{"id":666,"date":"2018-02-05T12:21:54","date_gmt":"2018-02-05T11:21:54","guid":{"rendered":"http:\/\/www.quisted.net\/?p=666"},"modified":"2018-02-05T12:21:54","modified_gmt":"2018-02-05T11:21:54","slug":"vpn-design","status":"publish","type":"post","link":"https:\/\/www.quisted.net\/index.php\/2018\/02\/05\/vpn-design\/","title":{"rendered":"VPN Design"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_80 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-1\" 
href=\"https:\/\/www.quisted.net\/index.php\/2018\/02\/05\/vpn-design\/#Remote_Access_VPN_design\" >Remote Access VPN design<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.quisted.net\/index.php\/2018\/02\/05\/vpn-design\/#Placement_of_the_VPN_Termination_Device\" >Placement of the VPN Termination Device:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.quisted.net\/index.php\/2018\/02\/05\/vpn-design\/#Routing_the_traffic_back\" >Routing the traffic back<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.quisted.net\/index.php\/2018\/02\/05\/vpn-design\/#Site-to-Site_VPN_Wan_replacement_or_backup\" >Site-to-Site VPN: Wan replacement or backup<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.quisted.net\/index.php\/2018\/02\/05\/vpn-design\/#VPN_Variations\" >VPN Variations<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.quisted.net\/index.php\/2018\/02\/05\/vpn-design\/#VPN_Scalability\" >VPN Scalability<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.quisted.net\/index.php\/2018\/02\/05\/vpn-design\/#Routing_procol_over_VPN_Suggestions\" >Routing procol over VPN Suggestions<\/a><\/li><\/ul><\/nav><\/div>\n<h3><span class=\"ez-toc-section\" id=\"Remote_Access_VPN_design\"><\/span><span style=\"color: #3366ff;\">Remote Access VPN design<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>For a VPN you need a<strong> termination device <\/strong>(vpn concentrator \/ Firewall), a <strong>client<\/strong> and the connecting <strong>technology<\/strong> for tunneling.<\/li>\n<li>Cisco Easy VPN.<\/li>\n<li>Client 
options\n<ul>\n<li>IPsec VPN client<\/li>\n<li>SSL VPN clientless access<\/li>\n<li>SSL VPN thin client<\/li>\n<li>SSL VPN thick client<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Placement_of_the_VPN_Termination_Device\"><\/span><strong>Placement of the VPN Termination Device:<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><a href=\"http:\/\/vps.quisted.net\/wp-content\/uploads\/2018\/02\/VPN-placement.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-670 size-full\" src=\"http:\/\/vps.quisted.net\/wp-content\/uploads\/2018\/02\/VPN-placement.png\" alt=\"VPN termination device placement options\" width=\"527\" height=\"464\" srcset=\"https:\/\/www.quisted.net\/wp-content\/uploads\/2018\/02\/VPN-placement.png 527w, https:\/\/www.quisted.net\/wp-content\/uploads\/2018\/02\/VPN-placement-300x264.png 300w\" sizes=\"auto, (max-width: 527px) 100vw, 527px\" \/><\/a><\/p>\n<ul>\n<li><strong>Parallel<\/strong> placement\n<ul>\n<li>Easy implementation.<\/li>\n<li>Less secure because VPN traffic bypasses the firewall.<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"color: #339966;\"><strong>Inline<\/strong> placement<\/span>\n<ul>\n<li><strong>RECOMMENDED<\/strong><\/li>\n<li>Traffic from the termination device is routed through the firewall.\n<ul>\n<li>Filtering rules in place to keep VPN users out of resources they should not reach.<\/li>\n<\/ul>\n<\/li>\n<li>VPN termination device is exposed to the outside world.<\/li>\n<\/ul>\n<\/li>\n<li><strong>DMZ<\/strong> placement\n<ul>\n<li>Traffic goes through the firewall to reach the termination device, and through the firewall again afterwards.<\/li>\n<li>Hardest to implement, best security.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Routing_the_traffic_back\"><\/span><strong>Routing the traffic back<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>The internal network needs a route to reach the VPN clients.<\/li>\n<li>Small orgs typically use a static route to the VPN termination device.<\/li>\n<li>Larger orgs use <strong>reverse 
route injection ( RRI )<\/strong> &#8211; OSPF \/ RIPV host routes.<\/li>\n<li>Clients can get addresses via DHCP ( common ) or static assignment ( via RADIUS \/ LDAP ).<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Site-to-Site_VPN_Wan_replacement_or_backup\"><\/span><span style=\"color: #3366ff;\">Site-to-Site VPN: WAN replacement or backup<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>Cost effective.<\/li>\n<li>(Typically) faster.<\/li>\n<li>More available.<\/li>\n<li>Secure (HIPAA).\n<ul>\n<li><em>Health Insurance Portability and Accountability Act<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Core principles for success with Site-to-Site VPNs<\/strong><\/p>\n<ul>\n<li>IPsec VPN acts as an &#8216;overlay network&#8217; ( tunnel ).<\/li>\n<li>Larger organizations will want dynamic routing.\n<ul>\n<li>IPsec is for TCP or UDP traffic only.<\/li>\n<\/ul>\n<\/li>\n<li>To handle multicast \/ broadcast use <strong>GRE tunnels<\/strong> ( inside IPsec ).<\/li>\n<li>Scale your VPN devices:\n<ul>\n<li>Head-end device <strong><span style=\"color: #ff0000;\">50% CPU.<\/span><\/strong><\/li>\n<li>Branch devices <strong><span style=\"color: #ff0000;\">65% CPU.<\/span><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<blockquote class=\"wp-embedded-content\" data-secret=\"syX53efsRp\"><p><a href=\"http:\/\/www.quisted.net\/route\/ospf-over-gre-with-ipsec\/\">OSPF over GRE (with and without IPsec)<\/a><\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"VPN_Variations\"><\/span><span style=\"color: #3366ff;\">VPN Variations<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>Easy VPN<\/strong>\n<ul>\n<li>Centralizes VPN configuration.<\/li>\n<li>Eases remote site setup.<\/li>\n<\/ul>\n<\/li>\n<li><strong>GRE + IPsec<\/strong>\n<ul>\n<li>Adds another layer of encapsulation to the VPN.<\/li>\n<li>Allows non-UDP \/ TCP applications to function.<\/li>\n<li>Allows routing protocols to function.<\/li>\n<\/ul>\n<\/li>\n<li><strong>DMVPN<\/strong>\n<ul>\n<li>A typical hub-and-spoke VPN has issues:\n<ul>\n<li>All traffic passes through the hub.<\/li>\n<li>Spoke configuration becomes complicated.<\/li>\n<\/ul>\n<\/li>\n<li>Use DMVPN:\n<ul>\n<li>Single connection to the hub.<\/li>\n<li>Address registered with NHRP.<\/li>\n<li>Automatic GRE-based VPNs ( time limited ) between sites.<\/li>\n<li>Locked down with NHRP network ID \/ password.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Virtual Tunnel Interface ( VTI )<\/strong>\n<ul>\n<li>Use instead of GRE if the router supports it.<\/li>\n<li>Alternative to GRE tunnels. 
Supports non-TCP\/UDP traffic<\/li>\n<li>Saves on the GRE overhead<\/li>\n<li>Simplifies configuration; static or dynamic VTI options<\/li>\n<\/ul>\n<\/li>\n<li><strong>GET VPN<\/strong>\n<ul>\n<li>The VPN for the private WAN ( MPLS-like ).<\/li>\n<li>Original IP header is preserved ( not tunneled ).<\/li>\n<li>Dynamic, full mesh.<\/li>\n<li>Complicated configuration.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"VPN_Scalability\"><\/span><span style=\"color: #3366ff;\">VPN Scalability<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong><span style=\"color: #ff0000;\">Packets per second<\/span><\/strong> matter much more than throughput for VPNs<\/li>\n<li><strong>The marketing:<\/strong>\n<ul>\n<li><span style=\"color: #993366;\">1400 byte packets<\/span><\/li>\n<li><span style=\"color: #993366;\">100% CPU<\/span><\/li>\n<\/ul>\n<\/li>\n<li><strong>The reality:<\/strong>\n<ul>\n<li><span style=\"color: #993366;\">Mix of packet sizes ( VoIP, video )<\/span><\/li>\n<li><span style=\"color: #993366;\">80% CPU<\/span><\/li>\n<\/ul>\n<\/li>\n<li>Test with a realistic traffic simulator instead of packet-blasting iperf\n<ul>\n<li>Iperf is better than nothing, and it&#8217;s free<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Firewalls are specced in a best-case scenario with 1400 byte packets. 
This is almost never the case; the average packet size varies with the traffic type:<\/p>\n\n<table id=\"tablepress-7\" class=\"tablepress tablepress-id-7\">\n<thead>\n<tr class=\"row-1\">\n\t<th class=\"column-1\">Protocol<\/th><th class=\"column-2\">Average packet size<\/th>\n<\/tr>\n<\/thead>\n<tbody class=\"row-striping row-hover\">\n<tr class=\"row-2\">\n\t<td class=\"column-1\">FTP downloads<\/td><td class=\"column-2\">1052 Bytes<\/td>\n<\/tr>\n<tr class=\"row-3\">\n\t<td class=\"column-1\">VoIP<\/td><td class=\"column-2\">60 Bytes<\/td>\n<\/tr>\n<tr class=\"row-4\">\n\t<td class=\"column-1\">HTTP<\/td><td class=\"column-2\">377 Bytes<\/td>\n<\/tr>\n<tr class=\"row-5\">\n\t<td class=\"column-1\">DNS<\/td><td class=\"column-2\">124 Bytes<\/td>\n<\/tr>\n<tr class=\"row-6\">\n\t<td class=\"column-1\">POP3<\/td><td class=\"column-2\">462 Bytes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><span class=\"ez-toc-section\" id=\"Routing_procol_over_VPN_Suggestions\"><\/span>Routing protocol over VPN suggestions<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><span style=\"color: #ff0000;\"><strong>Use EIGRP<\/strong><\/span>\n<ul>\n<li>Can summarize everywhere<\/li>\n<li>Doesn&#8217;t flood the database<\/li>\n<li>Using stub options limits queries<\/li>\n<\/ul>\n<\/li>\n<li>Watch your default EIGRP bandwidth\n<ul>\n<li><strong>9 Kbps<\/strong> default bandwidth on a tunnel interface<\/li>\n<li>EIGRP updates throttle to <strong>50%<\/strong> of the interface bandwidth<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Remote Access VPN design For a VPN you need a termination device (vpn concentrator \/ Firewall), a client and the connecting technology for tunneling. Cisco Easy VPN. 
Client options IPSEC VPN client SSLVPN Clientless Access SSLVPN Thin client SSLVPN Thick client Placement of the VPN Termination Device:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[2,5],"tags":[48,49,83,99,103],"class_list":["post-666","post","type-post","status-publish","format-standard","hentry","category-arc","category-designprinciples","tag-getvpn","tag-hipaa","tag-rri","tag-vpn","tag-vti"],"_links":{"self":[{"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/posts\/666","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/comments?post=666"}],"version-history":[{"count":0,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/posts\/666\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/media?parent=666"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/categories?post=666"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/tags?post=666"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}