunnels 349

Multicast VPNs (MVPN) 351

The Multicast VRF and Multicast Domain 351

The Default and Data MDTs 353

PIM Adjacencies 359

Reverse-Path Forwarding Checks in the MVPN 360

Configuring PIM Between PE and P Routers in the Service Provider MPLS VPN Backbone Network 361

Advantages of Deploying MVPN 364

Configuring and Verifying MVPN 364

Implementing QoS for MPLS Layer 3 VPNs 374

MPLS DiffServ Tunneling Models 377

Pipe Model/Short Pipe Model 377

Uniform Model 379

Configuring MPLS QoS on Cisco Routers 380

Implementing an MPLS DiffServ Pipe Model Architecture 381

Implementing an MPLS DiffServ Short Pipe Model Architecture 388

Implementing an MPLS DiffServ Uniform Model Architecture 390

Supporting IPv6 Traffic Transport in MPLS Layer 3 VPNs Using 6VPE 392

6VPE Route Exchange 393

6VPE Data Packet Forwarding 394

Configuring and Verifying 6VPE 395

Summary 403

Review Questions 404

    Chapter 6

    Deploying Site-to-Site IPsec VPNs 407

    Advantages and Disadvantages of IPsec Site-to-Site VPNs 408

IPsec: A Security Architecture for IP 409

Cryptographic Algorithms 410

Authentication Algorithms 410

Encryption Algorithms 415

Public Key Cryptographic Algorithms 419

Security Protocols: AH and ESP 422

Authentication Header (AH) 422

Encapsulating Security Payload (ESP) 426

AH and ESP Together 430

Security Associations 431

IPsec Databases 432

SA and Key Management Techniques 432

IKEv1 432

IKEv2 437

Putting It All Together: IPsec Packet Processing 438

Outbound Processing 438

Inbound Processing 439

Deploying IPsec VPNs: Fundamental Considerations 440

Selecting and Configuring IKE Policies for Automated SA and Key Management 441

Selecting the Appropriate Method of IKE Authentication 441

Selecting Cryptographic Parameters for IKE Policies 461

Selecting and Configuring IPsec Transforms 467

Selecting Security Protocols in an IPsec Transform Set 467

Selecting Hash Algorithms in an IPsec Transform Set 468

Selecting Encryption Algorithms for Use with ESP 469

Selecting Compression in an IPsec Transform Set 470

Configuring IPsec Transform Sets 471

Designing and Configuring Crypto Access Lists 475

Pulling Everything Together with a Crypto Map 479

Complete IPsec VPN Gateway Configurations 481

Transporting Multiprotocol and Multicast Traffic over an IPsec VPN 485

Configuring GRE/IPsec Tunnels 485

Configuring VTIs 495

Manual SA and Key Management 499

Deploying IPsec VPNs with NAT/PAT 502

How NAT/PAT Breaks IPsec 503

Getting Around Issues with NAT/PAT and IPsec Tunnels 517

Allowing IPsec to Traverse a Firewall 519

    Summary 520

    Review Questions 521

    Chapter 7

    Scaling and Optimizing IPsec VPNs 523

Scaling IPsec Virtual Private Networks 523

Reducing the Number of IPsec Tunnels Required in a VPN 525

Reducing IPsec VPN Configuration Complexity with TED and DMVPN 527

Tunnel Endpoint Discovery (TED) 528

Dynamic Multipoint Virtual Private Network (DMVPN) 532

Scaling IPsec VPNs with Digital Signature Authentication 550

Background to PKI Deployment 557

Deploying the PKI for an IPsec VPN: Considerations 579

Simplifying PKI Deployment with the IOS Certificate Server 580

Ensuring High Availability in an IPsec VPN 593

High Availability with HSRP 594

Stateless IPsec High Availability 595

Stateful IPsec High Availability 611

High Availability with GRE 628

High Availability with Point-to-Point GRE Tunnels 628

High Availability with DMVPN 642

Designing QoS for IPsec VPNs 656

Using DiffServ in an IPsec VPN 656

Configuring QoS with the qos pre-classify Command 659

IPsec Anti-Replay Considerations with QoS 665

Other Considerations When Provisioning QoS for an IPsec VPN 671

MTU and Fragmentation Considerations in an IPsec VPN 673

IPsec Packet Overhead 673

Overhead Added by Security Protocols 673

Overhead Added in Transport and Tunnel Modes 674

Overhead Added by a GRE Tunnel 674

Calculating Total Overhead 675

Ensuring That Large IPsec Packets Are Not Fragmented or Dropped 677

Fragmentation of IPsec and GRE/IPsec Packets 678

Fragmentation of Plain IPsec Packets 679

Fragmentation of GRE/IPsec Packets 685

PMTUD and IPsec Packet Drops 686

Solutions for IPsec Packet Fragmentation and Drops 695

Summary 704

Review Questions 704

    Part III Remote Access VPNs 707

    Chapter 8

    Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs 709

    Benefits and Drawbacks of L2TP Remote Access VPNs 711

Operation of L2TP Voluntary/Client-Initiated Tunnel Mode 712

L2TPv2 Message Formats and Message Types 713

L2TP/IPsec Remote Access VPN Setup (Voluntary/Client-Initiated Tunnel Mode) 716

    Implementing L2TP Voluntary/Client-Initiated Tunnel Mode Remote Access VPNs 724

    Configuring PSK Authentication for L2TP/IPsec Voluntary Tunnel Mode VPNs 725

    Configuring a Cisco VPN 3000 Concentrator as an L2TP/IPsec VPN Gateway for PSK Authentication 725

    Configuring a Cisco IOS Router as an L2TP/IPsec VPN Gateway for PSK Authentication 732

    Configuring Windows L2TP/IPsec Remote Access VPN Clients for PSK Authentication 736

    Implementing Digital Signature (Digital Certificate) Authentication with L2TP/IPsec Voluntary/Client-Initiated Tunnel Mode Remote Access VPNs 743

    Configuring the L2TP/IPsec VPN Gateway for Digital Signature Authentication 743

    Configuring Windows L2TP/IPsec Remote Access Clients for Digital Signature (Digital Certificate) Authentication 759

Verifying L2TP/IPsec Voluntary Tunnel Mode Remote Access VPNs 765

Verifying L2TP/IPsec VPNs on the VPN Gateway 765

Verifying L2TP/IPsec VPNs on Remote Access Client Workstations 769

Configuring L2TP/IPsec Remote Access VPNs to Transit NAT Devices 773

Configuring L2TP/IPsec Remote Access Clients to Support NAT-T 773

Configuring the L2TP/IPsec VPN Gateway to Support NAT-T 775

Ensuring That More Than One Windows L2TP/IPsec Remote Access Client Can Successfully Connect to a VPN Gateway from Behind the Same NAT Device (When Using NAT-T) 776

Deploying L2TP Voluntary/Client-Initiated VPNs on Cisco IOS Routers 776

Designing and Implementing L2TP Compulsory/NAS-Initiated Tunnel Mode Remote Access VPNs 782

L2TP Compulsory Tunnel Mode Setup: LAC Perspective 784

L2TP Compulsory Tunnel Mode Setup: LNS Perspective 786

Configuring the LAC for Compulsory Tunnel Mode 788

Configuring Tunnel Definitions on a RADIUS Server 790

Configuring the LNS for Compulsory Tunnel Mode 794

    Integrating L2TP Remote Access VPNs with MPLS VPNs 798

    Summary 802

    Review Questions 803

    Chapter 9

    Designing and Deploying IPsec Remote Access and Teleworker VPNs 805

    Comparing IPsec Remote Access VPNs with Other Types of Remote Access VPNs 806

Understanding IKE in an IPsec Remote Access VPN Environment 807

Resolving Issues Relating to User Authentication 810

Extended Authentication Within IKE (Xauth) 810

Hybrid Authentication Mode for IKE 812

IKE Challenge/Response for Authenticated Cryptographic Keys (CRACK) 813

Resolving Issues Relating to Negotiation of Attributes Such as IP Addresses, DNS Server Addresses, and WINS Server Addresses 814

    Deploying IPsec Remote Access VPNs Using Preshared Key and Digital Signature Authentication 816

    Implementing IPsec Remote Access VPNs Using Preshared Key Authentication 816

    Configuring an IPsec Remote Access VPN Gateway for Preshared Key Authentication 817

Configuring the Cisco VPN Client for IKE Preshared Key Authentication 832

Designing and Deploying IPsec Remote Access VPNs Using Digital Signature Authentication 833

Implementing Digital Signature Authentication on IPsec Remote Access VPN Gateways 834

Deploying IKE Digital Signature Authentication on IPsec Remote Access VPN Clients 844

Implementing IPsec Remote Access VPNs Using Hybrid Authentication 847

Deploying Hybrid Authentication on the Cisco VPN 3000 Concentrator 848

Configuring Hybrid Authentication on Cisco VPN Clients 849

Verifying and Debugging IPsec Remote Access VPNs 850

Verifying IPsec Remote Access VPNs on Cisco VPN 3000 Concentrators 850

Verifying IPsec Remote Access VPNs on Cisco IOS VPN Gateways 852

Verifying IPsec Remote Access VPNs on the Cisco ASA 858

Verifying IPsec Remote Access VPNs on Cisco VPN Clients 860

Configuring NAT Transparency for IPsec Remote Access VPNs 862

Overcoming Issues with NAT/PAT When Using Cisco VPN 3000 Concentrators 863

Overcoming Issues with NAT/PAT When Using Cisco IOS VPN Gateways 864

Overcoming Issues with NAT/PAT When Using the Cisco ASA 5500 865

Configuring NAT/PAT Transparency on Cisco VPN Clients 865

IPsec Remote Access/Telecommuter VPNs Using Easy VPN (EZVPN) 865

Integrating IPsec with MPLS VPNs 869

Providing IPsec Remote Access Connectivity to MPLS VPNs 870

Integrating IPsec Site-to-Site VPNs with MPLS VPNs 876

High Availability: Enabling Redundancy for IPsec Remote Access VPNs 880

Load Balancing of IPsec Remote Access VPN Connections over a Number of VPN Gateways at the Same Central Site 881

Failover Between a Number of VPN Gateways at the Same Central Site Using VRRP 887

Using Backup VPN Gateways (Servers) at Geographically Dispersed VPN Gateways 889

Placing IPsec Remote Access VPN Gateways in Relation to Firewalls 892

Considerations When Building Wireless IPsec VPNs 894

Allowing or Disallowing Split Tunneling for Remote Access VPN Clients 898

    Summary 901

    Review Questions 902

    Chapter 10

    Designing and Building SSL Remote Access VPNs (WebVPN) 905

    Comparing SSL VPNs to Other Types of Remote Access VPNs 906

Understanding the Operation of SSL Remote Access VPNs 907

SSL Overview: TCP, the Record Layer, and the Handshake Protocol 908

Establishing an SSL Connection Between a Remote Access VPN User and an SSL VPN Gateway Using an RSA Handshake 910

SSL Connection Establishment: ClientHello Message 913

SSL Connection Establishment: ServerHello, Certificate, and ServerHelloDone Messages 914

SSL Connection Establishment: ClientKeyExchange, ChangeCipherSpec, and Finished Messages 916

SSL Handshake: SSLv2, SSLv3, or TLS? 918

Understanding the SSL RSA Handshake with Client Authentication 920

Resuming an SSL Session 922

Closing an SSL Connection 923

    Using Clientless SSL Remote Access VPNs (WebVPN) on the Cisco VPN 3000 Concentrator 924

    Completing Basic SSL Remote Access VPN Access Configuration Tasks on the Cisco VPN 3000 Concentrator 925

    Step 1: Enroll and Obtain a (SSL) Certificate for the VPN 3000 Concentrator from a Certificate Authority (Optional) 925

    Step 2: Enable WebVPN for Relevant User Groups 926


    Step 3: Specify Acceptable Versions of SSL and Configure Cryptographic Algorithms Associated with SSL Cipher Suites (Optional) 926

Step 4: Enable SSL on the VPN 3000 Concentrator's Public Interface 928

Configuring File and Web Server Access via SSL Remote Access VPNs 930

Step 1: Configure One or More NetBIOS Name Servers 931

Step 2: Configure WebVPN File Servers and Shares 931

Step 3: Enable File Access for the WebVPN User Group(s) 932

Enabling TCP Applications over Clientless SSL Remote Access VPNs 937

Configuring E-mail Proxy for SSL Remote Access VPN Users 943

Implementing Full Network Access Using the Cisco SSL VPN Client 948

Installing and Enabling the Cisco VPN Client Software 948

Understanding Remote Access Connectivity When Using the Cisco SSL VPN Client 950

Strengthening SSL Remote Access VPNs Security by Implementing Cisco Secure Desktop 952

Installing the Cisco Secure Desktop 954

Configuring the Cisco Secure Desktop for Windows Clients 954

Configuring the Windows Cache Cleaner 957

Configuring VPN Feature Policy Settings 958

Configuring Secure Desktop Options 959

Configuring Cache Cleaner Options for Mac and Linux Users 961

Enabling the Cisco Secure Desktop 962

Enabling SSL VPNs (WebVPN) on Cisco IOS Devices 963

Step 1: Configure Domain Name and Name Server Addresses 964

Step 2: Configure Remote AAA for Remote Access User Login Authentication 964

Step 3: Enroll the IOS Router with a CA and Obtain an Identity Certificate 965

Step 4: Enable WebVPN 966

Step 5: Configure Basic SSL Parameters 966

Step 6: Customize Login and Home Pages (Optional) 967

Step 7: Specify URLs 969

Step 8: Configure Port Forwarding 969

Deploying SSL VPNs (WebVPN) on the ASA 5500 970

Step 1: Configure the HTTP Server 971

Step 2: Enable WebVPN on the Outside Interface 971

Step 3: Configure the WebVPN User Group Policy and Attributes 971

Step 4: Configure Remote Access User Authentication 972

Step 5: Specify URL Lists 973

Step 6: Configure File Access, Entry, and Browsing 974

Step 7: Configure Port Forwarding 975

Step 8: Configure E-mail Proxy 976

Step 9: Specify an SSL Trustpoint, SSL Version, and SSL Encryption Algorithm (Optional) 977

Specifying an SSL Trustpoint 977

Restricting Acceptable SSL Versions 977

Configuring the Cryptographic Algorithms That the ASA Will Negotiate with Remote Access Clients 978

Step 10: Customize Login and Home Pages (Optional) 978

Verifying SSL VPNs on the ASA 979

    Summary 980

    Review Questions 981

    Part IV Appendixes 983

    Appendix A

    VPLS and IPLS Layer 2 VPNs 985

Understanding VPLS 985

Ensuring a Loop-Free Topology in a VPLS 987

Frame Forwarding over a VPLS 989

VPLS MAC Address Learning 990

Hierarchical VPLS (H-VPLS) Deployments 990

Understanding IPLS 991

Unicast and Broadcast/Multicast Pseudowires in IPLS 992

Unicast and Broadcast/Multicast Forwarding in IPLS 994

    Summary: Comparing VPLS and IPLS 995

    Appendix B

    Answers to Review Questions 997

    Chapter 1 997

    Chapter 2 997

    Chapter 3 998

    Chapter 4 999

    Chapter 5 1000

    Chapter 6 1002

    Chapter 7 1003

    Chapter 8 1004

    Chapter 9 1005

    Chapter 10 1006

Index 1009

    Icons Used in This Book

The icon legend (the icon graphics themselves are not reproduced here) shows the following device and link types:

PC, PC with Software, Sun Workstation, Macintosh, Terminal, File Server, Web Server, CiscoWorks Workstation, Printer, Laptop, IBM Mainframe, Front End Processor, Cluster Controller, Modem, DSU/CSU, Router, Bridge, Hub, Catalyst Switch, Multilayer Switch, ATM Switch, ISDN/Frame Relay Switch, Communication Server, Gateway, Access Server, Network Cloud, Token Ring, FDDI, Line: Ethernet, Line: Serial, Line: Switched Serial

    Command Syntax Conventions

    The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Command Reference. The Command Reference describes these conventions as follows:

Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

Italics indicate arguments for which you supply actual values.

    Vertical bars | separate alternative, mutually exclusive elements.

    Square brackets [ ] indicate optional elements.

    Braces { } indicate a required choice.

    Braces within brackets [{ }] indicate a required choice within an optional element.


    Introduction

    As the number and sophistication of virtual private network (VPN) technologies has grown, the complexity of choice, design, and deployment has also increased.

    It is now possible to implement site-to-site VPNs, remote access VPNs, LAN-to-LAN VPNs, trusted VPNs, secure VPNs, L1VPNs, L2VPNs, L3VPNs, VPWS VPNs, VPLS VPNs, IPLS VPNs, network-based VPNs, C(P)E-based VPNs, multiservice VPNs, provider-provisioned VPNs, customer-provisioned VPNs, Internet VPNs, intranet VPNs, extranet VPNs, point-to-point VPNs, multipoint-to-multipoint VPNs, overlay VPNs, peer (-to-peer) VPNs, connection-oriented VPNs, connectionless VPNs, and clientless VPNs.

    And then there are L2TPv3-based VPNs, AToM-based VPNs, MPLS Layer 3 VPNs, L2F VPNs, L2TPv2 VPNs, PPTP VPNs, and SSL VPNs.

    No wonder VPNs can be confusing!

    This book shows you how to navigate the spaghetti soup of VPN terminology and acronyms and how to differentiate and select the appropriate VPN type.

    But, the ability to differentiate and select the appropriate VPN type is not enough! After you have decided which VPN type is appropriate, the next steps are its design and deployment.

    Thankfully, this book also steers you through the design and deployment phases and shows you how each individual VPN technology works in detail, what its capabilities are, how it can be configured, and what the advanced design and implementation considerations are.

    Motivation for the Book

    Although existing material describes the various VPN technologies, it became obvious to me that a requirement exists for a single book that not only clarifies the differences between the various VPN types and technologies but also describes those various VPN technologies in detail. Hopefully, this book fulfills that requirement and clears up a lot of the confusion that has hitherto existed with regard to VPNs.

    Who Should Read This Book?

    In this book, you will find in-depth coverage of site-to-site VPN technologies such as L2TPv3, AToM, MPLS Layer 3 (RFC2547bis) VPNs, IPsec, VPLS, and IPLS. You will also find detailed examinations of remote access VPN technologies, including L2TPv2/3, IPsec, and SSL. In addition, you will find information about how to integrate remote access VPN technologies with site-to-site VPNs.

    So, who will find this breadth and depth of VPN technology coverage useful? It will be very useful to network architects, network implementation engineers, network support staff, and IT managers/CIOs involved with selecting, designing, deploying, and supporting VPNs. It will also be helpful to people preparing for networking tests such as the Security and Service Provider CCIE exams.

    How This Book Is Organized

    This book is organized such that it can either be dipped into for information on a specific VPN type or it can be read from cover to cover.


    If you are in the process of comparing and evaluating different VPN types with a view to their deployment in your network, or are preparing for a networking exam that includes coverage of VPN technologies, you may want to read Chapter 1 (which gives a high-level comparison), followed by one or more of the following chapters that deal with specific VPN technologies.

    If, on the other hand, you are looking to improve and deepen your knowledge of VPN technologies in general, you might want to read the book cover to cover.

    The book is arranged as follows:

    Chapter 1, What Is a VPN?

    Chapter 1 poses (and answers) the deceptively simple question "What is a VPN?" In this chapter, you will find a high-level discussion and comparison of the various VPN types and technologies, which will clarify what the various VPN terms mean and how the technologies work. By the end of this chapter, the previously confused will be a lot more clear about what a VPN really is.

    Chapter 2, Designing and Deploying L2TPv3-Based Layer 2 VPNs (L2VPN)

    L2TP has evolved from a tunneling protocol for PPP to become, in its latest incarnation (L2TPv3), a universal transport mechanism for a host of protocols such as Ethernet, Frame Relay, ATM (cell-relay and AAL5), HDLC, and PPP. This chapter discusses in depth L2TPv3's advantages and disadvantages, how it operates, and how L2TPv3-based Layer 2 VPNs can be designed and deployed.

    Chapter 3, Designing and Implementing AToM-Based Layer 2 VPNs (L2VPN)

    Any Transport over MPLS (AToM) provides a similar transport mechanism to L2TPv3, but over MPLS rather than IP. It, too, can transport protocols including Ethernet, Frame Relay, and ATM, and as such can be used to consolidate service provider networks and build Layer 2 VPNs. AToM's underlying technology, configuration, verification, and advanced design considerations are examined in this chapter.

    Chapter 4, Designing MPLS Layer 3 Site-to-Site VPNs

    MPLS Layer 3 VPNs provide a highly scalable VPN architecture that provides any-to-any connectivity and can support real-time applications such as voice and video. This chapter provides a detailed discussion of the principles of its operation, its configuration, the provision of complex topologies, and Internet access.

    Chapter 5, Advanced MPLS Layer 3 VPN Deployment Considerations

    Building on the foundation of Chapter 4, this chapter describes how MPLS Layer 3 VPNs can be extended to support carrier customers, interprovider and inter-autonomous system VPNs, QoS, and customer IPv6 VPNs.

    Chapter 6, Deploying Site-to-Site IPsec VPNs

    IPsec remains a popular choice for implementing site-to-site VPNs. In this chapter, you can find a description of the algorithms and mechanisms that underlie IPsec, together with an in-depth discussion of the fundamentals of IPsec site-to-site VPN configuration using preshared key, encrypted nonce, and digital certificate authentication. Also included is detailed information about issues with IPsec and NAT (and how to get around them).


    Chapter 7, Scaling and Optimizing IPsec VPNs

    This chapter builds on the discussion of the fundamentals of site-to-site IPsec VPNs in Chapter 6 by describing their scaling and optimization. Specific topics covered include Tunnel Endpoint Discovery (TED), Dynamic Multipoint VPN (DMVPN), scaling IPsec VPNs using digital signature authentication, quality of service (QoS), and avoiding the performance degradation caused by IPsec packet fragmentation.

    Chapter 8, Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs

    L2TP can be used to implement industry-standard remote access VPNs. This chapter provides comprehensive information about designing and deploying L2TP voluntary tunnel mode/client-initiated and compulsory tunnel mode/NAS-initiated remote access VPNs. Methods of securing L2TP remote access VPNs using IPsec as well as the integration of L2TP remote access VPNs with MPLS Layer 3 VPNs are also discussed.

    Chapter 9, Designing and Deploying IPsec Remote Access and Teleworker VPNs

    IPsec can not only be used to provision site-to-site VPNs, but can also be used to implement remote access VPNs. A thorough description of their design and deployment is included in this chapter. The chapter describes configuration as well as special considerations, including the integration of IPsec remote access VPNs with MPLS Layer 3 VPNs, provisioning high availability, and allowing or disallowing split tunneling.

    Chapter 10, Designing and Building SSL Remote Access VPNs (WebVPN)

    Although SSL is a relative newcomer as a VPN technology, it can provide significant advantages, especially if remote access users need to access the corporate network from insecure locations such as Internet cafés and airport kiosks.

    In this chapter, you will find detailed information on designing and deploying both clientless remote access SSL VPNs, and SSL remote access VPNs using the Cisco SSL VPN Client. Also included is an examination of the Cisco Secure Desktop, which enables users to greatly improve the security of SSL VPN connections from insecure locations.

    Appendix A, VPLS and IPLS Layer 2 VPNs

    This appendix describes two VPN technologies that provide multipoint Ethernet connectivity for customer sites. VPLS provides multipoint, multiprotocol connectivity, but does involve a relatively high degree of complexity; whereas IPLS provides multipoint, IP-only connectivity with a lower degree of complexity.

    Appendix B, Answers to Review Questions

    You will find the answers to the review questions at the end of each chapter here.

    Part I: Understanding VPN Technology

    Chapter 1: What Is a Virtual Private Network?