CCNP Chapter 8: Virtual Private Networks (VPNs)

VPN Fundamentals

A Virtual Private Network (VPN) creates a secure, encrypted connection between remote users and a central network over a public medium such as the internet. It ensures data confidentiality, integrity, and authentication.

VPNs are essential for secure remote access and are widely used in enterprise networks to extend resources to remote workers, branch offices, and mobile users.

[Figure: VPN Concept Diagram]

IPsec VPNs

IPsec (Internet Protocol Security) is a framework of open standards for securing IP communications. It supports encryption, authentication, and key exchange through protocols such as IKE, ESP, and AH. It can operate in transport or tunnel mode.

A typical configuration includes an ISAKMP policy, a transform set, a crypto map, and applying the map to an interface:

! IKE phase 1 policy ("hash sha" is SHA-1 and "group 2" is 1024-bit DH; SHA-256 and DH group 14 or higher are current guidance)
Router(config)# crypto isakmp policy 10
Router(config-isakmp)# encryption aes
Router(config-isakmp)# hash sha
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2
! Pre-shared key for the peer, required by "authentication pre-share" (placeholder value)
Router(config)# crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
! IKE phase 2 transform set
Router(config)# crypto ipsec transform-set TS esp-aes esp-sha-hmac
! Crypto ACL defining the traffic to protect (example subnets)
Router(config)# ip access-list extended VPN-ACL
Router(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Crypto map ties peer, transform set and crypto ACL together; without "match address" IOS leaves the map disabled
Router(config)# crypto map VPN-MAP 10 ipsec-isakmp
Router(config-crypto-map)# set peer 198.51.100.1
Router(config-crypto-map)# set transform-set TS
Router(config-crypto-map)# match address VPN-ACL
Router(config)# interface g0/0
Router(config-if)# crypto map VPN-MAP
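As an added check that is not part of these notes: a small Python audit that parses the ISAKMP policy and transform-set lines above (embedded as a constructed sample) and flags settings below current guidance (DH groups 1/2/5, SHA-1/MD5, DES/3DES, legacy ESP transforms). It also applies the IOS defaults for omitted policy lines and handles several policies, so it goes a little beyond the single policy shown; the weak/legacy sets are this editor's choices, not taken from the page.

```python
import re
# Constructed sample: the ISAKMP policy and transform set from the notes above.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
"""
# IOS defaults that apply when a policy line is omitted.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
# Below current guidance: plain "sha" is SHA-1; groups 1/2/5 are 768/1024/1536-bit MODP.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}

def parse_config(config):
    """Return (policies, transform_sets) parsed from IOS 'crypto' configuration text."""
    policies, transform_sets, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:  # policy block starts; its sub-commands follow, indented by one space
            current = policies.setdefault(m.group(1), dict(ISAKMP_DEFAULTS))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            current = None
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None
    return policies, transform_sets

def audit_config(config):
    """Return findings for weak IKEv1 policy settings and legacy IPsec transforms."""
    policies, transform_sets = parse_config(config)
    findings = []
    for num, pol in sorted(policies.items()):
        for key, bad in WEAK.items():
            if pol[key] in bad:
                findings.append(f"isakmp policy {num}: {key} {pol[key]} is weak")
    for name, transforms in transform_sets.items():
        for t in transforms:
            if t in LEGACY_TRANSFORMS:
                findings.append(f"transform-set {name}: {t} is legacy")
    return findings
```

Run it against a saved `show running-config | section crypto` to get the same findings for a real device.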

SSL VPNs

SSL VPNs provide remote access to network resources using a web browser and SSL/TLS encryption. Unlike IPsec VPNs, they do not require a preinstalled VPN client for basic access and are easier to deploy for mobile users.

There are two types of SSL VPNs: clientless (browser-based web portal) and full tunnel (using client software such as Cisco AnyConnect).

[Figure: SSL VPN Access]

DMVPN (Dynamic Multipoint VPN)

DMVPN allows dynamic creation of VPN tunnels between remote sites without predefining every connection. It uses multipoint GRE (mGRE) tunnels and NHRP (Next Hop Resolution Protocol) for scalability, making it well suited to spoke-to-spoke (branch-to-branch) communication.

! Hub tunnel interface (mGRE + NHRP). mGRE alone carries traffic unencrypted; to encrypt the tunnels, add
! "tunnel protection ipsec profile <PROFILE-NAME>" referencing an IPsec profile (not shown here)
Router(config)# interface tunnel0
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# tunnel source g0/0
Router(config-if)# tunnel mode gre multipoint
Router(config-if)# ip nhrp network-id 1
Router(config-if)# ip nhrp map multicast dynamic
! NHRP authentication string is limited to 8 characters ("dmvpnpass" is 9 and is rejected) and travels in cleartext
Router(config-if)# ip nhrp authentication dmvpnkey

GETVPN (Group Encrypted Transport VPN)

GETVPN provides encryption between routers in a full mesh without requiring point-to-point tunnels. It is used in environments such as MPLS networks, where preserving the original IP header is critical for QoS and routing.

GETVPN uses a Group Key Server (GKS) to distribute keys to Group Members (GMs). It is highly scalable and suitable for enterprises.

SD-WAN VPN

SD-WAN (Software-Defined WAN) enables dynamic, policy-driven VPN tunnels over multiple transport networks such as MPLS, broadband, and LTE. It provides secure, efficient, and centralized management of WAN traffic.

Cisco vManage orchestrates the SD-WAN fabric and applies security, application-aware routing, and path selection.

[Figure: SD-WAN VPN Topology]