05/02/2018
VPN Design
Remote Access VPN design
- For a VPN you need a termination device (VPN concentrator / firewall), a client and the connecting technology for tunneling.
- Cisco Easy VPN.
- Client options
  - IPsec VPN client
  - SSL VPN clientless access
  - SSL VPN thin client
  - SSL VPN thick client
Placement of the VPN Termination Device:
- Parallel placement
  - Easy implementation.
  - Less security because it goes around the firewall.
- Inline placement
  - RECOMMENDED
  - Traffic to the termination device is routed through the firewall.
  - Filtering rules in place to restrict which resources VPN users can reach.
  - VPN termination device is exposed to the outside world.
- DMZ placement
  - Traffic goes through the firewall, and through the firewall again after termination.
  - Hardest to implement, best security.
Routing the traffic back
- Internal network needs to reach the VPN clients.
- Small orgs typically use a static route to the VPN termination device.
- Larger orgs use reverse route injection (RRI): OSPF / RIPV host routes.
- Clients can get addresses via DHCP (common) or static (via RADIUS / LDAP).
Site-to-Site VPN: WAN replacement or backup
- Cost effective.
- (Typically) faster.
- More available.
- Secure (HIPAA).
  - Health Insurance Portability and Accountability Act
Core Principles for success with Site-to-Site VPNs
- IPsec VPN acts as an 'overlay network' (tunnel).
- Larger organizations will want dynamic routing.
- IPsec is for TCP or UDP traffic only.
- To handle multicast / broadcast, use GRE tunnels (inside IPsec).
- Scale your VPN devices:
  - Head-end device 50% CPU.
  - Branch devices 65% CPU.
VPN Variations
- Easy VPN
  - Centralizes VPN configuration.
  - Eases remote site setup.
- GRE + IPsec
  - Adds another layer of encapsulation to the VPN.
  - Allows non-UDP/TCP applications to function.
  - Allows routing protocols to function.
- DMVPN
  - Typical hub-and-spoke VPN has issues:
    - Traffic passing through the hub.
    - Spoke configuration becomes complicated.
  - Use DMVPN:
    - Single connection to the hub.
    - Address registered with NHRP.
    - Automatic GRE-based VPNs (time limited) between sites.
    - Locked down with NHRP network ID / password.
- Virtual Tunnel Interface (VTI)
  - Use over GRE if the router supports it.
  - Alternative to GRE tunnels; supports non-TCP/UDP traffic.
  - Saves on the GRE overhead.
  - Simplifies configuration; static or dynamic VTI options.
- GET VPN
  - The VPN for the private WAN (MPLS-like).
  - IP header not tunneled.
  - Dynamic, full mesh.
  - Complicated configuration.
VPN Scalability
- Packets per second matter much more than throughput for VPNs.
- The marketing:
  - 1400-byte packets
  - 100% CPU
- The reality:
  - Mix of packet sizes (VoIP, video)
  - 80% CPU
- Test with a realistic traffic simulator instead of packet-blasting iperf.
  - iperf is better than nothing, and it's free.
Firewalls are specced in the best-case scenario with 1400-byte packets. This is almost never the case; depending on the traffic, the packet size varies:

| Protocol | Size |
|---|---|
| FTP downloads | 1052 bytes |
| VoIP | 60 bytes |
| HTTP | 377 bytes |
| DNS | 124 bytes |
| POP3 | 462 bytes |
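As an added worked example (not part of the original notes), a small sizing helper that applies the table above: it turns a datasheet throughput rating quoted at 1400-byte packets into a packets-per-second budget, derates it to the 80% CPU ceiling, and then shows what that budget yields on a realistic packet mix. The 1000 Mbps rating and the traffic-mix shares are constructed inputs, not figures from the notes.

```python
# Sizing helper built on the packet-size table above. The datasheet rating
# and the traffic-mix shares used below are constructed example inputs.

BITS_PER_BYTE = 8

# Average packet sizes in bytes, taken from the table above.
PACKET_SIZES = {"FTP": 1052, "VoIP": 60, "HTTP": 377, "DNS": 124, "POP3": 462}


def rated_pps(throughput_mbps: float, packet_bytes: int = 1400) -> float:
    """Packets/second implied by a datasheet figure quoted at one packet size."""
    return throughput_mbps * 1_000_000 / (packet_bytes * BITS_PER_BYTE)


def usable_pps(throughput_mbps: float, cpu_ceiling: float = 0.8,
               packet_bytes: int = 1400) -> float:
    """The pps budget once the device is held to a realistic CPU ceiling
    (80% here) instead of the 100% CPU the marketing figure assumes."""
    if not 0 < cpu_ceiling <= 1:
        raise ValueError("cpu_ceiling must be a fraction in (0, 1]")
    return rated_pps(throughput_mbps, packet_bytes) * cpu_ceiling


def mean_packet_size(mix: dict) -> float:
    """Weighted mean packet size for a mix given as {protocol: share of packets}."""
    total = sum(mix.values())
    if total <= 0:
        raise ValueError("traffic mix must have positive shares")
    return sum(PACKET_SIZES[proto] * share for proto, share in mix.items()) / total


def usable_throughput_mbps(throughput_mbps: float, mix: dict,
                           cpu_ceiling: float = 0.8) -> float:
    """Throughput actually achievable for the mix: the same pps budget
    carries far fewer bits when the packets are small."""
    pps = usable_pps(throughput_mbps, cpu_ceiling)
    return pps * mean_packet_size(mix) * BITS_PER_BYTE / 1_000_000


def fits(throughput_mbps: float, offered_pps: float, cpu_ceiling: float = 0.8) -> bool:
    """True if the offered packet rate stays within the derated pps budget."""
    return offered_pps <= usable_pps(throughput_mbps, cpu_ceiling)


if __name__ == "__main__":
    # Constructed example: a device rated at 1000 Mbps and a VoIP-heavy branch mix.
    mix = {"VoIP": 0.5, "HTTP": 0.3, "DNS": 0.1, "FTP": 0.05, "POP3": 0.05}
    print(f"rated pps:        {rated_pps(1000):,.0f}")
    print(f"usable pps @80%:  {usable_pps(1000):,.0f}")
    print(f"mean packet size: {mean_packet_size(mix):.1f} bytes")
    print(f"usable Mbps:      {usable_throughput_mbps(1000, mix):.1f}")
```

With the constructed VoIP-heavy mix, a device marketed at 1000 Mbps delivers roughly 132 Mbps, which is why the notes stress pps over throughput.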
Routing protocol over VPN Suggestions
- Use EIGRP
  - Can summarize everywhere.
  - Doesn't flood the database.
  - Using stub options limits queries.
- Watch your default EIGRP bandwidth
  - 9 Kbps on a tunnel interface.
  - EIGRP updates throttle to 50% of interface bandwidth.