White paper: Redundant IP-VPN networks

Introduction

IP VPN solutions based on the IPsec protocol have been available for a number of years. The main driver for these kinds of solutions is of course to save costs. If we can use the Internet to build secure tunnels between different locations, it is definitely more affordable than using a dedicated network such as a leased line or a frame relay connection. Internet connections also typically have a fixed monthly cost, and more and more broadband Internet connections, such as basic ADSL or cable modem connections, are available at a relatively low cost.

The goal of this white paper is to describe the different options that make these IP VPN networks a viable alternative to existing networks. We will describe some migration scenarios as well as some redundant configurations.

Technology background

The VPNs that we discuss in this white paper are based on the IPsec suite of protocols. Traffic is tunneled, encrypted and authenticated before it is sent over a public IP network, which is in most cases the Internet. All traffic is encrypted with either the DES, 3DES or AES algorithm, which makes it practically impossible to decode, because the effective encryption keys are renewed every hour via the IKE protocol. Authentication is performed via an authenticated hash that is added to every packet, so that you can be 100% sure that traffic is sent by the party you expect and has not been altered in transit.

IPsec has one big drawback: due to the tunneling mechanism it adds at least 36 bytes to every IP packet that is sent to the remote site. As IP packets vary in length, typically between 64 and 1500 bytes, the overhead caused by IPsec can be quite significant, especially when a lot of small packets are used, as in terminal emulation applications.

White paper: Redundant IP-VPN Networks 1/7

On the other hand, IPsec is a very flexible technology that has been adopted by most vendors in this industry. It works over Internet connections with dynamic IP address assignment, and you can use IPsec both for LAN-to-LAN connections and for mobile users.

Requirements for building business class VPNs

When Internet-based VPNs in particular are compared to more traditional solutions such as leased lines, frame relay, ISDN, etc., there are two important issues that need to be taken into account: reliability and performance. Before you can start comparing costs you need to be sure that the parameters regarding reliability and performance are comparable.

The Internet connection itself can never be treated as a reliable connection; however, depending on the actual Internet connection points, the chance that the connection is available will be higher or lower. If we look at the Internet itself, it consists of several networks of different providers that are coupled together mainly via so-called Internet Exchanges. In most cases there are no bottlenecks in the provider network itself. Bottlenecks, and as a result packet loss, are in most cases only seen in the interconnections between different providers. This means that when you have two locations connected to the same ISP, the chance is rather small that you do not have the full bandwidth available. This can be verified by asking for a topological drawing of the ISP network.

[Figure: Internet ISP 1 and Internet ISP 2]

Concerning reliability, the solution that we propose is to use two independent connections: either one VPN connection with an ISDN connection as backup, or two VPN connections via different Internet providers. In the upcoming chapters we will define how this can be configured via dynamic routing protocols on the NetScreen firewall/VPN appliances.

NetScreen firewall and VPN appliances

NetScreen is a supplier of hardware-based firewall/VPN appliances with a number of very interesting features that allow us to build highly redundant and scalable VPN networks. In this white paper we will only highlight some features of these devices. For a more general overview of these products we refer to their website http://www.netscreen.com

The NetScreen device that is typically used in remote offices is the NetScreen 5GT or 5XT; both have 5 10/100 ports and a modem port. These devices support a so-called dual untrust mode, which means that two Internet connections can be connected. Also supported is a dial-backup configuration whereby the NetScreen can initiate a PPP connection via, for example, an ISDN terminal adapter. All NetScreen appliances support IPsec VPN tunnels.

NetScreen has introduced the concept of tunnel interfaces and route-based VPNs. What NetScreen has achieved is that the VPN tunnels are seen as separate connections with separate interfaces. All forwarding decisions for sending traffic through tunnels are taken via the routing table.
As a tunnel interface is up or down according to whether the tunnel itself is up or down, we can use the routing table to create redundancy by defining different routes to the same destination. As dynamic routing protocols (RIP, OSPF, BGP) are supported in these devices, we can dynamically re-route the traffic via other paths to the destination, whether the destination can be reached via another VPN tunnel or via another router with, for example, an ISDN connection. In the next chapter we will describe some scenarios that show the flexibility of these devices.

People with frame relay knowledge will immediately see the equivalence between frame relay connections and IP VPN tunnels. Almost exactly the same behavior applies to IP VPN tunnels as to frame relay connections. In a NetScreen you can define unnumbered tunnels as well as numbered tunnels, whereby you configure IP addresses on the tunnel interfaces. The IP VPN tunnels are seen as separate connections, just like frame relay connections or dedicated connections via, for example, a leased line.

Redundant VPN scenarios

Scenario 1: Migration from an existing ISDN dial network

In this first scenario we will see how a customer can implement an IP-VPN network over the Internet in combination with his existing ISDN dial network. We will describe how to configure the new VPN network as the primary network and how to use the existing network as a backup. The goal is to change the existing ISDN network as little as possible, so that the current situation remains available at all times.

Current situation:
- at the central location: ISDN router with an ISDN primary rate connection
- at the remote sites: ISDN routers with an ISDN basic rate connection

As communication is used more and more, and with it the monthly ISDN bill grows, the customer wants to implement a new network with a fixed cost per month regardless of the amount of communication. However, the customer needs the same availability as with the existing, stable ISDN connection.

Our proposal:
- at the central location: NetScreen 204 appliance, leased line to the Internet
- at the remote sites: NetScreen 5XT connected to the Internet via ADSL

There will be VPNs configured between the NetScreen 5XT and the central NetScreen 204. OSPF will be used as the dynamic routing protocol in order to establish the VPN tunnels and to exchange the routing information. When a VPN tunnel is down, the corresponding tunnel interface will also be down. In the NetScreen 5XT we will configure a static route with a higher cost towards the existing ISDN router, so that when the tunnel is down packets are sent to the ISDN router instead of via the VPN tunnel. The ISDN router will then make an ISDN call to the central location.

[Figure: scenario 1 topology: central site (NetScreen 204, Cisco 3600 series router, internal database, Ethernet) and remote site (NetScreen 5XT, ADSL modem, Cisco 1700 series router, Ethernet), connected via an IPsec VPN tunnel over the Internet and via ISDN]

Via this mechanism it is not necessary to make any changes on the existing ISDN router; the only thing we need to change at the remote site is the default gateway of all the systems that need connectivity with the central site. On the central NetScreen 204 we will configure inbound network address translation so that we do not need to change the default gateway of the central systems. Via the mechanism we have described we can build up the new network site by site without affecting the other sites, whether they work via ISDN or via the VPN tunnel.

The ADSL connections at the remote sites can be very basic Internet connections with dynamic IP address assignment. The NetScreen devices can handle dynamic IP addresses on the remote site without any problem. In this case the VPN will always be established from the remote site to the central site. As soon as the VPN is established it will be possible to initiate sessions from the central site to the remote location.
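The failover behaviour that scenario 1 relies on (a tunnel interface goes down with its tunnel, so the higher-cost static route towards the ISDN router takes over, and the tunnel route wins again once the tunnel is back) is shown below as an added illustrative example. It is not part of the original white paper and not NetScreen or ScreenOS code: it is a small Python model of a routing table in which a route is only usable while its outgoing interface is up, with longest-prefix match first and metric as tie-breaker. It also goes beyond this scenario by modelling a remote site with two VPN tunnels to two central appliances via independent providers. The interface names (tunnel.1, tunnel.2, ethernet1), the metrics and the prefix 10.1.0.0/16 are constructed assumptions.

```python
# Added illustrative example: route-based VPN failover as a routing-table model.
# Hypothetical model, not NetScreen/ScreenOS code. Interface names, metrics and
# the 10.1.0.0/16 prefix are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # outgoing interface, e.g. a tunnel interface bound to an IPsec VPN
    metric: int      # lower wins among routes to the same prefix
    origin: str      # "ospf" (learned over the tunnel) or "static" (configured backup)


class Router:
    """Minimal router: interfaces with an up/down state plus a routing table."""

    def __init__(self) -> None:
        self.links: Dict[str, bool] = {}
        self.routes: List[Route] = []

    def add_interface(self, name: str, up: bool = True) -> None:
        self.links[name] = up

    def add_route(self, prefix: str, interface: str, metric: int, origin: str) -> None:
        if interface not in self.links:
            raise ValueError(f"unknown interface {interface}")
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, metric, origin))

    def set_link(self, name: str, up: bool) -> None:
        # A tunnel interface follows its tunnel: when the IPsec tunnel is down,
        # the interface is down and every route over it is ignored.
        self.links[name] = up

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over routes whose interface is up; ties broken by metric."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if self.links[r.interface] and addr in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def next_hop_interface(self, dst: str) -> Optional[str]:
        route = self.lookup(dst)
        return route.interface if route else None


CENTRAL_LAN = "10.1.0.0/16"   # constructed prefix for the central site LAN


def scenario1_remote_site() -> Router:
    """Scenario 1: VPN tunnel primary, static higher-cost route to the ISDN router as backup."""
    r = Router()
    r.add_interface("tunnel.1")    # IPsec tunnel to the central NetScreen 204
    r.add_interface("ethernet1")   # LAN segment where the existing ISDN router sits
    r.add_route(CENTRAL_LAN, "tunnel.1", metric=10, origin="ospf")
    r.add_route(CENTRAL_LAN, "ethernet1", metric=100, origin="static")
    return r


def two_tunnel_remote_site() -> Router:
    """Two tunnels over independent providers (ADSL and cable), no ISDN backup."""
    r = Router()
    r.add_interface("tunnel.1")    # via ADSL to the first central NetScreen 204
    r.add_interface("tunnel.2")    # via cable modem to the second central NetScreen 204
    r.add_route(CENTRAL_LAN, "tunnel.1", metric=10, origin="ospf")
    r.add_route(CENTRAL_LAN, "tunnel.2", metric=20, origin="ospf")
    return r


def failover_trace(r: Router, dst: str, outages: List[str]) -> List[Optional[str]]:
    """Chosen outgoing interface before, and after each listed interface goes down."""
    path = [r.next_hop_interface(dst)]
    for iface in outages:
        r.set_link(iface, False)
        path.append(r.next_hop_interface(dst))
    return path


if __name__ == "__main__":
    print(failover_trace(scenario1_remote_site(), "10.1.2.3", ["tunnel.1"]))
    print(failover_trace(two_tunnel_remote_site(), "10.1.2.3", ["tunnel.1", "tunnel.2"]))
```

The model deliberately keeps both routes in the table at all times: nothing has to be reconfigured on failover or recovery, the interface state alone decides, which is exactly why the existing ISDN router in scenario 1 needs no changes. When both tunnels of the two-tunnel site are down the lookup returns None, i.e. the destination is unreachable, which is the case that a dial backup or a second device would cover.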
Scenario 2: Building a new redundant VPN network

In this second scenario we assume a customer who needs to build a highly redundant network between one central site and multiple remote sites. The proposal that we would make in this case is to build a redundant IP VPN network based on VPN connections via two different and independent Internet providers.

What we propose:
- at the central location: two NetScreen 204 appliances, two leased lines or SDSL connections
- at the remote sites: NetScreen 5XT connected to the Internet via ADSL and cable modem

The key issue in this network topology is the fact that we create two tunnels from every remote site to the central site via two completely independent providers. At the central site we foresee two leased-line connections to the two different providers, each connected to a separate NetScreen 204. At the remote site we connect both the ADSL and the cable connection to the NetScreen 5XT. The NetScreen 5XT will establish two tunnels to the two NetScreen 204 appliances at the central site.

[Figure: scenario 2 topology: central site (two NetScreen 204 appliances, two Cisco 1700 series routers, internal mail server, internal database, Ethernet) and remote site (NetScreen 5XT, modem, Ethernet), connected via two IPsec VPN tunnels over the Internet]

When the primary tunnel is down, all traffic will be re-routed via the other VPN tunnel. This can happen when there is a problem with the provider or the access line, or when there is a problem at the central site with either the router, the leased line or the NetScreen. If the NetScreen 5XT is connected to both the ADSL network and the cable network, redundancy is even added at the physical level. As the ADSL network uses the telephone copper pair and the cable network uses the coax cable of the television distribution, this is a much higher level of redundancy than using, for example, ISDN as a backup, because ISDN typically uses exactly the same copper pair as your ADSL connection. If there is a physical problem with that cable, neither of them will work!

An extension to the network described above is to use two different NetScreen 5XT devices in every remote office. This adds device-level redundancy for the NetScreen 5XT. Although these boxes are very reliable, you can install both of them in order to make the network even more redundant. The routing over the VPN tunnels will again be done via a dynamic routing protocol such as OSPF, as described above.

Conclusion

As you have read in this white paper, we can create highly redundant IP-VPN networks with the NetScreen appliances. Due to the implementation of tunnel interfaces and route-based VPNs, in combination with dynamic routing protocols, very intelligent networks can be configured to overcome the limits of IP-VPNs over the public Internet. Several scenarios can be implemented to migrate existing networks towards these topologies. The migration scenarios are very important because they give you the opportunity to test the new network before you actually touch or change the existing network. This way even the people most skeptical towards this technology can be convinced of its value, especially if they compare the monthly costs with those of expensive private networks!

As our proposal is completely provider-independent, it offers a way to constantly look for new opportunities. If, for example, a new wireless Internet provider becomes available at some locations, you can do some testing with this provider. If costs and performance are better than with the existing one, you can quite easily change over without adapting the configuration of the network. From an end-to-end point of view the network does not change; the only thing that changes is the configuration of the NetScreen devices, which can be done remotely.
About the author

Frank Staut is a senior consultant and co-founder of the company SecureLink. Frank has more than 10 years of experience in the networking and security market space. He holds a number of industry certifications, such as a Nortel Networks support expert certification, and he is a certified NetScreen security professional as well as a NetScreen trainer.