Module 8: VPN and IPsec Concepts, 8.3 IPsec - Coggle Diagram
Module 8: VPN and IPsec Concepts
8.1 VPN Technology
8.1.1 Virtual Private Networks.
Use virtual private networks (VPNs) to create end-to-end private network connections.
8.1.2 VPN Benefits.
Modern VPNs now support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic between sites.
8.1.3 Site-to-Site and Remote-Access VPNs.
SITE-TO-SITE VPN
REMOTE-ACCESS VPN.
8.1.4 Enterprise and Service Provider VPNs.
* Enterprise VPNs - Enterprise-managed VPNs are a common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are created and managed by the enterprise using both IPsec and SSL VPNs.
* Service Provider VPNs - Service provider-managed VPNs are created and managed over the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise’s sites.
8.2 Types of VPNs.
8.2.1 Remote-Access VPNs
Clientless VPN connection - The connection is secured using a web browser SSL connection. SSL is mostly used to protect HTTP traffic (HTTPS) and email protocols such as IMAP and POP3. For example, HTTPS is actually HTTP using an SSL tunnel. The SSL connection is first established, and then HTTP data is exchanged over the connection.
Client-based VPN connection - VPN client software such as Cisco AnyConnect Secure Mobility Client must be installed on the remote user’s end device. Users must initiate the VPN connection using the VPN client and then authenticate to the destination VPN gateway. When remote users are authenticated, they have access to corporate files and applications. The VPN client software encrypts the traffic using IPsec or SSL and forwards it over the internet to the destination VPN gateway.
8.2.2 SSL VPNs
8.2.3 Site-to-Site IPsec VPNs
8.2.4 GRE over IPsec
Passenger protocol - This is the original packet that is to be encapsulated by GRE. It could be an IPv4 or IPv6 packet, a routing update, and more.
Carrier protocol - GRE is the carrier protocol that encapsulates the original passenger packet.
Transport protocol - This is the protocol that will actually be used to forward the packet. This could be IPv4 or IPv6.
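The three roles above, worked as an added Python example (not part of the course material): it builds an IPv4 passenger packet, wraps it in a GRE carrier header, addresses it with an IPv4 transport header, and then parses the tunnel packet back into its three layers. The addresses and UDP bytes are constructed sample values.

```python
import struct
import ipaddress

IP_PROTO_GRE = 47        # transport IPv4 header: "payload is GRE"
GRE_PROTO_IPV4 = 0x0800  # GRE header protocol type: "passenger is IPv4"
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000

def ip_checksum(data):
    # RFC 1071 ones-complement sum; returns 0 for a header whose checksum is valid.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header (DF set, TTL 64) with a computed checksum.
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(passenger, transport_src, transport_dst):
    # Carrier: 4-byte GRE header with no C/K/S options, protocol type IPv4.
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4) + passenger
    # Transport: outer IPv4 header addressed between the tunnel endpoints.
    return ipv4_header(transport_src, transport_dst, IP_PROTO_GRE, len(gre)) + gre

def gre_decapsulate(packet):
    # Split a tunnel packet back into transport, carrier and passenger layers.
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ip_checksum(outer) != 0 or outer[9] != IP_PROTO_GRE:
        raise ValueError("not a GRE-over-IPv4 packet with a valid outer header")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    # Each set C/K/S flag adds a 4-byte optional field after the fixed header.
    gre_len = 4 + sum(4 for bit in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S) if flags & bit)
    return {
        "transport_src": str(ipaddress.IPv4Address(outer[12:16])),
        "transport_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "passenger_proto": proto,
        "passenger": packet[ihl + gre_len:],
    }

# Constructed sample: a UDP datagram 10.1.1.10 -> 10.2.2.20 is the passenger;
# 203.0.113.1 and 198.51.100.1 are assumed tunnel endpoint addresses.
UDP_BYTES = b"\x04\xd2\x00\x35\x00\x0c\x00\x00abcd"  # ports 1234 -> 53, payload "abcd"
PASSENGER = ipv4_header("10.1.1.10", "10.2.2.20", 17, len(UDP_BYTES)) + UDP_BYTES
TUNNEL = gre_encapsulate(PASSENGER, "203.0.113.1", "198.51.100.1")
```

Note that nothing here is encrypted or authenticated: in GRE over IPsec, the whole tunnel packet produced by gre_encapsulate is what IPsec then protects, which is why GRE alone is not a secure VPN.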
8.2.5 Dynamic Multipoint VPNs.
DMVPN Hub-to-Spoke Tunnels
DMVPN Hub-to-Spoke and Spoke-to-Spoke Tunnels
8.2.6 IPsec Virtual Tunnel Interface
8.2.7 Service Provider MPLS VPNs
Layer 3 MPLS VPN - The service provider participates in customer routing by establishing a peering between the customer’s routers and the provider’s routers. Customer routes received by the provider’s router are then redistributed through the MPLS network to the customer’s remote locations.
Layer 2 MPLS VPN - The service provider is not involved in the customer routing. Instead, the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network. No routing is involved. The customer’s routers effectively belong to the same multiaccess network.
8.3 IPsec
8.3.2 IPsec Technologies
IPsec Security Association Examples
8.3.3 IPsec Protocol Encapsulation
8.3.4 Confidentiality
The encryption algorithms highlighted in the figure are all symmetric key cryptosystems.
8.3.5 Integrity
8.3.6 Authentication
PSK Authentication
RSA Authentication
8.3.7 Secure Key Exchange with Diffie-Hellman