This chapter discussed methods for scaling and optimizing IPsec VPNs.
A number of topologies can be provisioned for IPsec VPNs, including full-mesh, partial-mesh, hub-and-spoke, and hierarchical IPsec VPNs. Each topology has its own applications and characteristics.
Two of the main problems when scaling IPsec VPNs are the amount of configuration that is necessary on IPsec VPN gateways and the provisioning of IKE authentication. The amount of configuration can be reduced using technologies such as Tunnel Endpoint Discovery (TED) and Dynamic Multipoint VPN (DMVPN). By using digital signature (certificate-based) authentication instead of preshared keys, you can scale IKE authentication.
Another issue of concern when designing IPsec VPNs is high availability: it is important that hub sites are highly available to ensure constant resource access from spoke sites. High availability can be provided in IPsec VPNs using a variety of techniques, including configuring multiple IPsec peers together with IKE keepalives (dead peer detection) so that a failed peer is detected and the next one is used, using HSRP, and using GRE tunnels over which a routing protocol can detect a failed path.
Fragmentation can cause high processor and memory overhead on IPsec VPN gateways and should be avoided if at all possible. This chapter introduced a number of techniques for avoiding fragmentation in an IPsec VPN, including ensuring that end hosts send smaller packets (for example, by clamping the TCP MSS), fixing PMTUD so that ICMP "fragmentation needed" messages actually reach the end hosts, and using prefragmentation for IPsec, which fragments the cleartext packet before encapsulation so that the receiving gateway does not have to reassemble fragments before it can decrypt.
This chapter also discussed provisioning QoS in IPsec VPNs. Provisioning QoS in an IPsec VPN can be problematic because after user packets are encapsulated by IPsec, information such as protocol and port numbers that might otherwise be used to classify traffic is hidden; only the ToS/DSCP byte, which is copied from the inner to the outer IP header, remains visible. It is also important when provisioning QoS in an IPsec VPN to consider anti-replay mechanisms. QoS queuing can reorder IPsec packets, and a packet that is delayed long enough to fall outside the receiver's anti-replay window is dropped.
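To make the fragmentation point concrete, the following added example (not code from the chapter or from any vendor) computes the on-the-wire size of an ESP tunnel-mode packet for common transform combinations and derives the largest original packet, and hence the TCP MSS to clamp, that crosses a given path MTU without fragmentation. It assumes IPv4 without options, plain ESP without NAT-T UDP encapsulation, and optional GRE-over-IPsec; the transform labels, header sizes and function names are the example's own, with the framing taken from RFC 4303.

```python
"""Added example: ESP tunnel-mode overhead and TCP MSS clamping.

Assumptions (the example's own, not the chapter's): IPv4 outer and inner
headers without options, ESP tunnel mode without NAT-T (which would add an
8-byte UDP header), and a 4-byte GRE header when GRE over IPsec is used.
"""

OUTER_IP_HDR = 20   # outer IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted part
IP_TCP_HDRS = 40    # inner IPv4 (20) + TCP (20), used to derive the MSS
GRE_OVERHEAD = 24   # GRE delivery IPv4 header (20) + basic GRE header (4)

# IV length and the alignment the encrypted portion must satisfy.  CBC modes
# pad to the cipher block size; counter modes only need ESP's 4-byte alignment.
CIPHERS = {
    "aes-cbc":  {"iv": 16, "align": 16},
    "3des-cbc": {"iv": 8,  "align": 8},
    "aes-gcm":  {"iv": 8,  "align": 4},
}

# Integrity check value (ICV) lengths in bytes.  For AES-GCM the AEAD tag is
# carried in the ICV field, so pass "aes-gcm" as the integrity transform too.
ICV = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
    "aes-gcm": 16,
}


def esp_tunnel_len(inner_len, cipher, integrity, gre=False):
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    if gre:
        inner_len += GRE_OVERHEAD          # GRE encapsulation happens before ESP
    c = CIPHERS[cipher]
    plaintext = inner_len + ESP_TRAILER    # everything that gets encrypted, minus padding
    padding = (-plaintext) % c["align"]    # pad up to the next alignment boundary
    return OUTER_IP_HDR + ESP_HDR + c["iv"] + plaintext + padding + ICV[integrity]


def needs_fragmentation(inner_len, mtu, cipher, integrity, gre=False):
    """True if the encapsulated packet exceeds the path MTU and must fragment."""
    return esp_tunnel_len(inner_len, cipher, integrity, gre) > mtu


def max_inner_len(mtu, cipher, integrity, gre=False):
    """Largest original packet that still fits mtu after encapsulation."""
    c = CIPHERS[cipher]
    fixed = OUTER_IP_HDR + ESP_HDR + c["iv"] + ICV[integrity]
    available = mtu - fixed
    encrypted = available - (available % c["align"])   # round down to alignment
    inner = encrypted - ESP_TRAILER
    if gre:
        inner -= GRE_OVERHEAD
    return inner


def tcp_mss_clamp(mtu, cipher, integrity, gre=False):
    """TCP MSS to advertise so that full-size segments never need fragmentation."""
    return max_inner_len(mtu, cipher, integrity, gre) - IP_TCP_HDRS


if __name__ == "__main__":
    mtu = 1500
    for cipher, integ in (("aes-cbc", "hmac-sha1-96"),
                          ("3des-cbc", "hmac-md5-96"),
                          ("aes-gcm", "aes-gcm")):
        print(f"{cipher}/{integ}: 1500-byte packet becomes "
              f"{esp_tunnel_len(1500, cipher, integ)} bytes, "
              f"max inner {max_inner_len(mtu, cipher, integ)}, "
              f"MSS {tcp_mss_clamp(mtu, cipher, integ)}, "
              f"MSS with GRE {tcp_mss_clamp(mtu, cipher, integ, gre=True)}")
```

The padding step is why the answer is not simply "MTU minus a constant": with AES-CBC the encrypted portion grows in 16-byte steps, so a 1439-byte inner packet costs a full extra block and tips a 1500-byte path into fragmentation while a 1438-byte packet does not. A practitioner would derive the MSS clamp from the worst-case transform actually negotiated rather than from a rule of thumb.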
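To show why QoS reordering interacts with anti-replay, here is an added example (not code from the chapter) that implements the sliding-window replay check described in RFC 4303 Appendix A and feeds it constructed arrival orders in which one low-priority ESP packet has been held in a queue behind higher-priority traffic. The 64-packet window width, the function names and the arrival orders are the example's own assumptions; real implementations differ in how the window size is configured.

```python
"""Added example: ESP anti-replay window versus QoS reordering.

The window logic follows RFC 4303 Appendix A.  The window size of 64 and the
constructed arrival orders are assumptions made for this example.
"""


class AntiReplayWindow:
    """Receiver-side sliding window over ESP sequence numbers."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> sequence number (top - i) was received

    def check_and_update(self, seq):
        """Return True if seq is accepted, False if it must be dropped."""
        if seq == 0:
            return False    # ESP sequence numbers start at 1
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                     # everything old falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False    # older than the window: dropped as a possible replay
        if (self.bitmap >> diff) & 1:
            return False    # already received: a genuine replay
        self.bitmap |= 1 << diff
        return True


def deliver(arrival_order, window=64):
    """Run an arrival order through a fresh window; return the dropped sequence numbers."""
    w = AntiReplayWindow(window)
    return [seq for seq in arrival_order if not w.check_and_update(seq)]


def reorder(n, delayed_seq, delay):
    """Constructed arrival order: packets 1..n in sequence, except that
    delayed_seq is held back and arrives `delay` packets later than it would
    have (a low-priority packet stuck behind a burst of priority traffic)."""
    order = [s for s in range(1, n + 1) if s != delayed_seq]
    order.insert(delayed_seq - 1 + delay, delayed_seq)
    return order


if __name__ == "__main__":
    for delay in (30, 63, 64, 100):
        dropped = deliver(reorder(200, 10, delay))
        print(f"packet 10 delayed by {delay}: dropped={dropped}")
    print("same 100-packet delay with a 128-packet window:",
          deliver(reorder(200, 10, 100), window=128))
    print("true replay of seq 2:", deliver([1, 2, 3, 2]))
```

The boundary is exact: a packet that arrives 63 positions late is still inside a 64-packet window and is accepted, one that arrives 64 positions late is indistinguishable from a replay and is dropped. The same delay is harmless with a 128-packet window, which is why the practical remedies are either to widen the anti-replay window on the receiver or to keep low-priority traffic from being starved for long enough to fall behind the window.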