
Site-to-site IPsec VPNs are typically deployed when two or more autonomous systems need to communicate with each other over an untrusted medium and the data exchanged must remain confidential.

Site-to-Site VPN Architectural Overview for a Dedicated Circuit

The most basic form of IPsec VPN is represented by two VPN endpoints communicating over a directly connected shared medium, or dedicated circuit, which closely resembles bulk encryption alternatives at Layers 1 and 2 of the OSI stack (see Table 1-1 for VPN technologies and the OSI stack). This scenario, while simple to deploy and manage, can be cost prohibitive and does not yield many of the benefits of IPsec VPN connectivity over a routed domain (multiple Layer 3 hops between endpoints).

Indeed, because IPsec is a Layer 3 VPN technology, it was designed to function across multiple Layer 3 hops in order to circumvent many of the scalability and manageability issues of previous VPN alternatives. As such, IPsec deployed over a routed domain provides scalability, flexibility, and availability beyond the simple dedicated-circuit model. In this section, we will explore design concepts related to both topologies and the corresponding configuration and verification processes required.

