Deploying IPsec on MPLS

The models discussed in the previous section describe where IPsec tunnels are established (for example, PE-PE), but not how the tunnels get established, which is the second design consideration when deploying IPsec networks. The main options for IPsec tunnel establishment are

  • Static IPsec? In this model, every IPsec node is configured statically with all its IPsec peers, the authentication information, and the security policy. This is the oldest way of configuring IPsec. It is hard to configure because each IPsec node requires significant configuration; but because this is the oldest way of configuring IPsec, it is supported on most platforms today. Static IPsec is described in RFC 2401?2412. It can be applied CE-CE and PE-PE.

  • Dynamic IPsec? In hub-and-spoke environments, the hub can be configured without specific information for each spoke; only the spokes know how to reach the hub, and an IPsec tunnel is established only if the spoke can authenticate itself. Remote access IPsec uses a similar idea, but authentication is usually done on an AAA server. Dynamic IPsec is supported today also, and can be used for CE-CE as well as PE-PE.

  • Dynamic Multipoint VPN (DMVPN)? This model works with the principle of the Next Hop Resolution Protocol (NHRP): Every IPsec node holds information about how to reach a next hop server, which returns the address of the target IPsec node to the originating node. This is a very scalable way to dynamically establish IPsec tunnels on demand. DMVPN works CE-CE and PE-PE.

  • Group Domain of Interpretation (GDOI)? All the previous models maintain an IPsec security association per peer, even if the peer is found dynamically. This sets limits to the number of nodes that can be within one IPsec domain because every node must keep state for every active peer. GDOI maintains only a single security association for the whole group of IPsec nodes, such as for all nodes within a VPN. This means that all IPsec nodes in a group must share the same encryption/authentication key. The key is managed by a secure key server. Each node establishes a static IPsec connection to the key server; the rest of the group is dynamic and does not require state. GDOI is described in RFC 3547. GDOI was not yet available at the time of writing this book.

These various IPsec designs can be quite complex, with many suboptions for each model. This book can only give an overview. For more information on IPsec technology, refer to


As explained in Chapter 1, "MPLS VPN Security: An Overview," the overall security of a solution depends on three parts: correct architecture, operation, and implementation. This section discusses the architecture and its features. To make the overall network secure, the IPsec service must also be implemented and operated correctly.