NSX Edge VPN Services
IPsec VPN is a method of providing secure and reliable communication between sites or users over an untrusted medium such as the Internet. IPsec provides the following types of security features:
- Data Authentication: the origin of the data is verified to be the claimed source
- Data Integrity: no one can alter the data without detection
- Data Confidentiality: no one can see the data
To achieve the above features, IPsec uses various authentication and encryption protocols, which must be negotiated before the IPsec tunnel is created. Once the tunnel is established between the peers, data is encrypted with these negotiated protocols and sent securely to the destination.
All of this is handled by a process called IKE (Internet Key Exchange), which has two phases:
- Phase 1 validates the two endpoints that want to be IPsec VPN peers and establishes a secure channel between the two.
- Phase 2 establishes the secure channel for the actual IPsec VPN traffic.
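The two phases, as an added toy model that is not part of the original page and not NSX code: Phase 1 runs a Diffie-Hellman exchange, derives keying material from the DH secret and a pre-shared key, and each side proves it knows the PSK; Phase 2 derives the per-SA keys for the actual traffic. The DH group is fixed (the 1024-bit MODP modulus), HMAC-SHA256 stands in for the IKE PRF, and the message formats, identifiers and SPI value are constructed for illustration.

```python
"""Toy model of the two IKE phases. Constructed for illustration: the DH group is fixed,
HMAC-SHA256 stands in for the IKE PRF, and the real message formats are omitted."""
import hashlib
import hmac
import secrets
from typing import Optional

# 1024-bit MODP modulus (RFC 2409 group 2) and generator. Real IKE negotiates the
# group in Phase 1; this example fixes it.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE pseudo-random function, modelled here as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


class IkePeer:
    """One VPN endpoint (Site-X router or NSX Edge) holding a pre-shared key."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 2   # ephemeral DH exponent, never sent
        self.pub = pow(G, self.priv, P)            # g^x mod p, sent to the peer in clear
        self.nonce = secrets.token_bytes(16)
        self.skeyid_d = None                       # Phase 1 output feeding Phase 2
        self._skeyid_a = None                      # key used for Phase 1 authentication

    def phase1(self, peer_pub: int, peer_nonce: bytes, initiator: bool) -> bytes:
        """Phase 1: derive keying material from the DH secret and the PSK.
        Returns the tag this side sends to prove it knows the PSK."""
        shared = pow(peer_pub, self.priv, P).to_bytes(128, "big")
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        skeyid = prf(self.psk, ni + nr)                      # PSK-authenticated root key
        self.skeyid_d = prf(skeyid, shared + b"\x00")        # material for child SAs
        self._skeyid_a = prf(skeyid, self.skeyid_d + shared + b"\x01")
        return prf(self._skeyid_a, self.pub.to_bytes(128, "big") + self.name.encode())

    def verify_peer(self, peer_pub: int, peer_name: str, peer_tag: bytes) -> bool:
        """Accept the peer only if its tag was made with the same PSK and DH secret."""
        expected = prf(self._skeyid_a, peer_pub.to_bytes(128, "big") + peer_name.encode())
        return hmac.compare_digest(expected, peer_tag)

    def phase2(self, spi: bytes, ni: bytes, nr: bytes) -> dict:
        """Phase 2: per-SA encryption and authentication keys for the IPsec traffic."""
        keymat = prf(self.skeyid_d, spi + ni + nr)
        return {"enc": keymat[:16], "auth": keymat[16:]}


def negotiate(site_x: IkePeer, edge: IkePeer) -> Optional[dict]:
    """Run both phases; returns the child-SA keys each side derived, or None when
    Phase 1 authentication fails (for example a mismatched PSK)."""
    tag_x = site_x.phase1(edge.pub, edge.nonce, initiator=True)
    tag_e = edge.phase1(site_x.pub, site_x.nonce, initiator=False)
    if not (site_x.verify_peer(edge.pub, edge.name, tag_e)
            and edge.verify_peer(site_x.pub, site_x.name, tag_x)):
        return None
    spi = b"\x00\x00\x10\x01"                                    # constructed child-SA SPI
    n2i, n2r = secrets.token_bytes(16), secrets.token_bytes(16)  # fresh Phase 2 nonces
    return {"site_x": site_x.phase2(spi, n2i, n2r), "edge": edge.phase2(spi, n2i, n2r)}


if __name__ == "__main__":
    keys = negotiate(IkePeer("site-x", b"correct-psk"), IkePeer("edge", b"correct-psk"))
    print("Phase 2 keys match:", keys["site_x"] == keys["edge"])
    bad = negotiate(IkePeer("site-x", b"correct-psk"), IkePeer("edge", b"wrong-psk"))
    print("Wrong PSK rejected in Phase 1:", bad is None)
```

The point to take from the model is the dependency between the phases: Phase 2 keys are derived from `skeyid_d`, so nothing about the data-protection SAs exists until Phase 1 has both agreed a secret and authenticated the peer; a PSK mismatch surfaces as a Phase 1 failure, never as a Phase 2 one.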
The figure below demonstrates the packet walk on a site-to-site VPN; afterwards we will see how the IKE phases happen:
Traffic from user X toward the web server flows as follows:
- User X opens a web browser to reach a website in the DC – Y Data Center.
- The traffic is routed internally over to the Site – X router.
- The Site – X router has an entry for the web server’s subnet going over the IPsec VPN toward the Edge IPsec peer.
- The Site – X router encapsulates the traffic from user X and sends it over the IPsec tunnel, using the NAT router as the IPsec peer endpoint.
- The NAT router changes the destination IP of the IPsec header.
- The IPsec Peer Edge receives the IPsec traffic, validates it, decapsulates it, and routes it locally to the web server.
- The response traffic from the web server is routed locally by the IPsec Peer Edge.
- The IPsec Peer Edge has an entry for user X’s subnet pointing out of the IPsec VPN to the Site – X IPsec Peer router.
- The IPsec Peer Edge encapsulates the traffic from the web server and sends it over the IPsec VPN.
- The Site – X router receives the IPsec traffic, validates it, decapsulates it, and routes it locally to user X.
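The packet walk above, as an added toy model that is not part of the original page and not NSX code: the Site-X router encapsulates the user packet, a NAT router in front of the Edge rewrites only the outer destination address, and the Edge validates (SPI, integrity check value, replay) before decapsulating and routing locally; the reply follows the same path back. All addresses, subnets, SPIs and keys are constructed (in a real deployment the SA keys come from IKE Phase 2), and an HMAC-SHA256 counter-mode keystream stands in for the real cipher such as AES-GCM. The model also shows the failure modes the page's security features imply: a packet altered in transit fails validation, and a replayed packet is dropped.

```python
"""Toy model of the site-to-site packet walk: ESP-style tunnel encapsulation, a NAT router
in front of the Edge, and the Edge's validation. Constructed for illustration only."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class SA:
    """One-direction security association: SPI and keys (would come from IKE Phase 2)."""
    spi: int
    enc_key: bytes
    auth_key: bytes


@dataclass
class Packet:
    """Inner (user) packet: what the tunnel protects."""
    src: str
    dst: str
    payload: bytes


@dataclass
class EspPacket:
    """Outer IPsec packet. The ICV covers spi, seq and ciphertext only, never the outer
    addresses, which is why a NAT can rewrite them without breaking validation."""
    outer_src: str
    outer_dst: str
    spi: int
    seq: int
    ciphertext: bytes
    icv: bytes


def _hdr(spi: int, seq: int) -> bytes:
    return spi.to_bytes(4, "big") + seq.to_bytes(4, "big")


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    # Toy counter mode: (spi, seq, block) never repeats within an SA, so no keystream reuse.
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, _hdr(spi, seq) + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _icv(sa: SA, seq: int, ct: bytes) -> bytes:
    return hmac.new(sa.auth_key, _hdr(sa.spi, seq) + ct, hashlib.sha256).digest()


class TunnelEndpoint:
    """IPsec peer (Site-X router or NSX Edge) with one SA per direction, as IPsec uses."""

    def __init__(self, address, local_net, peer_address, remote_net, out_sa: SA, in_sa: SA):
        self.address, self.peer_address = address, peer_address
        self.local_net = ipaddress.ip_network(local_net)
        self.remote_net = ipaddress.ip_network(remote_net)  # the "entry for the peer's subnet"
        self.out_sa, self.in_sa = out_sa, in_sa
        self.seq = 0          # outbound sequence number
        self.last_seen = 0    # highest accepted inbound sequence (anti-replay window of 1)

    def route(self, pkt: Packet) -> Optional[EspPacket]:
        """Routing decision: destination in the remote subnet -> send over the tunnel."""
        return self.encapsulate(pkt) if ipaddress.ip_address(pkt.dst) in self.remote_net else None

    def encapsulate(self, pkt: Packet) -> EspPacket:
        self.seq += 1
        inner = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
        ct = _xor(inner, _keystream(self.out_sa.enc_key, self.out_sa.spi, self.seq, len(inner)))
        return EspPacket(self.address, self.peer_address, self.out_sa.spi, self.seq, ct,
                         _icv(self.out_sa, self.seq, ct))

    def decapsulate(self, esp: EspPacket) -> Optional[Packet]:
        """Validate (SPI, origin/integrity, replay) before decrypting; None means drop."""
        if esp.outer_dst != self.address or esp.spi != self.in_sa.spi:
            return None
        if not hmac.compare_digest(esp.icv, _icv(self.in_sa, esp.seq, esp.ciphertext)):
            return None   # altered in transit, or not sent by the peer holding auth_key
        if esp.seq <= self.last_seen:
            return None   # replayed packet
        self.last_seen = esp.seq
        inner = _xor(esp.ciphertext,
                     _keystream(self.in_sa.enc_key, esp.spi, esp.seq, len(esp.ciphertext)))
        src, dst, payload = inner.split(b"|", 2)
        pkt = Packet(src.decode(), dst.decode(), payload)
        return pkt if ipaddress.ip_address(pkt.dst) in self.local_net else None  # route locally


class DnatRouter:
    """NAT router in front of the Edge: rewrites only the outer IPsec header."""

    def __init__(self, public: str, edge_address: str):
        self.public, self.edge_address = public, edge_address

    def inbound(self, esp: EspPacket) -> EspPacket:    # "changes the destination IP"
        return replace(esp, outer_dst=self.edge_address) if esp.outer_dst == self.public else esp

    def outbound(self, esp: EspPacket) -> EspPacket:   # reply leaves with the NAT's address
        return replace(esp, outer_src=self.public) if esp.outer_src == self.edge_address else esp


def packet_walk(tamper: bool = False) -> Optional[bytes]:
    """Run the exchange; returns the web server's reply as user X receives it, or None."""
    x_to_e = SA(0x1001, b"x-to-edge-enc-k", b"x-to-edge-auth-key")   # constructed keys
    e_to_x = SA(0x2002, b"edge-to-x-enc-k", b"edge-to-x-auth-key")
    site_x = TunnelEndpoint("192.0.2.10", "10.10.0.0/16", "198.51.100.1", "10.20.0.0/16",
                            x_to_e, e_to_x)
    edge = TunnelEndpoint("203.0.113.5", "10.20.0.0/16", "192.0.2.10", "10.10.0.0/16",
                          e_to_x, x_to_e)
    nat = DnatRouter("198.51.100.1", "203.0.113.5")

    request = Packet("10.10.1.25", "10.20.5.80", b"GET / HTTP/1.1")   # user X -> web server
    esp = nat.inbound(site_x.route(request))      # Site-X router encapsulates; NAT rewrites dst
    if tamper:                                    # an in-transit change to the ciphertext
        esp = replace(esp, ciphertext=bytes([esp.ciphertext[0] ^ 1]) + esp.ciphertext[1:])
    inner = edge.decapsulate(esp)                 # Edge validates, decapsulates, routes locally
    if inner is None:
        return None
    reply = Packet(inner.dst, inner.src, b"HTTP/1.1 200 OK")
    delivered = site_x.decapsulate(nat.outbound(edge.route(reply)))
    return delivered.payload if delivered else None
```

`packet_walk()` returns the reply payload, while `packet_walk(tamper=True)` returns `None` because the Edge's integrity check fails before anything is decrypted. Two design choices matter here: each direction has its own SA (separate SPI and keys), so the counter-mode keystream is never shared between the two flows, and the ICV deliberately excludes the outer addresses, which is exactly what lets the NAT router on the path change the destination IP without the Edge rejecting the packet.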