Content Overview

Virtual private networks (VPNs) use encryption and tunneling to let organizations establish secure, end-to-end, private network connections over third-party networks such as the Internet or extranets. Cisco offers a wide range of VPN products, including VPN-optimized routers, PIX Security Appliances, Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These devices are combined to build VPN solutions that meet an organization's security requirements. This module explains the fundamental terms associated with VPNs, including the IP Security (IPsec) protocol suite and Internet Key Exchange (IKE). It details how to configure site-to-site IPsec VPNs and GRE tunnels over IPsec, how to implement high-availability (HA) VPNs, and how to configure telecommuter access using the Cisco Easy VPN feature. To simplify these configurations, the Cisco Security Device Manager (SDM) is also introduced.

Resources

RFCs that concern IPsec include the following. Note that several of these have since been obsoleted: RFC 4301, 4302 and 4303 replace RFC 2401, 2402 and 2406, and IKEv2 (RFC 4306, later RFC 5996 and RFC 7296) replaces RFC 2407, 2408 and 2409. Single DES (RFC 1829, RFC 2405) is no longer considered secure and should not be used in new deployments.
RFC 1829: The ESP DES-CBC Transform
RFC 1851: The ESP Triple DES Transform
RFC 2085: HMAC-MD5 IP Authentication with Replay Prevention
RFC 2207: RSVP Extensions for IPsec Data Flows
RFC 2401: Security Architecture for the Internet Protocol
RFC 2402: IP Authentication Header
RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC 2406: IP Encapsulating Security Payload (ESP)
RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409: The Internet Key Exchange (IKE)
RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
RFC 2451: The ESP CBC-Mode Cipher Algorithms
RFC 2539: Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
RFC 2631: Diffie-Hellman Key Agreement Method
RFC 2857: The Use of HMAC-RIPEMD-160-96 within ESP and AH
RFC 2875: Diffie-Hellman Proof-of-Possession Algorithms
RFC 3070: Layer Two Tunneling Protocol (L2TP) over Frame Relay
RFC 3104: RSIP Support for End-to-End IPsec
RFC 3145: L2TP Disconnect Cause Information
RFC 3193: Securing L2TP Using IPsec
RFC 3301: Layer Two Tunneling Protocol (L2TP): ATM access network extensions

RFCs relating to GRE tunneling:

RFC 1701 and RFC 2784: describe a general-purpose GRE that can also carry non-IP protocols across the transport network
RFC 1702: describes how GRE is used to transport arbitrary Layer 3 payloads over IPv4 networks
RFC 3147: describes GRE over Connectionless Network Service (CLNS) networks
RFC 4023: describes Multiprotocol Label Switching (MPLS) encapsulation inside GRE
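The GRE RFCs listed above define only the encapsulation; the confidentiality and integrity of a tunnel come from IPsec, which is why the module pairs GRE tunnels with IPsec rather than using GRE alone. The following Python is an added example and not code from the Cisco course or any Cisco product: it builds and parses an RFC 2784 GRE header around a constructed IPv4 packet, shows that the optional GRE checksum is recomputable by anyone who rewrites the packet, and then applies an HMAC-SHA-1-96 integrity check value (ICV) as RFC 2404 specifies for AH and ESP, which rejects the same edit. The packet bytes, addresses and key are constructed for the demonstration.

```python
"""
Added example, not part of the Cisco course text: RFC 2784 GRE encapsulation and
decapsulation of a constructed IPv4 packet, then the integrity check GRE lacks,
an HMAC-SHA-1-96 ICV as RFC 2404 specifies for AH and ESP. All packet bytes,
addresses and the key are constructed here; nothing touches the network.
"""
import hashlib
import hmac
import struct

GRE_FLAG_C = 0x8000         # RFC 2784 bit 0: Checksum Present
GRE_RESERVED_MASK = 0x7C00  # RFC 2784 bits 1-5: receiver MUST discard if set
GRE_VERSION_MASK = 0x0007   # RFC 2784 bits 13-15: Version, must be 0
ETHERTYPE_IPV4 = 0x0800     # GRE Protocol Type for an IPv4 payload
ICV_LEN = 12                # RFC 2404: HMAC-SHA-1 truncated to 96 bits


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's complement checksum, as GRE, IP, TCP and UDP use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int = ETHERTYPE_IPV4, checksum: bool = True) -> bytes:
    """Prepend an RFC 2784 GRE header (version 0) to payload."""
    if not checksum:
        return struct.pack("!HH", 0, proto) + payload
    # The checksum covers header plus payload with the Checksum field zeroed.
    zeroed = struct.pack("!HHHH", GRE_FLAG_C, proto, 0, 0)
    csum = internet_checksum(zeroed + payload)
    return struct.pack("!HHHH", GRE_FLAG_C, proto, csum, 0) + payload


def gre_decapsulate(packet: bytes):
    """Parse an RFC 2784 GRE packet; return (proto, payload) or raise ValueError."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    if flags & GRE_RESERVED_MASK:
        raise ValueError("reserved bits set")
    if not flags & GRE_FLAG_C:
        return proto, packet[4:]
    if len(packet) < 8:
        raise ValueError("truncated GRE checksum")
    # A correct checksum makes the checksum over the whole packet come out to 0.
    if internet_checksum(packet) != 0:
        raise ValueError("GRE checksum mismatch")
    return proto, packet[8:]


def build_ipv4(src: bytes, dst: bytes, body: bytes) -> bytes:
    """Constructed minimal IPv4 header (protocol 17, no options) in front of body."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0x4000, 64, 17, 0, src, dst)
    return header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:] + body


def rewrite_inner_dst(gre_packet: bytes, new_dst: bytes) -> bytes:
    """On-path attacker: change the inner IPv4 destination and fix up both checksums."""
    proto, inner = gre_decapsulate(gre_packet)
    header = inner[:10] + b"\x00\x00" + inner[12:16] + new_dst
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return gre_encapsulate(header + inner[20:], proto)


def icv_sha1_96(key: bytes, data: bytes) -> bytes:
    """RFC 2404: HMAC-SHA-1 output truncated to its leftmost 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, packet: bytes) -> bytes:
    """Append an ICV, binding the packet to the authentication key as AH/ESP do."""
    return packet + icv_sha1_96(key, packet)


def verify(key: bytes, protected: bytes) -> bytes:
    """Return the packet if its ICV matches; comparison is constant-time."""
    body, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    if not hmac.compare_digest(icv, icv_sha1_96(key, body)):
        raise ValueError("integrity check value mismatch")
    return body


def demo() -> dict:
    """Tunnel round trip, corruption, forgery against plain GRE, and the same forgery against an ICV."""
    inner = build_ipv4(b"\x0a\x01\x01\x0a", b"\x0a\x02\x02\x14", b"hello")  # 10.1.1.10 -> 10.2.2.20
    tunnel = gre_encapsulate(inner)
    proto, recovered = gre_decapsulate(tunnel)

    # Random corruption is caught by the GRE checksum ...
    corrupted = tunnel[:-1] + bytes([tunnel[-1] ^ 0x01])
    try:
        gre_decapsulate(corrupted)
        corruption_rejected = False
    except ValueError:
        corruption_rejected = True

    # ... but a deliberate rewrite is not: anyone can recompute the checksum.
    forged = rewrite_inner_dst(tunnel, b"\xc0\xa8\x01\x63")  # redirect to 192.168.1.99
    _, forged_inner = gre_decapsulate(forged)

    # With an ICV under a key the attacker does not hold, the same rewrite is rejected.
    key = bytes(range(20))  # constructed key; a real SA derives it through IKE
    protected = protect(key, tunnel)
    forged_protected = rewrite_inner_dst(protected[:-ICV_LEN], b"\xc0\xa8\x01\x63") + protected[-ICV_LEN:]
    try:
        verify(key, forged_protected)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True

    return {
        "tunnel_roundtrip": proto == ETHERTYPE_IPV4 and recovered == inner,
        "corruption_rejected": corruption_rejected,
        "gre_accepts_forgery": forged_inner[16:20] == b"\xc0\xa8\x01\x63",
        "icv_accepts_original": verify(key, protected) == tunnel,
        "icv_rejects_forgery": forgery_rejected,
    }
```

Run it with python3 and call demo(); every entry in the returned dict is True. The ICV here is only the RFC 2404 authenticator; a real AH or ESP packet also carries an SPI and sequence number for replay protection and, for ESP, the encrypted payload, as the IPsec RFCs listed above specify.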
Web Links

How Virtual Private Networks Work: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094865.shtml
Generic Routing Encapsulation (GRE): http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tsd_technology_support_sub-protocol_home.html
Cisco Confidential Communication Solutions: http://www.cisco.com/en/US/netsol/ns461/networking_solutions_package.html
Remote Access VPN Business Scenarios: http://cisco.com/en/US/products/hw/routers/ps341/products_configuration_guide_chapter09186a0080518a17.html
Site-to-Site and Extranet VPN Business Scenarios: http://cisco.com/en/US/products/hw/routers/ps341/products_configuration_guide_chapter09186a0080518a50.html
Cisco Public Key Infrastructure: http://www.cisco.com/en/US/products/ps6664/products_ios_protocol_option_home.html
Cisco Security Device Manager: http://cisco.com/en/US/products/sw/secursw/ps5318/index.html
Cisco Security Device Manager Multimedia Demo: http://cisco.com/en/US/products/sw/secursw/ps5318/prod_presentation0900aecd800ab1a8.html
Configure Your Router to Support SDM: http://cisco.com/en/US/products/sw/secursw/ps5318/prod_installation_guide09186a00803e4727.html#wp70999
Content

3.1 Introducing VPN Technology

3.1.1 What Is Needed to Build a VPN?

The Internet is a worldwide, publicly accessible IP network. Because of its global reach, it has become a viable method of interconnecting remote sites. However, the fact that it is a public infrastructure has deterred most enterprises from adopting it as a viable remote