STANDARD IPSEC VPN

• Most fundamental IPSEC VPN design model.

• Static or dynamic crypto maps

• Cannot transport dynamic routing protocols or IP multicast traffic

ADVANTAGES:

• Configuration is relatively straight forward.

• Support on all Cisco IOS/IOS XE platforms and ASA

• Interoperability with non-cisco platforms

• Site to site as well as Remote access

• Stateful failover

DISADVANTAGES:

• No support for dynamic routing protocols

• No support for multicast traffic

• Configuration expansion with increase in peers

• No support per IPSec tunnel QOS

GRE OVER IPSEC

• GRE (Generic Routing Encapsulation) allows to transport other protocols

• Encapsulates in GRE tunnel and then encrypts (IPSec)

• GRE over IPSec is used when requirements are there for dynamic routing and/or IP multicast exist

ADVANTAGES:

• Support for IP multicast/ dynamic routing protocols

• Support on all Cisco IOS/IOS XE platforms

• Interoperability with non-cisco platforms

• Only VPN design that supports non-IP protocols

• QOS per point-to-point GRE over IPSec tunnel

• Backup tunnel pre-established

DISADVANTAGES:

• Configuration expansion with increase in peers

• Provisioning new sites requires change on head-end

• Routing peers limit scalability

VIRTUAL TUNNEL INTERFACE (VTI)

• IPSec in tunnel mode between VPN peers

• Simplifies VPN configuration

• Two types :

  • Static VTI (SVTI)

  • Dynamic VTI (DVTI)

• Supports QOS, multicast and other routing functions

• Limited VPN interoperability support with non-cisco platforms

STATIC VTI (SVTI)

• Statically configured tunnel via “tunnel mode ipsec ipv4/ipv6” and tunnel protection.

• Always up

• Interface state tied to underlying crypto socket state (IPSec SA)

• Can initiate and accept only one IPSec SA per VTI

• Routing determines traffic to be protected

• IPSec SA re-keyed even in the absence of any traffic

When do you use it?

• Used with site-to-site VPNs to provide always-on traffic protection

• Need for routing protocols and/or multicast traffic to be protected by IPSec tunnel

• Eliminates the need of GRE

• Need for QOS, firewall, or other security services on a per tunnel basis

ADVANTAGES:

• Support for IGP dynamic routing protocol over the VPN

• Support for multicast

• Application of features such as NAT, ACLs and QOS and apply them to clear-text or encrypted text.

• Simpler configuration

• IPSec sessions not tied to any interface

DISADVANTAGES:

• No support for non-IP protocols

• Limited support for multi-vendor

• IPSec stateful failover not available

• Similar scaling properties of IPSec and GRE over IPSec

• Only tunnel mode