VPNcon Fall 2001
The VPNC / Network World Interoperability Demonstration shows how IPsec systems from many vendors can interoperate in real-world situations. The live demonstration shows a VPN that is made up of a mesh of networks that would be similar to a WAN of a company with many offices, or of an extranet of a company with many partners. The fact that all of the systems work together shows that multi-vendor interoperability, while not always easy, is certainly possible to achieve.
The demonstration follows a review in a recent issue of Network World magazine comparing a wide variety of IPsec gateway products. The review by Joel Snyder delved into many aspects of IPsec gateways such as speed, ease of setup, and interoperability. This demo, however, focuses only on interoperability.
The live demonstration took place at VPNcon Fall 2001, held in October in Alexandria, Virginia. Six IPsec implementations were shown fully interoperating. The systems came from a variety of VPNC members:
Each of the products had previously passed VPNC's conformance testing and received its conformance logo. These conformance logos show that the products tested conform to the industry-accepted IPsec standards. VPNC has more information on the VPNC conformance logos.
VPNC and Joel Snyder of Opus One collaborated on the setup for the interop demo. Opus One was already testing a wide variety of IPsec systems for the Network World review, so setting up the interop demo was a natural extension of the review process. Note that the interop demo contains some products that were not in the Network World review, and that the review has some products that are not in the demo setup.
The demo provides proof of many desired features for multi-vendor IPsec networks. Earlier interop demos from other groups showed how to set up a single tunnel between two gateways. However, this did not show the kind of real-world interoperability needed by companies today.
The demonstration setup is based on a single rack with all components housed within the rack. The test consists of five gateway systems and an IPsec client. There are "tester" systems behind each gateway that send UDP packets to other tester systems through IPsec tunnels that are set up by the gateways:
A schematic for parts of the test networks is:
In this schematic, only two of the gateways are shown; in the test, there were five gateways. Basically, this shows an "n-way" mesh of networks. Each tester system connects with each other tester system by sending a stream of UDP packets through the public network. The tester systems use the control network to report to the master system the number of UDP packets sent to, and received from, the other tester systems. The master system reports the status of the IPsec tunnels.
The interop test fits into a single standard rack for demonstration. Had there been more than ten participants in the demonstration, a second rack could be added. A fair amount of the rack space was taken up with equipment that is not specific to the IPsec interoperability testing, such as an uninterruptible power supply, hubs, video display controllers, and so on.
Management of the gateway is done by the tester system over the private network. The tester systems and the master unit are blades in a Cubix multi-CPU system. The Cubix system has eight independent CPUs in a single rack-mount enclosure, making management of the gateways significantly easier. Each tester system has two network interfaces and is running Windows NT. An Avocent AutoView system allowed viewing of multiple systems simultaneously during testing and display during the demonstration.
The public network is not truly "public": it is not attached to the Internet. In the interop setup, the public network is simply an unmanaged hub. The public network has addresses in the range 172.17.0.0/24.
Each private network has only two nodes: the test gateway and the tester. A hub could be used for each private network, but because there are only two nodes, each private network is simply a cross-over cable from the private side of the test gateway to the tester. Each test gateway protects the entire /24 network behind it. The private networks have addresses of 172.17.x.0/24. Future demos could have multiple testers behind a single gateway, which would require hubs for the private networks.
A test gateway cannot see the control network and has no reason to know about it. The control network is only for sending the status of the testers to the master unit. The control network is simply an unmanaged hub connected to the second interfaces of the tester systems, plus to the master system (also in the Cubix).
Gateways that act only as clients have no private network behind them and no associated tester. In this demo, there is one client implementation: SafeNet. Because SafeNet is a client, it has an address on the public network and protects only that address; that is, the tunnel endpoint address is the same as the gateway address.
The demo used common IPsec algorithms and policies in order to show typical interoperability in the field. All of the algorithms chosen provide high security.
As expected, we found no problems at all during the interop testing for the algorithms chosen. These algorithms are common to essentially all IPsec systems and have been extensively tested for many years.
| IKE (Phase 1) setting | Value |
| --- | --- |
| Encryption | TripleDES-SHA1 |
| Key exchange strength | Diffie-Hellman group 2 |
| Rekeying lifetime | 8 hours |
| Authentication | preshared secret of "12345678901234567890" |

| IPsec (Phase 2) setting | Value |
| --- | --- |
| Encryption | TripleDES-SHA1 |
| Key exchange strength | Diffie-Hellman group 2 |
| Rekeying lifetime | 1 hour |
| Perfect forward secrecy | Yes |
Most of the systems defaulted to values different from those above, so we had to do extensive setup using the administrative interfaces to get the initial settings.
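The policy-alignment chore described above, as an added example in Python (not part of the VPNC write-up or any vendor's tooling): it treats the first table as the IKE (Phase 1) policy and the second as the IPsec (Phase 2) policy, audits each gateway's configured settings against that common policy, and enumerates the n-way mesh so that only tunnels with both ends on policy are expected to pass the testers' UDP traffic. The gateway names and the off-policy values are constructed.

```python
from itertools import combinations

# Common policy from the tables above: IKE (Phase 1) and IPsec (Phase 2).
COMMON_POLICY = {
    "phase1": {"encryption": "3des", "hash": "sha1", "dh_group": 2,
               "lifetime_sec": 8 * 3600, "auth": "preshared"},
    "phase2": {"encryption": "3des", "hash": "sha1", "dh_group": 2,
               "lifetime_sec": 3600, "pfs": True},
}

def audit_gateway(settings, policy=COMMON_POLICY):
    """Return (phase, parameter, configured, expected) for each setting off policy.
    A missing key means the vendor default was left in place (reported as None)."""
    mismatches = []
    for phase, expected in policy.items():
        configured = settings.get(phase, {})
        for param, want in expected.items():
            got = configured.get(param)
            if got != want:
                mismatches.append((phase, param, got, want))
    return mismatches

def mesh_pairs(gateways):
    """An n-way mesh needs a tunnel between every pair: n*(n-1)/2 of them."""
    return list(combinations(sorted(gateways), 2))

def audit_mesh(configs, policy=COMMON_POLICY):
    """Audit every gateway; only pairs where both ends match the policy are
    expected to bring up a tunnel and pass the testers' UDP traffic."""
    bad = {name: audit_gateway(s, policy) for name, s in configs.items()}
    bad = {name: issues for name, issues in bad.items() if issues}
    good_pairs = [(a, b) for a, b in mesh_pairs(configs)
                  if a not in bad and b not in bad]
    return bad, good_pairs

# Constructed sample (hypothetical gateway names): "gw-c" was left on vendor
# defaults (DH group 1, 24 h Phase 1 lifetime, PFS off) and must be corrected.
SAMPLE_CONFIGS = {
    "gw-a": COMMON_POLICY,
    "gw-b": COMMON_POLICY,
    "gw-c": {"phase1": {"encryption": "3des", "hash": "sha1", "dh_group": 1,
                        "lifetime_sec": 24 * 3600, "auth": "preshared"},
             "phase2": {"encryption": "3des", "hash": "sha1", "dh_group": 2,
                        "lifetime_sec": 3600, "pfs": False}},
}

if __name__ == "__main__":
    bad, good = audit_mesh(SAMPLE_CONFIGS)
    print("gateways off policy:", bad)
    print("tunnels expected to pass UDP traffic:", good)
```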
Three organizations came together to create the interop demo: VPNC, Network World, and VPNcon.
VPNC (the Virtual Private Network Consortium) is the international trade association for manufacturers in the VPN market. The primary purposes of the VPNC are:
Network World is the leading weekly news magazine for the computer networking industry. With over 150,000 readers, Network World carries a wide variety of breaking news stories, reviews, expert advice, user profiles, career information, and opinions about large and small computer networks.
VPNcon is the premier education and marketing event for the VPN industry. The conference happens approximately three times a year, attracting attendees from all over the world.
Thanks also go to Cubix and Avocent for hardware loans for the demo.