Day One: ADVPN Design and Implementation

Using the AutoDiscovery VPN protocol is a new and different approach to solving real-world IPsec encryption problems. Get ahead of the curve and into the lab with this workbook full of overviews, configurations, and troubleshooting samples.

Neither the fully-meshed nor hub-and-spoke approaches to IPsec VPNs are optimal for modern network deployments where customers demand both the ease of provisioning encrypted overlay security services and the optimum flow of traffic to minimize application traffic latency. What is needed is an approach that takes the simplified provisioning of hub-and-spoke with the low application latency of fully-meshed.

Spokes should have the capability to temporary build tunnels between each other on an on-demand basis to create the most efficient forwarding path, so if a particular flow is required, the spokes build dynamic tunnels between themselves for that communication and then clear the tunnel when idle. In this way the fully-meshed approach is available to the network without the overhead of configuring all the necessary communication paths. The hub takes care of the task of identifying whether dynamic connections are required. The SRX Series employs a feature called AutoVPN to deliver this capability, which has been shipping since Junos 12.1X44. Now AutoVPN deployments can use the Auto Discovery VPN (ADVPN) protocol to dynamically establish spoke-to-spoke VPN tunnels.

This Day One book will tell you why and show you how, while providing sample implementations to investigate in your lab.

Sample Pages

Download Book

Day One books are a free download for our J-Net members*. If you’re not a J-Net member, create a user account now. It’s fast and there’s no commitment or spam. Once you’re a member you can come back and download any of the Day One books.

Download: J-Net Member
Download: Not a J-Net Member

* If you have an existing Juniper user account, you can use it to login to J-Net

About the Author(s)

Mark Barrett has been working in the networking industry for 28 years. He has been through many networking technology transitions (both protocols and transmission techniques) from his part time University jobs, to IBM, Cisco, and the Australian Federal Police, to his current position as a Juniper Networks Systems Engineer. No matter the technology, Mark has maintained a keen interest in high speed networking LAN and WAN technologies and, in particular, how they need to be secured.

Dale Shaw is a Systems Engineer in the Australian Federal Government team at Juniper Networks. He has worked for Juniper Networks in Canberra since the beginning of 2014, helping government enterprises to design, build and manage secure IP networks. Prior to Juniper Networks, Dale spent seven years working for Alphawest and Optus Business as a solutions designer and architect. In these roles Dale helped design, deploy and operate large scale IP networks carrying voice, video and data over IPsec VPNs. Dale holds a number of industry certifications such as JNCIP-ENT, JNCIP-SEC, and CCIE R&S (#24464).

Scott McKinnon is a Senior Product Manager in the Juniper Networks Security and Switching Product Team (SSPT) within the Juniper Design and Innovation (JDI) group. Scott has been working with IPsec and related encryption technologies for over 15 years, and has experience in post-sales and pre-sales, as well as product management. He has contributed to the development of the ADVPN capability and related technologies, like GDoI, from initial customer requirements through product specification and into customer trials and release. He holds an MBA in Technology Management from the Open University (UK), as well as a BEng(Hons) in Engineering from Glasgow Caledonian University(UK). Scott manages Juniper’s public sector accreditation program, where many of the ADVPN requirements originated. He is based in Sunnyvale, California.

Author Q & A

What got you started on this book?

As the volume of point-to-point traffic increases, most notably due to the deployment of delay sensitive multimedia applications such as voice and interactive video, the need for providing an optimal path through the network has become even more important. While building partial and full meshes of IPsec VPN tunnels is possible, managing them can quickly become unwieldy – a better, more scalable, and open solution is required, and that’s where ADVPN comes in.

The functionality provided by ADVPN is a key requirement in many enterprise-style networks around the world, including in two of the authors’ home territory – the Australian Government sector. Mark, Dale and Scott have a shared interest in public sector certifications (e.g. Common Criteria NDPP) for Juniper security products, so the team was established prior to this Day One book project.

Juniper’s Australian Government team championed the ADVPN feature, and Mark and Dale performed alpha and beta testing and collaborated with the software engineering team about how the feature should work in the field. During a regular phone hook-up between Scott in Sunnyvale, and Mark and Dale in Canberra, it was agreed that it would be helpful to document all of the scenarios that that had been tested. Mark got in touch with Patrick Ames, who provided some advice and encouragement to pursue a publication in the “Day One” format – shorter in length and more easily consumed by customers busy designing and managing networks. The rest, as they say, is history.

Who is this book for?

The book is aimed at three audiences –

  • The first couple of chapters will be interesting for network managers and system owners as it provides a backdrop on the various existing dynamic spoke-to-spoke VPN solutions, explains why an open protocol is required, and describes the approach taken with ADVPN.
  • For network architects and designers, the whole book is useful as it introduces ADVPN as a simple and elegant extension to an existing protocol (IKEv2), then moves through configuration, tuning, and validated designs.
  • The last few chapters focus on monitoring and troubleshooting, so network operators and support staff can get a head-start on coming to grips with ADVPN in a business-as-usual support sense.

After reading this book, what’s the take away?

The authors have tried to collate their collective experiences with implementing IPsec VPNs, together with the new functionality of ADVPN, in one place. A top-down approach was taken but there is still plenty of juicy technical information and examples to work through. One key goal of ADVPN, being an open protocol, is that multiple networking vendors release an implementation, allowing secure, dynamic WANs to be deployed without fear of lock-in.

What are you hoping that people will learn from this book?

Our goal is to give people a jump on learning how to design, implement and run a secure, dynamic WAN with ADVPN. We hope to demonstrate that ADVPN is a simple extension to IKEv2, and builds upon the existing “zero touch” functionality made available in the AutoVPN feature set. We also want people to know that, finally, there is an open, unencumbered alternative in the dynamic IPsec VPN marketplace.

What do you recommend as the next item to read after this book?

To solidify the knowledge gained through reading this book, the next resource is Juniper’s TechLibrary – specifically, the Junos 12.3X48 or 15.1X49 documentation on ADVPN: Understanding Auto Discovery VPN. We also encourage readers to keep an eye on future Junos for SRX release notes, and to keep in close contact with your Juniper account team, to stay up-to-date with ADVPN feature enhancements.

What’s your inspiration?

All three authors get a kick out of our customers realizing tangible operational benefits and increased security through the use of software features such as ADVPN – our customers are our inspiration. By taking away some of the operational overhead of managing static partial of full meshes of IPsec VPNs, while maintaining (and arguably, even increasing) security, network administrators can free up time to focus on other, more important aspects of their network operation.

What’s your favorite bit/part in the book?

Our favorite bits are the beginning, middle, and end :-) Seriously, with three authors, it’s an impossible question to answer!