Chapter 10. Further Architectural Options for IPsec

IPsec VPN Termination On-a-Stick

When referring to technologies "on-a-stick," we are typically describing a scenario in which the device performing that technical function is attached to the network using a single interface. Common examples that can reside "on-a-stick" include router-on-a-stick, NAT-on-a-stick, and IPsec VPN termination-on-a-stick. In this section, we will discuss the last of the three, focusing on IPsec Virtual Private Network (VPN) deployment scenarios in which one or both IPsec VPN tunnel termination points are attached out-of-path, using a single physical interface for network connectivity.



IPsec with Router-on-a-Stick Design Overview

Although they do exist, cases in which administrators would opt for IPsec VPN tunnel termination "on-a-stick" are rare. Furthermore, in those cases the design is most commonly adopted to accommodate constraints elsewhere in the network architecture, rather than as an option that an administrator would choose over the in-path IPsec VPN design options discussed previously.

IPsec termination on-a-stick refers to a deployment scenario in which the IPsec tunnel termination point is attached to the network using a single network interface. As such, this design option places crypto and IPsec functionality outside of the data path, as illustrated in Figure 10-1.



Figure 10-1. IPsec VPN Tunnel Termination "On-a-Stick"

Figure 10-1 depicts a rare scenario in which IPsec using router-on-a-stick is required. Let's now discuss some of the circumstances that force this scenario to exist.



Single, Flatly Addressed L3 Domain

The key design driver here is that the cable modem and its integrated bridge provide only one flat Layer 2 domain for devices to attach to. Although it is rare to see a VPN concentrator with one interface (most devices ship with multiple interfaces so that they can reside in-path), the bridged layout of this network design on the LAN side presents only one interface from an L3 perspective. In other words, a second interface on the VPN concentrator or router would yield no benefit, as one would be unable to assign it an IP address in a different subnet (it would conflict with the other interface connected to the bridged domain).



Lack of In-Path Design Options

The flat L3 network forces the IPsec VPN tunnel outside of the data path. Because only one L3 interface can be attached to this bridged LAN, the encryptor is unable to reside inside the unencrypted data path.



Note

In-path and out-of-path refer to the path of the unencrypted data flows. The encrypted data must flow through the IPsec VPN tunnel endpoint, even in "on-a-stick" implementations. In-path versus out-of-path comparisons are discussed later in this chapter.



In this situation, IPsec VPN tunnel termination "on-a-stick" can be used to provide encryption for resources on the bridged LAN in Figure 10-1. This design option involves several components, some of which are unique to this design.



Single Interface to the Bridged LAN

This interface resides outside of the unencrypted data path: the bridged LAN's natural forwarding path leads directly to the cable modem and never touches the VPN gateway. Consequently, network resources whose traffic must traverse the VPN tunnel have to use the IP address of the IPsec VPN tunnel termination point's interface on the bridged LAN as their default gateway. A host that keeps the cable modem as its default gateway sends its traffic to the Internet in cleartext, so this gateway assignment must be enforced rather than merely recommended.



Crypto-Enabled Loopback Interface

This interface essentially serves as the crypto interface used to terminate the IPsec VPN tunnel. In Chapter 6, "Solutions for Local Site-to-Site High Availability," we discussed the use of a loopback interface to terminate the IPsec VPN tunnel for local High Availability (HA). In this situation, we will actually apply the crypto map to the loopback interface itself and loop encrypted traffic back onto the bridged LAN. Figure 10-2 displays this operation.



Figure 10-2. IPsec VPN Tunnel Termination On-a-Stick Using Loopback Interfaces for Crypto

The process in Figure 10-2 is as follows:

1. The IPsec VPN gateway (router-on-a-stick) in Figure 10-2 receives traffic from the bridged LAN. This traffic is in cleartext format.

2. The router forwards the traffic to its loopback interface. The router inspects the traffic, matching it to a crypto ACL referenced in the crypto map that is applied to the crypto interface. The crypto engine applies the appropriate transform to the data matching the crypto ACL.

3. The router forwards the traffic from step 2 back out its single physical interface onto the bridged LAN. The traffic is now in ciphered format, destined for the other end of the IPsec VPN tunnel.



Note

The steps just described vary slightly from the ones outlined in the ensuing case study, as the case study includes IPsec VPN tunnel termination on-a-stick and Network Address Translation (NAT) on-a-stick, while the example we have just discussed includes only IPsec VPN tunnel termination on-a-stick without NAT.



Let's now take a look at a case study that will illustrate the operation of IPsec VPN tunnel termination "on-a-stick," including a real-world scenario in which this rare choice of IPsec design is used and working configurations.



Case Study: Small Branch IPsec VPN Tunnel Termination with NAT On-a-Stick



In this section, we will discuss a scenario in which a large retail company wants to deploy secure, low-cost IP communications at each of its stores globally. At each branch location, there are server applications that collect and store customer information and financial data. That data must be reliably relayed to centralized data storage facilities in the company's data center, which is located at the corporation's headquarters. For this reason, the retailer is interested in a simple, low-cost solution for relaying this information from its many retail locations over the WAN to the data center at the corporate HQ. The corporate IT staff is interested in using a managed Internet service to provide the WAN connectivity to HQ in order to meet several critical business objectives, including:

- Support for many branches makes a low-cost managed solution a business requirement, as scaling the solution to the many branches will drive costs up regardless of the per-unit cost.

- Data confidentiality is a business requirement, as confidential customer information (account numbers, marketing data) must be transmitted across a public domain (the Internet).

- Multiple point-of-sale machines and small-scale servers at the remote retail location require a low-cost LAN solution (multiple Ethernet ports at the retail branch).

The corporation's IT staff has been in contact with several service providers who offer managed services that may meet the retailer's business requirements. The managed service offers basic IP connectivity using a cable modem at the remote retail location. The service also includes a workgroup switch for connecting devices together on the retailer's LAN, but the functionality of the switch is very basic and therefore does not include support for VLANs or 802.1Q trunking. Given the retailer's business objectives, these circumstances present design challenges at the retailer's remote locations, including the following:

- Limited publicly routable IP address space at the remote retail locations

- No NAT functionality integrated into the managed service offering

- No capability for providing data confidentiality (such as IPsec or other crypto) between the remote retail location and the corporate HQ

- Lack of VLAN awareness on the managed service switch at the remote retail location, which therefore supports only one L3 broadcast domain on the remote retail LAN

The retailer agrees to a small pilot of the Internet service provider's (ISP's) managed service. As depicted in the remote retail store LAN pilot topology in Figure 10-1, the corporate IT staff elects to use a small IPsec-enabled router, such as the Cisco 1845 ISR, to enable two key services at the remote retail location: data confidentiality (IPsec) and NAT. Let us take a quick step-by-step look at the life of a packet on egress from the remote retail LAN en route to centralized corporate resources before diving into some configuration examples for enabling data confidentiality and NAT in "on-a-stick" environments:

1. Hosts and servers on the remote retail branch LAN initiate communications with centralized corporate resources using a default gateway of 192.168.1.2 on the 1845 ISR.

2. The 1845 receives the traffic from step 1 on Ethernet0/0 and matches it to an ACL referenced in a route map that is used for policy routing. The policy route sets the output interface for traffic matching the ACL to the router's Loopback201 interface.

3. Because the traffic was received on the NAT inside interface (Ethernet0/0), is being forwarded out a NAT outside interface (Loopback201), and matches the ACL referenced in the NAT configuration, the 1845 ISR applies the inside source translation. In IOS, inside-to-outside NAT is performed after the routing decision (including policy routing) and before the crypto map check, which is why the policy route to the loopback must come first.

4. The privately addressed source IP is translated into a publicly routable address taken from the NAT pool associated with Loopback201 (the outside NAT interface).

5. The translated traffic from step 4 matches a crypto ACL referenced by the crypto map applied to the Loopback201 interface. Before forwarding the traffic, the 1845 ISR processes it with the appropriate transform.

6. The 1845 ISR forwards the encrypted packet, now encapsulated in Encapsulating Security Payload (ESP), to the opposite end of the IPsec VPN tunnel. The outer IP header is populated with the publicly routable addresses of the IPsec peers: the address of the local crypto interface (Loopback201) and the peer address configured in the crypto map, the same pair used for the IKE Phase 1 exchange. The inside global address from step 4 appears only in the inner, encrypted header.



Data confidentiality is required across the WAN using IPsec VPN tunnel termination. The IPsec VPN gateway at the remote branch resides out-of-path, and is therefore considered to be deployed "on-a-stick." This out-of-path design option was selected for the retailer's pilot program because the branch LAN switch is incapable of providing multiple L3 domains. As such, only one L3 domain is presented to the IPsec VPN-enabled router on-a-stick, supporting only a single L2 connection between the router and the switch.

Example 10-1 provides a configuration for the retail branch LAN's IPsec VPN gateway. The IPsec VPN gateway is configured to use ESP-3DES with MD5-HMAC authentication on data sent to and received from the remote IPsec VPN gateway at 24.10.100.1, as shown by the transform-set and the crypto map entry, respectively. Note that the crypto map is applied to the loopback interface rather than to a physical interface. It is important to note that the crypto map matches ACL 102, which specifies the inside global IP address space as the source. This is because encryption occurs after NAT when the two are configured concurrently. As illustrated in Example 10-2, all traffic to be translated on-a-stick is policy routed to Loopback201. This enables traffic from the 10.0.0.0/8 address space on the retailer's LAN to be NAT'd between inside (Ethernet0/0) and outside (Loopback201) before being encrypted using the crypto map on Loopback201. The crypto ACL used by the retail branch LAN VPN gateway is access-list 102. Note that its source address space is the inside global address space, and that its wildcard mask must cover every address in the NAT pool of Example 10-2 (200.1.1.1 through 200.1.1.4): a crypto ACL that covers only part of the pool lets packets translated to the uncovered addresses leave the loopback unencrypted. This configuration is required for IPsec to properly agree upon consistent protected address space when negotiating a Phase 2 SA, as encryption occurs after NAT. If the crypto ACL is not configured with the correct addresses, a scope inconsistency between the two peers' crypto ACLs (the proxy identities) can cause Phase 2 negotiation to fail; the HQ gateway's crypto ACL must be the mirror image of ACL 102. Finally, the ISAKMP policy in Example 10-1 specifies only the authentication method, so the IOS defaults apply to everything else (DES, SHA-1, Diffie-Hellman group 1). Those defaults, 3DES, MD5-HMAC, and a trivial pre-shared key such as the one shown are no longer acceptable; a current deployment would specify AES, SHA-2, a stronger DH group, and a unique, high-entropy key per peer.



Example 10-1. IPsec VPN Tunnel Termination "On-a-Stick" Using Logical (Loopback) Interfaces

C1845-VPN10-A# show running-config
Building configuration...
!
! <-- Output Suppressed -->
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 24.10.100.1
!
crypto ipsec transform-set c10-on-a-stick esp-3des esp-md5-hmac
!
crypto map on-a-stick 10 ipsec-isakmp
 set peer 24.10.100.1
 set transform-set c10-on-a-stick
 match address 102
!
! <-- Output Suppressed -->
!
interface Loopback201
 ip address 201.1.1.1 255.255.255.0
 ip nat outside
 crypto map on-a-stick
!
! <-- Output Suppressed -->
!
! Source is the inside global (post-NAT) space; the wildcard covers the whole
! 200.1.1.0/29 pool of Example 10-2 so that no translated address escapes the crypto map.
access-list 102 permit ip 200.1.1.0 0.0.0.7 1.0.0.0 0.255.255.255
!
! <-- Output Suppressed -->



NAT on-a-stick supports IP communications with privately addressed devices across a publicly addressed infrastructure. In this case, the retailer has not been given enough publicly routable address space for all of the IP-enabled resources to communicate across the Internet. Therefore NAT must be used to translate the private IP addresses into public ones so that they can be routed across the Internet to the retailer's data center at its HQ. Because there is only one connection between the IPsec VPN-enabled router and the remote retail site's LAN switch, this service, like IPsec VPN tunnel termination, must also exist "on-a-stick." Example 10-2 provides a sample NAT on-a-stick configuration that the retail branch LAN IPsec VPN gateway uses in conjunction with its IPsec VPN tunnel termination configuration on-a-stick in Example 10-1. Note that the policy route, the NAT outside interface, and the crypto map must all refer to the same loopback (Loopback201 here). If the route map sends traffic to a different loopback, the packets are translated and then forwarded out Ethernet0/0 by the default route without ever being evaluated by the crypto map, and the branch data crosses the Internet in cleartext.



Example 10-2. Network Address Translation "On-a-Stick" Using Logical (Loopback) Interfaces

C1845-VPN10-A# show run
Building configuration...
!
! <-- Output Suppressed -->
!
! The same loopback carries 'ip nat outside' and the crypto map of Example 10-1,
! and is the target of the policy route below.
interface Loopback201
 ip address 201.1.1.1 255.255.255.0
 ip nat outside
 crypto map on-a-stick
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.248 secondary
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip policy route-map on-a-stick
 half-duplex
!
! <-- Output Suppressed -->
!
ip nat pool public 200.1.1.1 200.1.1.4 prefix-length 29
ip nat inside source list 1 pool public overload
!
! <-- Output Suppressed -->
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 permit ip any 200.1.1.0 0.0.0.7
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
route-map on-a-stick permit 10
 match ip address 101
 set interface Loopback201
!
! <-- Output Suppressed -->
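The life-of-a-packet steps and the crypto-ACL caveats above can be checked offline before touching a router. The following Python model is an added example, not code from the book or from Cisco IOS: it walks a constructed LAN packet through the IOS inside-to-outside order of operations (policy route, NAT inside-to-outside, crypto map check) using the interface names, NAT pool, and ACLs of Examples 10-1 and 10-2, and reports which misconfigurations leave traffic in cleartext. The sample packet, the HQ server address 1.2.3.4, and the simplified PAT behaviour (the first pool address is used until its port space is exhausted) are assumptions of the example.

```python
"""Model of the IOS inside-to-outside order of operations on the router-on-a-stick
of Examples 10-1 and 10-2: policy routing -> NAT inside-to-outside -> crypto map
check on the egress interface.  Added example, not code from the book or from Cisco.
Interface names, pool and ACLs follow the examples; packets are constructed; PAT is
simplified to 'first pool address'."""
import ipaddress
from dataclasses import dataclass, replace


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard comparison: a set wildcard bit means 'don't care'."""
    return (_int(addr) | _int(wildcard)) == (_int(base) | _int(wildcard))


def acl_permits(entries, src: str, dst: str) -> bool:
    """Extended ACL: entries are (src_base, src_wc, dst_base, dst_wc) permit lines."""
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in entries)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class StickConfig:
    pbr_iface: str          # 'set interface' in route-map on-a-stick
    nat_outside: frozenset  # interfaces carrying 'ip nat outside'
    crypto_iface: str       # interface carrying 'crypto map on-a-stick'
    nat_acl: tuple          # standard ACL 1: (base, wildcard) permit lines
    nat_pool: tuple         # (first, last) of 'ip nat pool public'
    crypto_acl: tuple       # extended ACL 102 permit lines
    local_addr: str         # address of the crypto interface (outer source)
    peer: str               # 'set peer' in the crypto map


POOL = ("200.1.1.1", "200.1.1.4")
# ACL 102 as it must read: inside global source, wildcard covering the whole /29 pool
ACL_102 = (("200.1.1.0", "0.0.0.7", "1.0.0.0", "0.255.255.255"),)
# Two mistakes worth recognising
ACL_102_INSIDE_LOCAL = (("10.0.0.0", "0.255.255.255", "1.0.0.0", "0.255.255.255"),)  # pre-NAT source
ACL_102_NARROW = (("200.1.1.0", "0.0.0.3", "1.0.0.0", "0.255.255.255"),)            # misses 200.1.1.4

BOOK_CONFIG = StickConfig(
    pbr_iface="Loopback201", nat_outside=frozenset({"Loopback201"}), crypto_iface="Loopback201",
    nat_acl=(("10.0.0.0", "0.255.255.255"),), nat_pool=POOL, crypto_acl=ACL_102,
    local_addr="201.1.1.1", peer="24.10.100.1")
# Route map pointing at a second NAT-outside loopback that carries no crypto map
MISMATCHED_CONFIG = replace(BOOK_CONFIG, pbr_iface="Loopback10",
                            nat_outside=frozenset({"Loopback10", "Loopback201"}))
# Constructed sample: a point-of-sale host on the branch LAN talking to an (assumed) HQ server
SAMPLE = Packet(src="10.1.1.10", dst="1.2.3.4")


def with_crypto_acl(cfg: StickConfig, acl) -> StickConfig:
    return replace(cfg, crypto_acl=acl)


def nat_inside_source(cfg: StickConfig, pkt: Packet) -> Packet:
    """'ip nat inside source list 1 pool public overload', simplified to the first pool address."""
    if any(wildcard_match(pkt.src, b, w) for b, w in cfg.nat_acl):
        return replace(pkt, src=cfg.nat_pool[0])
    return pkt


def egress(cfg: StickConfig, pkt: Packet) -> dict:
    """Walk a cleartext LAN packet through the router in IOS order and report what leaves."""
    out_iface = cfg.pbr_iface                       # 1. policy routing picks the loopback
    if out_iface in cfg.nat_outside:                # 2. inside->outside NAT, after routing
        pkt = nat_inside_source(cfg, pkt)
    encrypted = (out_iface == cfg.crypto_iface      # 3. crypto map check on the post-NAT header
                 and acl_permits(cfg.crypto_acl, pkt.src, pkt.dst))
    outer = (cfg.local_addr, cfg.peer) if encrypted else None
    return {"out_iface": out_iface, "src": pkt.src, "dst": pkt.dst,
            "encrypted": encrypted, "outer_header": outer}


def uncovered_pool_addresses(cfg: StickConfig) -> list:
    """Pool addresses whose translated packets match no crypto ACL source: they leak in cleartext."""
    first, last = (_int(a) for a in cfg.nat_pool)
    return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)
            if not any(wildcard_match(str(ipaddress.IPv4Address(i)), sb, sw)
                       for sb, sw, _, _ in cfg.crypto_acl)]


def mirror_acl(entries) -> tuple:
    """Proxy identities the HQ peer must configure: ACL 102 with source and destination swapped."""
    return tuple((db, dw, sb, sw) for sb, sw, db, dw in entries)


if __name__ == "__main__":
    cases = (("book config", BOOK_CONFIG),
             ("inside-local crypto ACL", with_crypto_acl(BOOK_CONFIG, ACL_102_INSIDE_LOCAL)),
             ("route map to wrong loopback", MISMATCHED_CONFIG))
    for name, cfg in cases:
        print(f"{name:28s} -> {egress(cfg, SAMPLE)}")
    print("leaked by 0.0.0.3 wildcard:", uncovered_pool_addresses(with_crypto_acl(BOOK_CONFIG, ACL_102_NARROW)))
    print("HQ mirror of ACL 102:", mirror_acl(ACL_102))
```

Run it directly to see the three cases. The two negative cases are the ones to look for in a real on-a-stick deployment: a crypto ACL written against inside local addresses never matches after NAT, and a route map that points at a loopback other than the one carrying the crypto map translates traffic but never encrypts it. `uncovered_pool_addresses` lists the pool addresses a too-narrow crypto ACL would leak, and `mirror_acl` gives the proxy identities the HQ peer must configure for Phase 2 negotiation to succeed.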



Once the appropriate configurations have been put in place, the retailer takes several measures to ensure that the operation of the IPsec VPN router on-a-stick is working correctly with NAT:

- Verify that private addresses are being translated into routable address space, as in Example 10-3.

Example 10-3. Verifying NAT "On-a-Stick" Operations


