Site to Site IPSEC VPNs provide a secure means of transmitting data over shared, unsecured networks like the internet. They encrypt data at the Layer 3 IP packet level, providing data authentication, anti-replay protection, confidentiality, and integrity. IPSEC VPNs can operate in either tunnel or transport mode. Site to Site IPSEC VPNs are generally established between gateways in tunnel mode, with the gateway acting as a proxy. They can be configured using either policy-based or route-based approaches.
2. What is a VPN?
A VPN is a means to securely and privately transmit data over an unsecured, shared network infrastructure. VPNs secure the data that is
transmitted across common infrastructure such as the internet by:
• Encapsulating the data,
• Encrypting the data,
• Or both.
VPN solutions can be implemented at Layer 2, Layer 3 or Layer 4 of the TCP/IP model:
• Layer 2 VPN technologies – L2TP, PPTP
• Layer 3 VPN technologies – MPLS, IPSEC, GRE
• Layer 4 VPN technologies – SSL VPN
Among the VPN technologies listed above, we concentrate on IPSEC VPN solutions because they offer cost-effective site to site connectivity over
shared infrastructure (the internet) and stand out from MPLS and GRE by encrypting the data (transport mode) or both encapsulating and encrypting it (tunnel mode).
Characteristics of effective VPNs
A secure VPN implementation must provide:
• Data Confidentiality
  • Protects the message contents from being interpreted by unauthenticated or unauthorized sources.
• Data Integrity
  • Guarantees that the message contents have not been tampered with or altered in transit from source to destination.
• Sender Non-repudiation
  • A means to prevent a sender from falsely denying that they had sent a message to the receiver.
• Message Authentication
  • Ensures that a message was sent from an authentic source and that messages are being sent to authentic destinations.
3. What is an IPSEC VPN?
Internet Protocol Security (IPsec) is a network protocol suite that authenticates and encrypts the packets of data sent over a
network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating
the cryptographic keys to use during the session. IPSEC VPNs encrypt data at the Layer 3 IP packet level, offering a comprehensively secure VPN
solution by providing data authentication, anti-replay protection, data confidentiality and data integrity protection.
IPSec handles encryption right at the IP datagram level using a dedicated protocol, the Encapsulating Security Payload (ESP). ESP is
carried inside another IP packet, so that it can be transported across regular IP communication channels: instead of the normal TCP
or UDP designation, the IP header declares the packet's payload to be ESP. Where ESP secures the data by
encryption, the Authentication Header (AH) protocol of IPSec handles only authentication, without confidentiality.
Operating modes of IPSEC VPN
IPSec can be configured to operate in two different modes, Tunnel mode and Transport mode. Which mode is used depends on the
requirements and implementation of IPSec.
Tunnel Mode IPSEC VPN
IPSec tunnel mode is the default mode. With tunnel mode, the entire original IP packet is protected by IPSec. This means IPSec
wraps the original packet, encrypts it, adds a new IP header and sends it to the other side of the VPN tunnel (IPSec peer).
Transport Mode IPSEC VPN
Transport mode protects only the IP payload (the TCP/UDP header plus data) with an AH or ESP header. The payload is encapsulated by the
IPSec headers and trailers while the original IP header remains intact, except that the IP protocol field is changed to ESP (50) or AH (51);
the original protocol value is saved in the IPsec trailer so that it can be restored when the packet is decrypted.
4. Site to Site IPSEC VPN
Generally, a site to site VPN is established between gateways in tunnel mode, with each gateway acting as a proxy for the hosts
behind it. In tunnel mode, the IPSec header (AH or ESP) is inserted between the new outer IP header and the original IP packet. Of AH and
ESP, ESP is the most commonly used in IPSec VPN tunnel configurations.
IPSec Tunnel mode with ESP header:
  New IP Header | ESP Header | IP Header | TCP/UDP | DATA | ESP Trailer | ESP Auth Trailer
IPSec Tunnel mode with AH header:
  New IP Header | Authentication Header | IP Header | TCP/UDP | DATA
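As an added example (not from the original document), the following Python builds and parses ESP-framed packets using NULL encryption and a truncated HMAC-SHA-256 integrity check value, to show where the original protocol number is stored (the ESP trailer's Next Header field), how a receiver distinguishes tunnel mode (inner IPv4 packet, protocol 4) from transport mode (TCP/UDP), and how a sliding anti-replay window rejects duplicated sequence numbers. The SA key, SPI, sequence numbers and payload bytes are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed example: ESP framing (RFC 4303) with NULL encryption and a
# 128-bit truncated HMAC-SHA-256 ICV. The original protocol number travels
# in the ESP trailer's Next Header field; 4 (IP-in-IP) means tunnel mode.
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17
ICV_LEN = 16  # AUTH_HMAC_SHA2_256_128 truncation length

def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """Wrap payload in ESP header + trailer and append the integrity check value."""
    pad_len = (-(len(payload) + 2)) % 4    # align the trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default padding pattern
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    body = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

class EspReceiver:
    """Inbound SA state: integrity key plus a 64-packet sliding anti-replay window."""
    WINDOW = 64

    def __init__(self, key: bytes):
        self.key, self.top, self.bitmap = key, 0, 0  # bit k set => seq (top - k) seen

    def _replay_ok(self, seq: int) -> bool:
        if seq > self.top:
            return True
        shift = self.top - seq
        return shift < self.WINDOW and not (self.bitmap >> shift) & 1

    def _mark(self, seq: int) -> None:
        if seq > self.top:
            self.bitmap = (self.bitmap << (seq - self.top)) | 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        self.bitmap &= (1 << self.WINDOW) - 1

    def decapsulate(self, packet: bytes):
        # Verify ICV, enforce anti-replay, strip padding; return (spi, seq, mode, next_header, inner).
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):  # integrity first, then parse
            raise ValueError("ICV mismatch: tampered packet or wrong SA")
        spi, seq = struct.unpack("!II", body[:8])
        if not self._replay_ok(seq):
            raise ValueError(f"replayed sequence number {seq}")
        self._mark(seq)
        pad_len, next_header = struct.unpack("!BB", body[-2:])
        inner = body[8:len(body) - 2 - pad_len]
        mode = "tunnel" if next_header == IPPROTO_IPIP else "transport"
        return spi, seq, mode, next_header, inner
```

A real ESP SA would encrypt the payload and trailer before computing the ICV; with NULL encryption the layout and the checks are identical, only the confidentiality step is absent.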
Site to site IPSEC VPN can be deployed as follows:
1. Policy based IPSec VPN (traditional)
2. Route based IPSec VPN
Policy-based VPNs encrypt and encapsulate a subset of the traffic flowing through an interface according to defined security policies.
The policy may dictate that only some or all of the traffic being evaluated is placed into the VPN. This type of VPN is often referred to as
LAN-to-LAN.
A route-based VPN employs routed tunnel interfaces as the endpoints of the virtual network. All traffic passing through a tunnel
interface is placed into the VPN. Rather than relying on an explicit policy to dictate which traffic enters the VPN, static and/or dynamic IP routes
are formed to direct the desired traffic through the VPN tunnel interface.
Policy based IPSec VPN
Route based IPSec VPN
5. Policy based vs Route based IPSec VPN
| Policy-Based IPSec VPN | Route-Based IPSec VPN |
|---|---|
| Supports IP unicast traffic only; does not support IP multicast or non-IP protocols | Supports IP unicast, multicast and non-IP protocols |
| No support for dynamic routing protocols | Supports dynamic routing protocols such as OSPF, EIGRP and BGP |
| Traffic is encrypted and placed in the tunnel based on security policies or ACLs | Traffic routed via the tunnel interface is encrypted |
| Complex configuration and maintenance overhead | Simple configuration |
| Limited QoS | QoS is fully supported |