Cisco Site-to-Site VPN Basics

When designing a Site to Site VPN solution, there are mainly three components to consider:

Choosing VPN LAN Topology: the overall logical network architecture which depicts the way in which different sites are interconnected with each other. When choosing between different VPN LAN Topology, traffic pattern must be gathered and analyzed as well as connectivity requirements should be determined. Besides, existing physical network topology also needs to be taken into consideration here.

image
VPN WAN Technology & Security Mechanisms Selection: IPsec provides many different encapsulation methods (Authentication Header [AH] and Encapsulating Security Payload [ESP]) as well as several working mode (transport mode, tunnel mode, and a mixed hybrid mode used by Group Encrypted Transport [GET VPN]). GET is a mixed encapsulation method that is usually
considered as a non-tunneling mode and therefore is not recommended for use over public networks.
Besides, most implementation use IPSec Tunnel mode or a combination of IPSec and Generic Routing Encapsulation (GRE) as a method of transport. Additional factors to be assessed are:

  • Configuration Scalability: the easiness of managing the whole VPN sites and adding or deleting an new VPN site.
  • Authentication Scalability: in large scale deployments which consist of many remote VPN sites, different authentication mechanisms and key exchange procedure vary significantly in the complexity of authenticating peers and key management.
    Using a pre-shared key that must be manually shared between peers will not scale well. The number of passwords that need to be shared among peers is found with the formula n*(n-1)/2. A network that is fully meshed with 100 nodes would require manually sharing 4500 passwords. Using Public Key Infrastructure (PKI) to provide authentication using certificates provides a scalable solution but requires a properly deployed and maintained PKI and supporting infrastructure to already be in place.
  • General Guidelines for choosing the best VPN WAN Technology
    1) A VPN technology that supports tunneling must be chosen if the transport network does not route internal VPN address spaces. All Cisco IOS Software IPsec VPN technologies except GET VPN use IP tunneling.
    2) Fully meshed networks demand configuration and authentication on every device. This can be achieved by deploying PKI-based authentication.
    3) Hub-and-spoke implementations require high configuration and authentication scalability on the hub device. This makes a hub-and-spoke network much easier to deploy in some cases.

VPN WAN technologies and comparison among them

  • Individual IPsec Tunnels: This technology is implemented using Virtual Tunnel Interfaces (VTI) or GRE over IPsec tunnels. A separate point-to-point tunnel must be provisioned for each and every tunnel peering, limiting this solution with very low configuration scalability. If pre-shared keys are used for authentication between the two peers, this solution is considered to have low authentication scalability. Individual IPsec tunnels are adequate for any transport and can therefore be used across the public Internet, but should be used only in environments where the number of tunnels is very small.
  • Cisco Easy VPN: Created to support hub-and-spoke networks, Easy VPN provides very high hub configuration scalability and authentication scalability using either pre-shared keys or PKI. Although this book does not cover Easy VPN configuration for site-to-site VPNs, it is very similar to Easy VPN remote access VPN deployment. Easy VPN does support IP tunneling; therefore, it is adequate for users over any transport network, including the Internet.
  • Cisco Dynamic Multipoint VPN (DMVPN): DMVPN is based on a hub-and-spoke configuration but allows spoke-to-spoke tunnels to be dynamically and automatically provisioned. Configuration scalability is high because only spoke-to-hub peering needs to be configured, and as long as PKI is used for authentication, authentication scalability is high as well. DMVPN can be used in hub-and-spoke, partial mesh, and full mesh environments. It is also adequate for connections that traverse public networks, such as the Internet, because it supports IP tunnels.
  • Cisco GET VPN: Cisco GET VPN uses a mixed encapsulation in which the IP addressing of the packets does not get changed as it is encapsulated. Because of this, it can only be deployed over networks that can route the internal addresses, such as Multiprotocol Label Switching (MPLS) or private WAN circuits. GET VPNs cannot be deployed over the Internet because of this. Cisco GET defaults to a full mesh topology with a small number of policy/authentication hubs called key servers. Because of this, Cisco GET provides high configuration and authentication scalability.

image