Summary of Cisco router VPN

Source: Internet
Author: User

A Virtual Private Network (VPN) is a temporary, secure connection established over a public network (usually the Internet): a secure and stable tunnel through a chaotic public network.

A VPN relies on ISPs (Internet service providers) and other NSPs (network service providers) to build a dedicated data communication network on top of a public network. In a VPN, the connection between two nodes is not the end-to-end physical link that a traditional private network requires; it is composed dynamically from the resources of the public network.

A VPN is an extension of the enterprise intranet, providing high-performance, low-cost, secure access over the Internet.

How a VPN works: the VPN client establishes a connection (called a tunnel) with the VPN gateway, encapsulates the user's data packets into IP packets and transmits them to the VPN gateway through the tunnel; after receiving and decapsulating them, the VPN gateway can read the meaningful packets. The reverse direction works the same way. Messages can be encrypted at both ends of the tunnel so that other users on the Internet cannot read them, which makes the transmission safe and reliable. The tunnel is implemented by a tunnel protocol. Tunnel protocols are divided into Layer 2 and Layer 3 tunnel protocols according to whether the tunnel is built at Layer 2 or Layer 3 of the OSI model.

Layer 2 tunnel protocols: a Layer 2 tunnel protocol encapsulates an entire PPP frame inside the tunnel. The existing Layer 2 tunnel protocols include:
PPTP (Point-to-Point Tunneling Protocol): supports point-to-point PPP tunneling over IP networks. PPTP acts as the call control and management protocol and uses an enhanced GRE (Generic Routing Encapsulation) to encapsulate the transmitted PPP packets, with flow control and congestion control for them.

L2TP (Layer 2 Tunneling Protocol): a Layer 2 tunnel protocol drafted by the IETF with participation from Microsoft and other companies; it has become a standard RFC. L2TP can be used to implement dial-up VPN services or leased-line VPN services.

Layer 3 tunnel protocols: user data is encapsulated at Layer 3 of the network protocol stack. The following tunnel protocols are available:
IPSec (IP Security): IPSec is not a single protocol; it provides a complete architecture for data security on IP networks, including AH (Authentication Header), ESP (Encapsulating Security Payload) and IKE (Internet Key Exchange), to ensure the integrity, authenticity, anti-replay protection and confidentiality of packets while they are transmitted over the network.

GRE (Generic Routing Encapsulation): a general routing encapsulation protocol used to encapsulate any network layer protocol inside another network layer protocol.

There are also MPLS VPN and SSL VPN.

Taking the Layer 3 tunnel protocols as an example, their specific configurations are summarized below.

I. IPSec configuration:
IPSec works in two phases:
IPSec Phase 1 (IKE security negotiation): verifies whether the remote gateway holds a matching pre-shared key, thereby authenticating the two VPN gateways or VPN clients to each other.
IPSec Phase 2 (IPSec security negotiation): generates a session key that protects the VPN data stream, using the IPSec connection parameters. In Phase 2, new keying material is derived from the Diffie-Hellman key exchange of Phase 1 and used as the session key to protect the VPN data stream. Once Phase 2 negotiation completes, a VPN connection is established and ready for use.
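As an added example (the original post's IPSec configuration survives only as an image, so this is not the author's configuration), the two phases map onto an IOS site-to-site configuration as follows; the peer addresses, subnets, policy names and the PSK placeholder are all assumptions.

```cisco
! Added example: IKEv1 Phase 1 (ISAKMP) and Phase 2 (IPsec) on an IOS router.
! Addresses are RFC 5737 / RFC 1918 documentation and private ranges; all names are assumptions.
!
! Phase 1: how the two gateways authenticate each other and protect the IKE channel
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key bound to the peer address (replace the placeholder before use)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2: how the VPN data stream itself is protected (ESP with AES-256 + SHA-256)
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Only traffic matching this ACL is sent into the tunnel; everything else leaves in clear
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! The crypto map ties peer, transform set, PFS and interesting traffic together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Verification: Phase 1 SA should be in state QM_IDLE; Phase 2 SA should show
! increasing "pkts encaps" / "pkts decaps" counters once traffic flows
! show crypto isakmp sa
! show crypto ipsec sa
```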


II. GRE configuration:
GRE is the encapsulation protocol of the Tunnel interface, so to perform GRE encapsulation a tunnel must first be created. Once the tunnel exists, packets can be GRE-encapsulated and decapsulated.
Step 1: encapsulation
After the tunnel interface receives a packet, it passes it to the GRE module for encapsulation. When the GRE module has finished encapsulating, it hands the packet to the IP module for processing. The IP module performs its own processing and then, based on the destination address and the routing table, passes the packet to the corresponding network interface.
Step 2: decapsulation
Decapsulation is the reverse of encapsulation. A packet received on the tunnel interface is sent to the IP module. The IP module checks the destination address and finds that the packet is handled like a normal IP datagram: it removes the IP header and hands the packet to the GRE module. The GRE module performs its own processing (such as checking the key), removes the GRE header, and hands the packet to the passenger protocol module (IPX in this example), which then processes it as an ordinary IPX datagram.
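The Tunnel interface on which the encapsulation and decapsulation steps above take place, as an added IOS example that is not part of the original post; the addresses, interface names and key value are assumptions, and an ISAKMP policy plus pre-shared key for peer 203.0.113.2 are assumed to exist already.

```cisco
! Added example: a GRE tunnel between two sites (site A side) on an IOS router.
! Addresses are RFC 5737 / RFC 1918 documentation and private ranges; names are assumptions.
!
! GRE on its own provides neither confidentiality nor integrity, so an IPsec profile
! is prepared first and attached to the tunnel below (transport mode suffices, since
! the GRE outer IP header already carries the tunnel endpoints).
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROTECT
 set transform-set TS-AES256
!
! The Tunnel interface is where Step 1 happens: packets routed out of Tunnel0 get a
! GRE header, then an outer IP header built from tunnel source/destination.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
! Both ends must set the same key. In Step 2 the GRE module compares it and drops
! packets whose key does not match; it is a tunnel identifier, not a secret.
 tunnel key 1001
! Detect a dead peer instead of black-holing traffic (10 s interval, 3 retries)
 keepalive 10 3
! Encrypt and authenticate the GRE packets with the IPsec profile defined above
 tunnel protection ipsec profile GRE-PROTECT
!
! Route the remote site's prefix into the tunnel so that it gets encapsulated
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Verification: tunnel line/protocol state and the prefix pointing at Tunnel0
! show interface Tunnel0
! show ip route 192.168.2.0
```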


III. MPLS VPN configuration:
MPLS is short for Multi-Protocol Label Switching. MPLS introduces a label mechanism and uses short, fixed-length labels to separate routing from forwarding. A label defines the path of a packet through the network, and data transmission is completed over the label switched path.

The MPLS VPN model consists of three components: CE, PE and P:
CE (Customer Edge): the edge device of the user's network, such as a router or switch, whose interfaces connect directly to the service provider. The CE is not aware that the VPN exists.
PE (Provider Edge) router: the operator's edge router. It is the edge device of the provider network and connects directly to the user's CE. In an MPLS network, all VPN processing takes place on the PE router.
P (Provider) router: a backbone router in the carrier's network that is not directly connected to any CE. P routers must support MPLS.

A simple MPLS VPN configuration example:
Plan the BGP MPLS VPN network:

1. Determine the role of each router (P, PE, CE)

2. Determine the PE-CE routing mode (BGP, RIP, OSPF or static)

3. Determine the VRF plan on the PE (VRF, RD, RT, interface)

Configuration steps:

1. Configure the PE router

2. Configure the P router

3. Verification Test

Configure the PE: configure the VRF

Router(config)# ip cef
Router(config-if)# mpls ip
Router(config)# ip vrf vrf_name
Router(config-vrf)# rd rd_number
Router(config-vrf)# route-target export rt_number
Router(config-vrf)# route-target import rt_number

Configure the P router:

Router(config)# ip cef
Router(config-if)# tag-switching ip

or

Router(config)# ip cef
Router(config-if)# mpls ip

Enable CEF, then enable the label mechanism on the required interfaces

Configure the PE router: enable the VRF on the interface

Router(config)# interface Serial1/1
Router(config-if)# ip vrf forwarding vrf_name

(Note: applying ip vrf forwarding removes any IP address already configured on the interface, so re-enter the interface address afterwards.)

Configure the PE router: configure PE-CE routing

Static routing:

Router(config)# ip route vrf vrf_name dest-ip subnet-mask next-hop
Configure the PE router: configure MP-iBGP

router bgp 223
 neighbor 10.0.4.1 remote-as 223
 neighbor 10.0.4.1 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf C_A
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.4.1 activate
  neighbor 10.0.4.1 send-community both
  no auto-summary
 exit-address-family

This summary should help with learning and using VPNs. Discussion is welcome.

This article is from the "dripping water and stone" blog and will not be reposted!
