Title: Interop Labs VPN Interoperability Demo
Slide 1: Interop Labs VPN Interoperability Demo
- Las Vegas, Nevada
- May, 1999
Slide 2: VPN Interoperability: What are you seeing?
- World's Largest Public VPN Interoperability Demonstration
- All IPSEC (IP Security) compliant
- All using IKE/ISAKMP (Internet Key Exchange)
Slide 3: VPN Interoperability: What are you not seeing?
- Not every product supports the same set of SA establishment profiles
  - 3DES versus DES
  - Subnet versus Host-based SAs
  - ISAKMP versus IPSEC profile sets
- Not all SW versions seen here are shipping/released
- SA re-establishment not well defined
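
The profile mismatches listed on this slide, worked through as an added example (not part of the original deck): a simplified IKE-style selection in which the responder accepts the first offered transform it also supports. The capabilities given to the placeholder devices A to E are constructed for illustration, not vendor data, and `select`, `negotiate` and `tunnel_matrix` are hypothetical names.

```python
from itertools import combinations

# Constructed capability profiles for the five placeholder devices named on the
# slides (VPN A..E). The values are invented for illustration, not vendor data.
# Each transform list is in the device's own preference order.
DEVICES = {
    "A": {"isakmp": ["3DES", "DES"], "ipsec": ["3DES", "DES"], "selectors": {"subnet", "host"}},
    "B": {"isakmp": ["DES"],         "ipsec": ["DES"],         "selectors": {"subnet"}},
    "C": {"isakmp": ["3DES"],        "ipsec": ["3DES", "DES"], "selectors": {"host"}},
    "D": {"isakmp": ["3DES", "DES"], "ipsec": ["DES"],         "selectors": {"subnet"}},
    "E": {"isakmp": ["3DES", "DES"], "ipsec": ["3DES"],        "selectors": {"subnet", "host"}},
}

def select(offered, supported):
    """Responder side: accept the first offered transform it also supports."""
    return next((t for t in offered if t in supported), None)

def negotiate(initiator, responder):
    """Return (ok, detail) for one tunnel attempt between two device profiles."""
    ike = select(initiator["isakmp"], responder["isakmp"])
    if ike is None:
        return False, "no common ISAKMP profile"
    esp = select(initiator["ipsec"], responder["ipsec"])
    if esp is None:
        return False, "no common IPSEC profile"
    if not initiator["selectors"] & responder["selectors"]:
        return False, "subnet versus host SA mismatch"
    # A tunnel that only came up because both ends fell back to single DES
    # is flagged so it can be reviewed rather than silently accepted.
    return True, {"isakmp": ike, "ipsec": esp, "weak": "DES" in (ike, esp)}

def tunnel_matrix(devices):
    """Try every unordered pair, with the lower-named device initiating."""
    return {(a, b): negotiate(devices[a], devices[b])
            for a, b in combinations(sorted(devices), 2)}

if __name__ == "__main__":
    for (a, b), (ok, detail) in tunnel_matrix(DEVICES).items():
        print(f"{a}-{b}: {'up' if ok else 'FAILED'} {detail}")
```

With these constructed profiles, 6 of the 10 pairs come up, three of them only on single DES, and each failing pair reports which of the three slide items blocked it.
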
Slide 4: VPN Interoperability: What are the pieces?
- 12 vendors
- 65 site-to-site tunnels
- IP traffic with TCP and UDP
- ESP Tunneling Encryption
- Authentication within ESP
- IKE/ISAKMP key management with preshared secrets
Slide 5: VPN Interoperability: Why is this interesting?
- Vendor independent VPN
  - You need not be locked into a single vendor solution for VPNs any more!
  - You can talk to other enterprises who have already chosen a VPN vendor
- Product flexibility
  - Not every vendor has every answer
  - Mix and match to fit your needs
- Standards Assurance
  - Vendors who successfully interoperate will not lead you down a proprietary path
Slide 6: VPN Interoperability: How did we do it?
- Step 1: Start with a public LAN
[Diagram label: Router]
Slide 7: VPN Interoperability: How we did it, Step 2
[Diagram labels: Router; VPN A, B, C, D and E devices; LAN A, B, C, D and E; three Mgmt stations]
Slide 8: VPN Interoperability: How we did it, Step 3
[Diagram labels: Router; VPN A, B, C, D and E devices; LAN A, B, C, D and E; three Mgmt stations; five Conn. Testers]
Slide 9: VPN Interoperability: How we did it, Step 4
[Diagram labels: Router; VPN A, B, C, D and E devices; LAN A, B, C, D and E; three Mgmt stations; five Conn. Testers]
Slide 10: VPN Interoperability: How did we do it?
1. Connectivity Tester on VPN B sends a packet to Connectivity Tester on VPN E
2. VPN B device tunnels packet in IPSEC and sends to VPN E device
3. VPN E device de-tunnels packet and sends to Connectivity Tester on VPN E
4. Connectivity Tester on VPN E receives packet and sends response to Connectivity Tester on VPN B
5. B Tester receives response and updates web page
[Diagram labels: Conn. Tester; LAN B; VPN B device; VPN E device; LAN E; Mgmt station; Conn. Tester]
Slide 11: VPN Interoperability: See 12 VPNs in Operation
- Nortel
- Timestep
- Cisco
- RadGuard
- VPNet
- Internet Dynamics
- Microsoft
- FreeS/WAN
- Checkpoint
- Data Fellows
- Intel
- RedCreek
Slide 12: Each VPN has a VPN device and Connectivity Tester
Some also have management stations in the iLabs
[Diagram labels: Connectivity Tester; Management Station; VPN Device]
Slide 13: VPN Interoperability: VPN Device connections
- VPN Devices have two connections
  - One to its private network (unencrypted clients/servers)
  - One to the public network (encrypted traffic only)
- Connectivity Tester is on the private network
Slide 14: VPN Interoperability: Connectivity Tester
The Connectivity Tester on each LAN shows VPN encrypted connectivity between vendors. Vendor logos indicate a successful tunnel between this tester and the other products shown.
Slide 15: VPN Interoperability: Protocol Analysis
- WWG and Shomiti protocol analyzers are available to watch IPSEC SA establishment
Slide 16: VPN Interoperability: Participating VPN Products (1 of 2)
Slide 17: VPN Interoperability: Participating VPN Products (2 of 2)
Slide 18: VPN Interoperability: Interop VPN Labs Team