DESIGNING SITE-TO-SITE IPSEC VPNS
by Boštjan Šuštar
Overview of Design Considerations
When designing a network solution, we often are faced with a myriad of parameters that influence the design process and the selection of the final solution. A network designer ideally would want to control as many parameters as possible apart from the business requirements, which is the basic set of requirements that guide us to the right solution. This study will focus on designing a solution for site-to-site virtual private networks (VPNs), using IPsec to provide virtualization and strong security for data in transit over the untrusted transport network.

Ideal Design Process

In an ideal environment, we would use a design process that can be split into the following major steps:

Step 1. Identify business and technical requirements
In this step, we collect information about the applications and protocols that will be using this VPN service; their importance, performance and reliability requirements; technical specifications, quality of service requirements, etc.

Step 2. Identify the most appropriate solution based on the given requirements
In this step, we process the requirements and try to map them to the solution that is best suited for this VPN.

Step 3. Select the most appropriate equipment and transport network based on the selected solution and technical requirements
In the last step, we select the equipment that supports the chosen solution. Ideally, this is where the design process ends. In reality, however, we may need to return to the previous step and fine-tune the solution to minimize the cost if the required equipment is too expensive.
Realistic Design Process

In reality, we often are faced with additional initial requirements that precede and may affect the selection of the solution. Very often, the transport network already is chosen. For example, a cost-cutting migration from a Frame Relay or ATM-based WAN to an MPLS VPN or the Internet sets the selection of the transport network as one of the business requirements. The designer cannot influence the selection of this transport network. On the contrary, the designer has to take into consideration the characteristics of the selected transport network, because not all IPsec implementation options are viable for every type of transport network.

Another example of reversed design order is when the equipment has been chosen and purchased before having a detailed design and understanding of the influence of the selected equipment on the final solution. The designer simply must hope that the chosen equipment supports at least one acceptable solution for implementing a site-to-site IPsec-based VPN.
Cisco IOS - IPsec Solutions
A series of articles will cover solutions using the following major implementation options with Cisco IOS routers:

Static and dynamic crypto maps
Point-to-point GRE tunnels over IPsec
Static and dynamic virtual tunnel interfaces (VTIs)
Dynamic multipoint VPNs (DMVPNs)
Group Encrypted Transport VPN (GET VPN)
Dynamic Group VPN (DGVPN)

This first article focuses on the oldest and most proven implementation option: using static and dynamic crypto maps.
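To show what the first option looks like in practice, the following is an added configuration example, not taken from the article: a hub router that uses a dynamic crypto map to accept spokes whose Internet addresses are not known in advance, and one spoke that uses a static crypto map pointing at the hub. All addresses, object names and the placeholder pre-shared key are assumptions for illustration.

```cisco
! ---- HUB (fixed address 203.0.113.1, assumed) ----
! IKE phase 1 policy; AES-256, SHA-256 and DH group 14 are chosen here
! as a reasonable baseline rather than prescribed by the article.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! A wildcard pre-shared key is required because spoke addresses are not
! known; it means every spoke shares one secret, so a compromised spoke
! can impersonate any other. Certificates avoid this and are preferable.
crypto isakmp key CHANGE-ME-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
! Dynamic map: no "set peer" and no "match address"; proxy identities
! are learned from the spoke's proposal. Reverse-route injection adds a
! route to each spoke's LAN once its IPsec SA is up.
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS-AES
 reverse-route
! Bind the dynamic map as the last entry of the interface crypto map.
crypto map CM-HUB 65000 ipsec-isakmp dynamic DYN-SPOKES
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-HUB

! ---- SPOKE (DHCP-assigned address; LAN 10.20.0.0/24, assumed) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME-PSK address 203.0.113.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
! "Interesting traffic": only spoke LAN to hub LANs (10.10.0.0/16) is
! protected; anything else leaves the interface in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.255.255
! Static map: peer, transform set and matching ACL are all fixed.
crypto map CM-SPOKE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 ip address dhcp
 crypto map CM-SPOKE
```

Because the hub has no static entry for the spoke, only the spoke can initiate the tunnel; traffic from the hub side toward 10.20.0.0/24 is dropped until the spoke brings the SA up.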
Static and Dynamic Crypto Maps
"Once upon a time, in the land of IP, there was a wide area network (WAN) providing connectivity between clients and servers, and all was well. Then, suddenly, bad things started to happen, and paranoia spread throughout the land. Firewalls grew around hamlets to protect them from the unknown beyond the realm of calm, but then packets were forced to travel through the dark forests of the WAN. There...