Overview
This chapter introduces the concepts of site-to-site virtual private networks using Cisco IOS features and covers the following topics:
- Concepts, technologies, and terms that IPsec VPNs use
- Site-to-site IPsec VPN configuration using the command-line interface
- Site-to-site IPsec VPN configuration using Cisco Security Device Manager
The IP Security (IPsec) virtual private network (VPN) is an essential tool for providing a secure network for business communication. This chapter addresses the different protocols and algorithms that IPsec uses and the different security services that IPsec provides. This chapter also introduces the different VPN technologies and examines the various Cisco products available and the best practices that you should use with them.
VPN Overview
Historically, a VPN was an IP tunnel. Therefore, a generic routing encapsulation (GRE) tunnel is technically a VPN, even though GRE does not encrypt. Point-to-Point Tunnel Protocol (PPTP) is another good example of a VPN. With PPTP, a client makes a Point-to-Point Protocol (PPP) dial-up connection to an Internet service provider (ISP). Once connected to the ISP, the client sends IP packets that carry PPP frames. This second connection is established from the client to the PPTP server at, for example, the corporate head office.
Today, the use of a VPN implies the use of encryption. With a VPN, the information from a private network is transported over a public network, such as the Internet, to form a virtual network instead of using a dedicated Layer 2 connection, as shown in Figure 5-1. To remain private, the traffic is encrypted to keep the data confidential. For the purposes of this chapter, a VPN is defined as an encrypted connection between private networks over a public network, usually the Internet.
Table 5-1 lists the primary Cisco products that can be used for VPN connectivity. Ensure that the router runs an IOS that supports VPN connectivity.
The benefits of VPNs include the following:
- Cost savings: VPNs enable organizations to use cost-effective third-party Internet transport to connect remote offices and remote users to the main corporate site, thus eliminating expensive dedicated WAN links and modem banks. Furthermore, with the advent of cost-effective high-bandwidth technologies, such as digital subscriber line (DSL), organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
- Security: VPNs provide the highest level of security by using advanced encryption and authentication protocols that protect data from unauthorized access.
- Scalability: VPNs enable corporations to use the Internet infrastructure within ISPs and devices, which makes it easy to add new users. Therefore, corporations are able to add large amounts of capacity without adding significant infrastructure.
- Compatibility with broadband technology: VPNs allow mobile workers, telecommuters, and people who want to extend their workday to take advantage of high-speed, broadband connectivity, such as DSL and cable, to gain access to their corporate networks, providing workers significant flexibility and efficiency. Furthermore, high-speed broadband connections provide a cost-effective solution for connecting remote offices.
VPN Types
Two basic types of VPN networks exist:
Site-to-Site VPNs
A site-to-site VPN, shown in Figure 5-2, is an extension of a classic WAN network. Site-to-site VPNs connect entire networks to each other; for example, they can connect a branch office network to a company headquarters network. In the past, a leased line or Frame Relay connection was required to connect sites, but because most corporations now have Internet access, these connections can be replaced with site-to-site VPNs.
In a site-to-site VPN, hosts do not have Cisco VPN Client software; they send and receive normal TCP/IP traffic through a VPN “gateway,” which could be a router, firewall, Cisco VPN concentrator, or Cisco ASA 5500 series adaptive security appliance. The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
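The gateway role described above, expressed as a Cisco IOS site-to-site IPsec configuration on one of the two gateways. This is an added illustration, not a configuration from the book; the addresses (RFC 5737 documentation ranges), the names VPN-TRAFFIC, STRONG and SITE-TO-SITE, and the pre-shared key are placeholder assumptions. A weak IKE policy is shown commented out beside the hardened one so the difference is visible.

```cisco
! Added example (not from the book). Assumed topology:
!   local LAN 10.1.1.0/24 behind WAN address 198.51.100.1
!   remote LAN 10.2.2.0/24 behind peer gateway 203.0.113.1
!
! --- Weak Phase 1 settings, kept only for contrast (do not deploy) ---
! crypto isakmp policy 10
!  encryption des
!  hash md5
!  authentication pre-share
!  group 1
! crypto ipsec transform-set WEAK esp-des esp-md5-hmac
!
! --- Phase 1 (IKE/ISAKMP): gateways authenticate each other and
!     protect the negotiation itself ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key is a placeholder; bind it to the peer address only
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.1
!
! --- Phase 2 (IPsec): how site traffic is encapsulated and encrypted ---
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode tunnel
!
! "Interesting traffic": only LAN-to-LAN packets enter the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties peer, transform set and interesting traffic together;
! PFS forces a fresh Diffie-Hellman exchange for each Phase 2 SA
crypto map SITE-TO-SITE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set STRONG
 set pfs group14
 match address VPN-TRAFFIC
!
! Apply the crypto map on the Internet-facing interface
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map SITE-TO-SITE
```

The peer gateway needs a mirror-image configuration (swapped addresses in the access list, the same policy and transform set); once traffic matching VPN-TRAFFIC is sent, `show crypto isakmp sa` and `show crypto ipsec sa` display the Phase 1 and Phase 2 security associations.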
Remote-Access VPNs
Remote access is an evolution of circuit-switching networks, such as Plain Old Telephone Service (POTS) or Integrated Services Digital Network (ISDN). Remote-access VPNs, shown in Figure 5-3, can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic. Remote-access VPNs connect individual hosts who must access their company network securely over the Internet.
In the past, corporations supported remote users by using dial-in networks and ISDN. With the advent of VPNs, a mobile user simply needs access to the Internet to communicate with the central office. In the case of telecommuters, their Internet connectivity is typically a broadband connection such as DSL or cable.
In a remote-access VPN, each host typically has Cisco VPN Client software. Whenever the host tries to send any traffic, the Cisco VPN Client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, the VPN gateway behaves as it does for site-to-site VPNs.
Cisco IOS Secure Sockets Layer (SSL)-based VPN, shown in Figure 5-4, is a maturing technology that provides remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they establish a connection. If application access requirements are modest, SSL VPN does not require a software client to be preinstalled on the endpoint host. This capability enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location.
SSL VPNs allow users to access web pages and services, including the ability to access files, send and receive email, and run TCP-based applications, without IPsec VPN Client software. SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops.
SSL VPN currently delivers two modes of SSL VPN access:
- Clientless: In clientless mode, the remote user accesses the corporate network using the web browser on the client machine, so no application needs to be installed locally on the user’s laptop.
- Thin client: In thin-client mode, the remote user downloads a Java applet by clicking the link provided on the corporate portal page, or the portal can be configured to download the Java applet automatically. The Java applet acts as a TCP proxy on the client machine for the services made available to remote users.
In many cases, IPsec and SSL VPN are complementary because they solve different problems. This complementary approach allows a single device to address all remote-access user requirements.
The primary benefit of SSL VPN is that it is compatible with Dynamic Multipoint VPNs (DMVPN), Cisco IOS firewalls, IPsec, intrusion prevention systems (IPS), Cisco Easy VPN, and Network Address Translation (NAT).
The primary restriction of SSL VPN was that it was supported only in software, where the router CPU processed the SSL VPN connections. It used to be that the onboard VPN acceleration that was available in integrated services routers (ISR) accelerated only IPsec connections. However, the newer generation of VPN acceleration for ISR now also accelerates SSL connections.
Cisco VPN Product Family
The Cisco VPN product family, listed in Table 5-2, includes remote and site-to-site Cisco IOS VPN and firewall security routers, Cisco VPN 3000 series concentrators, Cisco PIX 500 series security appliances, and Cisco ASA 5500 series adaptive security appliances. Note that both the PIX and the VPN 3000 are end-of-sale. Cisco Catalyst 6500 series switches with VPN service modules (not shown in Table 5-2) were also part of the VPN product family. That module is now end-of-sale and was replaced by the Cisco 7600 series/Catalyst 6500 Series Services Shared Port Adapter (SPA) Carrier-400, which can be configured with up to two Cisco IPsec VPN SPAs.
Characteristics of the different platforms include the following:
- Cisco VPN-enabled routers and switches: Cisco VPN security routers and switches represent the best options for customers of all sizes looking to take advantage of their existing network infrastructures to deploy VPNs and security while integrating all services into a single device with the widest selection of WAN and LAN interfaces.
- Cisco VPN 3000 series concentrators: Cisco VPN 3000 series concentrators offer both IPsec and SSL VPN connectivity on a single platform without the expense of individual feature licensing.
  Note: Cisco VPN 3000 series concentrators and the PIX are end-of-sale. For details on the specifics for end-of-sale and end-of-life devices, refer to Cisco.com.
- Cisco ASA 5500 series adaptive security appliances: The Cisco ASA 5500 series adaptive security appliances are all-in-one security appliances that deliver enterprise-class security and IPsec VPNs to small and medium-sized businesses and large enterprise networks in a modular, purpose-built appliance. Cisco ASA 5500 series adaptive security appliances incorporate a wide range of integrated security services, including firewall, IPSs, and VPNs in an easy-to-deploy, high-performance solution, along with built-in hardware VPN acceleration. By integrating VPN and security services, the Cisco ASA 5500 series adaptive security appliances provide secure VPN connectivity and communications. Cisco ASA 5500 series adaptive security appliances are ideal for clients who are looking for the best-of-breed firewall combined with comprehensive VPN support. Cisco PIX 500 series security appliances are also an excellent option for organizations whose security policies recommend separate management of the security infrastructure to set a clear demarcation between security and network operation.
- Cisco PIX 500 series security appliances: Cisco PIX 500 series security appliances provide robust, enterprise-class, integrated network security services, including stateful inspection firewall, deep protocol and application inspection, IPsec VPNs, multivector attack protection, and rich multimedia and voice security.

Note: In most networks, you will find some devices already in place. In this case, it is important to verify whether interoperability between the different devices is possible. In a customer network, there may be a Cisco ASA 5500 series adaptive security appliance at one site and a Cisco router at another. A VPN tunnel can be established between these two devices as long as the software is at a minimum version. This site-to-site VPN interoperability is possible by choosing, at a minimum, the following software versions: Cisco IOS Release 12.2(8)T and Cisco ASA 5500 series adaptive security appliance Version 8.0. Note that the Cisco PIX does not support SSL VPN.
Cisco VPN-Enabled IOS Routers
With Cisco routers running Cisco IOS Software, organizations can easily deploy and scale site-to-site VPNs of any topology (from hub-and-spoke VPNs to the more complex, fully meshed VPNs). In addition, the Cisco IOS security features combine the VPN feature set with firewall, intrusion prevention, and extensive Cisco IOS capabilities, including quality of service (QoS), multiprotocol, multicast, and advanced routing support.
Cisco provides a suite of VPN-optimized routers. Cisco IOS Software for routers combines rich VPN services with industry-leading routing, delivering a comprehensive solution. The Cisco VPN software adds strong security using encryption and authentication. These Cisco VPN-enabled routers provide high performance for site-to-site, intranet, and extranet VPN solutions.
The Cisco IOS feature sets incorporate many VPN features:
- Voice and Video Enabled VPN (V3PN): Integrates IP telephony, QoS, and IPsec, providing an end-to-end VPN service that helps ensure the timely delivery of latency-sensitive applications such as voice and video.
- IPsec stateful failover: Provides fast and scalable network resiliency for VPN sessions between remote and central sites. With both stateless and stateful failover solutions available, options such as dead peer detection (DPD), Hot Standby Router Protocol (HSRP), Reverse Route Injection (RRI), and Stateful Switchover (SSO) help ensure maximum uptime of mission-critical applications.
- DMVPN: Enables the autoprovisioning of site-to-site IPsec VPNs, combining three Cisco IOS Software features: Next Hop Resolution Protocol (NHRP), multipoint GRE, and IPsec VPN. This combination eases the provisioning challenges for customers and provides secure connectivity between all locations.
- IPsec and Multiprotocol Label Switching (MPLS) integration: Enables ISPs to map IPsec sessions directly into an MPLS VPN. You can deploy this solution on colocated edge routers that are connected to a Cisco IOS Software MPLS provider edge (PE) network. This approach enables the ISP to securely extend its VPN service beyond the boundaries of the MPLS network by using the public IP infrastructure that securely connects enterprise customer remote offices, telecommuters, and mobile users from anywhere to the corporate network.
- Cisco Easy VPN: Simplifies VPN deployment for remote offices and teleworkers. The Cisco Easy VPN solution centralizes VPN management across all the Cisco VPN devices, thus reducing the management complexity of VPN deployments.
Cisco Adaptive Security Appliances
For VPN services, Cisco ASA 5500 series adaptive security appliances offer flexible technologies that deliver tailored solutions to suit remote-access and site-to-site connectivity requirements. Cisco ASA 5500 series adaptive security appliances provide easy-to-manage IPsec and SSL VPN-based remote-access and network-aware site-to-site VPN connectivity, enabling businesses to create secure connections across public networks to mobile users, remote sites, and business partners.
The Cisco ASA 5500 series adaptive security appliances form a high-performance, multifunction security appliance family delivering converged firewall, IPS, network antivirus, and VPN services. As a key component of the Cisco Self-Defending Network, Cisco ASA 5500 series adaptive security appliances provide proactive threat mitigation that stops attacks before they spread through the network, control network activity and application traffic, and deliver flexible VPN connectivity while remaining cost-effective and easy to manage.
Compared to Cisco PIX 500 series security appliances, Cisco ASA 5500 series adaptive security appliances offer additional services, such as Cisco SSL VPN, and in some models an expansion slot that can be populated with modules that provide intrusion prevention, advanced inspection, or increased port density. The following are some of the features of Cisco ASA 5500 series adaptive security appliances:
- Flexible platform: Offers both IPsec and SSL VPN on a single platform, eliminating the need to provide parallel solutions. In addition to VPN services, Cisco ASA 5500 series adaptive security appliances offer application inspection firewall and intrusion prevention services.
- Resilient clustering: Allows remote-access deployments to scale cost-effectively by evenly distributing VPN sessions across all the Cisco ASA 5500 series adaptive security appliances and Cisco VPN 3000 series concentrators without requiring any user intervention.
- Cisco Easy VPN: Delivers uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture. Cisco ASA 5500 series adaptive security appliances dynamically push the latest VPN security policies to remote VPN devices and clients, making sure that those endpoint policies are current before a connection is established.
- Automatic Cisco VPN Client updates: Provides VPN client software the capability to automatically update, which enables Cisco VPN Client software operating on remote desktops to be automatically upgraded.
- Cisco SSL VPN: Offers Cisco SSL VPN with clientless and thin-client Cisco SSL VPN capabilities.
- VPN infrastructure for contemporary applications: Provides a VPN infrastructure capable of converged voice, video, and data across a secure IPsec network by combining robust site-to-site VPN support with rich inspection capabilities, QoS, routing, and stateful failover features, allowing businesses to take advantage of the many benefits that converged networks deliver.
- Integrated web-based management: Provides management of the Cisco ASA 5500 series adaptive security appliances using the integrated web-based Cisco Adaptive Security Device Manager (ASDM). Cisco ASDM manages all the security and VPN functions of the appliances.
Each Cisco ASA 5500 series adaptive security appliance supports a different number of VPN peers:
- Cisco ASA 5505: 10 IPsec VPN peers and 25 SSL VPN peers with the Base license. The Cisco ASA 5505 can be upgraded to the Security Plus license, which supports up to 25 concurrent remote-access clients (IPsec), and 25 VPN peers (IPsec or SSL).
- Cisco ASA 5510: 250 IPsec VPN peers and 10 SSL VPN peers. Up to 250 SSL VPN peers by installing an SSL VPN upgrade license.
- Cisco ASA 5520: 750 IPsec VPN peers and 10 SSL VPN peers. Up to 750 SSL VPN peers by installing an SSL VPN upgrade license.
- Cisco ASA 5540: 5000 IPsec VPN peers and 10 SSL VPN peers. Up to 2500 SSL VPN peers with the SSL VPN upgrade license.
- Cisco ASA 5550: 5000 IPsec VPN peers and 10 SSL VPN peers. Up to 5000 SSL VPN peers with the SSL VPN upgrade license.
- Cisco ASA 5580: 10,000 IPsec VPN peers and 10 SSL VPN peers. Up to 10,000 SSL VPN peers with the SSL VPN upgrade license.
VPN Clients
Cisco remote-access VPNs are able to use three IPsec clients: the Cisco VPN Software Client, the Cisco VPN 3002 Hardware Client, and the Certicom IPsec client, which is no longer sold but still works.
- The Cisco VPN 3002 Hardware Client (legacy equipment): A network appliance that connects small office, home office (SOHO) LANs to the VPN. The device comes in either a single-port or an eight-port switch version. The VPN 3002 Hardware Client replaces traditional Cisco VPN Client applications on individual SOHO computers.
- The Cisco VPN Software Client: Software that is loaded on the PC or laptop of an individual. The Cisco VPN Client, shown in Figure 5-5, allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers. The Cisco Easy VPN feature allows the Cisco VPN Client to receive security policies from the central-site VPN device, the Cisco Easy VPN Server, when a VPN tunnel connection is made, minimizing configuration requirements at the remote location.
- The Certicom client: A wireless client that is loaded onto wireless personal digital assistants (PDA) running the Palm or Microsoft Windows Mobile operating systems. Certicom wireless client software enables companies to extend critical enterprise applications, such as email and customer relationship management (CRM) tools, to mobile professionals by enabling handheld devices to connect to corporate VPN gateways for secure wireless access.

Cisco has recently released a new generation of VPN client: the Cisco AnyConnect VPN Client. The Cisco AnyConnect VPN Client provides remote users with secure VPN connections to the Cisco 5500 Series adaptive security appliance running Cisco ASA Software Version 8.0 and later or Cisco ASDM Version 6.0 and later, using SSL VPN, and therefore it does not connect with a Cisco PIX device or with a Cisco VPN 3000 series concentrator. The Cisco AnyConnect VPN Client supports Windows Vista, Windows XP, Windows 2000, Mac OS X (Version 10.4 or later) on either Intel or PowerPC, and Red Hat Linux (Version 9 or later).
Cisco Hardware-Based Encryption
To enhance the performance and offload the encryption task to specialized hardware, the Cisco VPN family of devices offers the following hardware acceleration modules:
- Advanced Integration Module (AIM): A broad range of Cisco routers can be equipped with AIM. The AIM modules are installed inside the router chassis and offload encryption tasks from the router CPU.
- Cisco IPsec VPN Shared Port Adapter (Cisco IPsec VPN SPA): The Cisco IPsec VPN SPA, shown in Figure 5-6, delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 series switches and Cisco 7600 series routers. Using the Cisco 7600 series/Catalyst 6500 Series Services SPA Carrier-400, each slot of the Cisco Catalyst 6500 series switch or Cisco 7600 series router can support up to two Cisco IPsec VPN SPAs.
- Enhanced Scalable Encryption Processing (SEP-E): You can upgrade Cisco VPN 3000 series concentrators with SEP-E modules. The modules perform hardware encryption of Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) traffic.
- Cisco PIX VPN Accelerator Card+ (VAC+): The PIX Firewall VAC+ delivers hardware acceleration up to 425 Mb/s of DES, 3DES, or AES IPsec encryption throughput.