Virtual Private Networks

A virtual private network (VPN) enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.

A VPN is, loosely defined, a network in which a customer or end user connects to one or more sites through a public infrastructure, such as the Internet or World Wide Web.

We have already discussed dialup VPNs or Virtual Private Dialup Network (VPDN) in Chapter 5, "Security Protocols."

VPNs are typically set up permanently between two or more sites. Figure 7-6 displays a typical VPN design.

Figure 7-6 VPN Model (figure not reproduced; labels: Beta; Remote Site; Private Address; VPN Tunnels, Public Address Space 131.108.1.0/30; Internet or Current Service Provider Infrastructure)

Figure 7-6 displays a typical hub (central site) to spoke (remote site) model, where all existing public infrastructure transports data. IP generic routing encapsulation (GRE) tunnels can be set up between the hub and spoke routers, and any protocol can run over the IP tunnel.

Consider an example in which the hub router, Alpha, needs to communicate with the remote-site router, Beta.

At no time should the private address space be advertised to any public domain. Assuming that IP routing is enabled and configured, we can configure an IP GRE tunnel between Alpha and Beta.

Assume that you have a client who wants to create a VPN across your network. The client's main network is attached via Alpha over the Internet IP cloud. The client has a group of employees in their own IP space on the Ethernet interface. The client has a classless interdomain routing (CIDR) block of 192.1.64.0/20 for the network attached to the Alpha router, and the CIDR block 141.108.32.0/20 to the network attached to the Beta router. The network 131.108.1.0/30 is assigned between the routers and is pingable.

Example 7-9 configures Alpha with a GRE tunnel pointing to the remote IP address 131.108.1.2/30 (Beta's Serial IP address) and uses 131.108.1.5/32 for the loopback interface.

Example 7-9 Alpha GRE Tunnel

hostname Alpha
!
interface Loopback0
 ip address 131.108.1.5 255.255.255.255
!
! IP GRE tunnel configuration follows
! the tunnel source must be the address the peer uses as its tunnel destination
interface Tunnel0
 ip address 192.1.64.1 255.255.255.0
 tunnel source Serial0
 tunnel destination 131.108.1.2
!
interface Ethernet0/0
 ip address 192.1.65.1 255.255.248.0
!
interface Serial0
 description Link to Beta via Internet Cloud
 ip address 131.108.1.1 255.255.255.252
!
! wildcard 0.0.15.255 covers the 192.1.64.0/20 block, including the tunnel subnet
router ospf 1
 network 192.1.64.0 0.0.15.255 area 0
end

Example 7-10 configures Beta with a GRE tunnel pointing to the remote IP address 131.108.1.1/30 and 131.108.1.6/32 for loopback use.

Example 7-10 Beta GRE Tunnel

hostname Beta
!
interface Loopback0
 ip address 131.108.1.6 255.255.255.255
!
! IP GRE tunnel configuration follows
! the tunnel source must be the address the peer uses as its tunnel destination
interface Tunnel0
 ip address 192.1.64.2 255.255.255.0
 tunnel source Serial0
 tunnel destination 131.108.1.1
!
interface Ethernet0/0
 ip address 141.108.32.1 255.255.240.0
!
interface Serial0
 description Link to Alpha via Internet Cloud
 ip address 131.108.1.2 255.255.255.252
!
! the tunnel subnet must also be in OSPF so routes are exchanged over the tunnel
router ospf 1
 network 141.108.0.0 0.0.255.255 area 0
 network 192.1.64.0 0.0.0.255 area 0
end

The IP GRE tunnel is now configured between the routers Alpha and Beta. Although the source and destination of the VPN tunnel use public address space, the reserved CIDR block 192.1.64.0/20 is not advertised or routable over the public domain. The private traffic can now flow between the hub site and the remote site securely. You can also transport other non-IP protocols over the VPN tunnel, such as Internetwork Packet Exchange (IPX) or AppleTalk. IP GRE tunnels support only IPX or AppleTalk.
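As an added check (not from the book), the following Python parses the two router configurations and verifies the two properties this design depends on: each router's tunnel destination is the address the peer sources its tunnel from, and OSPF is enabled on Tunnel0 but not on the public-facing Serial0, so private prefixes never reach the provider. The embedded configs are constructed from the tunnel, serial and OSPF lines of Examples 7-9 and 7-10, with Serial0 assumed as the tunnel source on both routers.

```python
import ipaddress
import re

# Constructed samples (assumption): Examples 7-9/7-10 reduced to their tunnel, serial and OSPF lines.
ALPHA = """interface Tunnel0
 ip address 192.1.64.1 255.255.255.0
 tunnel source Serial0
 tunnel destination 131.108.1.2
interface Serial0
 ip address 131.108.1.1 255.255.255.252
router ospf 1
 network 192.1.64.0 0.0.15.255 area 0"""
BETA = """interface Tunnel0
 ip address 192.1.64.2 255.255.255.0
 tunnel source Serial0
 tunnel destination 131.108.1.1
interface Serial0
 ip address 131.108.1.2 255.255.255.252
router ospf 1
 network 141.108.0.0 0.0.255.255 area 0
 network 192.1.64.0 0.0.0.255 area 0"""

def parse_ios(cfg):
    """Return (interfaces, ospf_networks) for the IOS subset used above."""
    ifaces, ospf, cur = {}, [], {}
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"addr": None, "src": None, "dst": None})
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cur["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            cur[{"source": "src", "destination": "dst"}[m[1]]] = m[2]
        elif m := re.match(r"network (\S+) (\S+) area", line):
            # a mask whose first octet is 0 is parsed as a host mask (IOS wildcard)
            ospf.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return ifaces, ospf

def tunnel_source_ip(ifaces, tunnel="Tunnel0"):
    """Resolve 'tunnel source' (interface name or literal address) to an IP string."""
    src = ifaces[tunnel]["src"]
    return str(ifaces[src]["addr"].ip) if src in ifaces else src

def endpoints_mirror(a, b):
    """GRE decapsulates only when each side's destination is the peer's source."""
    return (a["Tunnel0"]["dst"] == tunnel_source_ip(b)
            and b["Tunnel0"]["dst"] == tunnel_source_ip(a))

def ospf_enabled_interfaces(ifaces, ospf):
    """Interfaces an OSPF 'network' statement covers: Tunnel0 must be, Serial0 must not."""
    return {n for n, d in ifaces.items() if any(d["addr"].ip in net for net in ospf)}
```

The script checks routing hygiene only; GRE itself encapsulates without encrypting, so confidentiality across the public cloud needs an encryption layer such as IPSec on top of the tunnel.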
