VPN
- Site-to-Site VPN
- Remote Access VPN
  - Clientless VPN connection
    - Web browser SSL connection
  - Client-based VPN connection
    - Client software
SSL VPNs
- TLS (Transport Layer Security) is the newer version of SSL.
- IPsec and SSL
  - When security is an issue, IPsec is the superior choice.
GRE over IPsec
- GRE (Generic Routing Encapsulation) is a non-secure site-to-site VPN tunneling protocol.
- It supports multicast and broadcast traffic
- IPsec only creates secure tunnels for unicast traffic
Protocol | Transport | Carrier | Passenger |
---|---|---|---|
GRE over IPsec | IPsec | GRE | Original packet |
Dynamic Multipoint VPN
- DMVPN is a Cisco software solution for building multiple VPNs in an easy, dynamic and scalable manner.
- Relies on IPsec
- It uses a hub-and-spoke configuration to establish a full-mesh topology.
- Each site is configured using multipoint generic routing encapsulation (mGRE).
IPsec Virtual Tunnel Interface
- IPsec VTI is capable of sending and receiving both unicast and multicast encrypted traffic
- Applied to virtual interfaces instead of physical interfaces
- Can be configured between sites or in a hub-and-spoke topology
Service Provider MPLS (Multiprotocol Label Switching) VPN
- Layer 3 MPLS VPN
  - The service provider participates in the customer's routing by establishing a peering between the provider's router and the customer's router.
- Layer 2 MPLS VPN
  - The service provider is not involved in the customer's routing.
  - Deploys Virtual Private LAN Service (VPLS) to emulate an Ethernet multi-access LAN segment over the MPLS network.
IPsec framework
IPsec Function | Description |
---|---|
IPsec Protocols | Authentication Header (AH), Encapsulating Security Payload (ESP) |
Confidentiality | Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), Software-Optimized Encryption Algorithm (SEAL) |
Integrity | Message Digest 5 (MD5), Secure Hash Algorithm (SHA) |
Authentication | Internet Key Exchange (IKE) with Pre-Shared Key (PSK) or RSA |
Diffie-Hellman | The DH algorithm provides a public key exchange method for two peers to establish a shared secret key |
- AH does not provide confidentiality
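The GRE over IPsec tunnel and the IPsec framework choices above, as an added Cisco IOS configuration example that is not part of the original notes: it applies tunnel protection to a GRE tunnel interface (not the physical interface) and selects the stronger options from the framework table over the legacy ones. Interface names, the IKE policy number, addresses (documentation ranges), the pre-shared key and the OSPF networks are all placeholders assumed for this example.

```ios
! IKEv1 phase 1 policy: AES-256 for confidentiality, SHA-256 for integrity,
! DH group 14 for the shared secret, PSK for peer authentication.
! DES, MD5 and DH group 1 appear in the framework table but are legacy choices.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
! Placeholder key and peer address (constructed for this example)
crypto isakmp key EXAMPLE_PSK_REPLACE_ME address 198.51.100.1
!
! Phase 2 transform set: ESP gives confidentiality plus integrity;
! AH alone would only authenticate, not encrypt.
! Transport mode is enough because GRE already adds the outer IP header.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
! IPsec profile that will be bound to the tunnel interface
crypto ipsec profile GRE-IPSEC-PROFILE
 set transform-set TS-AES256-SHA256
 set pfs group14
!
! GRE is the carrier protocol, so routing-protocol multicast (OSPF here)
! can cross the tunnel; IPsec is the transport protecting the GRE packets.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-IPSEC-PROFILE
!
! Multicast routing updates ride inside the protected GRE tunnel
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Verification (run from enable mode):
!  show crypto isakmp sa   -> peer 198.51.100.1 in state QM_IDLE
!  show crypto ipsec sa    -> encaps/decaps counters increasing
!  show interface Tunnel0  -> line protocol up
```

The same IPsec profile could be attached to an IPsec VTI (tunnel mode ipsec ipv4) instead of GRE when only IP traffic needs to cross the tunnel.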