LAN-to-LAN (site-to-site) VPNs are a quickly expanding alternative or augmentation to leased line or frame relay WAN infrastructures. VPNs are used to create secure tunnels between two networks via an insecure public network, such as the Internet. The Cisco Concentrator supports three types of tunnels: Layer 2 Tunneling Protocol (L2TP), Point- to-Point Tunneling Protocol (PPTP), and IPSec.
Two types of LAN-to-LAN VPN implementations exist.
Intranet VPNs provide secure connections between branch offices to the enterprise network resources.
Extranet VPNs provide secure connections for special third parties, such as business partners, vendors, and customers to the specified enterprise resources.
While this chapter and the certification exam focus mainly on the Cisco VPN 3000 Concentrators for LAN-to-LAN implementations, note that the VPN peer device at the other end of this type of link can be any of the following common technologies:
Another Cisco VPN Concentrator
A Cisco VPN 3002 Hardware Client
A Cisco IOS router
A Cisco PIX Firewall
A third-party VPN device
Figure 16-1 shows common intranet and extranet VPNs, as well as the different types of Cisco endpoint devices that might be used.
In a LAN-to-LAN implementation, IPSec creates a secure tunnel between the public interfaces of the two VPN Concentrators or endpoint devices. The endpoint devices forward the secure data received over the VPN to the hosts on their private LANs as unencrypted data. No VPN user authentication or configuration exists in a LAN-to-LAN connection. Hosts configured on the private networks can access hosts on the other side of the connection. Any access is subject to any network authentication, group or user permissions, and router access lists.
To configure a LAN-to-LAN connection fully, you must configure identical basic IKE and IPSec parameters on both endpoint devices.
Remember, the IPSec VPN related ports on all network devices between the endpoints must be open. The ports are IKE/ISAKMP UDP port 500, ESP IP protocol number 50, and AH IP protocol number 51.
The scenario used in the following discussion is quite simple, in case someone wants to follow along with appropriate devices. The configuration is based on Figure 16-2, showing a branch location connecting through a VPN Concentrator to another VPN Concentrator at the main office. The scenario assumes the main office has reserved the 128 class C networks 192.168.0.0 to 192.168.127.0 for its internal use. The other private class C addresses have been assigned as needed to the company’s branch locations. The figure shows a branch location assigned the 192.168.144.0 network.
While the diagram assumes a Concentrator at both ends, the central site configuration process won’t change much, regardless of the device at the branch. You might need to modify the IKE and IPSec choices based on what the peer device can support.