IPsec Virtual Private Network Fundamentals By James Henry Carmouche, - CCIE No 6085 Publisher: Cisco Press Pub Date: July 19, 2006 Print ISBN-10: 1-58705-207-5 Print ISBN-13: 978-1-58705-207-1 Pages: 480 Table of Contents | Index An introduction to designing and configuring Cisco IPsec VPNs Understand the basics of the IPsec protocol and learn implementation best practices Study up-to-date IPsec design, incorporating current Cisco innovations in the security and VPN marketplace Learn how to avoid common pitfalls related to IPsec deployment Reinforce theory with case studies, configuration examples showing how IPsec maps to real-world solutions IPsec Virtual Private Network Fundamentals provides a basic working knowledge of IPsec on various Cisco routing and switching platforms It provides the foundation necessary to understand the different components of Cisco IPsec implementation and how it can be successfully implemented in a variety of network topologies and markets (service provider, enterprise, financial, government) This book views IPsec as an emerging requirement in most major vertical markets, explaining the need for increased information authentication, confidentiality, and non-repudiation for secure transmission of confidential data The book is written using a layered approach, starting with basic explanations of why IPsec was developed and the types of organizations relying on IPsec to secure data transmissions It then outlines the basic IPsec/ISAKMP fundamentals that were developed to meet demand for secure data transmission The book covers the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics including high availability solutions and public key infrastructure (PKI) Sample topology diagrams and configuration examples are provided in each chapter to reinforce the fundamentals expressed in text and to assist readers in translating concepts into practical deployment scenarios Additionally, comprehensive case studies are incorporated throughout to map topics to real-world solutions IPsec Virtual Private Network Fundamentals By James Henry Carmouche, - CCIE No 6085 Publisher: Cisco Press Pub Date: July 19, 2006 Print ISBN-10: 1-58705-207-5 Print ISBN-13: 978-1-58705-207-1 Pages: 480 Table of Contents | Index Copyright About the Author About the Technical Reviewers Acknowledgments Command Syntax Conventions Introduction Methodology Who Should Read This Book? How This Book Is Organized Part I: Introductory Concepts and Configuration/Troubleshooting Chapter 1 Introduction to VPN Technologies VPN Overview of Common Terms Characteristics of an Effective VPN VPN Technologies Common VPN Deployments Business Drivers for VPNs IPsec VPNs and the Cisco Security Framework Summary Chapter 2 IPsec Fundamentals Overview of Cryptographic Components Public Key Encryption Methods The IP Security Protocol (IPsec) IKE and ISAKMP Summary Chapter 3 Basic IPsec VPN Topologies and Configurations Site-to-Site IPsec VPN Deployments Site-to-Site IPsec VPN Deployments and GRE (IPsec+GRE) Hub-and-Spoke IPsec VPN Deployments Remote Access VPN Deployments Summary Chapter 4 Common IPsec VPN Issues IPsec Diagnostic Tools within Cisco IOS Common Configuration Issues with IPsec VPNs Architectural and Design Issues with IPsec VPNs Summary Part II: Designing VPN Architectures Chapter 5 Designing for High Availability Network and Path Redundancy IPSec Tunnel Termination Redundancy Managing Peer and Path Availability Managing Path Symmetry Load Balancing, Load Sharing, and High Availability Summary Chapter 6 Solutions for Local Site-to-Site High Availability Using Multiple Crypto Interfaces for High Availability Stateless IPsec VPN High-Availability Alternatives Stateful IPsec VPN High-Availability Alternatives Summary Chapter 7 Solutions for Geographic Site-to-Site High Availability Geographic IPsec VPN HA with Reverse Route Injection and Multiple IPsec Peers Geographic IPsec VPN High Availability with IPsec+GRE and Encrypted Routing Protocols Dynamic Multipoint Virtual Private Networks Summary Chapter 8 Handling Vendor Interoperability with High Availability Vendor Interoperability Impact on Peer Availability Vendor Interoperability Impact on Path Availability Vendor Interoperability Design Considerations and Options Summary Chapter 9 Solutions for Remote-Access VPN High Availability IPsec RAVPN Concentrator High Availability Using Virtual Interfaces for Tunnel Termination IPsec RAVPN Concentrator HA Using the VCA Protocol IPsec RAVPN Geographic HA Design Options Summary Chapter 10 Further Architectural Options for IPsec IPsec VPN Termination On-a-Stick In-Path Versus Out-of-Path Encryption with IPsec Separate Termination of IPsec and GRE (GRE-Offload) Summary Part III: Advanced Topics Chapter 11 Public Key Infrastructure and IPsec VPNs PKI Background PKI Components Life of a Public Key Certificate PKI and the IPSec Protocol SuiteWhere PKI Fits into the IPSec model OCSP and CRL Scalability Case Studies and Sample Configurations Summary Chapter 12 Solutions for Handling Dynamically Addressed Peers Dynamic Crypto Maps Tunnel Endpoint Discovery Case StudyUsing Dynamic Addressing with Low-Maintenance Small Home Office Deployments Summary Appendix A Resources Books RFCs Web and Other Resources Index Copyright IPsec Virtual Private Network Fundamentals James Henry Carmouche, CCIE No 6085 Copyright © 2007 Cisco Systems, Inc Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 First Printing June 2006 Library of Congress Cataloging-inPublication Number: 2004107143 Trademark Acknowledgments All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized Cisco Press or Cisco Systems, Inc cannot attest to the accuracy of this information Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark Warning and Disclaimer This book is designed to provide information about IPsec virtual private networks Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied The information is provided on an "as is" basis The authors, Cisco Press, and Cisco Systems, Inc shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc Corporate and Government Sales Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales For more information please contact: U.S Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com For sales outside the U.S please contact: International Sales international@pearsoned.com Feedback Information At Cisco Press, our goal is to create in-depth technical books of the highest quality and value Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community Readers' feedback is a natural continuation of this process If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com Please make sure to include the book title and ISBN in your message We greatly appreciate your assistance Publisher Paul Boger Cisco Representative Anthony Wolfenden Cisco Press Program Manager Jeff Brady Executive Editor Brett Bartow Production Manager Patrick Kanouse Development Editor Andrew Cupp Project Editor Interactive Composition Corporation Copy Editor Interactive Composition Corporation Technical Editors Aamer Akhter, Jason Guy, Mark J Newcomb Editorial Assistant Katherine Linder Book and Cover Designer Louisa Adair Composition Interactive Composition Corporation Indexer Tim Wright Corporate Headquarters Cisco Systems, Inc 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100 Americas Headquarters Cisco Systems, Inc 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883 Asia Pacific Headquarters Cisco Systems, Inc Capital Tower 168 Robinson Road #22-01 to #29-01 Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799 Cisco Systems has more than 200 offices in the following countries and regions Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe Copyright â 2003 Cisco Systems, Inc All rights reserved CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc and/or its affiliates in the U.S and certain other countries All other trademarks mentioned in this document or Web site are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company (0303R) Printed in the USA Dedication For my loving wife, Kristen, and my two wonderful sons, James and Charlie This would not have been possible without your unconditional love, support, and inspiration RSA signatures Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [V] [W] [X] QoS (quality of service), impact of IPsec on DiffServ flow-based IntServ quick mode negotiation, Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [V] [W] [X] RAs (registration authorities), CA interoperability, configuring rate-limiting ICMP messages, RAVPNs (remote-access VPNs) deployment model clients, clustered VPN concentrator designs, standalone VPN concentrator designs, HA DNS-based load balancing, geographic HA, DNS-based load balancing, 2nd HSRP, VCA, VRRP, 2nd 3rd reconvergence of routing protocols, impact on IPsec reconvergence, recursive routing effect on IPsec VPNs symptoms of redistribute static command, 2nd redistribution distribute lists of VPN routes redundant clustered spoke VPN design, registration authorities, CA interoperability, configuring registration process for public key certificates, remote-access VPNs business drivers SSL removing stale SAs from SADB, round-robin approach to DNS resolution, route descriptors, router-on-a-stick, IPsec VPN tunnel termination, routing, RP-based IPsec HA, RRI (Reverse Route Injection), and dynamic crypto maps impact on vendor interoperability RSA encryption, 2nd IKE authentication errors, troubleshooting signatures 2nd 3rd 4th enrollment process, 2nd IKE authentication errors, troubleshooting, life cycle of, 2nd RSVP (Resource Reservation Protocol), impact of IPsec on, Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [V] [W] [X] sample IPsec+GRE model configurations, SAs (security associations) IPsec tunnel security parameters 2nd need for proposal mismatches, troubleshooting security parameters, manual keying transport mode tunnel mode scalability of CRLs, SCEP (Simple Certificate Enrollment Protocol), SCTP (Stream Control Transmission Protocol), security wheel, sender non-repudiation, serialization delay, session authentication (SSL VPNs), SHA (Secure Hash Algorithm), shared secret keys, signing public key certificates, single points of failure for site-to-site VPNs, site-to-site IPsec VPNs, 2nd business drivers configuration, verifying configuring hub-and-spoke networks over routed domains 2nd single points of failure, eliminating site-to-site IPsec+GRE model [See IPsec+GRE model.] software-based VPN clients, SOHO deployments, applying dynamic crypto maps case study, SPI (security parameter index), SPI-based NAT, troubleshooting, SSL VPNs, cryptographic key derivation handshake process HMAC RAVPN architectures session authentication transport layer security tunnel establishment process SSO (stateful switchover), stale SAs impact on IPsec reconvergence removing from SADB standalone VPN concentrator designs, stateful IPSec HA, alternatives to failover process stateless IPsec HA, alternatives to HSRP, RRI, failover process goals of static crypto maps, symmetric encryption, 2nd shared secret keys, Diffie-Hellman secret key generation symptoms of recursive routing, Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [V] [W] [X] TED (Tunnel Endpoint Discovery), timers (HSRP), tuning, topologies [See VPN topologies.] transform sets, identifying mismatches, transforms AH creating ESP confidentiality services, data integrity and authentication services, IPComp LZS transport layer VPNs, SSL VPNs, cryptographic key derivation handshake process HMAC session authentication transport layer security tunnel establishment process transport mode, 2nd troubleshooting IKE authentication errors, peer mismatches, SA proposal mismatches, 2nd mismatched crypto ACLs NAT issues in IPsec VPN designs SPI-based NAT, NAT-T issues in IPsec VPN designs VPNs in firewalled environments TTI (Trusted Transitive Introduction), tunnel mode, tunnel termination [See also tunnels.] dual-DMZ firewall design 2nd firewalled GRE-offload with cleartext firewall paths, with dynamic crypto maps, with high-speed tunnel termination, with IKE x-Auth, "on a stick" termination NAT-on-a-stick, router-on-a-stick, termination redundancy on HSRP/VRRP virtual interfaces, using RP-based IPsec HA, with multiple peer statements, tunnels L2F establishment process load-balanced designs concentrator clustering, DNS, external load balancers, load sharing with peer statements, routing, negotiation process PPTP compulsory, tunnel negotiation process, voluntary, SA security parameters 2nd Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [V] [W] [X] "validity period" field (ITU-T X.509v3-compliant certificates), VCA (Virtual Cluster Agent) protocol, RAVPN concentrator HA vendor HA interoperability design considerations interoperability with stateful IPsec HA, invalid security parameter index recovery, Phase1/2 SA lifetime expiry, SADB management, impact on path availability limitations of inability to specify multiple peers, lack of peer availability mechanisms, verifying dynamic crypto maps IPsec+GRE model, tunnel establishment message digests site-to-site VPN configuration TED Virtual Fragmentation Reassembly, voluntary tunnels, VPDNs (virtual private dialup networks), L2TP control messages, payload packets, tunnel negotiation process, Layer 2 Forwarding Protocol packet format, tunnel establishment process, PPTP compulsory tunnels, data structure, tunnel negotiation process, voluntary tunnels, VPN clients, VPN concentrators, VPN routes, redistribution, VPN topologies hub-and-spoke clustered spoke design, redundant clustered spoke design, IPsec+GRE model sample configurations, tunnel establishment, verifying, RAVPNs clients, clustered VPN concentrator designs, standalone VPN concentrator designs, site-to-site configuring, over routed domain, 2nd verifying configuration, VPN tunnel termination dual-DMZ firewall design 2nd firewalled GRE-offload with cleartext firewall paths, with dynamic crypto maps, with high-speed tunnel termination, with IKE x-Auth, "on a stick" termination NAT-on-a-stick, router-on-a-stick, termination redundancy on HSRP/VRRP virtual interfaces, using RP-based IPsec HA, with multiple peer statements, VPN3000 Clustering, VRFs (VPN Routing and Forwarding Instances), VRRP, RAVPN concentrator HA, 2nd 3rd Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [V] [W] [X] wildcard preshared keys, Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [V] [W] [X] x-auth, X.509 certificates, enrollment process 2nd life cycle of 2nd xauth extension (IKE), .. .IPsec Virtual Private Network Fundamentals By James Henry Carmouche, - CCIE No 6085 Publisher: Cisco Press Pub Date: July 19, 2006 Print ISBN- 10: 1-58705-207-5 Print ISBN- 13: 978-1-58705-207-1... Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems... Web and Other Resources Index Copyright IPsec Virtual Private Network Fundamentals James Henry Carmouche, CCIE No 6085 Copyright © 2007 Cisco Systems, Inc Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA