IPSec-VPN as a backup for the RMDCN

Similar documents
Introduction. Technology background

Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Case Study for Layer 3 Authentication and Encryption

Advanced IPSec with GET VPN. Nadhem J. AlFardan Consulting System Engineer Cisco Systems

Implementing Core Cisco ASA Security (SASAC)

AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0

Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

Cisco Which VPN Solution is Right for You?

Understanding the Cisco VPN Client

Network Services Internet VPN

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Using Entrust certificates with VPN

VPN. VPN For BIPAC 741/743GE

November Defining the Value of MPLS VPNs

Introduction to Security and PIX Firewall

- Introduction to PIX/ASA Firewalls -

Cisco IP Solution Center MPLS VPN Management 5.0

Monitoring Remote Access VPN Services

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance

IMPLEMENTING CISCO IP ROUTING V2.0 (ROUTE)

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

A Performance Analysis of Gateway-to-Gateway VPN on the Linux Platform

BUY ONLINE AT:

Chapter 4 Virtual Private Networking

GPRS / 3G Services: VPN solutions supported

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Microsoft Azure Configuration

Certes Networks Layer 4 Encryption. Network Services Impact Test Results

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

Building Trusted VPNs with Multi-VRF

Cisco Certified Security Professional (CCSP)

Kodak Remote Support System - RSS VPN

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

VNS3 Secure Network Appliance Service Defnition for G-Cloud 7

Google Compute Engine Configuration

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

This is a guide on how to create an IPsec VPN tunnel from a local client running Shrew Soft VPN Client to an Opengear device.

Colt IP VPN Services Colt Technology Services Group Limited. All rights reserved.

TechNote. Configuring SonicOS for Amazon VPC

VPN Configuration Guide. Cisco Small Business (Linksys) WRV210

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

Lab a Configure Remote Access Using Cisco Easy VPN

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

VPN Configuration Guide. Cisco ASA 5500 Series

Table of Contents. Introduction

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

IPv6 Fundamentals, Design, and Deployment

PRASAD ATHUKURI Sreekavitha engineering info technology,kammam

Scenario: Remote-Access VPN Configuration

MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper

SEC , Cisco Systems, Inc. All rights reserved.

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Cisco Configuring Basic MPLS Using OSPF

WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider

MPLS/BGP Network Simulation Techniques for Business Enterprise Networks

REMOTE ACCESS VPN NETWORK DIAGRAM

User Guide Managed VPN Router. Wireless Maingate AB. Wireless Maingate AB

Cisco Certified Network Expert (CCNE)

Gigabit SSL VPN Security Router

Cisco ASA 5500-X Series ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X

How To Setup Cyberoam VPN Client to connect a Cyberoam for remote access using preshared key

Scenario: IPsec Remote-Access VPN Configuration

IWAN Security for Remote Site Direct Internet Access and Guest Wireless

Connecting Remote Offices by Setting Up VPN Tunnels

WAN Failover Scenarios Using Digi Wireless WAN Routers

CenturyLink Cloud Configuration

VPN Quick Configuration Guide. Astaro Security Gateway V8

Cisco RV082 Dual WAN VPN Router Cisco Small Business Routers

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Firewall Troubleshooting

Introduction of Quidway SecPath 1000 Security Gateway

REMOTE ASSISTANCE SOLUTIONS Private Server

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Cisco Virtual Office: High Availability Design Guide

Cisco Easy VPN on Cisco IOS Software-Based Routers

How To Extend Security Policies To Public Clouds

How to access peers with different VPN through IPSec. Tunnel

IP VPN Solutions Secure, flexible networking options from a leader in IP solutions

Cisco Router and Security Device Manager Dial-Backup Solution

Multi Protocol Label Switching (MPLS) is a core networking technology that

How to Set Up an IPsec Connection Between Two Ingate Firewalls/SIParators (including SIP)

This section provides a summary of using network location profiles to identify network connection types. Details include:

VPN Tracker for Mac OS X

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

21.4 Network Address Translation (NAT) NAT concept

VPN Solution Guide Peplink Balance Series. Peplink Balance. VPN Solution Guide Copyright 2015 Peplink

VPN Only Connection Information and Sign up

VPN Configuration Guide. Cisco Small Business (Linksys) RV016 / RV042 / RV082

BorderWare Firewall Server 7.1. Release Notes

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

A Web Broker Architecture for Remote Access A simple and cost-effective way to remotely maintain and service industrial machinery worldwide

Transcription:

WORLD METEOROLOGICAL ORGANIZATION COMMISSION FOR BASIC SYSTEMS OPAG ON INFORMATION SYSTEMS & SERVICES Expert Team on WIS-GTS Communication Techniques and Structure Toulouse, France, 26-30 may 2008 ET-CTS/Doc. 4.4 (16.V.2008) ITEM 4.4 ENGLISH only IPSec-VPN as a backup for the RMDCN (Submitted by ECMWF) Slide 1 1 Summary and purpose of document This document presents the current situation of the IPSEC VPN tests. These tests were agreed during the ROC13. Full results will be presented during ROC14 to be held in the first week of June 2008. Slide 2 2 1

Project Presentation Background 2002: IPSec feasibility study: ECMWF, Germany, Greece, France and the Netherlands - Provides guidelines and recommendations for building secure connections over the Internet Slide 3 3 Project Presentation Background 2005: IPSec-based VPN as a backup for the RMDCN study: ECMWF, Bulgaria, China, France, Germany, Sweden, the Russian Federation and the UK) - Provides a framework for an operational RMDCN backup solution using an Internet-based IPSec VPN - Only static rerouting considered Slide 4 4 2

Project Presentation Background 2007-2008: IPSec VPN Backup for the RMDCN project: ECMWF, Belgium, China, Germany and Turkey - Using and IPSec-based VPN infrastructure to transport operational RMDCN traffic between RMDCN sites as an alternative to the RMDCN network itself - Phase #1: Building the IPSec-based infrastructure - Phase #2: Using the IPSec-based VPN infrastructure as a backup for the RMDCN in an operational context Slide 5 5 Configuration Configuration at ECMWF - Mimic the NAS ISDN backup implementation within the RMDCN: ECMWF acts as an IPSec centralising site, which guarantees the anyto-any connectivity of the RMDCN IPVPN cloud - ECMWF advertises the alternative routes to the RMDCN community through a dynamic routing exchange with the OBS IPVPN CE routers. The preferred routing protocol is EIGRP - OBS advertises the backup routes with a lower priority to the RMDCN IPVPN cloud through Redistribution of the EIGRP routes into BGP Implementation of a BGP-community tagging - OBS advertises the RMDCN IPVPN routes to ECMWF through the Slide 6 redistribution of the BGP routes into EIGRP 6 3

The ISDN backup The CAS failover uses any-to-any connectivity, ECMWF is used as a relay between NAS domain and MPLS cloud. Slide 7 7 RMDCN backup with IPSEC Slide 8 8 4

Configuration Configuration at ECMWF Slide 9 9 Configuration Configuration at an RMDCN site Option #1: using manual rerouting - The IPVPN CE router is not involved in any dynamic protocol exchange with any local network equipment - In case of outage, the local site is responsible for manually rerouting the operational RMDCN traffic though the permanently established IPSec tunnel with ECMWF via the local site IPSec-capable device. This could be done either by using static routes or a dynamic routing protocol Slide 10 10 5

Configuration - ECMWF acts as proxy for the site: It forwards the traffic to the RMDCN-IPVPN cloud It receives any traffic sent towards this site through the activation of the backup route(s) using the EIGRP redistribution into BGP and forwards it through the IPSec tunnel Slide 11 11 Configuration Configuration at an RMDCN site Option #2: using dynamic routing protocol - A dynamic routing protocol exchange is implemented between the IPVPN CE router and a local network device - The local site uses this dynamic routing protocol to route its operational RMDCN traffic towards the IPVPN CE router - In case of outage, the local site network device reroutes all the operational RMDCN traffic towards the IPSec-capable device - The IPSec-capable device forwards this traffic to ECMWF through the permanently established IPSec tunnel with ECMWF Slide 12 12 6

Configuration - ECMWF acts as proxy for the site: It forwards the traffic to the RMDCN-IPVPN cloud It receives any traffic sent towards this site through the activation of the backup route(s) using the EIGRP redistribution into BGP and forwards it through the IPSec tunnel Slide 13 13 Configuration IPSec tunnel specifications - As recommended in the previous IPSec Studies: Device authentication: X509 certificates, it is the most scalable and the most secure authentication method, using the already existing ECMWF Public Key Infrastructure (PKI) IKE session key exchange: Deffie-Hellman group 2 or higher Data integrity: the use of ESP HMAC, either MD5 or SHA Data encryption: either ESP_NULL or ESP_AES - Tests preparations Allow the IPSec traffic towards the remote sites X509 certificate enrollment with the Slide ECMWF 14 CA server Set-up of the IPSec configuration 14 7

Configuration IPSec devices involved Country IPSec device type Hostname OS version IPSec device IP address Test server IP address RMDCN Networks Belgium Openswan (open source) - - - - 193.190.231.160/28 193.190.249.224/28 China Cisco ASA cmavpn 8.0(3) 210.73.54.50 57.206.141.144 57.206.141.128/26 ECMWF Cisco ASA ecvpn 8.0(3) 193.61.196.38 136.156.14.211 136.156.0.0/16 Germany Nortel/Checkpoint dwdfw NGX R61 141.38.1.11 141.38.41.26 141.38.0.0/16 Turkey Nokia/Checkpoint MeteorCluster NGX R65 212.175.180.4 57.206.143.220 57.206.143.192/26 Slide 15 15 Tests Results Phase #1 Building the IPSec-based VPN infrastructure - The use of operational IPSec gateways: apart from China, all the sites were using operational IPSec device which meant that: Each change had to be made very carefully It was not possible to deploy a final IPSec configuration - All sites apart from China (EIGRP) use static routes to re-route the operational traffic through the IPSec tunnel (Option #1) - Checkpoint IPSec interoperability issues: establishing Cisco ASA to Checkpoint IPSec tunnels proved to be quite challenging (Turkey, Germany) - Nortel VPN accelerator card issue: in Germany, this card has to be disabled for the RMDCN traffic to go through the IPSec tunnel Slide 16 established with ECMWF 16 8

Tests Results Phase #1 Building the IPSec-based VPN infrastructure - Results summary Belgium: after considering using PIX, ipsec-tool and Openswan, the tests stalled and no working IPSec configuration could be implemented China (ASA): building the IPSec tunnel was quite straightforward since both sites were using Cisco ASA devices Germany (Checkpoint): establishing IPSec tunnels proved to be difficult, but everything was fine after disabling the Nortel VPN accelerator card and the configuration proved to be stable since Turkey (Checkpoint): establishing IPSec tunnels proved to be Slide 17 difficult, although the configuration proved to be stable afterwards 17 Tests Results Phase #2 Using the IPSec-based VPN infrastructure as a backup for the RMDCN in an operational context - Once OBS has activated the EIGRP redistribution for a site, a live re-routing was performed in 3 steps: 1. Complete the IPSec tunnel configuration (if necessary) 2. Simulate a link failure 3. Revert back the changes (if necessary) Slide 18 18 9

Tests Results Phase #2 Using the IPSec-based VPN infrastructure as a backup for the RMDCN in an operational context - Results summary China: tests to be conducted on the 21 st. No need of steps #1 and #3 as the rerouting will done automatically Germany: test done on the 8 th of May 2008. The static re-routing was successful. The RMDCN traffic towards 5 sites (out of 18) was not re-routed properly, but this is not strictly related to the IPSec infrastructure itself Turkey: test done on the 16 th of April 2008. The static re-routing with the three RMDCN sites that exchange data with Turkey was successful (ECMWF, Germany and Italy) Slide 19 19 Conclusion Recommendations Conclusion Recommendations - The use of shared devices between the RMDCN operational traffic exchange and the IPSec-based backup infrastructure created additional constraints Using dedicated IPSec box should to be considered in an operational environment - The use of IPSec devices from different vendors proved to be challenging Consider using one device type or at least one device brand for an operational deployment - manual re-routing is time-consuming and prone to mistakes The traffic re-routing has to be fast, automatic and reliable. Only Slide 20 dynamic routing processes can ensure this in an operational environment 20 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information