VPN S2S 1 Flashcards
Site-to-site VPN
Are VPNs HA?
important
Yes, if you configure it correctly
Literally quoted from Cantrill
Site-to-site VPN
VPNs connect what?
VPCs and on-prem networks
Site-to-site VPN
How long to set up a S2S VPN?
important
Less than an hour
Direct from Cantrill: important contrast to DX and other physical things
Site-to-site VPN
What should you do if you care about latency and consistent response?
Don’t use a VPN :-) Goes over public Internet. Get a DX.
IKE and Tunnels
Are VPN tunnels kept up all the time?
Kinda! Phase 1 tunnels stay up, Phase 2 tunnels start and stop when needed
IKE and Tunnels
Phases to set up a VPN?
IKE Phase 1 (slow & heavy, asymmetric key stuff), IKE Phase 2 (fast, symmetric)
IKE and Tunnels
Why two?
Phase 1 stays up, Phase 2 can be torn down and re-established with new keys.
IKE and Tunnels
What is a VPN SA?
Security Association – a tunnel with keys attached to it to encrypt/decrypt.
IKE and Tunnels
What are the steps to create a Phase 1 tunnel?
1: Certificate exchange (only about proving identity). 2: Exchange public keys. 3: Create symmetric key.
IKE and Tunnels
How are symmetric keys created in Phase 1?
Diffie-Hellman (DH) keys: each side creates a pub/priv keypair, gives pub to the other; my priv + other's pub ==> DH symmetric key
IKE and Tunnels
What’s the really cool part about symmetric keys and how they work?
Created independently on each side from local priv + other’s pub keys. Symmetric key never traverses the network.
IKE and Tunnels
What do you have at the end of Phase 1?
Common symmetric key (but no actual tunnels to exchange traffic)
IKE and Tunnels
What happens when creating Phase 2?
Use symmetric key to encrypt, both sides agree on cipher suites, etc.
IKE and Tunnels
What do you have at the end of Phase 2?
Actual tunnels up and ready, with a separate SA for each direction.
Policy-based and Route-based
What are the two types of VPNs?
Policy-based and route-based VPNs