IPsec Gateway Devices and Management Servers

Items that are typically part of VPN policy for gateway devices and management servers include the following:

- Roles and responsibilities related to IPsec gateway operations

- Definition for where VPN tunnels should terminate (e.g., between the border router and firewall, on the firewall)

- Security controls that are required to monitor the unencrypted network traffic, such as network-based intrusion detection systems or antivirus software, and their acceptable placement in the network architecture relative to the IPsec gateways

- Authentication requirements for IPsec gateway administrators (e.g., two-factor authentication). This could also include requirements to change all default manufacturer passwords on the gateways and management servers, to have a separate account for each administrator, to change administrator passwords on a regular basis, and to disable or delete an administrator account as soon as it is no longer needed.

- Authentication requirements for IPsec tunnel users, if any. This should include a requirement for how often user accounts are audited.

- Authentication requirements for the IPsec gateway devices

- Security requirements for the IPsec gateway devices and IPsec management servers. For example, an organization might require a firewall to be deployed between an IPsec gateway device and its users, and configured to block all traffic not explicitly approved for use with the IPsec implementation. An organization might also require certain security controls on the IPsec gateway devices and management servers, such as host-based firewalls and antivirus software.

- What information should be kept in audit logs, how long it should be maintained, and how often it should be reviewed

- Requirements for remediating vulnerabilities in the IPsec gateway devices and management servers

- Which types of traffic should be protected by IPsec tunnels, and what types of protection should be applied to each type of traffic

- What types of protection should be applied to communications between an IPsec gateway and an IPsec management server.

IPSec based MVPN

The IPSec protocol suite (RFC 2401) specifies a set of IP extensions that provide security services at the network layer. IPSec technology is based on standard cryptographic technologies that enable very strong data integrity and privacy guarantees. Because IPSec secures network layer connectivity, the IPSec protocol suite guarantees security for any application using it. Security services offered include connectionless integrity, data origin authentication, confidentiality (encryption), and traffic flow confidentiality. These services are provided by two traffic security protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). Each protocol supports two modes: transport mode and tunnel mode. In transport mode, the protocols provide protection primarily for upper layer protocols. In tunnel mode, the protocols are applied to tunneled IP packets. IPSec is normally associated with end-to-end voluntary tunneling approaches, but it can also be used in a network-to-network, compulsory tunneling context and for security at the transport layer when combined with an L2TP based solution. This solution requires that the GGSN directly associate the mobile device’s IP address with the IPSec tunnel so that packets to and from the mobile traverse only that tunnel. Corporations may use private IP addresses, as described in RFC 1918, which are not valid public Internet address assignments and can overlap with addresses used in other networks.

Figure 7 depicts the session flow of a PDP context establishment in which users are authenticated for private network access via highly trusted, third-party Public Key Infrastructure (PKI) service providers. This scenario may be viable for corporations seeking to lower the cost of internal security systems while avoiding full trust in their wireless carrier. Wireless carriers could themselves offer to provide the PKI as part of a value-added service, which might also include wireless e-commerce transaction services for horizontal services/markets. In such cases, each VPN would be defined by filtering rules in a managed firewall, with trusted GPRS HLR look-ups used to authenticate mobile subscribers to “VPN groups” for access behind the corporate firewall.

When implementing and using IPSec, the security and system requirements of users, applications, and sites must be carefully considered. Service providers also need to be aware that IPSec, if deployed incorrectly, can adversely affect users, hosts, and other Internet components. For this reason, corporations using IPSec for wireless remote access and Mobile VPN connectivity might require professional services to provide the necessary expertise for deployment.

An IPSec based VPN is the most likely scenario for wireless operators whose GGSNs cannot support the PPP mode of operation at the required scale. The non-transparent IP based mode does not allow access challenges to be generated by RADIUS servers. Instead, challenges are generated locally by the Mobile Termination (MT) component of the mobile phone. Because it is possible for impostors to tweak mobile phones to generate replayed challenge/response pairs, the AAA mechanisms are weaker (in terms of anti-replay protection) than PPP-based systems, such as those obtained using PPP PDP types. This limits the ability of corporations and ISPs to administer users through AAA and IP address assignment. Instead, corporations, ISPs and their customers must trust wireless carriers to perform all these functions. In today’s security-conscious environment, offering services to ISPs and corporations experienced in handling PPP based communications without supporting PPP-based PDP contexts (or only small numbers of them) severely limits a service provider’s ability to offer business-quality IP services.

Integrated Services

Integrated services running on the same routers as the IPsec VPN must be considered in the overall scalability, because depending on the platform, additional services can impact router performance.

Integrated security services can include firewall, IPS, DoS prevention, Network Admission Control (NAC), and others. Security services tend to be computationally intensive while performing packet inspection and analysis. Integrated security services might not have a direct impact on router performance, depending on the function and what level of acceleration is provided in hardware on the specific platform. If the security services are performed in the main router CPU, enabling the service will most likely affect performance. Integrated security services are most commonly deployed in branch office routers, but increasingly are being deployed in headend aggregation routers as well, especially in scenarios where an untrusted transport service, such as the Internet, is being used for WAN or VPN transport.

Integrated voice services include voice station cards that terminate handsets, VoIP conferencing and transcoding services such as Digital Signal Processors (DSPs), a Public-Switched Telephone Network (PSTN) gateway, Survivable Remote Site Telephony (SRST), and others. Integrated voice services are common in branch office routers, especially with the Integrated Services Router (ISR) series, which is specifically designed with integrated services in mind. Integrated voice services are generally not deployed in headend aggregation routers.

Other Integrated Service Types

Other types of integrated services that can impact router performance include the following:

• NAT or PAT

• DHCP server

• Content caching

See the individual IPsec design guides for IPsec Direct Encapsulation, p2p GRE over IPsec, DMVPN, and VTI for more information on the specific impacts of these services.

Implementing Mobile VPNs

IP tunneling is central to implementing MVPN. In addition to traditional wireline VPN features, MVPN includes a set of mechanisms that use dynamic IP tunneling to support user mobility. IP tunnels are paths that IP packets follow while encapsulated within the payload portion of another packet. These encapsulated packets are sent to destination endpoints from originating endpoints via public (non-secure) channels. Tunnels can also exist at the link layer, providing encapsulation for non-routable protocols, such as Layer 2 Tunneling Protocol (L2TP) for Point-to-Point Protocol (PPP). There are two basic tunneling methods for implementing IP VPNs: end-to-end or “voluntary,” and network-based or “compulsory.” MVPNs based on voluntary tunneling are implemented by providing users with public Internet access, and subsequently with access behind corporate firewalls via available tunneling techniques that allow secure data transmission. The end-to-end tunnel used in this case must exist for the duration of the session only. While voluntary tunneling provides a simple, secure end-to-end solution for access to private networks, it also adds encapsulation overhead over last-hop wireless links, which is a less efficient and more costly use of radio resources. In volume-based charging scenarios, for instance, such overhead could significantly increase corporate costs for remote connectivity. Voluntary tunneling carries a number of other drawbacks as well. For example, it requires that mobile nodes be given public addresses allowing end-to-end transparent IP connectivity. In addition, it requires complex encryption and decryption algorithms, which increase the complexity and cost of mobile devices that typically have low processing power and are often limited by battery consumption.

With voluntary tunneling, applications that need to inspect or modify encapsulated packets will be unable to get access to user traffic. This means that QoS solutions, traffic-shaping mechanisms, monitoring equipment and firewalls will fail to perform their functions, and encapsulated (secured) packets cannot be modified by Network Address Translation (NAT). Network-based “compulsory tunneling,” on the other hand, provides a better foundation for MVPN solutions. This tunneling approach assumes that the intelligence and functionality necessary for deploying MVPNs resides in the wireless operator’s network infrastructure rather than in the mobile devices. It also assumes that the air interface owned by the wireless carriers is secure. With “compulsory tunneling,” network components such as access servers, gateways, etc. (not the mobiles) initiate tunnels, which typically terminate at the private network.

Compulsory tunnels can be used by multiple subscribers and can remain active even if no subscriber transactions are in progress (thus placing less burden on the computing and routing infrastructure). The compulsory approach to tunneling also assumes the existence of proper agreements between corporations or ISPs and wireless operators. Service Level Agreements (SLAs) address the business relationships between service providers and corporations, while the Security Associations (SAs) or shared secrets used to generate IP Security (IPSec) session keys address the technical relationships. IPSec is a group of RFCs (RFC 2401 and companion documents) dealing with the secure encapsulation of IP traffic.
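As an added illustration, not part of the original text, the following Python computes the on-the-wire size of an ESP-protected IPv4 packet in tunnel and transport mode, using the field lengths defined in RFC 4303 and RFC 4106, to show why the last-hop encapsulation overhead discussed above weighs heaviest on small packets. The two transform suites and all packet sizes are assumptions chosen for the example; the page names none.

```python
from dataclasses import dataclass

IPV4_HEADER = 20   # outer header (tunnel mode) or the original header (transport mode)
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes), RFC 4303
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspSuite:
    """Per-packet field sizes that a transform set adds to an ESP packet."""
    name: str
    iv_len: int    # IV (CBC) or explicit nonce (GCM) carried in every packet
    align: int     # alignment of payload + padding + trailer (cipher block size, minimum 4)
    icv_len: int   # integrity check value appended after the encrypted data


# Assumed suites for illustration; the page does not name specific transforms.
AES_CBC_HMAC_SHA1_96 = EspSuite("AES-CBC-128 / HMAC-SHA1-96", iv_len=16, align=16, icv_len=12)
AES_GCM_128 = EspSuite("AES-GCM-128 (16-byte ICV)", iv_len=8, align=4, icv_len=16)


def esp_padding(protected_len: int, align: int) -> int:
    """Padding bytes needed so that payload + padding + trailer is a multiple of align."""
    return (-(protected_len + ESP_TRAILER)) % align


def esp_packet_len(inner_len: int, suite: EspSuite, tunnel: bool = True) -> int:
    """Total length of an IPv4 packet of inner_len bytes after ESP protection.

    Tunnel mode encrypts the whole inner IP packet and prepends a new outer header.
    Transport mode keeps the original IP header in the clear and protects only what follows it.
    """
    if inner_len <= IPV4_HEADER:
        raise ValueError("inner packet must be larger than its IPv4 header")
    protected = inner_len if tunnel else inner_len - IPV4_HEADER
    encrypted = protected + esp_padding(protected, suite.align) + ESP_TRAILER
    return IPV4_HEADER + ESP_HEADER + suite.iv_len + encrypted + suite.icv_len


def overhead_percent(inner_len: int, suite: EspSuite, tunnel: bool = True) -> float:
    """Extra bytes sent over the link as a percentage of the unprotected packet."""
    return 100.0 * (esp_packet_len(inner_len, suite, tunnel) - inner_len) / inner_len


def volume_billed(packet_lens, suite: EspSuite, tunnel: bool = True) -> int:
    """Bytes a volume-based tariff would count for a list of packets sent through ESP."""
    return sum(esp_packet_len(n, suite, tunnel) for n in packet_lens)


if __name__ == "__main__":
    # Constructed sample sizes: a small VoIP-sized packet, an interactive packet, a full-size one.
    for inner in (60, 200, 1400):
        for suite in (AES_CBC_HMAC_SHA1_96, AES_GCM_128):
            print(f"{inner:5d} B  {suite.name:28s} tunnel {esp_packet_len(inner, suite):5d} B "
                  f"({overhead_percent(inner, suite):5.1f}% overhead)  "
                  f"transport {esp_packet_len(inner, suite, tunnel=False):5d} B")
```

A 60-byte packet doubles in size under tunnel-mode AES-CBC with HMAC-SHA1-96, which is the per-packet cost a volume-based tariff charges for.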

Internet Access Strategy

How Internet-destined traffic from branch offices is routed can also affect the IPsec VPN design and scalability. This consideration is primarily applicable when the Internet is being used as the transport connectivity to branch offices. Two common alternatives are described in the next two sections, along with the implications to the design scalability.

Enterprise customers commonly choose to backhaul all traffic to the headend site, regardless of whether the traffic is destined for the enterprise corporate network or for the Internet. It might seem inefficient to encrypt and transport Internet traffic over the Internet via an IPsec tunnel, only to decrypt it and route it out the corporate Internet gateway, possibly the same gateway through which those packets had just arrived. There are some legitimate reasons for doing so, including the following:

• Keeping the branch routing simple for security reasons, instead of a more complex configuration that sends some traffic over the corporate tunnel and other traffic straight to the Internet.

• Internet traffic monitoring, such as URL filtering, Websense, e-mail scanning, and anti-virus scanning, can be centralized at the corporate headquarters location(s), instead of trying to manage distributed monitoring functions. If all traffic, including Internet-destined, is backhauled over the IPsec VPN connection, this traffic must be factored into the overall traffic bandwidth and IPsec throughput requirements for the design.

Split Tunneling

Split tunneling is the process by which packets being transmitted from a branch office can either be protected by IPsec and sent to or received from the headend aggregation router, or left unprotected by IPsec and sent to or received from the Internet. Split tunneling is commonly configured on the connecting client, either by receiving pushed secure routes or by setting them statically. In this situation, only specific traffic matching a “secure” destination address is forwarded out the virtual tunnel interface. All other traffic is routed normally and unsecured through the configured default gateway. These specific routes are configured on the VPN server and can normally be seen injected into the client’s route table while connected to the VPN.

If split tunneling is implemented, the following extra factors must be considered in the design:

• The bandwidth and IPsec throughput saved by routing Internet traffic directly instead of over the VPN to headquarters.

• Most likely NAT or PAT will need to be running as a service on the branch office router, which can have performance and scalability implications.

• Security services, such as firewall and IPS, might need to be running as services on the branch office router, which will have performance and scalability implications. Whether or not these mandatory security services are running on the branch router or as standalone devices must be considered.

The advantage of split tunneling is that it gives the connected client connectivity to both the secure networks and normal unsecured destinations at the same time. The disadvantage is that the client puts the remotely connected network at risk, because it bypasses the secure gateways that would normally be found in the remote network’s infrastructure and so becomes reachable from the unsecured public network.
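As an added example, not from the original text, the following Python models the client-side route decision described above: prefixes pushed by the VPN server are matched longest-prefix first against each destination, everything else follows the default gateway, and the same flow sample is then tallied under split tunneling and under full backhaul to show the bytes kept off the IPsec tunnel. It also flags pushed routes that overlap the branch’s own addressing, the private-address conflict mentioned earlier. All prefixes and flow records are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: prefixes a VPN server might push as "secure" routes, and the branch LAN.
PUSHED_SECURE_ROUTES = ["10.0.0.0/8", "192.168.50.0/24"]
BRANCH_LAN = "192.168.50.0/25"


@dataclass(frozen=True)
class Flow:
    dst: str
    nbytes: int


# Constructed flow sample: two corporate destinations, two Internet destinations (TEST-NET ranges).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", 5_000),
    Flow("192.168.50.7", 1_200),
    Flow("203.0.113.10", 80_000),
    Flow("198.51.100.25", 30_000),
]


def build_table(secure_prefixes, split_tunnel=True):
    """Client route table: pushed secure routes go to the tunnel, the default route goes direct.

    With split_tunnel=False the server pushes a default route into the tunnel instead, so every
    destination is backhauled to the headend.
    """
    if not split_tunnel:
        return [(ipaddress.ip_network("0.0.0.0/0"), "tunnel")]
    table = [(ipaddress.ip_network(p), "tunnel") for p in secure_prefixes]
    table.append((ipaddress.ip_network("0.0.0.0/0"), "direct"))
    # Longest prefix wins, as in a real forwarding table.
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def egress_for(table, dst):
    """Return 'tunnel' or 'direct' for a destination address."""
    addr = ipaddress.ip_address(dst)
    for net, egress in table:
        if addr in net:
            return egress
    return "direct"


def tally(flows, table):
    """Bytes that leave via the IPsec tunnel versus straight to the Internet."""
    totals = {"tunnel": 0, "direct": 0}
    for flow in flows:
        totals[egress_for(table, flow.dst)] += flow.nbytes
    return totals


def backhaul_saved(flows, secure_prefixes):
    """Bytes kept off the VPN by split tunneling compared with backhauling everything."""
    full = tally(flows, build_table(secure_prefixes, split_tunnel=False))["tunnel"]
    split = tally(flows, build_table(secure_prefixes, split_tunnel=True))["tunnel"]
    return full - split


def overlapping_routes(secure_prefixes, local_prefix):
    """Pushed routes that overlap the branch's own addressing. The client cannot tell the
    two apart, so such overlaps must be resolved before the design goes live."""
    local = ipaddress.ip_network(local_prefix)
    return [p for p in secure_prefixes if ipaddress.ip_network(p).overlaps(local)]


if __name__ == "__main__":
    print("split  :", tally(SAMPLE_FLOWS, build_table(PUSHED_SECURE_ROUTES)))
    print("full   :", tally(SAMPLE_FLOWS, build_table(PUSHED_SECURE_ROUTES, split_tunnel=False)))
    print("saved  :", backhaul_saved(SAMPLE_FLOWS, PUSHED_SECURE_ROUTES), "bytes")
    print("overlap:", overlapping_routes(PUSHED_SECURE_ROUTES, BRANCH_LAN))
```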

GPRS and UMTS Networks

GPRS and UMTS wireless packet data technologies provide the higher data rates and the support for standard mobile protocols necessary for secure MVPN service offerings for private corporate customers. By enabling secure mobile data access, these technologies allow wireless carriers to meet the expectations of corporations and ISPs wishing to give traveling professionals constant on-demand data access.

GPRS enables a variety of new and unique services to the mobile wireless subscriber. These mobile services have unique characteristics that provide enhanced value to customers. These characteristics include the following:

  • Mobility—The ability to maintain constant voice and data communications while on the move
  • Immediacy—Allows subscribers to obtain connectivity when needed, regardless of location and without a lengthy login session
  • Localization—Allows subscribers to obtain information relevant to their current location

GPRS provides the following benefits:

  • Overlays on the existing GSM network to provide high-speed data service
  • Always on, reducing the time spent setting up and taking down connections
  • Designed to support bursty applications such as e-mail, traffic telematics, telemetry, broadcast services, and web browsing that do not require a dedicated connection

One of the main requirements in the GPRS network is the routing of data packets to and from a mobile user. The requirement can be divided into two areas: data packet routing and mobility management.

The Universal Mobile Telecommunication System (UMTS) is a third generation (3G) mobile communications system that provides a range of broadband services to the world of wireless and mobile communications. The UMTS delivers low-cost, mobile communications at data rates of up to 2 Mbps. It preserves the global roaming capability of second generation GSM/GPRS networks and provides new enhanced capabilities. The UMTS is designed to deliver pictures, graphics, video communications, and other multimedia information, as well as voice and data, to mobile wireless subscribers.

The UMTS supports the following service categories and applications:

  • Internet access—Messaging, video/music download, voice/video over IP, mobile commerce (e.g., banking, trading), travel and information services
  • Intranet/extranet access—Enterprise applications such as e-mail/messaging, travel assistance, mobile sales, technical services, corporate database access, fleet/warehouse management, conferencing and video telephony
  • Customized information/entertainment—Information (photo/video/music download), travel assistance, distance education, mobile messaging, gaming, voice portal services
  • Multimedia messaging—SMS extensions for images, video, and music; unified messaging; document transfer
  • Location-based services—Yellow pages, mobile commerce, navigational service, trading…

The major difference between GSM/GPRS networks and UMTS networks is in the air interface transmission. Time division multiple access (TDMA) and frequency division multiple access (FDMA) are used in GSM/GPRS networks. The air interface access method for UMTS networks is wideband code division multiple access (WCDMA), which has two basic modes of operation: frequency division duplex (FDD) and time division duplex (TDD). This new air interface access method requires a new radio access network (RAN) called the UMTS terrestrial RAN (UTRAN). The core network requires minor modifications to accommodate the UTRAN.

Computer Network Speed

Bandwidth in computer networking refers to the data rate supported by a network connection or interface. Network bandwidth is not the only factor that contributes to the perceived speed of a network. A lesser known but equally important element of network performance – latency – also plays an important role.

Bandwidth is the primary measure of computer network speed. Virtually everyone knows the bandwidth rating of their modem or their Internet service that is prominently advertised on network products sold today. In networking, bandwidth represents the overall capacity of the connection.

The greater the capacity, the more likely that better performance will result. Bandwidth is the amount of data that passes through a network connection over time as measured in bps. Bandwidth can refer to both actual and theoretical throughput, and it is important to distinguish between the two.

For example, a standard dialup modem supports 56 Kbps of peak bandwidth, but due to physical limitations of telephone lines and other factors, a dialup connection cannot support more than 53 Kbps of bandwidth (about 10% less than maximum) in practice. Likewise a traditional Ethernet network theoretically supports 100 Mbps of bandwidth, but this maximum amount cannot reasonably be achieved due to overhead in the computer hardware and operating systems.

The term high bandwidth is sometimes used to distinguish faster broadband Internet connections from traditional dialup or cellular network speeds. Definitions vary, but high bandwidth connections generally support data rates of minimum 64 Kbps (and usually 300 Kbps or higher). Broadband is just one type of high bandwidth network communication method.

For analog signals, bandwidth is measured in Hertz (Hz), or Megahertz (MHz) when counted in millions; for a data connection it is simply a measure of how many bits are transmitted in one second. Even with measurement tools at your disposal, bandwidth utilization is difficult to measure precisely, as it varies over time depending on the configuration of hardware and the characteristics of software applications, including how they are being used.

Networking with a router

A network router is a small electronic device that allows you to build a home network simply. The home router serves as the core or “centerpiece” of the network to which computers, printers and other devices can be connected. Networking with a router helps you to (for example):

  • share files between computers
  • share an Internet connection between computers
  • share a printer
  • connect your game console or other home entertainment equipment to the Internet

Routers are not necessarily required to build a network. For example, you can connect two computers directly to each other with just a cable (or without wires in some cases). Home routers offer convenience and easier maintenance as your network grows.

You can choose from among several different types of home network router products. The two most common types in popular usage are the 802.11b and 802.11g WiFi models. 802.11g is the newer technology, but 802.11b routers often can do the job for an even lower cost.


Network routers receive their power from an ordinary home electrical socket. When powered on, lights (LEDs) signify the unit is operating.

Network routers must be carefully configured when they are first installed. Like computers and other devices on the home network, routers must be set up with IP addresses. Routers also offer optional (but strongly recommended) security features. Routers contain built-in software to enable setup. You access this software through your Web browser on any computer connected to the router.

Connecting Computers to a Router

The most basic use of a network router involves file sharing (copying files) between multiple computers. You do not technically need a router to set up file sharing (or a home network), but using a router greatly simplifies the task, especially when three or more computers are involved. Home routers provide connection points (called “ports” or “jacks”) for you to connect computers with Ethernet cables. Plug one end of the cable into the router and the other into the computer’s Ethernet network adapter. Wireless routers alternatively allow computers to connect via WiFi technology, if the computer possesses a WiFi network adapter.


Connecting an Internet Modem to the Router

The ability of a network router to share your Internet connection throughout the residence is a key selling point of these boxes. Internet connection sharing can be set up without a router using alternative methods, but once again, having a router greatly simplifies the task. To use your router for Internet sharing, connect your Internet modem to the appropriate router jack designed for this purpose. Many network routers allow broadband modems to be connected with either a USB cable or an Ethernet cable. A few network routers even allow traditional dialup modems to be connected via serial cables to a built-in serial port.

Connecting a Printer to the Router

Sharing one printer between multiple home computers is often desired but surprisingly difficult to achieve. Without a router, people connect their printer to one computer designated as the printer host. This host computer must be specially configured, and it must also be operating whenever anyone needs to use the printer. Moving this responsibility from a host computer to a router makes both network setup and using the printer easier.

Normally you can connect your printer to the router using a USB cable or a USB-to-Ethernet cable. Alternatively, wireless print server hardware also exists. A print server connects to your printer’s USB jack and in turn makes a WiFi connection to a wireless router. A few routers contain built-in print server capability, providing a built-in parallel port for cabling a printer directly.

Connecting Home Entertainment Equipment to the Router

You can connect games consoles such as Xbox, set-top devices like TiVo, and other home entertainment equipment to network routers. Networking home entertaining equipment with a router allows these devices to reach the Internet when you have Internet sharing in place there. Wireless game adapters (also known as wireless bridges) make WiFi connections and USB-to-Ethernet cables make cabled connections to the router for this type of equipment.

Other Uses of a Network Router

A few other types of devices can be added to a network router for special-purpose applications. Video surveillance cameras, for example, can be connected to a router to allow real-time viewing of video feeds from any computer on the home network (or even remotely over the Internet). VoIP analog terminal adapters (ATAs) will often be connected to routers for enabling Internet VoIP call services. In WiFi networks, routers can be joined with other devices (called range extenders or signal boosters) that increase the overall reach (range) of the wireless signal. Some people do this to share their home network with a neighbor. Wireless routers can sometimes be connected to each other for a similar purpose, but care must be taken to avoid conflicts or interference between the two devices.

VPN and satellite Internet networking

VPN and satellite Internet technologies were not designed to work together. These two technical limitations of satellite Internet greatly affect the performance of a VPN:

  • Virtual private networks require a high-bandwidth, low-latency network to function efficiently. Satellite Internet services, on the other hand, normally suffer very high latencies due to the long distance satellite signals must travel.
  • Satellite Internet also tends to support low upstream bandwidth. Specifically, satellite bandwidth for uploads is comparable to that of dial-up Internet services. VPNs demand high bandwidth for both uploads and downloads.

Despite these limitations, it is technically possible to use most VPN solutions with most satellite Internet services. The following caveats apply:

1) Overall performance of a VPN connection over satellite will be poor. VPN over satellite often performs at the speed of a dial-up Internet connection.
2) Satellite providers generally do not offer technical support or service guarantees to VPN users.
3) Satellite providers commonly deploy a performance boosting technique called “IP spoofing” as part of their service. This IP spoofing interferes with the ability to establish VPN connections. For VPNs to work with satellite Internet, the provider must have some provision to bypass IP spoofing for VPN connections.
4) The same compatibility issues between VPNs and personal firewalls, and between VPNs and Internet connection sharing software, apply for satellite as for other types of Internet service.

To determine if a given VPN client or protocol will work with a given satellite service, consult the satellite provider. While they may not offer technical support, providers usually list general compatibility information about VPNs on their Web sites. Note that limitations can vary depending on the package subscribed to. “Business” or “telecommuter” services, for example, tend to offer more VPN support than “residential” services.

Satellite broadband Internet access is still the most expensive means of accessing the Internet, but it does provide a solution for those with no other means available or for whom dial-up access is too slow. With some satellite access connections you are provided with a high-speed downlink connection while dial-up or another land-based system is used for the uplink connection. There are also satellite broadband Internet access systems which use a two-way system where both the uplink and downlink connections are high speed and provided by satellite. Satellite broadband Internet access can also be affected by the weather and other location-specific interference.

Satellite Internet service covers areas where DSL and cable access is unavailable. Satellite offers less network bandwidth compared to DSL or cable, however. In addition, the long delays required to transmit data between the satellite and the ground stations tend to create high network latency, causing a sluggish performance experience in some cases. Network applications like VPN and online gaming may not function properly over satellite Internet connections due to these latency issues.

Older residential satellite Internet services supported only “one-way” downloads over the satellite link, requiring a telephone modem for uploading. All newer satellite services support full “two-way” satellite links.

Configuring IP Addresses for VPNs

IP addresses are the fundamental method for computers to identify themselves on most computer networks. Each computer or other network device connected to the Internet has an IP address. IP addresses are written in a notation using numbers separated by dots. This is called “dotted-decimal” notation. Examples of IP addresses in dotted-decimal notation are and although many millions of different IP addresses exist. IP addresses make internetwork connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network. Once that connection is made, the second set connects client and server through the VPN tunnel.

Everyone who needs to use a computer network should understand how to look up their own IP addresses. The exact procedure to follow depends on the kind of computer you use. Additionally, in some situations you may need to find the IP address of someone else’s computer. When connecting to the Internet, your home computer or network router is assigned a public IP address. As you visit Web sites or other Internet servers, that public IP address is transmitted and recorded in log files kept on those servers. Access logs leave behind a trail of your Internet activity. If it were possible to somehow hide your public IP address, your Internet activity would become much more difficult to trace.

When a computer network is functioning properly, IP addresses stay in the background and don’t require any specific attention. However, some common problems you may encounter when setting up or joining a computer network include:

  • A computer has no IP address
  • Two computers have the same IP address
  • A computer has a “bad” IP address that won’t allow it to “talk” on the network

To solve these problems, several techniques can be applied including IP address release / renew, setting static IP addresses, and updating the subnet configuration.

Your public IP addresses are shared with others over the Internet, and this raises privacy concerns in the minds of some people. IP addresses allow your Internet usage to be tracked and give some rough information about your geographic location.

In security appliance address management, we are dealing with the second set of IP addresses: those private IP addresses that connect a client with a resource on the private network, through the tunnel, and let the client function as if it were directly connected to the private network. Furthermore, we are dealing only with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources on your private network are part of your network administration responsibilities, not part of VPN management. Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private network addressing scheme that let the client function as a tunnel endpoint.