© 2003, Cisco Systems, Inc. All rights reserved.
Deploying VPN
Eric Vyncke
Cisco Systems
Field Distinguished Engineer
Evyncke, UCL VPN workshop
Forewords
Focus mainly on VPNs for one organization
Agenda
• Cisco Definition of VPN
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Virtual Private Network (VPN) Defined
"A Virtual Private Network Carries Private Traffic Over a Public Network"
(Cisco 'official' definition)
What Is a “Public” Network?
• In this context, any network shared among different administrative domains
• A shared network such as the Internet
• A privately owned network which services many external/internal customers
What is 'Private' Traffic?
• Can be anything desired by an organization
Confidentiality => IPSec
IP routing independence (addressing and IGP) => MPLS & RFC 2547
QoS end to end
Efficient multicast
The Three Categories of VPN
• Remote Access VPN: secure, scalable, encrypted tunnels across a public network, client software (mobile worker and home office reaching the main office through a POP)
• Extranet VPN: extends WANs to business partners
• Intranet VPN: low cost, tunneled connections with rich VPN services, like IPSec encryption and QoS to ensure reliable throughput (remote office to main office over the WAN VPN)
Technologies
• A large choice
BGP/MPLS VPN
IPSec
Layer 3: IPinIP, GRE, IPv6 over IPv4
Layer 2: L2TP
IEEE 802.1q VLAN
(My main focus: IPSec and the Layer 3 tunnels)
Another Cisco Taxonomy
• Network Based VPN
L2VPN
L3VPN: MPLS VPN, Network Based IPSec
• CPE Based VPN
IPSec/GRE
Agenda
• Cisco Definition of VPN
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Examples
• The most common layer 3 tunnels are
IP in IP: RFC 2003
GRE: RFC 2784 (the default tunnel mode on Cisco routers)
• The most common layer 2 tunnels are
PPTP, L2F: deprecated
L2TP: RFC 2661
L2TPv3: also known as UTI
IPSec Tunnel Mode Encapsulation

Original IP datagram:
[Original IP header, 20 bytes, Protocol=p] [IP payload]

IPSec ESP tunnel mode without ESP authentication (packet with new IP header, on the wire):
[External IP header, 20 bytes, Protocol=50 (ESP)] [ESP header, 16 bytes] [Original IP header, 20 bytes, Protocol=p] [IP payload] [ESP trailer, 2-10 bytes, Next Header=4 (IPinIP)]
Encrypted: original IP header + IP payload + ESP trailer. Note that the Next Header field (4, IPinIP) is carried in the ESP trailer, not in the ESP header.
IPinIP + IPSec Transport Mode

Original IP datagram:
[Original IP header, 20 bytes, Protocol=p] [IP payload]

IPinIP encapsulation:
[External IP header, 20 bytes, Protocol=4 (IPinIP)] [Original IP header, 20 bytes, Protocol=p] [IP payload]

After IPSec transport mode:
[External IP header, 20 bytes, Protocol=50 (ESP)] [ESP header, 16 bytes] [Original IP header, 20 bytes, Protocol=p] [IP payload] [ESP trailer, 2-10 bytes, Next Header=4 (IPinIP)]
Encrypted: original IP header + IP payload + ESP trailer. Transport mode keeps the external IP header and only rewrites its protocol (4 becomes 50), length and checksum.
Differences with IPSec Tunnel Mode
• Same syntax (bits on the wire):
IPSec Tunnel Mode
IPinIP + IPSec Transport Mode
• Is it the same semantic? No
• Because the SPD is now replaced by routing:
Ease of deployment
Resiliency
Less security (the routing table, not the static IPSec policy, decides which tunnel a packet enters)
Difference: SPD & SAD
• IPinIP + IPSec Transport Mode
Selector: <L3 endpoint, L3 endpoint, IPinIP, *, *>
Trivial selectors, easy provisioning
Usually one pair of SAs, very scalable
• IPSec Tunnel Mode
Selector: <protected net., protected net., *, *, *>
Can potentially be multiple pairs of SAs
Difference: Cisco Router IOS view
• IPinIP + IPSec: is a L3 tunnel interface
Routing protocol
Multicast, ...
This means strong resilience and fast re-routing
• IPSec Tunnel Mode: is not
Difference: SA Selection
• IPinIP + IPSec Transport Mode
L3 tunnel is selected by the FIB
The FIB is dynamic (insecure)
• IPSec Tunnel Mode
IPSec SA selected by the SAD
The SAD is static (secure)
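The SPD/SAD and SA-selection slides above make two claims: tunnel-mode SA count grows with the number of protected prefix pairs, and with IPinIP/GRE plus transport mode the routing table, not the static policy, decides which SA a packet takes. The following Python is an added model of both (not code from the slides or from IOS). Prefixes, peers, tunnel names and the injected route are constructed for the illustration.

```python
"""Added example, not part of the slides: how the two designs pick the SA for
a packet.  Tunnel mode: static SPD/SAD selectors.  IPinIP/GRE + transport
mode: the FIB picks the tunnel, and one SA is bound to that tunnel's endpoints."""
from ipaddress import ip_address, ip_network
from itertools import product


def tunnel_mode_spd(local_nets, remote_nets, peer):
    """Tunnel mode: one <local net, remote net, *, *, *> selector (one SA pair)
    per prefix pair, each tied to the statically configured peer."""
    return [(ip_network(l), ip_network(r), peer) for l, r in product(local_nets, remote_nets)]


def sad_select(spd, src, dst):
    """Static selection: the first selector covering <src, dst> names the peer.
    None means no SA matches; the crypto policy, not routing, then decides."""
    for local, remote, peer in spd:
        if ip_address(src) in local and ip_address(dst) in remote:
            return peer
    return None


class Fib:
    """Longest-prefix-match forwarding table, fed by a dynamic routing protocol."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, out_interface):
        self.routes.append((ip_network(prefix), out_interface))

    def lookup(self, dst):
        hits = [(n, i) for n, i in self.routes if ip_address(dst) in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def fib_select(fib, transport_sad, dst):
    """Transport mode: the FIB picks the tunnel interface; that tunnel's single SA,
    selector <endpoint, endpoint, proto 4 (IPinIP)>, protects whatever goes in."""
    return transport_sad.get(fib.lookup(dst))


def scenario():
    local = ["10.1.0.0/16", "10.3.0.0/16", "10.5.0.0/16"]
    remote = ["10.2.0.0/16", "10.4.0.0/16"]
    hub, other_spoke = "192.0.2.1", "198.51.100.7"

    spd = tunnel_mode_spd(local, remote, hub)

    # transport mode: one SA per tunnel, keyed by the interface the FIB returns
    transport_sad = {"Tunnel0": hub, "Tunnel1": other_spoke}
    fib = Fib()
    fib.add("10.2.0.0/16", "Tunnel0")   # learned from the hub over the IGP in the tunnel
    fib.add("10.4.0.0/16", "Tunnel0")
    before = fib_select(fib, transport_sad, "10.2.2.20")

    # a peer reachable over Tunnel1 injects a more specific prefix into the same IGP
    fib.add("10.2.2.0/24", "Tunnel1")
    after = fib_select(fib, transport_sad, "10.2.2.20")

    return {
        "tunnel_mode_sa_pairs": len(spd),                # grows with local x remote
        "transport_mode_sa_pairs": len(transport_sad),   # one per tunnel, whatever the prefixes
        "sad_peer": sad_select(spd, "10.1.1.10", "10.2.2.20"),   # unaffected by the route
        "fib_peer_before": before,
        "fib_peer_after": after,                          # redirected by the injected route
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

With three local and two remote prefixes the tunnel-mode SPD needs six SA pairs; the transport-mode design needs one per tunnel. The price is visible in `fib_peer_after`: a more specific route learned through the IGP moves traffic for 10.2.2.0/24 into the other spoke's tunnel, whereas the SAD keeps sending it to the hub. The traffic still leaves encrypted to an IPSec-authenticated peer, so the exposure is redirection to another VPN member, not disclosure on the public network; in practice this is why the IGP carried inside such tunnels should be authenticated and the prefixes each spoke may advertise filtered.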
Traffic Can Be Routed Through 2 Hubs (Central Site)
Hub 1 (active), Hub 2 (active)
+ Easier
+ Hubs are always under 50% load
- Asymmetric routing
Traffic Can Be Load Balanced (Central Site)
Hub 1 (active), Hub 2 (active)
Need to tune the IGP to always select the preferred (green) tunnels
+ Symmetric routing
+ Both hubs running at 50%
Agenda
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Agenda
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Next Hop Resolution Protocol, RFC 2332
• IETF protocol
• Used on NBMA (Non-Broadcast Multi-Access) networks such as Frame Relay or X.25 to discover peers
• Can also be used on multipoint GRE, mGRE
A specific kind of GRE tunnel
Fan-out like: one hub and multiple spokes
The hub can speak directly to all spokes
Spokes can only talk to the hub
• Cannot be used over IPinIP, since NHRP does not run directly over IP (it needs GRE's protocol type field)
NHRP over mGRE

NHRP Server (hub) with NHRP Clients X (NBMA address 2.2.2.2) and Y (NBMA address 3.3.3.3) on one mGRE cloud:
1. NHRP registration request from Y to the server: Y is 3.3.3.3
2. NHRP registration reply: OK (server's NHRP cache: client Y is via 3.3.3.3)
3. IP packet X -> Y: X sends an NHRP resolution request for Y
4. NHRP resolution reply: Y is through 3.3.3.3
5. X's NHRP cache: client Y is via 3.3.3.3, so X can now reach Y directly
Tunnel Endpoint Discovery

Hosts Alice (A) and Bob (B); gateways X1 (in front of Alice), X2 and Y (in front of Bob):
1. At X1: A to B must be protected, no SA => send a probe: IP A to B, IKE A to B (proxy = X1)
2. At Y: traffic to B must be protected, no SA & probe received => block the probe & answer it
3. IKE: Y to X1

Proposed to IETF IPSP WG
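The probe exchange of the figure, as an added Python model that is not part of the slides or of the IETF proposal: gateways X1 and Y each carry a crypto policy but no peer address, and the probe addressed to Bob finds the gateway that protects him. Message fields are simplified, an unrelated gateway X2 is placed on the path to show that it lets the probe through, and all host and gateway addresses are constructed.

```python
"""Added example, not part of the slides: Tunnel Endpoint Discovery.  A gateway
with a protect policy but no SA probes toward the destination; the gateway in
front of the destination blocks the probe, answers it and starts IKE."""
from ipaddress import ip_address, ip_network


class Gateway:
    def __init__(self, name, addr, protect):
        self.name, self.addr = name, addr
        # crypto policy: (source net, destination net) pairs that must be protected
        self.protect = [(ip_network(s), ip_network(d)) for s, d in protect]
        self.sas = {}      # remote protected net -> peer gateway address
        self.log = []      # messages seen by this gateway, in order

    def must_protect(self, src, dst):
        return any(ip_address(src) in s and ip_address(dst) in d for s, d in self.protect)

    def sa_for(self, dst):
        return next((peer for net, peer in self.sas.items() if ip_address(dst) in net), None)

    def send(self, src, dst, path):
        """Outbound packet from a host behind this gateway; path = gateways toward dst."""
        if not self.must_protect(src, dst):
            return "clear"
        peer = self.sa_for(dst)
        if peer is None:
            # no SA and no known peer: probe addressed to the destination host itself
            probe = {"type": "probe", "src": src, "dst": dst, "proxy": self.addr}
            self.log.append(probe)
            reply = next((r for r in (gw.intercept(probe) for gw in path) if r), None)
            if reply is None:
                return "dropped"      # nobody on the path claims the destination
            self.log.append(reply)
            peer = reply["proxy"]
            self.sas[reply["protected"]] = peer   # SA installed once IKE from the peer completes
        return "esp to %s" % peer

    def intercept(self, probe):
        """Probe arriving at a gateway on the way to the destination."""
        for local, remote in self.protect:
            if ip_address(probe["dst"]) in local and ip_address(probe["src"]) in remote:
                # traffic to our side must be protected: block the probe, answer it, start IKE
                self.log.append(probe)
                self.sas[remote] = probe["proxy"]
                self.log.append({"type": "ike", "from": self.addr, "to": probe["proxy"]})
                return {"type": "probe-reply", "proxy": self.addr, "protected": local}
        return None


def discover():
    x1 = Gateway("X1", "192.0.2.1", [("10.1.0.0/16", "10.2.0.0/16"), ("10.1.0.0/16", "10.9.0.0/16")])
    x2 = Gateway("X2", "192.0.2.9", [("10.7.0.0/16", "10.8.0.0/16")])   # unrelated policy on the path
    y = Gateway("Y", "198.51.100.1", [("10.2.0.0/16", "10.1.0.0/16")])
    first = x1.send("10.1.1.10", "10.2.2.20", path=[x2, y])    # probe, reply, IKE, then ESP
    second = x1.send("10.1.1.10", "10.2.2.20", path=[x2, y])   # SA already there
    clear = x1.send("10.1.1.10", "203.0.113.5", path=[x2, y])  # not covered by the policy
    dropped = x1.send("10.1.1.10", "10.9.1.1", path=[x2, y])   # protected, but nobody answers
    return {"first": first, "second": second, "clear": clear, "dropped": dropped,
            "x1_log": [m["type"] for m in x1.log],
            "y_log": [m["type"] for m in y.log],
            "x2_log": [m["type"] for m in x2.log]}


if __name__ == "__main__":
    print(discover())
```

The probe carries the protected host addresses and the proxy identity in the clear and can be answered by anyone on the path; what makes the result trustworthy is the IKE negotiation that follows, in which Y and X1 authenticate each other. A destination that no gateway claims leaves X1 with no peer to negotiate with, so the packet is dropped rather than sent in the clear.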
NHRP, TED and Routing
• NHRP + mGRE requires routing inside the GRE tunnel to learn about connected networks
• TED requires routing in the core to learn about connected networks
Agenda
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Case #1: 1500 Nodes Hierarchical Network With IPX
• Customer: large retail bank
• Requirements:
Mix of IP and IPX traffic
Large scale: 1500 nodes
Hierarchical structure: branch, regional office
Bandwidth: 128 kbps, 512 kbps & 10 Mbps
Outsourced IP services
Case #1: Issues
• Large scale
Need to use a layered structure
• Mix of IPX & IP
Use of GRE encapsulation
• High Availability (Resilience)
Use routing protocol (EIGRP for IP & IPX)
• Outsourced IP services
1 router managed by IP Service Provider
1 router managed by customer (IPSec)
Case #1: IPSec Overlay Network
HQ (approx. 2): 200 tunnels per router, can be split over several routers
RO (approx. 600): 15 tunnels to branches, 4 tunnels to BO
BO (approx. 800): 1 tunnel per branch
Case #2: MPLS BGP VPN & IPSec
• Customer: SP for a bank
• Requirements
Outsourced network: connectivity & security
Double management ?
Interworking with MPLS (RFC 2547)
300 Nodes
Case #2: Network
MPLS network with 2 Mbps links carrying a Green VPN and a Red VPN
Use of Tunnel Endpoint Discovery
Case #3: Mapping IPSec Remote Access to another VPN
• SP customer
• Wants to connect remote user over a remote access IPSec VPN to
Specific L3 VPN: GRE, BGP/MPLS
Specific L2 VPN: Frame Relay, 802.1Q VLAN
• Solution: IPSec termination in different VRF based on IKE identity
Case #3: IPSec to BGP/MPLS VPN
Figure: branch office, telecommuter/SOHO and remote access users reach an IPSec aggregator PE (IPSec-AGG PE) over the Internet; PEs for Customer A and Customer B sit on the MPLS network; an Internet gateway joins the Internet to the MPLS/VPN side. IPSec VPN on the Internet side, MPLS/VPN on the provider side.
Mapping offnet users into BGP/MPLS VPNs.