
Implementing Secure Converged Wide Area Networks (ISCW)
© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod3_L6


Slide 2: Module 3, Lesson 6: Configuring High-Availability VPNs

Slide 3: Module Introduction
- Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet.
- Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation.
- This module explains fundamental terms associated with VPNs, including the IP Security protocol and Internet Key Exchange. It then details how to configure various types of VPN, using various currently available methods.

Slide 4: Objectives
At the completion of this sixth lesson, you will be able to:
- Describe various methods to provide high availability for IPsec VPNs
- Explain the methods used to determine when a VPN has failed
- Configure systems to provide enhanced availability

Slide 5: High Availability for IOS IPsec VPNs
- IPsec-based VPNs provide connectivity between distant sites using an untrusted transport network.
- Network connectivity consists of links, devices, or paths across networks with unknown topologies. Any of these components can fail, making the VPN inoperable.
- IPsec VPNs that need high availability (HA) require redundancy in their design and implementation to survive failures.
- In this lesson, some of the techniques to provide HA will be investigated.

Slide 6: Failures
IPsec VPNs can experience any one of a number of different types of failure:
- Access link failure
- Remote peer failure
- Intermediate device failure
- Path failure
VPNs should be designed and implemented with redundancy and high-availability mechanisms to mitigate possible failures.

Slide 7: Redundancy
- The next slide illustrates an implementation of IPsec in which maximum failover is configured. The duplication techniques must also be combined with high-availability mechanisms.
- Every component has been duplicated so that the solution will survive any possible single failure:
  - Two access links are used on both ends of the tunnel to mitigate a failure of any access link
  - The remote site is configured with two remote peers in case any one of the routers fails
  - Both sites use two VPN gateways to mitigate local device failures
  - Multiple independent paths are used between remote sites to mitigate an unknown failure anywhere in any of the paths

Slide 8: Redundancy
Common solutions use one or more of these options:
- Two access links to mitigate access-link failures
- Multiple peers to mitigate peer failure
- Two local VPN devices to mitigate device failures
- Multiple independent paths to mitigate all path failures

Slide 9: Failure Detection
- The next slide illustrates the use of high-availability mechanisms to detect failures and reroute to secondary paths.
- Failures in the IPsec path are typically detected using one of these two mechanisms:
  - Dead peer detection (DPD), which is a native IKE mechanism similar to the old proprietary IKE keepalives
  - Any routing protocol running across the IPsec tunnel, which will detect failures using the hello mechanism of the routing protocol
- Detecting failures of local devices can be achieved by using the Cisco-proprietary Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP) or Gateway Load Balancing Protocol (GLBP). In each case, the failure of one routing device results in a second active routing device taking over with little interruption of traffic.

Slide 10: Failure Detection
- Native IPsec uses DPD to detect failures in the path and remote peer failure.
- Any form of GRE over IPsec typically uses a routing protocol to detect failures (hello mechanism).
- HSRP is typically used to detect failures of local devices. VRRP and GLBP have similar failure-detection functionality.

Slide 11: How DPD and Cisco IOS Keepalive Features Work
- DPD and Cisco IOS keepalives function based on a timer (often configured for 10 seconds).
- Cisco IOS keepalives are always transmitted, while periodic DPD will only send keepalives when there is no traffic flowing.
- The benefit of Cisco IOS keepalives and periodic DPD is earlier detection of dead peers.
- However, Cisco IOS keepalives and periodic DPD rely on periodic messages that have to be sent frequently. The result is that communicating peers must encrypt and decrypt more packets, and more traffic flows between peers.

Slide 12: How DPD and Cisco IOS Keepalive Features Work
- Rather than use periodic messaging, DPD defaults to an on-demand approach.
- With on-demand DPD, messages are sent based on traffic patterns. For example, if a router has to send outbound traffic and the liveliness of the peer is in question, the router sends a DPD message to query the status of the peer.
- If a router has no traffic to send, the router never sends a DPD message. If a peer is dead and the router never has any traffic to send to the peer, the router will not find out until the IKE or IPsec security association (SA) has to be renegotiated (the liveliness of the peer is unimportant if the router is not trying to communicate with the peer). However, if the router has traffic to send to the peer, and the peer does not respond, the router initiates a DPD message to determine the state of the peer.

Slide 13: IPsec Backup Peer
- DPD and IOS keepalive features can be used in conjunction with multiple peers in the crypto map to allow for stateless failover.
- DPD allows the router to detect a dead IKE peer. When the router detects the dead state, the router deletes the IPsec and IKE SAs to the peer.
- If multiple peers are configured, the router switches over to the next listed peer for a stateless failover.

Slide 14: IPsec Backup Peer
One HA design option is to use native IPsec and its HA mechanisms:
- DPD to detect failures
- Backup peers to take over new tunnels when the primary peer becomes unavailable

Slide 15: DPD Configuration Example
The router will first try the primary peer. If the primary peer is not available or becomes unavailable (DPD failure detection), the router tries the backup peers in the order listed in the crypto map.

Slide 16: 'crypto isakmp keepalive' Command

router(config)# crypto isakmp keepalive seconds [retries] [periodic | on-demand]

- seconds: Number of seconds between DPD messages; the range is from 10 to 3600 seconds. If you do not specify a time interval, you will receive an error message.
- retries: (Optional) Number of seconds between DPD retries if the DPD message fails; the range is from 2 to 60 seconds. If unspecified, the default is 2 seconds.
- periodic: (Optional) If periodic is included, DPD messages are sent at regular intervals.
- on-demand: (Optional) The default behavior and the alternative to periodic messaging. DPD retries are sent only on demand. Note that because this option is the default, the on-demand keyword does not appear in configuration output.
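To make the difference between periodic and on-demand DPD, and the stateless switch to the next listed peer, concrete, the following is an added discrete-time model of slides 11 to 16. It is illustrative code written for this page, not Cisco IOS code: the peers, addresses, the one-second tick, the assumption that a live peer answers within the tick, and the retry budget `max_retries` are all modelling assumptions; only the `seconds`/`retries` ranges and the periodic/on-demand semantics come from the slides.

```python
"""Discrete-time model of IKE dead peer detection (DPD) with crypto-map backup
peers. Added illustration of slides 11-16; not Cisco code. The retry budget
(max_retries), the one-second tick and the assumption that a live peer answers
in the same tick are modelling choices, not IOS internals."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class Peer:
    address: str
    alive: bool = True           # a dead peer never answers traffic or queries


@dataclass
class DpdRouter:
    """One crypto map listing peers in order, plus the settings of
    'crypto isakmp keepalive <seconds> [retries] [periodic | on-demand]'."""
    peers: List[Peer]
    seconds: int                 # idle time before the peer's liveness is questioned
    retries: int = 2             # seconds between retransmitted queries
    periodic: bool = False       # False = on-demand, the IOS default
    max_retries: int = 3         # ASSUMPTION: retransmissions before declaring dead
    active: int = 0              # index of the peer the tunnel currently uses
    last_heard: int = 0          # last tick with return traffic or a DPD reply
    outstanding_since: Optional[int] = None   # tick of the first unanswered query
    attempts: int = 0
    failover_time: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The command rejects values outside these ranges (slide 16).
        if not 10 <= self.seconds <= 3600:
            raise ValueError("seconds must be 10..3600")
        if not 2 <= self.retries <= 60:
            raise ValueError("retries must be 2..60")

    @property
    def peer(self) -> Peer:
        return self.peers[self.active]

    def _query(self, t: int) -> None:
        """Send an R-U-THERE; a live peer acknowledges within the tick."""
        self.attempts += 1
        self.log.append(f"t={t} DPD query #{self.attempts} -> {self.peer.address}")
        if self.peer.alive:
            self.last_heard, self.outstanding_since, self.attempts = t, None, 0
        elif self.outstanding_since is None:
            self.outstanding_since = t

    def _declare_dead(self, t: int) -> None:
        """Slide 13: delete the IKE/IPsec SAs, then try the next listed peer."""
        self.log.append(f"t={t} peer {self.peer.address} dead, SAs deleted")
        self.outstanding_since, self.attempts, self.last_heard = None, 0, t
        self.failover_time = t
        if self.active + 1 < len(self.peers):
            self.active += 1     # stateless failover: a fresh tunnel, no SA carried over
            self.log.append(f"t={t} new tunnel to backup peer {self.peer.address}")
        else:
            self.log.append(f"t={t} no remaining peers, VPN down")

    def tick(self, t: int, outbound: bool) -> None:
        """Advance one second; `outbound` is whether we have traffic for the peer."""
        if outbound and self.peer.alive:
            # Return traffic proves the peer is alive; nothing to query.
            self.last_heard, self.outstanding_since, self.attempts = t, None, 0
            return
        if self.outstanding_since is not None:
            # A query is unanswered: retransmit every `retries` seconds until the
            # budget is spent, then declare the peer dead.
            if t >= self.outstanding_since + self.attempts * self.retries:
                if self.attempts > self.max_retries:
                    self._declare_dead(t)
                else:
                    self._query(t)
            return
        idle = (t - self.last_heard) >= self.seconds
        if idle and (self.periodic or outbound):
            # periodic: query whenever the tunnel has been silent for `seconds`;
            # on-demand: only when there is traffic to send and the peer is in doubt.
            self._query(t)

    def run(self, outbound_ticks: Iterable[int], duration: int) -> str:
        sending = set(outbound_ticks)
        for t in range(duration + 1):
            self.tick(t, t in sending)
        return self.peer.address


def scenario(periodic: bool, outbound_ticks: Iterable[int]) -> DpdRouter:
    """Constructed scenario: primary peer already dead, one backup peer listed."""
    router = DpdRouter(peers=[Peer("192.0.2.1", alive=False), Peer("192.0.2.2")],
                       seconds=10, retries=2, periodic=periodic)
    router.run(outbound_ticks, duration=40)
    return router


if __name__ == "__main__":
    for label, r in [("on-demand, traffic at t=15", scenario(False, [15])),
                     ("periodic, no traffic", scenario(True, [])),
                     ("on-demand, no traffic", scenario(False, []))]:
        print(label, "->", r.peer.address, "failover at", r.failover_time)
        for line in r.log:
            print("  ", line)
```

Running the three scenarios shows the trade-off the slides describe: with `periodic`, the silent dead peer is detected after the 10-second interval plus the retry budget; with the on-demand default the first query is only triggered by outbound traffic at t=15, so failover happens later; and with no traffic at all the on-demand router never queries and keeps the dead peer as active, exactly the case slide 12 warns about.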

Slide 17: Hot Standby Router Protocol (HSRP)
- Hosts that do not support dynamic router discovery are typically configured with a default gateway (router).
- Running a dynamic router discovery mechanism on every host may not be feasible for a number of reasons, including administrative overhead, processing overhead, security issues, or lack of a protocol implementation for some platforms.
- HSRP provides failover services to these hosts.
- HSRP is not part of the IPsec or VPN suite of protocols.
- HSRP simply provides the basis for more resilient and reliable VPN design.

Slide 18: Hot Standby Router Protocol (HSRP)
- With HSRP, a set of routers work together to present the illusion of a single virtual router to the hosts on the LAN.
- This set of routers is called an HSRP group or a standby group.
- HSRP selects a single router from the group that is responsible for forwarding the packets that hosts send to the virtual router. This router is known as the active router; another router is designated as the standby router.
- In the event that the active router fails, the standby router assumes the packet-forwarding duties of the active router. Although an arbitrary number of routers may run HSRP, only the active router forwards the packets that are sent to the virtual router.

Slide 19: HSRP
HSRP can be used at:
- Head-end: Two head-end IPsec devices appear as one device to remote peers.
- Remote site: Two IPsec gateways appear as one gateway to local devices.
The active HSRP device uses a virtual IP and MAC address. The standby HSRP device takes over the virtual IP and MAC address when the active HSRP device goes down.

Slide 20: HSRP for Default Gateway at Remote Site
All remote devices use the virtual IP as the default gateway. The backup router is only used when the primary router is down.

Slide 21: HSRP for Head-End IPsec Routers
Remote sites peer with the virtual IP address (HSRP) of the head-end. RRI or HSRP can be used on the inside interface to ensure a proper return path.

Slide 22: IPsec Stateful Failover
- IPsec VPNs using DPD, HSRP, or IGPs to mitigate failures only provide stateless failover.
- IPsec stateful failover requires:
  - Identical hardware and software configurations of IPsec on the active and standby device
  - Exchange of IPsec state between the active and standby device (that is, complete SA information)

Slide 23: IPsec Stateful Failover
Deploying stateful failover for IPsec has restrictions:
1. Identical Cisco IOS images are needed.
2. Only selected VPN accelerators can be used.
3. Intrachassis failover is not supported.
4. Inside and outside interfaces must be connected on a LAN.
5. Load balancing is not supported.
6. L2TP is not supported.
7. IKE keepalives are not supported.
8. IPsec idle timers are not supported.
9. A stateful failover crypto map applied to a VRF interface is not supported.
10. Not compatible or interoperable with the SSP.

Slide 24: IPsec Stateful Failover and SSO
- IPsec stateful failover works in combination with HSRP and stateful switchover (SSO).
- SSO is responsible for synchronising ISAKMP and the IPsec SA database between the HSRP active and standby routers.
- Reverse Route Injection (RRI) is optionally used to inject the routes into the internal network.

Slide 25: IPsec Stateful Failover Example
Configure IPsec to exchange state information between head-end devices. Enable stateful redundancy.

Slide 26: Using an IPsec VPN to Back Up a WAN Connection
IPsec VPNs can be used as cost-effective and fast backups for an existing WAN. Switchover options:
- Using an IGP (for example, GRE over IPsec or VTI):
  - Use IGP metrics to influence primary path selection.
  - Optionally, use HSRP to track PVC status at the remote site.
- Using floating static routes for VPN destinations

Slide 27: Using an IPsec VPN to Back Up a WAN Connection
Example using GRE over IPsec: the IGP is used to detect PVC failures, and traffic is rerouted to the GRE over IPsec tunnel.
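The floating-static option on slide 26 and the IGP-detects-PVC-failure flow on slide 27 both come down to administrative distance and a hello/hold timer, so the following added model walks through that switchover. It is example code written for this page, not Cisco code: the prefix, next hops, the EIGRP distance of 90, the floating static distance of 200 and the 15-second hold time are constructed values chosen to match common IOS defaults, and `Rib`, `IgpNeighbor` and `next_hop` are hypothetical names.

```python
"""Model of an IPsec tunnel backing up a WAN PVC via a floating static route.
Added illustration of slides 26-27; not Cisco code. The administrative
distances (EIGRP 90, floating static 200) and the hold timer are constructed
to match IOS conventions, and the prefixes and next hops are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    source: str          # "eigrp" (learned over the PVC) or "static" (tunnel)
    distance: int        # administrative distance; the RIB installs the lowest


class Rib:
    """Routing table that keeps every candidate and installs the best one."""

    def __init__(self) -> None:
        self.candidates: Dict[str, List[Route]] = {}

    def add(self, route: Route) -> None:
        self.candidates.setdefault(route.prefix, []).append(route)

    def withdraw(self, prefix: str, source: str) -> None:
        self.candidates[prefix] = [r for r in self.candidates.get(prefix, [])
                                   if r.source != source]

    def best(self, prefix: str) -> Optional[Route]:
        cands = self.candidates.get(prefix, [])
        return min(cands, key=lambda r: r.distance) if cands else None


@dataclass
class IgpNeighbor:
    """IGP adjacency across the PVC; an expired hold timer is how the PVC
    failure is noticed (the hello mechanism of slide 9)."""
    address: str
    hold_time: int
    last_hello: int = 0

    def alive(self, now: int) -> bool:
        return now - self.last_hello < self.hold_time


def next_hop(rib: Rib, nbr: IgpNeighbor, prefix: str, now: int) -> str:
    """Withdraw the IGP route once its neighbour times out, then return the
    next hop the RIB actually installs for `prefix`."""
    if not nbr.alive(now):
        rib.withdraw(prefix, "eigrp")
    best = rib.best(prefix)
    return best.next_hop if best else "unreachable"


def is_floating(static: Route, igp: Route) -> bool:
    """A backup static route only 'floats' (stays out of the RIB while the
    primary is up) if its distance is worse than the IGP route's."""
    return static.distance > igp.distance


PREFIX = "10.1.0.0/16"
PVC_ROUTE = Route(PREFIX, "172.16.1.2", "eigrp", 90)          # primary WAN path
TUNNEL_ROUTE = Route(PREFIX, "192.168.100.2", "static", 200)  # via the GRE over IPsec tunnel


def build() -> Tuple[Rib, IgpNeighbor]:
    """Constructed starting state: both routes known, neighbour last heard at t=0."""
    rib = Rib()
    rib.add(PVC_ROUTE)
    rib.add(TUNNEL_ROUTE)
    return rib, IgpNeighbor("172.16.1.2", hold_time=15, last_hello=0)


if __name__ == "__main__":
    rib, nbr = build()
    for now in (5, 10, 14, 15, 20):
        print(f"t={now:>2} neighbour alive={nbr.alive(now)} -> "
              f"{next_hop(rib, nbr, PREFIX, now)}")
```

The point of `is_floating` is the configuration mistake this design invites: a static route toward the tunnel with the default distance of 1 would beat the IGP route and pull all traffic through the VPN even while the PVC is healthy, so the static must be entered with a distance higher than the IGP's for it to act only as a backup.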
