If you are building a 15-site VPN network and most of the traffic flows from spoke to hub, but some traffic must flow from spoke to spoke, choosing from mesh, partial mesh, and hub and spoke, which topology should you choose?

Hub and spoke is the most appropriate here because, with 15 sites, you will need 105 bidirectional IPsec tunnels to build a full mesh. If key spokes must communicate, you can consider a partial mesh to allow these sites to talk directly to one another. By using a simple hub-and-spoke design, spokes can still communicate with one another through the head end.

In which situations is routing unnecessary in an IPsec VPN?

There are a few reasons you might not need routing:

• You have less than five sites with a small number of networks at each site.
• You have requirements to support IPsec hardware that have no provisions for routing. (In this case, management will be difficult in larger networks.)
• You are running only a remote user VPN and no site-to-site.

In its simplest form, how many security associations (SAs) are required to establish bidirectional communication between two IPsec peers?

Three. One bidirectional SA for IKE and two unidirectional IPsec SAs, one for each direction of traffic flow.

When might it be appropriate to use an application layer VPN instead of IPsec?

If the applications you are running are limited to a small set (23 or less), you could potentially rely on application layer security. For example, small retail stores could elect to send point-of-sale information back to HQ over an SSL/TLS tunnel instead of going through the complexity of setting up a full IPsec implementation. In most networks, though, there are a sufficient number of applications to warrant using IPsec.

If you have an IPsec VPN deployed for remote users and remote sites, is there any reason you might also deploy SSL/TLS application security?

Besides the obvious e-commerce situation, you might also use SSL/TLS when communicating with business partners if you are sharing only a single application. Likewise, you might wish to provide your employees with remote e-mail access over HTTPS when they are not at their normal workstations. It is also appropriate to use SSL/TLS tunnels for traffic within IPsec as an added layer of security. This is particularly true because current IPsec deployments often aren't from host to host; rather thye're from host to gateway or gateway to gateway and don't protect all the way to the host.

Why are you able to run transport mode IPsec when you deploy GRE + IPsec?

Because GRE encapsulates all traffic, it appears to the IPsec process as two hosts communicating with one another. This one-to-one communication makes transport mode possible.