
IPsec VPN With Dynamic Crypto Maps And TED

by | 4-May-2021 | Cisco, Security, VPN

(1) Dynamic Crypto Maps Overview

Dynamic Crypto Maps overview (Figure 1)

Enable the VPN endpoint to negotiate ISAKMP with “unknown” remote peers

  • The specific IP addresses of the remote peers are not known in advance
  • Instead, only an array/range of IP addresses needs to be known
  • Only the HUB Router needs to be configured with a Dynamic Crypto Map

Key components

  • Dynamic acceptance and configuration of the remote peer’s IP address and Crypto ACL
  • In RAVPN using IKE mode config, facilitates additional dynamic functionality, such as:
    • Dynamic assignment of VPN client IP address, DNS/WINS servers, IP domain names


Dynamic Crypto Maps process and caveats

Once a router that uses dynamic crypto maps receives a request to initiate IPsec negotiation, it will:

  • Search for a matching ISAKMP policy
  • Create and install a temporary crypto map entry

Dynamic crypto maps do not enable a VPN endpoint to proactively discover remote peers

  • The HUB Router is unable to initiate the IPsec negotiation first
  • Until an IPsec SA has been created, traffic in the crypto-protected path will be dropped by the HUB Router

TED in conjunction with dynamic crypto maps

  • The HUB Router will proactively discover remote peers
  • The HUB Router is able to initiate IPsec negotiation first

(2) TED: Tunnel Endpoint Discovery

TED overview

  • A logical extension to dynamic crypto maps that allows an endpoint to
    • Proactively discover a previously unknown peer
    • Dynamically discover a previously unknown peer


How TED works

  • TED probes are sent out of the local VPN endpoint’s crypto-enabled interfaces
  • Remote peers that receive a TED probe can successfully negotiate a dynamically initiated tunnel
    • The remote peers don’t need to have TED configured


TED illustration (Figure 2)

  • PC5 (10.1.1.5) sends packets to the destination PC6 (10.2.2.6)
  • R1 receives the packet
    • Checks the source and destination IP (s=10.1.1.5, d=10.2.2.6) against its crypto ACL
  • If R1 finds a match against its configured crypto ACLs
    • It sends a TED probe with IP (s=10.1.1.5, d=10.2.2.6, Data=1.1.1.1) out of its Gi1 interface
  • R2 receives the TED probe
    • Checks the source and destination IP (s=10.1.1.5, d=10.2.2.6) against its crypto ACL
  • If R2 finds a match against its configured crypto ACLs
    • It sends a TED reply with IP (s=10.2.2.6, d=10.1.1.5, Data=2.2.2.2) out of its Gi1 interface
  • R1 receives the TED reply
    • It initiates IKE negotiation (s=1.1.1.1, d=2.2.2.2, “Normal ISAKMP/IKE negotiation”)
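To tie the two sections together, here is an added example of a HUB Router (R1) configuration that combines a dynamic crypto map with TED; it is not from the original post. The names DYNMAP, VPNMAP, CRYPTO-ACL and TS, the Gi1 subnet mask and the pre-shared key placeholder are assumptions; the addresses, interface and crypto ACL follow the illustration above.

```cisco
! Phase 1 policy used once the TED reply triggers IKE between 1.1.1.1 and 2.2.2.2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Peers are unknown in advance, so the pre-shared key has to be wildcarded.
! <PSK-PLACEHOLDER> is a placeholder. Any host that knows this key can negotiate
! with the hub, so certificate authentication (rsa-sig) is the stronger choice.
crypto isakmp key <PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! Crypto ACL: R1 only sends a TED probe for s=10.1.1.5 d=10.2.2.6 if it matches here
ip access-list extended CRYPTO-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Dynamic crypto map: no "set peer", the peer address is learned during negotiation.
! "match address" is required with TED; without it R1 has nothing to match traffic
! against before a peer is known and cannot decide when to send a probe.
crypto dynamic-map DYNMAP 10
 set transform-set TS
 match address CRYPTO-ACL
!
! "discover" enables TED, so R1 can initiate toward peers it has not yet seen
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP discover
!
interface GigabitEthernet1
 ip address 1.1.1.1 255.255.255.0
 crypto map VPNMAP
```

Verify with `show crypto map` (the dynamic template is listed under VPNMAP) and, after a TED reply has triggered IKE, `show crypto isakmp sa` and `show crypto ipsec sa` for the 1.1.1.1/2.2.2.2 pair.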
