Introduction

Virtual private networks (VPNs) in their many and varied guises are becoming more and more prevalent throughout the world. For the service provider and enterprise, they provide a means of enabling new services and applications over a wide-area network (WAN), while providing considerable concomitant cost savings.

VPNs are complex, so when things go wrong, they can be difficult to troubleshoot. What are your options? One option is to contact Cisco TAC. Alternatively, you can buy this book, roll up your sleeves, and get to work. Armed with as much information as I could cram into 800-odd pages, you'll be well on your way to solving your problem. And if your organization is considering deploying or optimizing a VPN and wants to avoid all the issues described in this book and more, please see my company website (www.mjlnet.com) or contact me directly ([email protected]), and my very knowledgeable colleagues or I will soon be on site helping to ensure that the process goes smoothly (our services are chargeable, of course!). Furthermore, if your organization would like to improve staff productivity and expertise through advanced training, again please see the website.

A number of RFCs and Internet Drafts are referenced in this book. You should be able to locate many of these at the IETF Web site (www.ietf.org). Internet Drafts do, however, expire, so an alternative way of locating them is to use an archive such as www.watersprings.org.

Motivation for the Book

In my work designing, implementing, and troubleshooting VPNs, I noticed a lack of a single source that not only described the commands and techniques to troubleshoot VPNs, but also included the detailed protocol information necessary to correctly interpret troubleshooting command output. This book will provide you with that single source, and it will (hopefully) save you a lot of time and stress when troubleshooting your VPNs.

Audience

This book covers a wide range of VPN technologies, including IPSec, MPLS, L2TP version 3, L2TP version 2, PPTP, and L2F. It is suited to network support engineers and architects, whose job is to provide day-to-day support for VPNs or deploy VPNs successfully in the first place.

Because of the range of coverage, and the fact that each chapter covers not only troubleshooting, but also a technical overview and configuration guidelines, this book may be of considerable assistance to CCIE candidates preparing for the Service Provider and Security exams.

Organization

This book can be read in three different ways. First, it can be read end to end. This is the approach to take if you are curious about VPN technologies in general and want to improve your internetworking skills.

A second way of reading this book is to read the particular chapter or chapters that deal with the VPN technologies deployed in your network, in advance of problems occurring. This is a good idea—forewarned is forearmed, after all.

Lastly, you can dip into the chapters as and when problems do crop up. Each chapter has been arranged in a manner to facilitate this as much as possible.

As a bonus, a number of troubleshooting labs are included to help you develop and hone your VPN troubleshooting skills. Included on the Cisco Press Web site for this book (www.ciscopress.com/1587051044) are labs for L2F, L2TP version 2, MPLS Layer 3 VPN, and IPSec. Labs for PPTP are not included because Cisco IOS routers support only voluntary tunnel mode, and the list of possible client operating systems is extensive. Labs for L2TP version 3 and Any Transport over MPLS (AToM) are not included because the base platform required for these technologies at the time of writing is the Cisco 7200—I don't imagine that many people are lucky enough to have 7200s in their lab!

If and when support for L2TP version 3 and AToM is added to lower-end platforms, I may develop a few labs for these technologies. Check the Cisco Press Web site in that case. You may also find one or two extra labs for the other technologies discussed in this book.

The chapters are arranged in the following order:

  • Chapter 1, “Basic Troubleshooting Methodology”— This chapter introduces a basic end-to-end troubleshooting methodology that is particularly suited to VPNs. Also discussed are the tools and techniques used for troubleshooting these technologies.

  • Chapter 2, “Troubleshooting Layer Two Forwarding Protocol VPNs”— L2F was one of the first virtual private dialup network technologies to be deployed. This chapter discusses the technology, its configuration, and in-depth troubleshooting techniques.

  • Chapter 3, “Troubleshooting Point-to-Point Tunneling Protocol VPNs”— The PPTP protocol, configuration, and in-depth troubleshooting are examined in this chapter.

  • Chapter 4, “Troubleshooting Layer 2 Tunneling Protocol Version 2 VPNs”— L2TP is based on L2F and PPTP. This chapter introduces L2TP, discusses configuration, and goes on to examine in-depth L2TPv2 troubleshooting techniques.

  • Chapter 5, “Troubleshooting L2TP v3 Based VPNs”— L2TPv3 is a technology that allows the tunneling of not only PPP, but also other Layer 2 protocols, such as Ethernet, HDLC, and Frame Relay. This chapter examines the technology itself, its configuration, and in-depth troubleshooting.

  • Chapter 6, “Troubleshooting Multiprotocol Label Switching Layer 3 VPNs”— MPLS Layer 3 VPNs are proving to be a very popular technology for service providers and enterprises alike. The technology, its configuration, and in-depth troubleshooting are discussed in this chapter.

  • Chapter 7, “Troubleshooting Any Transport over MPLS Based VPNs”— AToM can be used to provide transport of Layer 2 protocols such as HDLC, PPP, Frame Relay, and Ethernet over an MPLS backbone. The technology, configuration, and in-depth troubleshooting are examined.

  • Chapter 8, “Troubleshooting IPSec VPNs”— IPSec VPNs are typically deployed to provide secure VPNs in a site-to-site or remote access configuration. The IPSec technology, configuration, and in-depth troubleshooting are discussed in this chapter.

  • Appendix A, “Answers to Review Questions”— This appendix includes answers to the review questions provided at the end of each chapter.

  • Appendix B, “Lab Instructions and Solutions”— The L2F, L2TPv2, MPLS Layer 3 VPN, and IPSec chapters include troubleshooting labs to help readers understand and consolidate concepts and techniques discussed. This appendix explains how lab configuration can be loaded onto lab routers from the Cisco Press Web site (www.ciscopress.com/1587051044) and provides solutions to the labs themselves.
