Cisco Which VPN Solution is Right for You?



Similar documents
Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

How Virtual Private Networks Work

VPN. Date: 4/15/2004 By: Heena Patel

Creating a VPN Using Windows 2003 Server and XP Professional

Connecting Remote Users to Your Network with Windows Server 2003

How Virtual Private Networks Work

IP Tunneling and VPNs

VPN. VPN For BIPAC 741/743GE

Case Study for Layer 3 Authentication and Encryption

Virtual Private Networks

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION

Virtual Private Network and Remote Access Setup

CS419: Computer Networks. Lecture 9: Mar 30, 2005 VPNs

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

Network Access Security. Lesson 10

IBM enetwork VPN Solutions

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Remote Access VPN Business Scenarios

Introduction to Security and PIX Firewall

What Is a Virtual Private Network?

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Virtual Private Networks Solutions for Secure Remote Access. White Paper

Virtual Private Networks

Intranet Security Solution

Virtual Private Networks

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Pre-lab and In-class Laboratory Exercise 10 (L10)

VIRTUAL PRIVATE NETWORKS: SECURE REMOTE ACCESS OVER THE INTERNET

Technical papers Virtual private networks

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

MCTS Guide to Microsoft Windows 7. Chapter 14 Remote Access

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Firewalls and Virtual Private Networks

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Virtual Private Network and Remote Access

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

Site to Site Virtual Private Networks (VPNs):

L2F Case Study Overview

Overview. Protocols. VPN and Firewalls

Remote Access VPNs Performance Comparison between Windows Server 2003 and Fedora Core 6

CS 393/682 Network Security. Nasir Memon Polytechnic University Module 7 Virtual Private Networks

7.1. Remote Access Connection

Table of Contents. Cisco Cisco VPN Client FAQ

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

co Sample Configurations for Cisco 7200 Broadband Aggreg

GPRS / 3G Services: VPN solutions supported

Chapter 12 Supporting Network Address Translation (NAT)

IOS NAT Load Balancing for Two ISP Connections

Application Note: Onsight Device VPN Configuration V1.1

Configure ISDN Backup and VPN Connection

MP PLS VPN MPLS VPN. Prepared by Eng. Hussein M. Harb

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

How To Configure Apple ipad for Cyberoam L2TP

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Network Services Internet VPN

Understanding the Cisco VPN Client

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

WAN Failover Scenarios Using Digi Wireless WAN Routers

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

MPLS L2VPN (VLL) Technology White Paper

Secure Network Design: Designing a DMZ & VPN

Licenses are not interchangeable between the ISRs and NGX Series ISRs.

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

Windows Server 2003 Remote Access Overview

BUY ONLINE AT:

RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. Kapil.Kumar@relianceinfo.com

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

CCNA Security 1.1 Instructional Resource

"Charting the Course...

HOWTO: How to configure IPSEC gateway (office) to gateway

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN

VPN s and Mobile Apps for Security Camera Systems: EyeSpyF-Xpert

Setting up VPN Access for Remote Diagnostics Support

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

PPTP Server Access Through The

Table of Contents. Cisco Configuring CET Encryption with a GRE Tunnel

VPN Wizard Default Settings and General Information

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Chapter 2 Virtual Private Networking Basics

November Defining the Value of MPLS VPNs

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

CLOUD NETWORKING FOR ENTERPRISE CAMPUS APPLICATION NOTE

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents:

Interconnecting Cisco Networking Devices Part 2

Security Technology: Firewalls and VPNs

Cisco AnyConnect Secure Mobility Solution Guide

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

MPLS Layer 3 and Layer 2 VPNs over an IP only Core. Rahul Aggarwal Juniper Networks. rahul@juniper.net

VPN Tracker for Mac OS X

Matrix Technical Support Mailer 167 NAVAN CNX200 PPTP VPN with Windows Client

LinkProof And VPN Load Balancing

A Review Paper on MPLS VPN Architecture

Network Security Topologies. Chapter 11

Transcription:

Table of Contents Which VPN Solution is Right for You?...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 NAT...2 Generic Routing Encapsulation Tunneling...2 IPSec Encryption...3 PPTP and MPPE...3 VPDN and L2TP...4 VPDN...4 L2TP...5 PPPoE...5 MPLS...5 Related Information...5 i

Which VPN Solution is Right for You? Introduction Before You Begin Conventions Prerequisites Components Used NAT Generic Routing Encapsulation Tunneling IPSec Encryption PPTP and MPPE VPDN and L2TP VPDN L2TP PPPoE MPLS Related Information Introduction Virtual Private Networks (VPNs) are becoming increasingly popular as a lower cost and more flexible way to deploy a network across a wide area. With advances in technology comes an increasing variety of options for implementing VPN solutions. This tech note explains some of these options and describes where they might best be used. Before You Begin Conventions For more information on document conventions, see the Cisco Technical Tips Conventions. Prerequisites There are no specific prerequisites for this document. Components Used The information in this document is based on the software and hardware versions below. Cisco IOS Software Release 12.0.7T. Availability depends on the platform used. Note: Cisco also provides encryption support in non IOS platforms including the Cisco Secure PIX Firewall, the Cisco VPN 3000 Concentrator, and the Cisco VPN 5000 Concentrator. The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

NAT The Internet has experienced explosive growth in a short time, far more than the original designers could have foreseen. The limited number of addresses available in IP version 4.0 is evidence of this growth, and the result is that address space is becoming less available. One solution to this problem is Network Address Translation (NAT). Using NAT a router is configured on inside/outside boundaries such that the outside (usually the Internet) sees one or a few registered addresses while the inside could have any number of hosts using a private addressing scheme. To maintain the integrity of the address translation scheme, NAT must be configured on every boundary router between the inside (private) network and the outside (public) network. One of the advantages of NAT from a security standpoint is that the systems on the private network cannot receive an incoming IP connection from the outside network unless the NAT gateway is specifically configured to allow the connection. NAT's recommended operation involves RFC 1918, which outlines proper private network addressing schemes. The standard for NAT is described in RFC1631. The following figure shows NAT router boundary definition with an internal translation network address pool. Generic Routing Encapsulation Tunneling Generic Routing Encapsulation (GRE) tunnels provide a specific pathway across the shared WAN and encapsulate traffic with new packet headers to ensure delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. Tunnels do not provide true confidentiality (encryption does) but can carry encrypted traffic.

GRE tunneling can also be used to encapsulate non IP traffic into IP and send it over the Internet or IP network. The Internet Package Exchange (IPX) and AppleTalk protocols are examples of non IP traffic. IPSec Encryption Encryption of data sent across a shared network is the VPN technology most often associated with Virtual Private Networks. Cisco supports the IP Security (IPSec) data encryption methods. IPSec encryption is an IETF standard that supports 56 bit and 168 bit encryption algorithms in IPSec client software. GRE configuration is optional with IPSec. IPSec also supports certificate authorities and Internet Key Exchange (IKE) negotiation. IPSec encryption can be deployed in standalone environments between clients, routers, and firewalls, or used in conjunction with L2TP tunneling in access VPNs. IPSec is supported in on various operating system platforms. PPTP and MPPE Point to Point Tunneling Protocol (PPTP) was developed by Microsoft; it is described in RFC2637. PPTP is widely deployed in Windows 9x/ME, Windows NT, and Windows 2000, and Windows XP client software to enable voluntary VPNs. Microsoft Point to Point Encryption (MPPE) is an informational IETF draft from Microsoft that uses RC4 based 40 bit or 128 bit encryption. MPPE is part of Microsoft's PPTP client software solution and is useful in voluntary mode access VPN architectures. PPTP/MPPE is supported on most Cisco platforms.

PPTP support was added to Cisco IOS Software Release 12.0.5.XE5 on the Cisco 7100 and 7200 platforms. Support for more platforms was added in Cisco IOS 12.1.5.T. The Cisco Secure PIX Firewall and Cisco VPN 3000 Concentrator also include support for PPTP client connections. VPDN and L2TP VPDN Virtual Private Dialup Network (VPDN) is a Cisco standard that allows a private network dial in service to span across to remote access servers. In the context of VPDN, the access server (for example, an AS5300) that is dialed into is usually referred to as the Network Access Server (NAS). The dialin user's destination is referred to as the Home GateWay (HGW). The basic scenario is that a Point to Point Protocol (PPP) client dials in to a local NAS. The NAS determines that the PPP session should be forwarded to a home gateway router for that client. The HGW then authenticates the user and starts the PPP negotiation. After PPP setup is complete, all frames are sent via the NAS to the client and home gateways. This method integrates several protocols and concepts.

L2TP Layer 2 Tunneling Protocol (L2TP) is an IETF standard that incorporates the best attributes of PPTP and L2F. L2TP tunnels are used primarily in compulsory mode (that is, dialup NAS to HGW) access VPNs for both IP and non IP traffic. Windows 2000 and Windows XP have added native support for this protocol as a means of VPN client connection. Note: In 1996 Cisco created a Layer 2 Forwarding (L2F) protocol to allow VPDN connections to occur. L2F is still supported for other functions, but has been replaced by L2TP. Point to Point Tunneling Protocol (PPTP) was also created in 1996 an an Internet draft by the IETF. PPTP provided a function similar to GRE like tunnel protocol for PPP connections. PPPoE PPP over Ethernet (PPPoE) is an informational RFC that is primarily deployed in DSL environments. PPPoE leverages existing Ethernet infrastructures to allow users to initiate multiple PPP sessions within the same LAN. This technology enables Layer 3 service selection, an emerging application that lets users simultaneously connect to several destinations through a single remote access connection. MPLS Multiprotocol Label Switching (MPLS) is a new IETF standard based on Cisco Tag Switching that enables automated provisioning, rapid rollout, and scalability features that providers need to cost effectively provide access, intranet, and extranet VPN services. Cisco is working closely with service providers to ensure a smooth transition to MPLS enabled VPN services. MPLS works on a label based paradigm, tagging packets as they enter the provider network to expedite forwarding through a connectionless IP core. MPLS uses route distinguishers to identify VPN membership and contain traffic within a VPN community. Related Information IP Security (IPSec) Product Support Pages Technical Support Cisco Systems All contents are Copyright 1992 2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Updated: Dec 23, 2002 Document ID: 14147

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information