Virtual tunnel interfaces, IPsec, DMVPN, FlexVPN, Cisco Secure Client, high availability considerations

1.4 Compare site-to-site and remote access VPN deployment types and components

📘CCNP security (350-701)

Introduction: Site-to-Site vs Remote Access VPNs

Site-to-Site VPN

  • Connects entire networks together.
  • Example: Head office router ↔ Branch office router.
  • Devices inside the network communicate through the routers; end-users do not run any VPN software.

Remote Access VPN

  • Connects individual users to the organization network.
  • Example: A remote employee using Cisco Secure Client on a laptop to connect to the corporate firewall/VPN gateway.

—————————————–

1. Virtual Tunnel Interfaces (VTIs)

A Virtual Tunnel Interface is a logical interface (similar to a loopback or VLAN interface) used to build IPsec VPNs. Instead of using crypto maps (older method), VTIs allow easier configuration and routing integration.

Why VTIs are useful

  • IPsec becomes “interface-based” and more scalable.
  • You can apply routing protocols (OSPF, EIGRP, BGP) over the tunnel.
  • Easier troubleshooting (because each tunnel has an IP).
  • Perfect for dynamic environments like DMVPN and FlexVPN.

Types of VTIs

  1. Static VTIs (SVTI)
    • Fixed point-to-point tunnel.
    • Both ends are manually configured.
    • Used in site-to-site VPNs.
  2. Dynamic VTIs (DVTI)
    • Tunnel created dynamically when a remote user connects.
    • Often used for remote access IPsec VPNs.

Exam Tip

Know that VTIs replace outdated “crypto maps” and support routing protocols over IPsec tunnels.

—————————————–

2. IPsec (Internet Protocol Security)

IPsec is the main security protocol suite used in both site-to-site and remote access VPNs.

What IPsec Provides

  1. Confidentiality → by encrypting data (ESP)
  2. Integrity → ensures data is not modified
  3. Authentication → verifies source identity
  4. Anti-replay protection → prevents duplicate/forged packets

IPsec Key Components

  • IKE Phase 1: Builds the secure control channel
    • Main mode or aggressive mode
    • Authentication: preshared keys or certificates
  • IKE Phase 2: Builds the actual data tunnel
    • Uses ESP (Encryption + Integrity) or AH (rare, integrity-only)

Common Encryption Algorithms

  • AES-128 / 256
  • SHA-1 / SHA-256 for integrity
  • DH Groups for key exchange

When IPsec is used

  • Site-to-site VPN between routers/firewalls
  • Remote access VPN over IPsec (Cisco Secure Client)
  • DMVPN and FlexVPN technologies

—————————————–

3. DMVPN (Dynamic Multipoint VPN)

What is DMVPN?

DMVPN allows multiple branch sites to communicate directly without traffic flowing through the hub after the first connection. It uses:

  • mGRE (multipoint GRE tunnel)
  • NHRP (Next Hop Resolution Protocol)
  • IPsec for encryption

How DMVPN Works

  • A hub router maintains a database of branch public IPs.
  • Branches (spokes) create tunnels to the hub.
  • When two spokes need to communicate, the hub tells them each other’s IP.
  • The spokes form a dynamic tunnel, improving performance.

Use Case (IT Example)

Branches need to:

  • Replicate servers between sites
  • Backup data to each other
  • Communicate in real time

Instead of traffic always going through the central data center, DMVPN allows spoke ↔ spoke direct communication.

DMVPN Phases (Important for Exam)

PhaseBehavior
Phase 1Spoke ↔ Hub only
Phase 2Dynamic spoke ↔ spoke tunnels; routing allowed
Phase 3Improved routing efficiency; supports summarization

—————————————–

4. FlexVPN

FlexVPN is Cisco’s modern, unified VPN framework using:

  • IKEv2
  • VTIs (SVTI, DVTI)
  • Template-based, very flexible configuration
  • Replaces older technologies (crypto maps, EzVPN, DMVPN in many cases)

Why FlexVPN Matters

  • Supports both site-to-site and remote access VPNs.
  • Supports IPv4/IPv6, certificates, AAA, RADIUS.
  • Better security (uses IKEv2 with stronger authentication).

Where FlexVPN is Used

  • Connecting branch routers to headquarters
  • Connecting remote employees using IKEv2/IPsec
  • Cloud VPN connections (router-to-cloud)

Key Components

  • IKEv2 profiles
  • IPsec profiles
  • VTI interface templates
  • AAA integration

FlexVPN is on the CCNP blueprint because Cisco is replacing older VPN methods with this unified model.

—————————————–

5. Cisco Secure Client

(Remote Access VPN Client)

Cisco Secure Client (formerly AnyConnect) is the software remote users install to connect securely.

What it offers

  • TLS VPN (SSL VPN)
  • IPsec/IKEv2 VPN
  • Always-on VPN
  • Posture assessment (host scanning, antivirus checking)
  • Network visibility and telemetry

Where it is used

  • Employees connecting from home to the corporate firewall
  • IT administrators accessing internal servers remotely
  • Contractors accessing restricted network zones

How it works

  1. User launches the client.
  2. Connects to the VPN gateway (Cisco ASA, FTD, IOS router).
  3. Gateway authenticates the user (usually via RADIUS/LDAP).
  4. A secure tunnel is created (TLS or IPsec).
  5. The user gains access to internal services like servers, databases, or applications.

—————————————–

6. High Availability (HA) Considerations for VPNs

High availability ensures VPN connections stay up even if a device or link fails.

Site-to-Site HA

You can configure:

  • Multiple headend routers
  • Multiple ISPs
  • IPsec redundancy using HSRP/VRRP
  • IPsec Stateful Failover on firewalls

Example:
Two Cisco ASAs running in failover mode. If one ASA fails, the second ASA takes over and existing IPsec tunnels re-establish automatically.

Remote Access HA

Requires:

  • Multiple VPN gateways
  • Load balancing using:
    • Cisco ASA VPN Load Balancing
    • FTD clustering
    • Anycast IP on IOS routers (BGP-based)

Control-Plane Redundancy

  • Multiple IKE peers
  • Redundant AAA servers
  • Certificate authority redundancy

Data-Plane Redundancy

  • Multiple tunnel interfaces
  • ECMP routing over IPsec
  • Multiple WAN providers

Why HA matters

When VPNs serve:

  • critical applications
  • global users
  • cloud connectivity

…downtime must be avoided at all costs.

—————————————–

7. Exam-Ready Summary

You MUST remember:

  • VTIs → interface-based IPsec; integrates with routing easily.
  • IPsec → used for encryption, authentication, integrity; operates using IKEv1/IKEv2.
  • DMVPN → uses mGRE + NHRP + IPsec; allows dynamic spoke-to-spoke tunnels.
  • FlexVPN → Cisco’s unified IKEv2-based VPN framework; supports site-to-site and remote access.
  • Cisco Secure Client → remote access VPN software for TLS and IPsec.
  • High Availability → redundant gateways, failover mechanisms, clustering, multiple ISPs.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by