Designing site-to-site IPSec VPNs

Boštjan Šuštar, one of our security gurus, started a formidable journey: he will document all Cisco IOS IPSec design architecture options in a series of IP Corner articles. In the first article, he's describing the venerable technology available "forever" in Cisco IOS – the static and dynamic crypto-maps. I particularly like the introductory paragraph explaining the need for IP encryption:

Once upon a time, in the land of IP, there was a wide area network (WAN) providing connectivity between clients and servers, and all was well. Then, suddenly, bad things started to happen, and paranoia spread throughout the land. Firewalls grew around hamlets to protect them from the unknown beyond the realm of calm, but then packets were forced to travel through the dark forests of the WAN. There was a need to provide them with protection.

4 comments:

  1. Ivan,

    The link in the article is pointing to The OSPF Default Mysteries story.

  2. This is what happens when you use cut-and-paste :( Thanks, I've fixed it.

  3. Ivan:

    I recently finished a year-long project on evaluating and testing GETVPN, and in your article on page 2, the term Dynamic Group VPN (DGVPN) was actually the name Cisco used internally before GETVPN was officially launched in Dec. 2006. Therefore, GETVPN is actually DGVPN. Unless this is something totally new that just popped up from Cisco, I think Mr. Sustar can consider making a reference that the term DGVPN is now formally known as GETVPN to avoid confusion.

    - William

  4. William,
    you are correct in stating the status with official feature naming. I mistakenly used the acronym DGVPN to represent multipoint GRE tunnels (like DMVPN) using GETVPN underneath. This solution actually does not have an official name; a configuration guide on the CCO uses a rather long but descriptive (though not entirely correct) name "Implementing Group Domain of Interpretation in a Dynamic Multipoint VPN". I will correct the article accordingly.

    Thanks, Bostjan

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.