LAN-to-LAN (site-to-site) VPNs are a rapidly growing
alternative to, or augmentation of, leased-line or Frame Relay WAN infrastructures.
VPNs create secure tunnels between two networks across an insecure
public network, such as the Internet. The Cisco Concentrator supports three
types of tunnels: Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling
Protocol (PPTP), and IPSec.
Two types of LAN-to-LAN VPN implementations exist:
Intranet VPNs provide secure connections from branch offices to the
enterprise network resources.
Extranet VPNs provide secure connections for special third parties, such as
business partners, vendors, and customers, to the specified enterprise resources.
While this chapter and the certification exam focus mainly on the
Cisco VPN 3000 Concentrators for LAN-to-LAN implementations, note that the VPN
peer device at the other end of this type of link can be any of the following
Figure 16-1 shows common intranet and extranet VPNs,
as well as the different types of Cisco endpoint devices that might be used.
Figure 16-1: Common LAN-to-LAN VPN implementations
In a LAN-to-LAN implementation, IPSec creates a secure tunnel
between the public interfaces of the two VPN Concentrators or endpoint devices.
The endpoint devices forward the secure data received over the VPN to the hosts
on their private LANs as unencrypted data. No VPN user authentication or
configuration exists in a LAN-to-LAN connection. Hosts configured on the private
networks can access hosts on the other side of the connection. Any access is
subject to any network authentication, group or user permissions, and router
To configure a LAN-to-LAN connection fully, you must configure
identical basic IKE and IPSec parameters on both endpoint devices.
Remember, the IPSec VPN-related ports and protocols must be open on all
network devices between the endpoints: IKE/ISAKMP on UDP port 500, ESP
(IP protocol number 50), and AH (IP protocol number 51).
The scenario used in the following discussion is deliberately
simple, so that anyone with appropriate devices can follow along. The
configuration is based on Figure 16-2, showing a branch location connecting
through a VPN Concentrator to another VPN Concentrator at the main office. The
scenario assumes the main office has reserved the 128 class C networks
192.168.0.0 to 192.168.127.0 for its internal use. The other private class C
addresses have been assigned as needed to the company’s branch locations. The
figure shows a branch location assigned the 192.168.144.0 network.
Figure 16-2: VPN 3002
While the diagram assumes a Concentrator at both ends, the
central site configuration process won’t change much, regardless of the device
at the branch. You might need to modify the IKE and IPSec choices based on what
the peer device can support.
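
The following is an added example, not part of the original chapter or Cisco's software: a pre-deployment check that both peers carry identical IKE and IPSec parameters and that their network lists mirror each other, using the addressing from the scenario above. The dictionary field names and the algorithm values are assumptions made up for illustration.

```python
import ipaddress

# Constructed peer definitions for the scenario above. Field names and
# algorithm values are hypothetical, not VPN 3000 Concentrator settings.
MAIN = {
    "ike": {"auth": "preshared", "encryption": "aes-256", "hash": "sha1", "dh_group": 5},
    "ipsec": {"protocol": "esp", "encryption": "aes-256", "hash": "sha1"},
    "local_nets": [f"192.168.{i}.0/24" for i in range(128)],
    "remote_nets": ["192.168.144.0/24"],
}
BRANCH = {
    "ike": dict(MAIN["ike"]),
    "ipsec": dict(MAIN["ipsec"]),
    "local_nets": ["192.168.144.0/24"],
    "remote_nets": ["192.168.0.0/17"],
}

def summarize(nets):
    """Collapse prefixes into the smallest equivalent list of networks."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))

def check_pair(a, b):
    """Return the mismatches that would keep the tunnel from working."""
    problems = []
    # IKE and IPSec parameters must be identical on both endpoints.
    for phase in ("ike", "ipsec"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase}.{key}: {a[phase].get(key)!r} != {b[phase].get(key)!r}")
    # Each side's local networks must equal the peer's remote networks.
    for x, y, label in ((a, b, "a->b"), (b, a, "b->a")):
        if summarize(x["local_nets"]) != summarize(y["remote_nets"]):
            problems.append(f"network lists not mirrored ({label})")
    # Overlapping private ranges on the two sides make routing ambiguous.
    for la in summarize(a["local_nets"]):
        for lb in summarize(b["local_nets"]):
            if la.overlaps(lb):
                problems.append(f"overlap: {la} and {lb}")
    return problems

if __name__ == "__main__":
    print(summarize(MAIN["local_nets"]))
    print(check_pair(MAIN, BRANCH) or "peers match")
```

The 128 main-office class C networks collapse to the single prefix 192.168.0.0/17, which is why the branch side can list one remote network while the main office lists 128 local ones and the two still compare as equal.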