Deploying Site-to-Site IPsec VPNs
IPsec provides security services at the IP layer (data origin authentication, integrity, confidentiality, and anti-replay protection), and it has become an extremely popular way to provision both site-to-site and remote-access VPNs. In a site-to-site VPN, IPsec tunnels are built between an organization's sites, and all traffic exchanged between those sites is authenticated and/or encrypted as it crosses the intervening, untrusted network.
Depending on connectivity requirements and other considerations, site-to-site IPsec VPNs can be deployed in full-mesh, partial-mesh, or hub-and-spoke architectures, as shown in Figure 6-1.
Figure 6-1. Full-Mesh, Partial-Mesh, and Hub-and-Spoke IPsec VPN Architectures
As illustrated in Figure 6-1, in a hub-and-spoke architecture, each spoke (remote) site has an IPsec tunnel to the hub (central) site and no direct tunnels to other spokes. Spoke-to-spoke traffic therefore transits the hub, which terminates both tunnels: it decrypts traffic arriving from one spoke and re-encrypts it toward the other, so the hub handles that traffic in cleartext and is also a bottleneck and a single point of failure for it. In a partial-mesh architecture, some, but not all, pairs of sites have direct tunnels between them; typically the sites that exchange the most traffic are linked directly, and the remaining pairs still reach each other through a hub. Finally, in a full-mesh architecture, every site has a direct tunnel to every other site, which removes the dependency on a hub at the cost of n(n-1)/2 tunnels for n sites.
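To make the trade-offs between the three architectures concrete, the following added example (not part of the original chapter) models each topology as a set of IPsec peer pairs, counts the tunnels each requires, and, for any pair of sites, works out which path the traffic takes and which intermediate sites terminate a tunnel and therefore handle that traffic in cleartext. The site names, the choice of hub, and the single direct spoke-to-spoke link used for the partial mesh are constructed for illustration.

```python
"""Model the site-to-site IPsec VPN topologies of Figure 6-1.

Added example, not code from the original chapter. Each IPsec tunnel is
an undirected pair of sites; a site that forwards traffic between two of
its tunnels decrypts it on one and re-encrypts it on the other, so it
handles the traffic in cleartext.
"""
from collections import deque
from itertools import combinations


def full_mesh_tunnels(sites):
    """Every pair of sites has a direct tunnel: n(n-1)/2 tunnels for n sites."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_and_spoke_tunnels(hub, spokes):
    """Each spoke has exactly one tunnel, to the hub: n-1 tunnels for n sites."""
    return {frozenset((hub, spoke)) for spoke in spokes}


def partial_mesh_tunnels(hub, spokes, direct_spoke_pairs):
    """Hub-and-spoke plus direct tunnels between selected spoke pairs."""
    tunnels = hub_and_spoke_tunnels(hub, spokes)
    tunnels |= {frozenset(pair) for pair in direct_spoke_pairs}
    return tunnels


def path(tunnels, src, dst):
    """Shortest sequence of sites that traffic from src to dst traverses.

    Each hop is one IPsec tunnel. Returns None if dst is unreachable with
    the given tunnel set (for example a site with no tunnel at all).
    """
    adjacency = {}
    for tunnel in tunnels:
        a, b = tuple(tunnel)
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    previous = {src: None}
    queue = deque([src])
    while queue:
        current = queue.popleft()
        if current == dst:
            hops = []
            while current is not None:
                hops.append(current)
                current = previous[current]
            return hops[::-1]
        for neighbour in adjacency.get(current, ()):
            if neighbour not in previous:
                previous[neighbour] = current
                queue.append(neighbour)
    return None


def cleartext_sites(tunnels, src, dst):
    """Sites other than src and dst that see the traffic decrypted in transit."""
    hops = path(tunnels, src, dst)
    if hops is None:
        return None
    return hops[1:-1]


if __name__ == "__main__":
    # Constructed sample topology: one central site and four remote sites.
    hub = "HQ"
    spokes = ["Branch-A", "Branch-B", "Branch-C", "Branch-D"]
    sites = [hub] + spokes
    topologies = {
        "hub-and-spoke": hub_and_spoke_tunnels(hub, spokes),
        "partial-mesh": partial_mesh_tunnels(hub, spokes, [("Branch-A", "Branch-B")]),
        "full-mesh": full_mesh_tunnels(sites),
    }
    for name, tunnels in topologies.items():
        print(f"{name}: {len(tunnels)} tunnels")
        for a, b in [("Branch-A", "Branch-B"), ("Branch-A", "Branch-C")]:
            print(f"  {a} -> {b}: path {path(tunnels, a, b)}, "
                  f"cleartext at {cleartext_sites(tunnels, a, b)}")
```

Running the block shows the point the architecture discussion makes: with five sites, hub-and-spoke needs 4 tunnels but every spoke-to-spoke flow is decrypted at HQ, full mesh needs 10 tunnels and exposes spoke-to-spoke traffic to no third site, and the partial mesh sits between the two, protecting only the spoke pair that was given a direct tunnel.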
When designing and deploying IPsec VPNs, it is essential to have a solid grasp of the underlying technology and configuration. This chapter introduces IPsec and discusses site-to-site VPN configuration.