This is a discussion on IPsec-VPN Issues within the Linux Security forums, part of the System Security and Security Related category.
If you are planning the deployment of IPsec-ESP VPN appliances, here are some tips to avoid protocol gotchas. If you have additional comments and additions, please feel free to post them.

For example, you have two local networks A and B, with services to be combined. First, the IP address range of network A and network B must be in different IP networks or subnetworks. The IPsec tunnel acts as a router at the tunnel endpoints. The tunnel endpoint appliance has an effective local address (effective router address) by which the local tunnel can be reached.

```text
        Network A                              Network B
               +-----+                         +-----+
    endpoint-A | vpn |tunnel-A                 | vpn | endpoint-B
            --o      o=========================o      o--
          /    |     |                 tunnel-B|     |    \
 Host A o--    +-----+                         +-----+    --o Host B
```

To construct the IPsec tunnel, the addresses "tunnel-A" and "tunnel-B" must be reachable by the "vpn" appliances. Then the access control lists at each end of the tunnel must allow traffic for "Host A" and "Host B". The tunnel endpoints are known by addresses "endpoint-A" and "endpoint-B".

Routing table in Host-A must have an entry for Host-B or Network-B, with the local router address being "endpoint-A". Routing table in Host-B must have an entry for Host-A or network-A, with the local router address being "endpoint-B".

The vpn tunnel is encrypted across "=====" between the addresses of "tunnel-A" and "tunnel-B". Traffic on the local networks (from endpoint to host) is not encrypted.

----------------------------------------------------------

I hope this helps keep you out of trouble with network planning.

Sincerely,
Steven J. Hathaway
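A small planning check for the two gotchas in the post above (the site networks must not overlap, and each host needs a route for the remote site via its local "endpoint" address). This is an added example, not code from the original post; all addresses in it are constructed sample values.

```shell
#!/bin/sh
# Added planning check (not from the original post). Verifies that the two
# site networks do not overlap and prints the static route each site's hosts
# need for the remote site via the local tunnel appliance (endpoint-X).

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as an integer) for a prefix length.
mask_of() {
  echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Exit status 0 if the two CIDR blocks share any address, 1 otherwise.
# Two blocks overlap exactly when they agree under the coarser of the two masks.
subnets_overlap() {
  pa=${1#*/}; pb=${2#*/}
  short=$(( pa < pb ? pa : pb ))
  m=$(mask_of "$short")
  [ $(( $(ip2int "${1%/*}") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

# Route a host on one site needs: remote network via the local endpoint address.
host_route() {
  echo "ip route add $1 via $2"
}

# Constructed sample plan for sites A and B (assumed values, not from the post).
NET_A=192.168.10.0/24; ENDPOINT_A=192.168.10.1
NET_B=192.168.20.0/24; ENDPOINT_B=192.168.20.1

plan_check() {
  if subnets_overlap "$NET_A" "$NET_B"; then
    echo "ERROR: $NET_A and $NET_B overlap; renumber one site first" >&2
    return 1
  fi
  echo "# on hosts in Network A:"; host_route "$NET_B" "$ENDPOINT_A"
  echo "# on hosts in Network B:"; host_route "$NET_A" "$ENDPOINT_B"
}

plan_check
```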