In this chapter, we have discussed several prevalent IPsec VPN topologies, including the following:
- Site-to-site IPsec VPNs
- Site-to-site IPsec+GRE VPNs
- Hub-and-spoke IPsec VPN topologies
- Remote access VPN topologies
At this point, you should be familiar with the basic layout of the preceding topologies, because they will serve as the basis for the explanation of more advanced concepts, such as local and geographic site-to-site IPsec HA and remote access VPN HA. Each of the preceding topologies is loosely grouped into a given design category, but you should be familiar with the design variants of each. For example, two important variations on a simple site-to-site IPsec topology are site-to-site IPsec VPN over a dedicated circuit and site-to-site IPsec VPN over a routed domain. The introduction of a routing protocol between the two crypto endpoints materially alters the VPN topology.
As with site-to-site IPsec VPN design variations, we have also covered several variations of hub-and-spoke IPsec VPN deployments, including the following:
- Standard hub-and-spoke design (no hub redundancy)
- Clustered hub-and-spoke design to redundant hubs
- Clustered hub-and-spoke design to redundant hubs with redundant spokes
Our discussion in this chapter of the basic advantages to each of the preceding hub-and-spoke variations will provide useful context when discussing resilient IPsec VPN design strategies in future chapters.
Finally, we have introduced several common DMZ designs with various IPsec VPN concentrator placement alternatives. These design alternatives included the following:
- Standalone VPN concentrator DMZ design
- Parallel VPN concentrator and firewall DMZ design
- Dual DMZ VPN concentrator design
- Serial VPN concentrator placement on inside firewall interface
At this point, you should have a basic familiarity with VPN concentrator placement in a firewalled DMZ design, as well as a basic understanding of the dangers of placing IPsec VPN concentrators serially inside a firewalled domain. We raised the advantages and disadvantages of each design in preparation for discussing remote access VPN HA concepts in Chapter 9, "Solutions for Remote Access VPN High Availability."
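The placement question behind the four DMZ designs above is where the firewall sits relative to the point at which IPsec traffic is decrypted: a firewall in front of the concentrator only ever forwards IKE and ESP it cannot look into, and a firewall that never forwards the decrypted flow cannot apply policy to it. The following is an added illustration, not code or a configuration from the book: a small hop-by-hop model of an inbound VPN flow for each design. The device names and the hop order assumed for each design are constructed for the example; the IKE (UDP/500, UDP/4500 for NAT-T) and ESP (IP protocol 50) pass-through requirement is general IPsec behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    name: str
    inspects: bool = False   # firewall interface: applies policy to what it forwards
    decrypts: bool = False   # IPsec endpoint: traffic is cleartext after this hop


# Hypothetical device roles used to build each design (constructed for this example).
FW_OUTSIDE = Hop("firewall outside interface", inspects=True)
FW_DMZ1 = Hop("firewall DMZ1 interface", inspects=True)
FW_DMZ2 = Hop("firewall DMZ2 interface", inspects=True)
FW_INSIDE = Hop("firewall inside interface", inspects=True)
CONCENTRATOR = Hop("VPN concentrator", decrypts=True)
INSIDE = Hop("inside network")

# Assumed hop order of an inbound VPN flow for each design named in the chapter.
# The standalone concentrator hangs one-armed off a single DMZ interface, so the
# flow crosses that interface twice: once encrypted, once decrypted.
DESIGNS = {
    "standalone concentrator in DMZ":
        [FW_OUTSIDE, FW_DMZ1, CONCENTRATOR, FW_DMZ1, INSIDE],
    "parallel concentrator and firewall":
        [CONCENTRATOR, INSIDE],
    "dual DMZ concentrator":
        [FW_OUTSIDE, FW_DMZ1, CONCENTRATOR, FW_DMZ2, INSIDE],
    "serial concentrator on inside interface":
        [FW_OUTSIDE, FW_INSIDE, CONCENTRATOR, INSIDE],
}


def evaluate(path):
    """Walk the path once and report two properties of the design:
      cleartext_inspected: some firewall interface forwarded the decrypted flow,
                           so firewall policy can be applied to the real payload
      ipsec_passthrough:   some firewall interface forwarded the still-encrypted
                           flow, so it must permit IKE (UDP/500, UDP/4500) and
                           ESP (IP protocol 50) without seeing what is inside"""
    encrypted = True
    cleartext_inspected = False
    ipsec_passthrough = False
    for hop in path:
        if hop.decrypts:
            encrypted = False      # everything after this hop is cleartext
            continue
        if hop.inspects:
            if encrypted:
                ipsec_passthrough = True
            else:
                cleartext_inspected = True
    return {"cleartext_inspected": cleartext_inspected,
            "ipsec_passthrough": ipsec_passthrough}


def audit(designs=DESIGNS):
    """Evaluate every design and return {design name: verdict dict}."""
    return {name: evaluate(path) for name, path in designs.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        warn = "" if verdict["cleartext_inspected"] else "  <- decrypted traffic bypasses firewall policy"
        print(f"{name:42s} {verdict}{warn}")
```

Under these assumed hop orders, the standalone and dual DMZ designs both require IPsec pass-through on the outside interface but do put the decrypted flow through a firewall interface; the parallel design needs no pass-through yet leaves inspection entirely to the concentrator's own filtering; and the serial placement on the inside interface combines the worst of both, opening IKE/ESP through the firewall while the decrypted traffic enters the inside network without ever crossing a firewall interface.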