Icons Used in This Book

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

  • Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

  • Italics indicate arguments for which you supply actual values.

  • Vertical bars (|) separate alternative, mutually exclusive elements.

  • Square brackets [ ] indicate optional elements.

  • Braces { } indicate a required choice.

  • Braces within brackets [{ }] indicate a required choice within an optional element.

Introduction

VPNs are becoming more important for both enterprises and service providers. IPSec specifically is one of the more popular technologies for deploying IP-based VPNs. There are many books on the market that go into the technical details of the IPSec protocols and cover product-level configuration, but they do not address the overall design issues of deploying IPSec VPNs.

The Goals of This Book

The objective of this book is to provide you with a good understanding of design and architectural issues of IPSec VPNs. This book will also give you guidance on enabling value-added services and integrating IPSec VPNs with other Layer 3 (MPLS VPN) technologies.

Who Should Read This Book

The primary audience for this book is network engineers involved in design, deployment, and troubleshooting of IPSec VPNs. The assumption in this book is that you have a good understanding of basic IP routing, although IPSec knowledge is not a prerequisite.

How This Book Is Organized

The book is divided into three general parts. Part I covers the general architecture of IPSec, including its protocols and Cisco IOS IPSec implementation details. Part II, beginning with Chapter 5, examines the IPSec VPN design principles covering hub-and-spoke, full-mesh, and fault-tolerant designs. Part II also covers dynamic configuration models used to simplify IPSec VPN designs, and presents a case study. Part III, beginning with Chapter 8, covers design issues in adding services such as voice and multicast to an IPSec VPN, and integrating IPSec VPNs with MPLS VPNs. The book is organized as follows:

  • Part I, “Introduction and Concepts”

    • Chapter 1, “Introduction to VPNs”—Provides an introduction to VPN concepts and covers a brief introduction to various VPN technologies.

    • Chapter 2, “IPSec Overview”—Gives an overview of IPSec protocols and describes differences between transport mode and tunnel mode. Cisco IOS IPSec packet processing is also explained in this chapter.

    • Chapter 3, “Enhanced IPSec Features”—Introduces advanced IPSec features that improve IPSec VPN scalability and fault tolerance, such as dead peer detection and control plane keepalives. This chapter also explains the challenges of IPSec interoperating with Network Address Translation (NAT) and Path Maximum Transmission Unit detection (PMTUD) and how to overcome these challenges.

    • Chapter 4, “IPSec Authentication and Authorization Models”—Explores IPSec features that are primarily used for remote access users, such as Extended Authentication (XAUTH) and Mode-configuration (MODE-CFG). It also explains the Cisco EzVPN connection model and digital certificate concepts.

  • Part II, “Design and Deployment”

    • Chapter 5, “IPSec VPN Architectures”—Covers various IPSec connection models such as native IPSec, GRE, and remote access. Deployment architectures for each of the connection models are explored, with the pros and cons of each architecture.

    • Chapter 6, “Designing Fault-Tolerant IPSec VPNs”—Discusses how to introduce fault tolerance into VPN architectures and describes the caveats with the various fault-tolerance methods.

    • Chapter 7, “Auto-Configuration Architectures for Site-to-Site IPSec VPNs”—Covers mechanisms to alleviate the configuration complexity of a large-scale IPSec VPN; Tunnel Endpoint Discovery (TED) and Dynamic Multipoint VPNs (DMVPN) are the two mechanisms discussed in depth.

  • Part III, “Service Enhancements”

    • Chapter 8, “IPSec and Application Interoperability”—Examines the issues with IPSec VPNs in the context of applications running over the VPN, such as voice and multicast.

    • Chapter 9, “Network-Based IPSec VPNs”—Concludes by introducing the concept of network-based VPNs.
