Cybersecurity for Beginners: CRYPTOGRAPHY FUNDAMENTALS & NETWORK SECURITY by HOFFMAN HUGO & HOFFMAN HUGO
Author: HOFFMAN, HUGO & HOFFMAN, HUGO [HOFFMAN, HUGO]
Language: eng
Format: azw3, epub
Published: 2020-06-18T16:00:00+00:00
Chapter 37 DMVPN & Site-to-site VPN
A site-to-site VPN is an IPSec connection in which our routers form a tunnel between sites. Generally, either a routing protocol directs traffic over the tunnel, or we use what's called a crypto ACL.
The crypto ACL defines the local and foreign networks between which traffic will be encrypted. We use the routing functionality in the device to determine how to get from one side to the other. At this point, we can take all packets from an inside host, move them across the tunnel, and deliver them to a foreign destination, that is, a host on another network within our organization.
That's simple, but let's back up for a second. That is what we call a site-to-site VPN. Another type of VPN that's fairly common in the Cisco world is the dynamic multipoint VPN. In a dynamic multipoint VPN, one device is known as the hub and the other devices are known as spokes. Each spoke can establish a tunnel to the hub and pass traffic to it.
The spokes also use a protocol called NHRP, the Next Hop Resolution Protocol, to resolve the address of another spoke so that they can build spoke-to-spoke tunnels dynamically. The result is a full-mesh type of network in which I can go from point A through a tunnel to point B, or from point A through another tunnel to another spoke, destination C, on the other end.
The spoke-to-spoke tunnel is dynamic, so when there is no traffic between the two spokes, the tunnel can be torn down, which makes it an excellent way to establish VPN connectivity. This is called DMVPN, dynamic multipoint VPN. It's a popular concept in the Cisco world, and something you'll run into as time goes by.
This should give you an overview of regular site-to-site VPN as well as the DMVPN capability of Cisco routers, which brings up another point worth mentioning: DMVPN does not work on Cisco ASAs. Part of the DMVPN functionality requires that we use GRE, Generic Routing Encapsulation. Cisco ASA firewalls do not support GRE, nor do they support NHRP. While they do IPSec site-to-site tunnels, a Cisco ASA will not support DMVPN because it doesn't do NHRP and it doesn't do GRE.
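The two designs described in this chapter, side by side, as an added Cisco IOS configuration example that is not taken from the book: a site-to-site tunnel selected by a crypto ACL, then a DMVPN hub and spoke built on multipoint GRE and NHRP. All addresses (documentation ranges), object names, interface names and the `<PRE-SHARED-KEY>` placeholder are assumptions.

```cisco
! Router A: site-to-site IPsec selected by a crypto ACL (addresses constructed)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
! Crypto ACL: local network first, foreign network second
ip access-list extended CRYPTO-A-TO-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map SITE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address CRYPTO-A-TO-B
interface GigabitEthernet0/0
 crypto map SITE-MAP
!
! DMVPN hub: multipoint GRE + NHRP, no crypto ACL; IPsec profile on the tunnel
! (same isakmp policy as above assumed)
! Wildcard key for brevity; certificates avoid one key shared by all spokes
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS-DMVPN
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! DMVPN spoke: same crypto settings; registers with the hub as its NHRP server
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp map 172.16.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
```

The `tunnel mode gre multipoint` and `ip nhrp` lines are the GRE and NHRP dependencies the chapter names as the reason DMVPN does not run on a Cisco ASA.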