Zivaro Blog

Thinking Hybrid WAN? Think Cisco iWAN (Part Two)

In my first post of this series, I explained how the Hybrid Wide Area Network (WAN) solution from Cisco Intelligent WAN (iWAN) provides transport independence, allowing for a flexible, consistent and secure network overlay regardless of service provider or transport type.

In part two below, I will cover another touted benefit of iWAN – secure connectivity. This means that any traffic in transit is encrypted and unreadable to an outside observer.

Traditionally, encryption has primarily been used when traffic is being sent over an untrusted network such as the Internet, while “trusted” services such as Multiprotocol Label Switching (MPLS) are considered to be safe. Unfortunately, any service that is not directly controlled by you should be considered untrusted.

As such, any traffic traversing MPLS or other WAN services should be encrypted. Fortunately, Cisco’s Dynamic Multipoint Virtual Private Network (DMVPN) services, described in part one of this series, allow for native encryption using IPsec. An example IPsec configuration for a DMVPN tunnel is outlined below.

!-----------------------------------------------------------
! KEYRING
! Use pre-shared key here
!-----------------------------------------------------------
!
crypto ikev2 keyring DMVPN-KEYRING-MPLS
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key c1sco123
!
!-----------------------------------------------------------
! IKEv2 PROPOSAL
!
! Removed IKEv2 proposal, will use smart default
!-----------------------------------------------------------
!
!-----------------------------------------------------------
! IKEv2 PROFILE
!-----------------------------------------------------------
!
! match fvrf binds this profile to the front-door VRF (MPLS01) that carries the MPLS transport
crypto ikev2 profile DMVPN-IKE-PROFILE-MPLS
 match fvrf MPLS01
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING-MPLS
!
!-----------------------------------------------------------
! IPSEC
!-----------------------------------------------------------
!
! It is recommended that you use the maximum window size to eliminate future anti-replay problems.
! On the Cisco ASR 1000 router platform, the maximum replay window size is 512.
! If you do not increase the window size, the router may drop packets
! and you may see the following error message on the router CLI:
! %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
!
crypto ipsec security-association replay window-size 512
!
! Transport mode is used because the GRE tunnel already provides the outer IP header
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS
 set transform-set AES256/SHA/TRANSPORT
 set ikev2-profile DMVPN-IKE-PROFILE-MPLS
!
! Applying the profile to the tunnel interface is what actually encrypts the DMVPN traffic
interface Tunnel100
 ….
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS

Source: http://docwiki.cisco.com/wiki/PfR3:Solutions:IWAN

As you can see, with a relatively straightforward configuration, strong encryption can be enabled over a Hybrid WAN network using iWAN. This example uses pre-shared keys to authenticate the IKEv2 peers, but certificates can also be used. Further information on that approach is outside the scope of this post, but more detail can be found on Cisco’s site.
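A quick way to confirm that a running config actually has the properties discussed above (replay window raised, no legacy ESP algorithms in a transform-set, every tunnel interface carrying tunnel protection that points at a defined profile) is to audit the text of the config itself. The script below is an added example and is not part of the original post or of any Cisco tooling; the sample config it parses is constructed, with Tunnel200 left unprotected and a LEGACY transform-set added on purpose so that findings are produced.

```python
# Constructed sample IOS config (not from a real device); Tunnel200 and LEGACY are deliberate defects.
SAMPLE_CONFIG = """\
crypto ipsec security-association replay window-size 512
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
crypto ipsec profile DMVPN-IPSEC-PROFILE-MPLS
 set transform-set AES256/SHA/TRANSPORT
interface Tunnel100
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE-MPLS
interface Tunnel200
"""
WEAK_TOKENS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}  # legacy ESP algorithms
MIN_REPLAY_WINDOW = 512  # the ASR 1000 maximum the post recommends

def parse_stanzas(config):
    """Group IOS config into (header, [indented sub-lines]); '!' separators are skipped."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas

def audit_ipsec(config):
    """Return a list of findings; an empty list means every check passed."""
    stanzas = parse_stanzas(config)
    profiles = {h.split()[3] for h, _ in stanzas if h.startswith("crypto ipsec profile ")}
    findings, window = [], None
    for header, body in stanzas:
        if header.startswith("crypto ipsec security-association replay window-size "):
            window = int(header.split()[-1])
        elif header.startswith("crypto ipsec transform-set "):
            parts = header.split()  # [..., 'transform-set', NAME, algo, algo, ...]
            weak = sorted(WEAK_TOKENS.intersection(parts[4:]))
            if weak:
                findings.append(f"transform-set {parts[3]} uses weak algorithm(s): {weak}")
        elif header.startswith("interface Tunnel"):
            name = header.split()[1]
            prot = [ln for ln in body if ln.startswith("tunnel protection ipsec profile ")]
            if not prot:
                findings.append(f"{name}: no 'tunnel protection ipsec profile' (cleartext tunnel)")
            elif prot[0].split()[4] not in profiles:
                findings.append(f"{name}: references undefined ipsec profile {prot[0].split()[4]}")
    if window is None or window < MIN_REPLAY_WINDOW:
        findings.append(f"replay window-size is {window}, expected >= {MIN_REPLAY_WINDOW}")
    return findings
```

Run it against the output of `show running-config` saved to a file; any non-empty list of findings is a tunnel that is not getting the protection this post describes.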

So far I’ve covered two benefits of Cisco iWAN – transport independence and secure connectivity. In the next post I’ll cover intelligent path control, and why it matters to today’s network engineers.

Michael Edwards is a principal architect in professional services at GTRI.