Virtual Private Networks (VPNs) are used to ensure the security of data across the Internet. A VPN is used to create a private tunnel over a public network. Data can be secured by using encryption in this tunnel through the Internet and by using authentication to protect data from unauthorized access.
1. VPNs
The first VPNs were strictly IP tunnels that did not include authentication or encryption of the data. Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels. This creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork.
The benefits of a VPN include the following:
- Cost savings - VPNs enable organizations to use cost-effective, third-party Internet transport to connect remote offices and remote users to the main site, thereby eliminating expensive, dedicated WAN links and modem banks. Furthermore, with the advent of cost-effective, high-bandwidth technologies, such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
- Scalability - VPNs enable organizations to use the Internet infrastructure of ISPs, which makes it easy to add new users. Therefore, organizations are able to add large amounts of capacity without adding significant infrastructure of their own.
- Compatibility with broadband technology - VPNs allow mobile workers and telecommuters to take advantage of high-speed, broadband connectivity, such as DSL and cable, to access their organizations' networks. Broadband connectivity provides flexibility and efficiency. High-speed, broadband connections also provide a cost-effective solution for connecting remote offices.
- Security - VPNs can include security mechanisms that provide confidentiality, integrity and peer authentication (for example IPsec) to protect data from unauthorized access and tampering. Note the word "can": a tunnel by itself is not a secure VPN. A plain GRE tunnel, as configured in section 2, carries its payload in cleartext with no authentication.
There are two types of VPN networks:
- site-to-site
- remote-access
Site-to-Site VPN
A site-to-site VPN is created when devices on both sides of the VPN connection are aware of the VPN configuration in advance. The VPN remains static, and internal hosts have no knowledge that a VPN exists. In a site-to-site VPN, end hosts send and receive normal TCP/IP traffic through a VPN "gateway". The VPN gateway is responsible for encapsulating and encrypting all outbound traffic from a particular site. The VPN gateway then sends it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
A site-to-site VPN is an extension of a classic WAN network. Site-to-site VPNs connect entire networks to each other, for example, they can connect a branch office network to a company headquarters network. In the past, a leased line or Frame Relay connection was required to connect sites, but because most corporations now have Internet access, these connections can be replaced with site-to-site VPNs.
Remote-access VPNs
Where a site-to-site VPN is used to connect entire networks, a remote-access VPN supports the needs of telecommuters, mobile users, and extranet, consumer-to-business traffic. A remote-access VPN is created when VPN information is not statically set up, but instead allows for dynamically changing information, and can be enabled and disabled. Remote-access VPNs support a client/server architecture, where the VPN client (remote host) gains secure access to the enterprise network via a VPN server device at the network edge.
Remote-access VPNs are used to connect individual hosts that must access their company network securely over the Internet. Internet connectivity used by telecommuters is typically a broadband, DSL, wireless, or cable connection.
VPN client software may need to be installed on the mobile user’s end device; for example, each host may have Cisco AnyConnect Secure Mobility Client software installed. When the host tries to send any traffic, the Cisco AnyConnect VPN Client software encapsulates and encrypts this traffic. The encrypted data is then sent over the Internet to the VPN gateway at the edge of the target network. Upon receipt, the VPN gateway behaves as it does for site-to-site VPNs.
2. Site-to-Site GRE Tunnels
GRE has these characteristics:
- GRE is defined as an IETF standard (RFC 2784).
- In the outer IP header, 47 is used in the protocol field to indicate that a GRE header will follow.
- GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol. The protocol type values are the "EtherTypes" originally listed in RFC 1700 (now maintained in the IANA EtherType registry); for example, 0x0800 indicates an IPv4 payload.
- GRE itself is stateless; by default it does not include any flow-control mechanisms.
- GRE does not include any security mechanisms to protect its payload: no encryption, no integrity protection and no peer authentication. The optional key field (RFC 2890) only identifies a traffic flow; it is sent in cleartext and is not a secret. To secure a GRE tunnel it must be protected by IPsec (GRE over IPsec).
- The GRE header (4 bytes in its basic form), together with the outer tunneling IP header (20 bytes), adds at least 24 bytes of overhead to every tunneled packet, which reduces the effective MTU of the path.
GRE Configuration:
Step 1: Configure the physical and loopback interfaces
R1 loopback 0 : 1.1.1.1/24
R1 s1/0 1.1.12.1/24
R2 s1/0 1.1.12.2/24
R2 s1/1 1.1.23.2/24
R3 s1/1 1.1.23.3/24
R3 loopback 0: 3.3.3.3/24
Step 2: Configure the underlay routes (R1 and R3 reach each other's serial address through R2)
R1(config)#ip route 0.0.0.0 0.0.0.0 s1/0
R3(config)#ip route 0.0.0.0 0.0.0.0 s1/1
Step 3: Configure the tunnel interfaces. The tunnel source and destination must be reachable through the underlay (here via the default routes), never through the tunnel itself; otherwise IOS detects recursive routing and shuts the tunnel down.
R1(config)#interface tunnel 0
R1(config-if)#tunnel mode gre ip
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#tunnel source 1.1.12.1
R1(config-if)#tunnel destination 1.1.23.3
R3(config)#interface tunnel 0
R3(config-if)#tunnel mode gre ip
R3(config-if)#ip address 192.168.2.2 255.255.255.0
R3(config-if)#tunnel source 1.1.23.3
R3(config-if)#tunnel destination 1.1.12.1
Step 4: Run OSPF over the tunnel and advertise the loopbacks. OSPF must also be enabled on the tunnel interface (192.168.2.0/24) so that R1 and R3 form an adjacency across the tunnel; with only the loopback network statements neither router learns the other's loopback and the ping below fails. Do not advertise the serial (underlay) networks into this OSPF process, or the tunnel destination would be learned through the tunnel itself (recursive routing).
R1(config)#router ospf 1
R1(config-router)#network 1.1.1.0 0.0.0.255 area 0
R1(config-router)#network 192.168.2.0 0.0.0.255 area 0
R3(config)#router ospf 1
R3(config-router)#network 3.3.3.0 0.0.0.255 area 0
R3(config-router)#network 192.168.2.0 0.0.0.255 area 0
Test (ping R3's loopback from R1's loopback, so the packets cross the tunnel):
R1#ping 3.3.3.3 sou lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/24/32 ms
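The ping above proves the tunnel forwards traffic, but it says nothing about what an observer on R2 or anywhere on the underlay path sees. The following Python example, added to these notes and not part of the original lab or of any Cisco code, builds the GRE-in-IPv4 packet that R1 emits for this ping (outer header 1.1.12.1 to 1.1.23.3 with protocol 47, basic GRE header with protocol type 0x0800, inner header 1.1.1.1 to 3.3.3.3 carrying ICMP) and then dissects it the way the peer router, or any on-path host, would. It illustrates the GRE characteristics listed earlier in this section: the fixed 24 bytes of overhead, the protocol type field, and the absence of any protection, since the inner packet and its payload are recovered without any key or secret. The ICMP payload bytes, IP identification value and TTL are constructed sample values.

```python
"""Added example: hand-built GRE-in-IPv4 encapsulation and dissection.
Not from the original notes; models the lab's 'ping 3.3.3.3 source lo 0'."""
import socket
import struct

GRE_IP_PROTO = 47        # outer IPv4 protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
IP_PROTO_ICMP = 1
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header; identification and TTL are constructed demo values."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gre_header(protocol_type: int = ETHERTYPE_IPV4) -> bytes:
    """Basic RFC 2784 GRE header: flags/version all zero (no checksum, key or
    sequence number) followed by the 16-bit protocol type. Four bytes total."""
    return struct.pack("!HH", 0x0000, protocol_type)


def icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request (type 8) with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", checksum(hdr + data)) + hdr[4:] + data


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What the tunnel source router does: prepend GRE, then an outer IP header
    whose protocol field is 47."""
    gre = gre_header() + inner
    return ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTO, len(gre)) + gre


def gre_decapsulate(packet: bytes) -> dict:
    """What the peer router, or anyone on the path, can do: parse the outer IP
    header, confirm protocol 47, skip the GRE header (honouring the C/K/S flag
    bits that add optional fields) and read the inner packet in cleartext."""
    outer = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (outer[0] & 0x0F) * 4
    if outer[6] != GRE_IP_PROTO:
        raise ValueError("outer protocol is not GRE (47)")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:  # C bit: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:  # K bit: key present (RFC 2890), an identifier, not a secret
        gre_len += 4
    if flags & 0x1000:  # S bit: sequence number present
        gre_len += 4
    inner = packet[ihl + gre_len:]
    inner_hdr = struct.unpack(IPV4_FMT, inner[:20])
    return {
        "outer_src": socket.inet_ntoa(outer[8]),
        "outer_dst": socket.inet_ntoa(outer[9]),
        "protocol_type": proto_type,
        "overhead": ihl + gre_len,          # bytes added by the tunnel
        "inner_src": socket.inet_ntoa(inner_hdr[8]),
        "inner_dst": socket.inet_ntoa(inner_hdr[9]),
        "inner_proto": inner_hdr[6],
        "inner_payload": inner[(inner_hdr[0] & 0x0F) * 4:],  # ICMP header + data
    }


def tunneled_ping() -> dict:
    """Model one echo request of the lab's ping crossing the R1 -> R3 tunnel."""
    echo = icmp_echo(ident=1, seq=1, data=b"constructed sample payload")
    inner = ipv4_header("1.1.1.1", "3.3.3.3", IP_PROTO_ICMP, len(echo)) + echo
    wire = gre_encapsulate(inner, "1.1.12.1", "1.1.23.3")
    return gre_decapsulate(wire)


if __name__ == "__main__":
    for key, value in tunneled_ping().items():
        print(f"{key}: {value!r}")
```

Running it shows the outer addresses 1.1.12.1 and 1.1.23.3, protocol type 0x0800, an overhead of exactly 24 bytes, and the inner 1.1.1.1 to 3.3.3.3 ICMP packet with its payload bytes intact. Nothing in the dissection step requires knowledge of the tunnel configuration beyond what is in the packet itself, which is the practical meaning of "GRE does not include any security mechanisms": anyone who can capture the underlay traffic can read and replay it unless the tunnel is wrapped in IPsec.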