Customer Needs

For this scenario, let’s say you and I have a customer with offices in New York and Raleigh, North Carolina. The office in New York has a local area network and a single router, R1, that connects to the Internet. Router 2 (R2) is used to provide Internet access for the site in Raleigh. Figure 7-1 is a topology diagram of this network.

Figure 7-1 Company Network Topology with Two Sites

The site in New York has file servers that contain sensitive customer data, and the users at the site in Raleigh will need access to that data. In addition, users in New York need the ability to securely access some of the computers in Raleigh that have file sharing services enabled. Both sites use private IP addresses on their LANs, and those addresses cannot be routed directly across the Internet.

The customer has asked us for a recommendation that allows file services between the two offices to be used securely. The customer also wants to ensure that data is not altered or corrupted while it is in transit over the networks. A further concern is an attacker located somewhere on the Internet, other than the New York or Raleigh office, fooling one of the routers by pretending to be the other router and connecting to the network. At this time the company needs no remote access to the networks other than directly between the two sites.

You and I go back to our office and consider the customer’s network and requirements. As we consider the VPN options that provide security, we remember that IPsec can perform the following:

• Confidentiality: Symmetric encryption algorithms such as 3DES, IDEA, and AES turn plaintext into ciphertext. Today AES is the appropriate choice; DES and 3DES are considered weak and should not be used for new deployments.

• Data integrity: Hashing algorithms such as MD5 or SHA, used in a Hashed Message Authentication Code (HMAC), verify that the data has not been manipulated during its transit across the network. HMAC-SHA-256 or stronger is preferred; HMAC-MD5 and HMAC-SHA-1 are legacy options.

• Authentication: The VPN peers authenticate each other near the beginning of a VPN session, using PSKs or digital signatures (leveraging digital certificates). This is what addresses the customer's concern about impersonation: a host that cannot present the correct PSK, or a certificate from the trusted CA, cannot pose as R1 or R2.

• Hiding the private address space from the Internet: IPsec's Encapsulating Security Payload (ESP) in tunnel mode encrypts and encapsulates the entire original packet and then prepends a new IP header before forwarding it, so the Internet sees only a packet from the global IP address of one router destined to the global address of the other. The private source and destination addresses travel inside the encrypted payload.

Tunnel mode and transport mode are IPsec's two encapsulation modes, not two methods of encryption. In tunnel mode the entire original IP packet, header and payload, is protected and encapsulated, and a new outer IP header carrying the routers' global addresses is added. In transport mode only the payload above the IP header is protected; the original IP header is retained and is sent in the clear. Because both offices use private addresses that cannot be routed across the Internet, a site-to-site VPN between R1 and R2 requires tunnel mode.
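As an added example that is not part of the original chapter, the following Cisco IOS configuration for R1 shows how each of the four services above, and tunnel mode, maps to a specific line of a site-to-site IPsec (IKEv1 crypto map) configuration; R2 mirrors it with the addresses swapped. The addresses are assumed for the example (R1 global 203.0.113.1, R2 global 198.51.100.1, New York LAN 10.1.1.0/24, Raleigh LAN 10.2.2.0/24), as are the policy, transform-set, ACL and crypto map names, and the pre-shared key is a placeholder to be replaced with a long random value.

```cisco
! R1 (New York). Addresses, names and the PSK are assumed for this example.
!
! Phase 1 (ISAKMP/IKEv1): protects the negotiation and authenticates the peers.
crypto isakmp policy 10
 ! confidentiality for the IKE exchange
 encryption aes 256
 ! integrity: HMAC-SHA-256 rather than md5 or sha (SHA-1)
 hash sha256
 ! peer authentication with a pre-shared key (rsa-sig would use certificates)
 authentication pre-share
 ! 2048-bit Diffie-Hellman; do not use groups 1, 2 or 5
 group 14
 lifetime 28800
!
! The PSK is bound to R2's global address. A host at any other Internet
! address cannot complete authentication by claiming to be R2, and a host
! at R2's address still has to know the key.
crypto isakmp key 0 REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.1
!
! Phase 2 (IPsec): what protects the customer's data.
! esp-aes 256      = confidentiality
! esp-sha256-hmac  = data integrity
! mode tunnel      = whole original packet encapsulated; the private
!                    10.x.x.x addresses never appear on the Internet
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting" traffic: only the two LANs talking to each other.
ip access-list extended VPN-NY-TO-RALEIGH
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! The crypto map ties peer, transform set and interesting traffic together.
! Perfect forward secrecy gives each IPsec SA its own DH-derived key.
crypto map CM-SITE2SITE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-NY-TO-RALEIGH
!
! Apply the crypto map to the outside interface.
interface GigabitEthernet1/0
 description Outside (Internet)
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-SITE2SITE
```

On R2 the same configuration is entered with 203.0.113.1 as the peer and PSK address, and with the source and destination of the VPN access list reversed (10.2.2.0/24 to 10.1.1.0/24); if the two access lists are not exact mirrors, Phase 2 negotiation fails. A current deployment would prefer IKEv2 and certificate authentication over IKEv1 with a PSK, but the structure above is what the crypto maps mentioned later in the chapter refer to.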

IPsec technologies and methods look like a perfect fit for the customer. Before we go much further, we want to verify that the Internet connections for R1 and R2 are working and that R1 and R2 can reach each other. A simple ping from R1 to the global address of R2 does this. If Internet Control Message Protocol (ICMP), which the ping utility uses, is filtered somewhere in the path, a failed ping does not necessarily mean that IPsec will not work, because the protocols IPsec uses may still be permitted between the routers. Table 7-2 shows the critical protocols that we may need between R1 and R2.


Table 7-2 Protocols That May Be Required for IPsec

If R1 and R2 have access lists applied inbound on their outside interfaces (G1/0), we need to ensure that the required protocols are permitted between the global (Internet) IP addresses of the two routers. Each router also needs a route toward the remote site's networks, either specific routes or, at a minimum, a default route pointing to the Internet. Without a route the router will not try to forward the packet, so the packet never reaches the crypto map that is looking for interesting traffic: the routing decision is made before IPsec processing takes place.
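The following is an added example, not part of the original chapter, of the reachability check, the route and the inbound outside-interface access list discussed above, as they would be entered on R1. The addresses are assumed (R1 global 203.0.113.1, R2 global 198.51.100.1, ISP next hop 203.0.113.254), as is the access list name. The protocol entries are the standard ones for IPsec: IKE/ISAKMP on UDP 500, NAT Traversal on UDP 4500, ESP (IP protocol 50) and AH (IP protocol 51); the contents of Table 7-2 itself are not reproduced in this extract.

```cisco
! R1 (New York). Addresses and the ACL name are assumed for this example.
!
! 1. Reachability (exec mode): ping R2's global address, sourced from R1's
!    own global address so the reply is addressed to the VPN endpoint.
!    A failure may only be ICMP filtering in the path, so also confirm that
!    R1 has a route toward R2 before concluding the link is down.
ping 198.51.100.1 source 203.0.113.1
show ip route 198.51.100.1
!
! 2. Routing (config mode): a default route toward the ISP is enough.
!    Without a route the packet is dropped before the crypto map on G1/0
!    ever sees it, so the tunnel is never triggered.
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! 3. Inbound ACL on the outside interface: permit IPsec only between the
!    two routers' global addresses. Anything claiming to be R2 from another
!    source address is dropped here, before IKE even sees it.
ip access-list extended OUTSIDE-IN
 remark IPsec from R2 (Raleigh) only
 ! IKE / ISAKMP, UDP 500
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 ! NAT Traversal (IKE and ESP in UDP), UDP 4500; needed if a NAT device
 ! sits between the routers
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 ! ESP, IP protocol 50
 permit esp host 198.51.100.1 host 203.0.113.1
 ! AH, IP protocol 51; only needed if AH is part of the transform set
 permit ahp host 198.51.100.1 host 203.0.113.1
 ! Return traffic for the LAN's normal Internet sessions must be handled
 ! separately (for example with stateful inspection); the implicit deny
 ! at the end of the ACL drops everything else.
!
interface GigabitEthernet1/0
 ip access-group OUTSIDE-IN in
!
! 4. After interesting traffic has been sent (exec mode): confirm that the
!    Phase 1 and Phase 2 security associations came up with R2.
show crypto isakmp sa
show crypto ipsec sa peer 198.51.100.1
```

R2 needs the mirror image of the access list with 203.0.113.1 as the permitted source. The `show crypto isakmp sa` output should show the peer in state QM_IDLE once Phase 1 has completed; if it never appears, check the ACL and routing on both routers before suspecting the crypto configuration.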
