IPsec VPNs

Overview

You can create and manage the association between IPsec components, and public and private services, to form a secure VPN. See Typical applications for IPsec corporate services for the typical applications of an IPsec VPN.

You use the IPsec VPN step forms to perform the following:

• Configure the corporate service type.

• Enable the link between the corporate and secure service.

• Choose an NE service site.

• Configure the secure VPRN service.

• Configure the delivery service.

• Choose the tunnel group.

• Create the policy.

• Deploy the IPsec VPN.

Tunnel types

The following table lists the tunnel types for an IPSec VPN in different products.

Table 34-1: Tunnel types for an IPsec VPN

Tunnel type	7705 SAR	7750 SR	7450 ESS in mixed mode	7210 SAS
Dynamic (site-to-site)		✓	✓
Dynamic (soft client)		✓	✓
Static	✓	✓	✓	✓

The NFM-P creates the following after the successful creation of an IPsec VPN, regardless of the tunnel type:

• a secure VPRN service and NE sites

• the IES or VPRN delivery service and NE sites

• if you specify that the secure and corporate services are to be linked, a composite service that contains the corporate and secure services

The NFM-P performs specific configuration actions after the successful creation of an IPsec VPN, depending on the tunnel type; see To assign policies and configurations for a dynamic site-to-site IPsec VPN to To assign policies and configurations for a static IPsec VPN for information.

Typical applications for IPsec corporate services

The following figure shows a public VPRN service that is associated with a private VPRN service. The private service belongs to a larger private VPRN. The public service can be a VPRN or IES service. The private service can only be a VPRN service.

Figure 34-1: Static IPsec tunnel

The following figure shows two public L3 VPRNs, VPRN 1 and VPRN 2, which are connected to the private, secure service VPRN 3 through an IPsec gateway. The public services can be VPRN or IES services. The private service can only be a VPRN service.

Figure 34-2: IPsec tunnels for a site

Figure 34-3, IPsec tunnels for multiple sites is the same as Figure 34-1, Static IPsec tunnel, but Figure 34-3, IPsec tunnels for multiple sites shows IPsec tunnels across multiple sites. Site A, Site B, and Site C are part of the private service VPRN 4. For the site, there is a secure IPsec tunnel between a public service and a private service. The public services can be L3 VPRN or L3 IES services. The private service can only be a VPRN service.

Figure 34-3: IPsec tunnels for multiple sites

The following figure shows a private VPRN that is connected to a corporate VPLS. The public IES and private VPRN service connect to the VPLS through a CCAG or SCP. A CCAG connects the private VPRN to the VPLS.

Figure 34-4: IPsec VPN in a corporate network