cc/td/doc/product/vpn/solution/aswan15
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Deployment Models
Overview
IPSec Off-Net Access

Deployment Models


Overview

This section describes deployment models for the Cisco network-based IPSec VPN solution Release 1.5:

IPSec to MPLS VPN Configuration

In this topology, the service provider has an existing MPLS backbone and operates a MPLS VPN that interconnects all customer sites. This includes remote customer sites that are part of the MPLS VPN.

This service model enables secure off-net access to MPLS VPNs through IPSec. It allows MPLS providers to extend access to their on-net MPLS VPNs to include worldwide Internet access. Customers who wish to deploy a dynamic routing model can use GRE combined with IPSec.

A remote customer site initiates an IPSec session from the CE that terminates on a unique interface on the aggregating Cisco 7200 provider edge (PE) router. The Cisco 7200 PE then maps the site from the interface to its respective VPN.

The service provider can either:

IPSec MPLS PE Configuration

In this model a Cisco 7200 series router serves as an aggregating router and as a PE and uses VRFs to provide multiple routing instances with each instance independent of others (Figure 2-1).


Figure 2-1   IPSec into MPLS VPN Configuration


A VRF consists of an IP routing table, a derived Cisco express forwarding (CEF) table and a set of interfaces that use this forwarding table. You can associate the VRF with one or more VPNs.

As a PE on the MPLS network, the Cisco 7200 advertises the connected routes to the remote PEs containing the same VPN.

For information on configuring IPSec to MPLS VPN, refer to Chapter 2 in the Cisco Network-Based IPSec VPN Solution Release 1.5 Implementation Guide.

IPSec Aggregator Configuration

This setup uses the Multi-VRF on CE routers feature of Cisco IOS software (Figure 2-2).


Figure 2-2   IPSec into MPLS VPN Configuration


This feature brings PE functionality to the CE and uses VRF interfaces to form a VLAN-like setup on the customer side. Each VRF on the CE then maps to a VRF on the PE on separate logical or physical interfaces.

You can connect the IPSec aggregating router to the PE through various L2 technologies, including Frame Relay, ATM, or 802.1q interfaces. Each interface forwards remote sessions traffic belonging to a specific VPN.

A typical scenario: You have a GSR as a PE but want to terminate IPSec too. Terminate IPSec on a Cisco 7200 router and map to the appropriate VRF. The Cisco 7200 router on the MPLS side connects to the GSR 802.1q interface with each 802.1q mapped to the appropriate VRF.

For information on configuring IPSec to MPLS VPN, refer to Chapter 2 in the Cisco Network-Based IPSec VPN Solution Release 1.5 Implementation Guide.

IPSec to L2VPN Using L3 Routing Configuration

The IPSec to L2VPN model is very similar to the IPSec to MPLS topology described in the previous section, except the service provider has an L2 core instead of an MPLS core (Figure 2-3).


Figure 2-3   IPSec to L2VPN Configuration


The L2 core can be Frame Relay, ATM, 802.1q, or wireless.

This topology enables an L2 service provider to extend secured access service beyond its core into the Internet. Sessions terminate on the aggregator platform, similarly to the IPSec to MPLS model.You can then perform an L3 lookup in the routing table and send it out of the appropriate L2VPN VRF interface (Frame Relay, ATM, or 802.1q).

At an L3 level, the IPSec aggregator connects directly to the customer site that has L2 service. The service provider does not need to address the customer routing issue in its core. The IPSec aggregator and the L2 customer site can use either static routes or a dynamic routing protocol to establish end-to-end connectivity.

For information on configuring IPSec to L2VPN, refer to Chapter 3 in the Cisco Network-Based IPSec VPN Solution Release 1.5 Implementation Guide.

IPSec to IPSec Configuration

In this model, the IPSec aggregator aggregates any remote sites/clients and then forwards the information to a headend enterprise VPN device (Figure 2-4).


Figure 2-4   IPSec to IPSec Configuration


Because traffic is going over an open IP network, IPSec provides the necessary encryption over the IP backbone. This also permits private overlapping IP addressing schemes between enterprises.

For information on configuring IPSec to IPSec, refer to Chapter 4 in the Cisco Network-Based IPSec VPN Solution Release 1.5 Implementation Guide.

IPSec to GRE Configuration

The IPSec to GRE model is useful when the service provider has a IP backbone but still wants to provide VPN-like functionality (Figure 2-5).


Figure 2-5   IPSec to GRE Configuration


Remote sites and clients terminate as in the IPSec to IPSec model, however they are then encapsulated into GRE and forwarded to a customer headend router that is the other endpoint for GRE.

Using GRE also lets you run a routing protocol on per-VRF basis with the headend customer router. The GRE tunnels towards the headend can also be encrypted.

The packets traveling from remote clients and sites are decrypted, routed to the GRE tunnel interface where they are encapsulated with the GRE header. The GRE packet is then encrypted by IPSec to provide secure connectivity across the IP backbone.

For information on configuring IPSec to GRE, refer to Chapter 5 in the Cisco Network-Based IPSec VPN Solution Release 1.5 Implementation Guide.

PE to PE Encryption Configuration

The PE to PE encryption configuration is useful when the service provider wants to encrypt the traffic between the PE devices and an MPLS network (Figure 2-6).


Figure 2-6   PE to PE Encryption Configuration


A service provider may want to use this configuration because:

This model allows a service provider to encrypt the traffic between PE devices while continuing to maintain the traffic separation that MPLS provides.

In this configuration, the service provider creates a network of GRE tunnels between all PE devices. Because the VPN tag is maintained across the MPLS network, only a single GRE tunnel is required between two PEs to service all the VPNs.

The MPLS PE is configured to route all traffic to the IPSec PE through a GRE tunnel which that is encrypted. Similarly, the IPSec PE is configured to route all traffic to the MPLS PE through the same encrypted GRE tunnel. Tag switching is configured on the tunnel endpoints.

For information on configuring PE to PE Encryption, refer to Chapter 5 in the Cisco Network-Based IPSec VPN Solution Release 1.5 Implementation Guide.

IPSec Off-Net Access

off-net access is typically required for:

Site-to-Site Considerations

IPSec site-to-site access is for use by remote sites that require access to a specific VPN. It requires that you preconfigure each remote site (with IPSec access configuration) to communicate with the edge of the VPN. Because each site is a remote location requiring dynamic routing, you must configure a GRE tunnel for each site.

IPSec operates in:

off-net sites using the peer-to-peer IPSec model access network-based VPN through:

In the Cisco network-based IPSec VPN solution Release 1.5, IPSec in tunnel mode is used in each possible instance (because VPNs require tunnels).

You must use GRE tunnels to enable dynamic routing between off-net sites and the network-based VPN.

off-net sites typically connect to the network-based VPN in a pre-provisioned hub-and-spoke topology using IPSec tunnel mode and IPSec-protected GRE.

Operational Considerations

In an off-net site, the IPSec VPN may begin in the customer edge router (the router with the WAN interface to the Internet) or in a device behind the WAN.

If the IPSec VPN originates in the customer edge router, you must provision the router for both Internet access as well as IPSec VPN. You (service provider) and the ISP may both manage this configuration (the customer may also manage parts of the configuration that you and the ISP are not responsible for).

Joint management is not necessary (except that the customer may choose to jointly manage the device) when the IPSec VPN is in a device separate from the WAN router. For the purposes of this document, the following assumptions are made:

You (the service provider) are responsible for configuring:

When an on-net customer subscribes for service, the customer typically provides the location of the headquarter site, and on-net and off-net branch sites. This information identifies the set of PE routers necessary to service the customer.

The customer also provides the following information:

You (the service provider) can use this information to configure all necessary PEs router to provide VPN access over the MPLS backbone in a specified topology. For each on-net or off-net CE router that is brought online, you (the service provider) must configure PE-CE connectivity.

For the peer-to-peer IPSec model, there are no mechanisms for a device to autoconfigure. You must pre-provision configuration information on a peer by peer basis, one end at a CE router and one end at a PE router.


Note   ISC assumes IP connectivity to the CE routers and that the IP address of the CE router is known.

Remote VPN Access Considerations

IPSec Unity Client

The Unity protocol operates:

RADIUS servers can be used to:

For more information on the Unity client, see http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_software_versions_home.html .

Unity Client Operation

If the IKE SA negotiates use of XAUTH:

1. The client waits for a challenge and responds.

2. The server authenticates the user, typically using AAA.

3. The client requests MODE-CONFIG parameters from the server. These include:

For more information on the Unity client, see http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_software_versions_home.html .

Mapping Unity Client into VRF

The Unity protocol maps to a VRF in the same way as the peer-to-peer model described in the section titled "Mapping Unity Client into VRF" section. The Unity client must be configured with the IP address (or FQDN) of the appropriate tunnel-end point address. The group name that you configure on the Unity client for preshared key authentication is also used as the identity. You can also use RSA digital signature authentication where the DN name serves as the identify.

Figure 2-7 shows a typical connection sequence for remote sites.


Figure 2-7   Connection Sequence


Sequence of Operations—Site-to-Site Connection

The following provides typical connection sequences for remote sites (see Figure 2-7).

1. At the remote site CE4, 10.1.1.1 initiates a FTP file transfer to 10.2.1.1 on the corporate side of a network behind REM-CE3. CE4 connects to the Internet gateway by way of an access technology (dial, digital subscriber line [DSL], or cable).

2. When the packet reaches CE4, CE4 performs a route lookup for the destination address and then determines the outbound interface through which to send the packet.

3. After determining the outbound interface, CE4 checks for all the features defined on the outbound interface; this includes a crypto map check.

4. CE4 determines crypto map is configured on the egress interface and identifies the Security Policy Database (SPD) for the crypto entry.

5. CE4 determines from SPD that this traffic is interesting (meaning that it should be protected).

6. CE4 determines if existing SA in the SADB covers this policy.


Note    If there is no Security Association, CE4 initiate an IKE exchange to the IPSec-Agg PE to negotiate transforms and their corresponding proposals.

7. CE4 sends IKE SA offer (des, sha, D-H Group, lifetime). ISKAMP Phase 1, Main mode begins.

8. IPSec-Agg PE returns policy match accepting offer.

9. CE4 initiates D-H and Nonce (i) exchange to IPSec-Agg PE.

10. IPSec-Agg PE responds to CE4 with D-H and Nonce (r) exchange.

11. CE4 authenticates D-H Apply sha hash (bidirectional IKE SA established).

12. IPSec-Agg PE authenticates D-H Apply sha hash (bidirectional IKE SA is established. ISKAMP Phase 1, Main mode ends.


Note    After is established (that is, IKE SAs are established), the IPSec session maps to the VRF.

13. CE4 sends IPSec offer (transform, mode, lifetime, authen). ISKAMP Phase 2, Quick Mode begins.

14. IPSec-Agg PE identifies policy match and accepts offer.

15. If PFS (perfect forward secrecy) is enabled, CE4 initiates a new D-H exchange to generate new Keying Material (KEYMAT).

16. IPSec-Agg PE initiates D-H exchange or refresh key for IPSec. Unidirectional SA is established; ISKAMP Phase 2, Quick mode ends.


Note    Routing updates can be exchanged with the CE4 if GRE tunnels are configured for that purpose. Otherwise, static routes corresponding to the remote LAN must be defined in the VRF.

17. IPSec SAs are associated with the VRF in the SADB table; CE4 transmits packets using SA associated with the egress interface.

18. IPSec-Agg PE checks incoming encrypted packets for decryption and the encryption SA is found. IPSec-Agg PE decrypts the packet and places it in the VRF associated with the SA.

19. IPSec-Agg PE selects an MPLS label for the address of the remote site (10.1.1.1).

20. IPSec-AGG PE advertises the route to REM-PE.

21. CE3 receives the route advertisement and installs the route to 10.1.1.1.

22. IPSec-AGG PE sends the data to CE3 through MPLS using previously learned label for 10.2.1.1.

Sequence of Operations—Remote Access Connection

The client connection is very similar, however the Unity client negotiates SAs differently. The following provides typical connection sequences for remote access (see Figure 2-7).

1. For remote access, a user/client (for example, 170.20.1.1) sends packets (for transfer to main office or to another site) by way of an access technology [dial, digital subscriber line (DSL), or cable].

2. User/client launches custom-installed VPN client and uses a predefined server profile for IPSec-VPN connectivity.

3. DNS resolves server name to a public IP address.

4. Client sends IKE SA offer (des, sha, D-H Group, lifetime). ISKAMP Phase 1, Main mode begins.

5. IPSec-Agg PE returns policy match.

6. Client initiates D-H exchange to IPSec-Agg PE.

7. IPSec-Agg PE responds to client with D-H exchange.

8. Client authenticates D-H Apply sha hash (bidirectional IKE SA established).

9. IPSec-Agg PE authenticates D-H Apply sha hash. The bidirectional IKE SA is established; ISKAMP Phase 1, Main mode ends. IPSec-Agg PE associates IKE SA with the VRF defined in the profile.

10. At user/client, XAUTH prompts for user name and password and forwards to IPSec-Agg PE.

11. IPSec-Agg PE sends authentication request to RADIUS server.

12. RADIUS server accepts (or rejects) request and notifies IPSec-Agg PE.

13. Client requests Mode-Config from IPSec-Agg PE.

14. IPSec-Agg PE sends authorization request to RADIUS server (or provides requested info to client).

15. RADIUS server (or IPSec-Agg PE) provides Mode-Config info to client.

16. Client sends IPSec offer (transform, mode, lifetime, authen). ISKAMP Phase 2, Quick Mode begins.

17. IPSec-Agg PE identifies policy match and accepts offer.

18. Client initiates D-H exchange or refresh key for IPSec.

19. IPSec-Agg PE initiates D-H exchange or refresh key for IPSec. Unidirectional SA established; ISKAMP Phase 2, Quick Mode ends.

20. CE4 transmits packets using SA associated with the egress interface.

21. IPSec-Agg PE checks incoming encrypted packets for decryption and locates the encryption SA. The IPSec-Agg PE decrypts the packet and places it in the VRF associated with the SA.

22. IPSec-Agg PE selects an MPLS label for the address of the remote site (10.1.1.1).

23. IPSec-AGG PE advertises the route to REM-PE.

24. CE3 receives the route advertisement and installs the route to 10.1.1.1.

25. IPSec-AGG PE sends the data to CE3 through MPLS using a previously learned label for 10.2.1.1.


hometocprevnextglossaryfeedbacksearchhelp
Posted: Tue May 20 14:32:25 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.