Light at the End of the VPN Tunnel
VPNs, or Virtual Private Networks, allow users to securely access a private network and share data remotely through public networks. Much like a firewall protects your data on your computer, VPNs protect it online. And while a VPN is technically a WAN (Wide Area Network), the front end retains the same functionality, security, and appearance as it would on the private network. For this reason, VPNs are hugely popular with corporations as a means of securing sensitive data when connecting remote data centers.
If you have worked on VPNs, by now you know that the two most important aspects are the protocol used to create the tunnel and the termination of the tunnel. There are a number of protocols that can be used to configure the VPN on your edge routers, e.g., DMVPN, IPsec VPN, L2TP, etc. One thing that is common among all VPN types is the complexity.
For starters, you have to enter what seems like a zillion CLI commands, remember the IP summarization list and associate the entries with routing. Just to make your life even better, there is a tedious security piece, which deals with the CA (certificate authority) and SCEP (Security Certificate Enrollment Protocol). Oh yeah, and the complexity blows up exponentially if you want to connect multiple sites, and we don't want to go down the path of even thinking about any type of mesh architecture!
Oh snap! How can we ignore those late night Priority 1 case alerts of TUNNEL FLAPS? VPN tunnels are super sensitive to any kind of route changes and security key exchange.
Thankfully there is hope! There is light at the end of the tunnel!
Riverbed SteelConnect has a super fast and easy way to create not only single point-to-point VPNs but also, just as easily and securely, resilient full mesh VPN networks between all your sites by using its ‘AutoVPN’ feature.
But not everybody has a SteelConnect gateway to connect to, and you still might need access to 3rd party networks, which can be achieved by creating a manual VPN tunnel using the standard IPsec IKEv1 protocol.
For this use-case, we added a new feature called ‘ClassicVPN’, which makes it easy yet flexible to connect to 3rd party IPsec gateways. We have done some automation magic (aka: automagically) to easily solve issues with overlapping IPv4 networks.
To connect, you only need the IP/hostname of the remote IPsec gateway you want to connect to, as well as the IPv4 addressing there. After that, you have to decide which of your sites you want the IPsec tunnel to connect to and which of your network zones should have access to the remote network.
You can add multiple network zones from your site if needed (also from different sites, which will send traffic first through an AutoVPN tunnel and then through the ClassicVPN tunnel to the 3rd party). All the transit routing gets configured fully automatically! Once you create the tunnel, you get all the information needed to configure the remote site. On top of that, we want to make it very easy to configure the remote gateway; that's why we added configuration helpers that give you cut-n-paste ready config snippets for Cisco gateways.
Common challenge—IP address conflicts:
One very common issue when connecting networks via VPN is that the same IP addresses might be used on both sides, making it impossible to just create a simple IPsec tunnel, as routing through the tunnel would not work.
It is often impractical (or even impossible) to change the IP addresses on either side. To overcome this, we added an integrated Network Address Translation (NAT) layer, in which you can map an overlapping network one-to-one into a virtual network.
This means you can communicate with the remote location using the virtual NAT network, yet prior to entering the tunnel, we will transparently replace the IPv4 addresses with the matching ones from the remote side, allowing both networks to remain unchanged!
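The one-to-one mapping described above can be sketched in a few lines. This is an added example of the general technique, not SteelConnect code; the function names, class name and all addresses are constructed for illustration.

```python
import ipaddress

def colliding_zones(local_zones, remote_net):
    """Return the local zones whose address space overlaps the remote network."""
    remote = ipaddress.ip_network(remote_net)
    return [z for z in local_zones if ipaddress.ip_network(z).overlaps(remote)]

class OneToOneNat:
    """Map a real remote network onto an equally sized virtual network."""

    def __init__(self, real_net, virtual_net):
        self.real = ipaddress.ip_network(real_net)
        self.virtual = ipaddress.ip_network(virtual_net)
        if self.real.prefixlen != self.virtual.prefixlen:
            raise ValueError("one-to-one NAT needs networks of equal size")
        if self.real.overlaps(self.virtual):
            raise ValueError("virtual network must not overlap the real one")

    @staticmethod
    def _swap(addr, src, dst):
        ip = ipaddress.ip_address(addr)
        if ip not in src:
            raise ValueError(f"{ip} is not in {src}")
        # Keep the host part, replace only the network part.
        return str(dst.network_address + (int(ip) - int(src.network_address)))

    def to_real(self, virtual_addr):
        """Rewrite a destination before the packet enters the tunnel."""
        return self._swap(virtual_addr, self.virtual, self.real)

    def to_virtual(self, real_addr):
        """Rewrite the source of a reply coming back out of the tunnel."""
        return self._swap(real_addr, self.real, self.virtual)

def plan_nat(local_zones, remote_net, virtual_net):
    """Return a OneToOneNat if the remote network collides, else None."""
    if not colliding_zones(local_zones, remote_net):
        return None  # plain routing through the tunnel works
    if colliding_zones(local_zones, virtual_net):
        raise ValueError("virtual network collides with a local zone")
    return OneToOneNat(remote_net, virtual_net)

# Constructed sample addressing (not from the article).
LOCAL_ZONES = ["10.1.0.0/16", "192.168.10.0/24"]
if __name__ == "__main__":
    nat = plan_nat(LOCAL_ZONES, "192.168.10.0/24", "172.31.10.0/24")
    print(nat.to_real("172.31.10.57"), nat.to_virtual("192.168.10.57"))
```

The check that the virtual network is itself unused locally matters: picking a virtual range that collides with another zone reintroduces the routing ambiguity the NAT layer was meant to remove.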
Connection to SteelConnect organizations:
In SteelConnect there is a feature called RouteVPN which automatically creates IPsec tunnels over Internet links, ain't it cool! You can explicitly add RouteVPN to MPLS connections as well.
SteelConnect gateway has a rich set of features for your SD-WAN solution, and AutoVPN just happens to be one of them.