
Efficient VPN

On an enterprise network with many branches, IPSec needs to be configured on headquarters and branch gateways. These IPSec configurations are complex and difficult to maintain. IPSec Efficient VPN can solve these problems with its high security, reliability, and flexibility. It has become the first choice for enterprises to establish VPNs.

Efficient VPN uses the client/server model. It concentrates IPSec and other configurations on the Efficient VPN server (headquarters gateway). When basic parameters for establishing SAs are configured on the remote devices (branch gateways), the remote devices initiate a negotiation and establish an IPSec tunnel with the server. After IPSec tunnels are established, the Efficient VPN server allocates other IPSec attributes and network resources to the remote devices. Efficient VPN simplifies configurations and maintenance of IPSec and network resources for branches.

Operation Modes

  • Client mode

    1. When a remote device requests an IP address from the Efficient VPN server, a loopback interface is dynamically created on the remote device and the IP address obtained from the server is assigned to the loopback interface.

      When the number of loopback interfaces reaches the limit, the device cannot automatically create a loopback interface.

    2. The remote device uses the obtained IP address to establish an IPSec tunnel with the headquarters.

    The client mode applies to scenarios where small-scale branches connect to the headquarters network through private networks, as shown in Figure 1.

    Figure 1 Client mode

  • Network mode

    In network mode, a remote device does not apply to the Efficient VPN server for an IP address.

    The network mode applies to scenarios where IP addresses of the headquarters and branches are planned uniformly. Ensure that IP addresses do not conflict.

  • Network-plus mode

    In network-plus mode, unlike network mode, the remote device applies to the Efficient VPN server for an IP address. IP addresses of branches and headquarters are configured beforehand. The Efficient VPN server uses the IP address obtained by the remote device to perform ping, STelnet, or other management and maintenance operations on the remote device.

The Efficient VPN server also delivers the following resources in addition to parameters for establishing an IPSec tunnel:
  • Network resources including DNS domain names, DNS server IP addresses, and WINS server IP addresses

    The Efficient VPN server delivers the preceding resources so that branches can access them.

  • ACL resources

    The Efficient VPN server delivers headquarters network information defined in an ACL to remote devices. The ACL defines the headquarters subnets that branches can access. Branch traffic not destined for the subnets specified in the ACL is directly forwarded to the Internet. Such traffic does not pass through the IPSec tunnel.
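
The forwarding decision that the delivered ACL implies, as an added example (not Huawei code or configuration): destinations inside the ACL subnets take the IPSec tunnel, and everything else goes directly to the Internet. The subnets and destinations are constructed sample values, and the `internet-private` label is an assumption of this example. It flags RFC 1918 destinations the ACL does not cover, which can indicate a headquarters subnet missing from the ACL.

```python
import ipaddress

# Constructed sample: headquarters subnets as defined in the delivered ACL.
HQ_ACL_SUBNETS = ["10.1.0.0/16", "192.168.100.0/24"]

# RFC 1918 private ranges, used only to flag suspicious non-tunnel traffic.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(dst, acl_subnets):
    """Return the path a branch packet to `dst` takes.

    'tunnel'           -> dst is in a headquarters subnet from the ACL
    'internet'         -> dst is outside the ACL and publicly routable
    'internet-private' -> dst is outside the ACL but in RFC 1918 space
                          (hypothetical audit label, not a device state)
    """
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(n) for n in acl_subnets):
        return "tunnel"
    if any(addr in n for n in RFC1918):
        return "internet-private"
    return "internet"


def audit(destinations, acl_subnets):
    """Group destinations by forwarding path."""
    result = {"tunnel": [], "internet": [], "internet-private": []}
    for dst in destinations:
        result[classify(dst, acl_subnets)].append(dst)
    return result


if __name__ == "__main__":
    # Constructed sample of destinations seen from a branch.
    sample = ["10.1.20.5", "192.168.100.9", "8.8.8.8",
              "10.2.3.4", "172.16.0.10"]
    for path, dsts in audit(sample, HQ_ACL_SUBNETS).items():
        print(f"{path:17} {', '.join(dsts)}")
```

Traffic reported as `internet` or `internet-private` leaves the branch without IPSec protection and does not pass through headquarters.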

Copyright © Huawei Technologies Co., Ltd.