The Administrator's Master Reference: Hub-and-Spoke VPN
Welcome, Admin. Networking is a game of precision. One mismatched bit in an encryption cipher or a single incorrect digit in a subnet mask will result in a dropped handshake. This guide is designed to explain the Theory, the Logic, and the Mathematics behind this tactical environment.
Tunnelling vs. Encapsulation
Tunnelling is the architectural concept of creating a virtual point-to-point link across an untrusted network. It makes routers in different states feel like they are sitting in the same rack.
Encapsulation is the physical act of "hiding" your data. IPsec wraps your private IP packet (e.g., source 10.0.1.5) inside a new public header (e.g., source 198.51.100.1) using the ESP (Encapsulating Security Payload) protocol. This allows private data to travel across public routers that only understand public addresses.
Phase 1 (IKE): The "Secret Meeting"
In Phase 1, the gateways identify each other and build a secure management channel. If this phase fails, the tunnel never starts.
- RADIUS (The Correct Choice): Centralized authentication. Instead of every router having a password saved in plain text, each one checks with a central RADIUS server. This is more scalable and secure for enterprise environments.
- PSK (Pre-Shared Key): Often rejected in large labs because it is difficult to rotate keys across 50 branches. If one key is stolen, the whole network is at risk.
- Certificates / EAP-TLS: Extremely secure but computationally expensive and requires a full PKI (Public Key Infrastructure) to manage.
Phase 1: Cryptographic Proposals
Legacy Warning: Why we never use the alternatives:
- DES / 3DES: Data Encryption Standard is obsolete. 3DES is a "band-aid" that is too slow and can be cracked by high-performance clusters in hours.
- MD5 / SHA-1: These hashing algorithms suffer from "collision attacks," where different files can produce the same hash. They are no longer considered "secure" for integrity.
- DH Groups 2 & 5: These groups use 1024-bit keys. Modern computing can brute-force these exchanges. Group 14 (2048-bit) is the modern minimum baseline.
Modern Standard:
- AES-256: Advanced Encryption Standard with a 256-bit key. It is currently the industry standard for securing government and financial data.
- SHA-256: Provides a robust integrity check, ensuring the packet wasn't tampered with by a "Man-in-the-Middle" (MITM).
Phase 2 (IPsec): The "Data Highway"
Once Phase 1 is done, Phase 2 builds the actual pipe for your LAN traffic.
- ESP (Encapsulating Security Payload): We choose this because it provides Encryption.
- AH (Authentication Header): We reject this for VPNs because it provides integrity but no encryption. Anyone sitting between the sites could still read your data.
The Mathematics of the Mask (CIDR)
Subnetting is the process of borrowing bits from the host portion of an IP address to create smaller networks. In this lab, we used three distinct CIDR masks:
- /26 (HQ): 255.255.255.192. This borrows 2 bits ($2^2=4$ subnets). Each subnet has 64 addresses.
- /27 (Alpha): 255.255.255.224. This borrows 3 bits ($2^3=8$ subnets). Each subnet has 32 addresses.
- /28 (Sigma): 255.255.255.240. This borrows 4 bits ($2^4=16$ subnets). Each subnet has only 16 addresses.
Instructor Tip: To find the last octet of the mask, take 256 and subtract the number of addresses in the block (e.g., $256 - 16 = 240$ for a /28).
Enterprise-Owned vs. 3rd Party
Enterprise-Owned: You own the HQ and the Branch routers. You have full visibility. If the tunnel drops, you can check logs on both sides. This lab simulates an Enterprise-Owned Hub-and-Spoke model.
3rd Party / Cloud: You own the HQ, but the "Branch" is a managed service (like AWS Site-to-Site VPN). You often cannot change the third party's settings; instead, you must download a "Config File" from them and match your side to theirs exactly. This is more rigid and requires strict adherence to their supported Phase 1 proposals.
Final Pro-Tip: The Mirroring Rule
If HUB-CENTRAL has a Local network of 10.0.1.0/26 and a Remote of 192.168.10.0/27, then BRANCH-ALPHA must have the exact opposite: Local 192.168.10.0/27 and Remote 10.0.1.0/26. If even one digit of the subnet mask is off, the "Traffic Selectors" will not match, and the routers will refuse to encrypt the traffic.
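The mask arithmetic from "The Mathematics of the Mask" and the Mirroring Rule above, worked through as an added example (not part of the original guide). It uses only Python's standard ipaddress module; the HUB-CENTRAL and BRANCH-ALPHA selector values are the ones quoted in the text, and the deliberately broken branch configuration is constructed to show what a one-bit mask error looks like to the check.

```python
import ipaddress


def mask_from_prefix(prefix: int) -> str:
    """Dotted-decimal mask for a /prefix, e.g. 26 -> 255.255.255.192."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def block_size(prefix: int) -> int:
    """Number of addresses in one subnet of the given prefix length."""
    return 2 ** (32 - prefix)


def subnets_borrowed_from_class_c(prefix: int) -> int:
    """How many subnets a /24 yields when (prefix - 24) host bits are borrowed."""
    return 2 ** (prefix - 24)


def last_octet_trick(prefix: int) -> int:
    """Instructor's shortcut: 256 minus the block size is the last mask octet (valid for /25 to /32)."""
    return 256 - block_size(prefix)


def check_mirroring(hub_local: str, hub_remote: str,
                    branch_local: str, branch_remote: str) -> list[str]:
    """Return the list of traffic-selector mismatches; an empty list means the two ends mirror.

    ipaddress compares networks by address AND prefix length, so 10.0.1.0/26 and
    10.0.1.0/27 are different networks even though they start at the same address.
    """
    hl, hr = ipaddress.ip_network(hub_local), ipaddress.ip_network(hub_remote)
    bl, br = ipaddress.ip_network(branch_local), ipaddress.ip_network(branch_remote)
    problems = []
    if hl != br:
        problems.append(f"hub local {hl} does not match branch remote {br}")
    if hr != bl:
        problems.append(f"hub remote {hr} does not match branch local {bl}")
    return problems


if __name__ == "__main__":
    for name, prefix in (("HQ", 26), ("Alpha", 27), ("Sigma", 28)):
        print(f"/{prefix} ({name}): mask {mask_from_prefix(prefix)}, "
              f"{block_size(prefix)} addresses, {subnets_borrowed_from_class_c(prefix)} subnets, "
              f"last octet by shortcut {last_octet_trick(prefix)}")
    # Correct mirror: HUB-CENTRAL vs BRANCH-ALPHA exactly as the guide states.
    print(check_mirroring("10.0.1.0/26", "192.168.10.0/27", "192.168.10.0/27", "10.0.1.0/26"))
    # Constructed fault: branch remote typed as /27 instead of /26 (one mask bit off).
    print(check_mirroring("10.0.1.0/26", "192.168.10.0/27", "192.168.10.0/27", "10.0.1.0/27"))
```

The second call reports exactly one mismatch, which is the symptom a router would log as a Phase 2 traffic-selector failure.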