R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Configuring DVPN
The term "router" in this document refers to both routers and Layer 3 firewalls.
Feature and hardware compatibility
Feature    F1000-A-EI/S-EI    F1000-E    F5000    Firewall module
DVPN       No                 Yes        Yes      Yes
DVPN overview
More and more enterprises require virtual private networks (VPNs) to connect
their branches across the public network. However, branches of an enterprise usually use dynamically
assigned IP addresses to access the public network, and each of them has no way to know the public IP
addresses of the other branches in advance. This makes it difficult to establish VPNs. Dynamic virtual
private network (DVPN) is intended to address this issue.
DVPN collects, maintains, and distributes dynamic public addresses through the VPN Address
Management (VAM) protocol, so that VPNs can be established between enterprise branches that
use dynamic addresses to access the public network.
In DVPN, a collection of nodes connected to the public network forms a VPN. From the perspective of
DVPN, the public network is the link layer of the VPN, and the tunnels that are used as the virtual
channels between subnets of an intranet constitute the network layer. Branch devices dynamically access
the public network. DVPN can get the public IP addresses of the peers through VAM to set up secure
internal tunnels conveniently.
When a DVPN device forwards a packet from one user subnet to another, it performs these operations:
1. Obtaining the next hop on the private network through a routing protocol.
2. Querying the public network address of the next hop through the VAM protocol.
3. Encapsulating the packet, using the public address as the destination address of the tunnel.
4. Sending the packet along the tunnel to the destination.
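The following Python model of steps 1 to 3 is an added illustration, not code from this guide or from the device software. The VamRegistry class, the dictionary used as the packet, and all addresses are assumptions constructed for the example; it shows that a peer's new public address is picked up after re-registration and that an unregistered next hop yields no tunnel.

```python
import ipaddress


class VamRegistry:
    """Hypothetical stand-in for VAM: private address -> current public address."""

    def __init__(self):
        self._public_by_private = {}

    def register(self, private_ip, public_ip):
        # A node registers again when its dynamically assigned public address changes.
        key = ipaddress.ip_address(private_ip)
        self._public_by_private[key] = ipaddress.ip_address(public_ip)

    def resolve(self, private_ip):
        return self._public_by_private.get(ipaddress.ip_address(private_ip))


def next_hop(routes, dst):
    """Step 1: longest-prefix match over (prefix, private next hop) pairs."""
    dst = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]
    matches = [(net, hop) for net, hop in nets if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(routes, vam, local_public, dst, payload):
    """Steps 1-3: return the encapsulated packet, or None if no tunnel is possible."""
    hop = next_hop(routes, dst)
    if hop is None:
        return None                    # no route on the private network
    peer_public = vam.resolve(hop)     # step 2: private next hop -> public address
    if peer_public is None:
        return None                    # peer not registered, tunnel endpoint unknown
    return {"outer_src": local_public, "outer_dst": str(peer_public),
            "inner_dst": dst, "payload": payload}   # step 3: tunnel encapsulation


# Constructed sample data (documentation address ranges, not taken from the guide).
ROUTES = [("10.2.0.0/16", "192.168.0.2"), ("10.2.5.0/24", "192.168.0.3")]

if __name__ == "__main__":
    vam = VamRegistry()
    vam.register("192.168.0.2", "198.51.100.20")
    vam.register("192.168.0.3", "203.0.113.7")
    print(forward(ROUTES, vam, "192.0.2.1", "10.2.5.9", b"data"))
    vam.register("192.168.0.3", "203.0.113.99")   # branch obtained a new public address
    print(forward(ROUTES, vam, "192.0.2.1", "10.2.5.9", b"data"))
```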
Basic concepts of DVPN
The following key roles are involved in DVPN.
DVPN node
A DVPN node is a device at an end of a DVPN tunnel. It can be a networking device or a host. A DVPN
node takes part in tunnel setup and must implement the VAM client.
VAM server
A VAM server receives registration information from DVPN nodes and manages and maintains
information about DVPN clients. A VAM server is usually a high-performance routing device with the VAM
server enabled.