3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

Introduction to DVPN 209
Traditional VPN versus DVPN
Drawbacks of traditional VPN
Current network solutions commonly use generic routing encapsulation (GRE) or
multi-protocol label switching/border gateway protocol (MPLS/BGP) to build Layer
3 VPNs. Both kinds of VPN suffer from the following drawbacks:
Complicated networking and configuration. Layer 3 VPNs communicate
through point-to-point Tunnels, so a fully meshed VPN with N access points
requires N * (N-1) / 2 manually configured point-to-point VPN Tunnels.
Inconvenient maintenance and expansion. In an established VPN, adding a node
or reconfiguring an existing node requires reconfiguring all the other nodes,
which makes maintenance costly.
Unable to traverse NAT gateways. GRE carries no transport-layer port numbers,
so a NAPT (network address port translation) gateway at the egress cannot
multiplex several GRE Tunnels onto one public address; you must map each
private IP address to a unique public IP address to carry packets along the VPN
Tunnel. Such VPNs therefore consume a large number of public IP addresses, and
GRE is not usable behind NAPT gateways. (VPNs established with early versions
of IPsec cannot traverse NAT gateways either; this problem is resolved by
encapsulating IPsec packets in UDP.)
Not applicable to dynamic IP addresses. GRE Tunnels are bound to fixed IP
addresses, so you cannot establish GRE VPNs for dial-up subscribers, whose
addresses change from session to session.
Not secure. L2TP (Layer 2 Tunneling Protocol) and GRE do not encrypt packets,
whereas IPsec provides adequate security for packets forwarded across IPsec
VPNs.
IPsec does not support dynamic routing. GRE and L2TP Tunnels are
interface-based, whereas IPsec Tunnels are data-flow-oriented (traffic is
selected by policy rather than by interface), so private networks
interconnected by IPsec VPN Tunnels cannot learn routes from each other, which
conflicts with dynamic network planning.
Advantages of DVPN
DVPN retains all the advantages of traditional VPNs and overcomes many of
their problems. It is easy to configure and plan, more powerful, and better
suited to modern and future networks. It features the following:
Ease of configuration. Instead of configuring a logical interface as the Tunnel
end for each Tunnel, a DVPN access device needs only one logical Tunnel
interface to establish sessions with multiple other DVPN access devices, which
simplifies DVPN configuration considerably and improves maintainability and
extensibility. To add a private network to an existing DVPN domain, you need
only configure information about the DVPN server of that domain on the DVPN
access device of the private network.
Capable of NAT traversal. UDP-encapsulated DVPN packets can traverse NAT
gateways. This enables VPN connections between DVPN access devices on internal
networks and those on the public network, and enables VPNs that contain both
internal and external private networks.
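The NAT-traversal point made in both the drawback list (GRE behind NAPT) and the advantage list (UDP-encapsulated DVPN) can be seen with a small model of a NAPT gateway. The example below is added here for illustration and is not 3Com code; the gateway class, the packet layout, the documentation-range addresses and the "spare pool" of public addresses are all constructed for the demonstration, and the model is a plain NAPT with no GRE application-level gateway. It shows that GRE, which has no port field, forces one dedicated public address per inside host and is blocked once the pool runs out, whereas UDP-encapsulated tunnel traffic from many inside hosts shares a single public address through port mapping.

```python
"""Model of outbound NAPT: why plain GRE cannot share a public address while
UDP-encapsulated tunnel traffic can. Added example, not vendor code; every
address, port and data structure here is constructed for illustration."""

from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_GRE = 47        # GRE carries no transport-layer port numbers
UDP_ENCAP_PORT = 4500   # UDP port used for UDP-encapsulated ESP (RFC 3948)


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for GRE: nothing for NAPT to rewrite
    dst_port: Optional[int] = None


class Gateway:
    """NAPT gateway with one shared public address plus a small pool of spare
    public addresses for protocols that cannot be port-multiplexed."""

    def __init__(self, napt_ip: str, spare_pool: List[str], first_port: int = 20000):
        self.napt_ip = napt_ip
        self.spare_pool = list(spare_pool)
        self.next_port = first_port
        # (proto, private ip, private port) -> public port on napt_ip
        self.port_map: Dict[Tuple[int, str, int], int] = {}
        # private ip -> dedicated public ip (1:1 mapping, needed for GRE)
        self.addr_map: Dict[str, str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src_port is None:
            # No port field, so replies can only be matched on the public
            # destination address: each inside host needs its own.
            if pkt.src_ip not in self.addr_map:
                if not self.spare_pool:
                    raise RuntimeError(f"no public address left for {pkt.src_ip}")
                self.addr_map[pkt.src_ip] = self.spare_pool.pop(0)
            return replace(pkt, src_ip=self.addr_map[pkt.src_ip])
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.port_map:
            self.port_map[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src_ip=self.napt_ip, src_port=self.port_map[key])

    def inbound(self, pkt: Packet) -> Packet:
        """Reverse translation for a reply arriving from the public side."""
        if pkt.dst_ip == self.napt_ip:
            for (proto, priv_ip, priv_port), pub_port in self.port_map.items():
                if proto == pkt.proto and pub_port == pkt.dst_port:
                    return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        else:
            for priv_ip, pub_ip in self.addr_map.items():
                if pub_ip == pkt.dst_ip:
                    return replace(pkt, dst_ip=priv_ip)
        raise LookupError("no translation state for reply")


def tunnels_through_nat(proto: int, hosts: List[str], spare_pool: List[str]) -> Dict[str, str]:
    """Bring one tunnel per inside host up to the same remote peer and check
    that the peer's reply is translated back to the right host.
    Returns {host: public source address used, or 'BLOCKED'}."""
    gw = Gateway("203.0.113.1", spare_pool)
    peer = "198.51.100.7"
    result: Dict[str, str] = {}
    for host in hosts:
        port = None if proto == IPPROTO_GRE else UDP_ENCAP_PORT
        try:
            out = gw.outbound(Packet(proto, host, peer, port, port))
            reply = Packet(proto, peer, out.src_ip, out.dst_port, out.src_port)
            if gw.inbound(reply).dst_ip != host:
                raise RuntimeError("reply delivered to the wrong inside host")
            result[host] = out.src_ip
        except RuntimeError:
            result[host] = "BLOCKED"
    return result


if __name__ == "__main__":
    sites = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    print("GRE:", tunnels_through_nat(IPPROTO_GRE, sites, ["203.0.113.2"]))
    print("UDP:", tunnels_through_nat(IPPROTO_UDP, sites, ["203.0.113.2"]))
```

With three inside hosts and one spare public address, the GRE run succeeds for the first host only and blocks the other two, while the UDP run carries all three tunnels on 203.0.113.1 with distinct public ports. Real NAPT devices may add helpers for specific GRE users (for example PPTP call IDs), which this plain model deliberately omits.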