Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
There are two VPN topologies to consider:
- Remote access VPNs: provide remote users with access to an intranet or extranet over a shared infrastructure.
- Site-to-site VPNs: link two sites (headquarters, remote offices, branch offices, customers, partners, …) to an internal network over a shared infrastructure using dedicated connections.
In this article, I will briefly introduce five IPsec VPN solutions that extend the capabilities of basic VPNs:
- Cisco Easy VPN (EzVPN)
- GRE over IPsec
- Dynamic Multipoint VPN (DMVPN)
- Virtual Tunnel Interfaces (VTIs)
- Group Encrypted Transport VPN (GET VPN)
Cisco Easy VPN (EzVPN)
Cisco Router and Security Device Manager (SDM) is an easy-to-use Internet browser-based device management tool that can configure this feature.
The Cisco Easy VPN solution helps integrate VPN remote devices within a single deployment and with a consistent policy and key management method, which simplifies remote site administration.
Cisco Easy VPN consists of two components:
- The Easy VPN Remote, which acts as the remote client
- The Easy VPN Server, which acts as the VPN headend device
GRE over IPsec
Although IPsec provides a secure method for tunneling data across an IP network, it has limitations. IPsec does not support IP broadcast or IP multicast, which prevents the use of protocols that rely on these features, such as routing protocols. IPsec also cannot carry multiprotocol (non-IP) traffic.
Generic Routing Encapsulation (GRE) is a protocol that can be used to “carry” other passenger protocols, such as IP broadcast or IP multicast, as well as non-IP protocols.
Using GRE tunnels in conjunction with IPsec provides the ability to run a routing protocol, IP multicast (IPmc), or multiprotocol traffic across the network between the headend(s) and branch offices.
With the point-to-point (p2p) GRE over IPsec solution, all traffic between sites is encapsulated in a p2p GRE packet before encryption, which simplifies the access control list referenced by the crypto map statements: the crypto ACL needs only one line permitting GRE (IP protocol 47) between the tunnel endpoints.
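As an added illustration (not configuration from the original article), here is a minimal headend-side Cisco IOS configuration for p2p GRE over IPsec using a crypto map; the addresses (documentation ranges), object names and algorithm choices are assumptions, and the branch router needs the mirror-image configuration.

```cisco
! --- IKE phase 1 (ISAKMP) policy; algorithm choices are assumptions ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key for the branch peer (placeholder value, replace before use)
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
! --- IPsec transform set; transport mode suffices because the GRE
!     encapsulation already supplies the outer IP header ---
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! --- The crypto ACL: a single line permitting GRE (IP protocol 47)
!     between the two tunnel endpoints is all the policy needs ---
ip access-list extended GRE-TO-BRANCH
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-TO-BRANCH
!
! --- p2p GRE tunnel; routing-protocol and multicast traffic ride inside it ---
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
!
! --- Physical WAN interface carries the crypto map ---
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map GRE-MAP
!
! --- OSPF forms an adjacency across Tunnel0, which plain IPsec could not
!     do because OSPF hellos are multicast ---
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

Once the tunnel is up, `show crypto ipsec sa` on the headend should list only the GRE flow between the two endpoints as the protected traffic, confirming that the single protocol-47 ACL entry covers everything sent across the tunnel.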
Dynamic Multipoint VPN (DMVPN)
Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software solution for building scalable IPsec Virtual Private Networks (VPNs).
It allows branch locations to communicate directly with each other over the public WAN or Internet, for example when using voice over IP (VoIP) between two branch offices, without requiring a permanent VPN connection between sites. It enables zero-touch deployment of IPsec VPNs and improves network performance by reducing latency and jitter, while optimizing head office bandwidth utilization.
Virtual Tunnel Interfaces (VTIs)
VTIs provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. IPsec VTIs simplify configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing.
Dynamic VTIs (DVTIs) function like any other physical interface, so you can apply quality of service (QoS), firewall, and other security services as soon as the tunnel is active.
Group Encrypted Transport VPN (GET VPN)
Cisco IOS GET VPN is a tunnel-less VPN technology that provides end-to-end security for network traffic in native mode while maintaining a fully meshed topology. It uses the core network’s ability to route and replicate packets between the various sites within the enterprise.
Cisco IOS GET VPN preserves the original source and destination IP addresses in the header of the encrypted packet for optimal routing. Hence, it is largely suited to an enterprise running over a private Multiprotocol Label Switching (MPLS)/IP-based core network. It is also well suited to encrypting multicast traffic.