Site-to-Site VPNs (IPsec)
Last updated
Last updated
A 'site-to-site' VPN is a VPN between two devices and is used to connect two sites together over the Internet.
A VPN 'tunnel' is created between the two devices by encapsulating the original IP packet with a VPN header and a new IP header.
When using a IPsec, the original packet is encrypted before being encapsulated with the new header.
Let's summarize that process:
The sending device combines the original packet and session key (encryption key) and runs them through an encryption formula.
The sending device encapsulated the encrypted packet with a VPN header and a new IP header.
The sending device sends the new packet to the device on the other side of the tunnel.
The receiving device decrypts the data to get the original packet, and then forwards the original packet to its destination.
In a 'site-to-site' VPN, a tunnel is formed only between two tunnelo endpoints (for example, the two routers connected to the Internet).
All other devices in each site don't need to create a VPN for themselves. They can send unencrypted data to their site's router, which will encrypt it and forward it in the tunnel as described above.
There are some limitations to standard IPsec:
IPsec doesn't support broadcast and multicast traffic, only unicast. This means that routing protocols such as OSPF can't be used over the tunnels, because they rely on multicast traffic.
This can be solved with 'GRE over IPsec'
Configuring a full mesh of tunnels between many sites is a labor-intensive task.
This can be solved with Cisco's DMVPN.
GRE (Generic Routing Encapsulation) creates tunnels like IPsec, however it does not encrypt the original packet, sot it not secure.
However, it has the advantage of being able to encapsulate a wide variety of Layer 3 protocols as well as broadcast and multicast messages.
To get the flexibility of GRE with the security of IPsec, 'GRE over IPsec' can be used.
The original packet will be encapsulated by a GRE header and a new IP header, and then the GRE packet will be encrypted and encapsulated within an IPsec VPN header and new IP header.
DMVPN (Dynamic Multipoint VPN) is a Cisco-developed solution that allows routers to dynamically create a full mesh of IPsec tunnels without having to manually configure every single tunnel.
Configure IPsec tunnels to a hub site.
The hub router gives each router information about how to form an IPsec tunneld with the other routers.
DMVPN provides the configuration simplicity of hub-and-spoke (each spoke router only needs one tunnel configured) and the efficiency of direct spoke-to-spoke communication (spoke routers can communicate directly without passing through the hub).
