Presentation vpn (Presentation Transcript)

    • Slide 1: Christian Tettamanti, ing. HES
    • VPN - Virtual Private Network
      – Start date: 01.02.2002
      – Duration: 1+1 years
      – Team: Stefano Ventura prof. HES, Christian Tettamanti ing. HES, Pascal Gachet ing. HES, Gérald Litzistorf prof. HES, Philippe Logean ing. HES, Nicolas Sadeg ing. HES
    • VPN - Goals Of The Project (VPN Project, Open Source)
      – Phase I: Protocols
      – Phase II: Authentication
      – Phase III: Deployment
    • VPN - Goals Of The Project - Phase I: Protocols
      – Research and study of remote access solutions
      – Secure access on the internal private network
      – Interoperability tests
      – Study of VPN protocols (L2TP, PPTP, IPSec)
      – LAN-to-LAN and HOST-to-LAN scenarios
    • VPN - Goals Of The Project - Phase I: Protocols
      – PPTP: point-to-point tunneling protocol
      – L2TP: layer 2 tunneling protocol
      – IPSEC: IP security protocols
        • IKE: authentication
        • AH: integrity
        • ESP: confidentiality, integrity
    • VPN - Goals Of The Project - Phase II: Authentication
      – Research and study of secure authentication mechanisms
      – Study of Public Key Infrastructure (PKI)
      – Interoperability tests
    • VPN - Goals Of The Project - Phase III: Deployment
      – LAN-to-LAN between EIG and TCOM
      – HOST-to-LAN at EIVD
    • VPN – Open Source Software (different solutions based on Open Source)
      – Server OS: Slackware Linux
      – Firewall: Netfilter/iptables
      – Gateway VPN: OpenSwan
      – PKI Authority: OpenCA
      – VPN Clients: Win2K: SSH Sentinel* (*free license for universities); Linux: OpenSwan
    • VPN – Scenario 1 (diagram): EIG – Proprietary Solutions, 10.5.0.0/16, VPN GW; VPN tunnel over the internet; EIVD – Open Source Solutions, VPN GW, 10.4.1.0/24
    • VPN – Scenario 2 (diagram): Remote Client (VPN Client 10.4.2.20); VPN tunnel over the internet; EIVD – Open Source Solutions, VPN GW, 10.4.1.0/24
    • VPN – Scenario 3 (diagram): EIG – Proprietary Solutions, 10.5.0.0/16, VPN GW; EIVD – Open Source Solutions, VPN GW, 10.4.1.0/24; VPN Client 10.4.2.20; VPN tunnels over the internet from both EIG and the remote client to EIVD
    • VPN – Remote Client Authentication (diagram: remote client with dynamic IP 193.x.x.x and virtual IP 10.4.2.20; IPSec tunnel over the internet to the VPN GW; internal network 10.4.1.0/24)
      – The remote client authenticates itself on the VPN gateway
      – The authentication is based on X.509 certificates
      – The client acquires a private IP address with DHCP-over-IPSec
      – The remote client is part of the internal private network
    • VPN – DHCP-over-IPSec
      – Internet Draft: draft-ietf-ipsec-dhcp-13.txt
      – Diagram: ISAKMP SA (Main Mode, authentication); DHCP SA (lifetime = 20 sec.) carrying DHCP DISCOVER from the client 10.4.2.20 through the DHCP Relay (10.4.1.0/16) to the DHCP Server; then ESP SA between 10.4.2.20 and 10.4.0.0/15
    • VPN – NAT-Traversal
      – Internet Drafts: draft-ietf-ipsec-udp-encaps-03.txt, draft-ietf-ipsec-nat-t-03.txt
      – Diagram: intelligent NAT box: ESP and IKE with one client; ESP encapsulated in UDP (port 4500): NAT with n clients
    • VPN – Encountered Problems
      – PKI: token integration
      – Internet Service Provider (ISP): firewalls, routing
      – NAT routers: intelligent box, stupid box
      – NAT-Traversal: ESP UDP encapsulation
    • VPN – Gateway VPN Capabilities
      – IKE: encryption algorithm: aes-256bit; integrity function: SHA-2; DH group: MODP 1536 (group 5); PKI authentication: OK
      – IPSEC – ESP (AH): encryption algorithm: aes-256bit; integrity function: HMAC-SHA-2; DH group: MODP 1536 (group 5)
      – Other: DHCP over IPSEC: OK; NAT-Traversal: OK
    • VPN – Final Architecture (diagram)
      – EIG VPN area: NIDS Snort, PKI OpenCA, GW Clavister, FireWall IPtables, DC W2K
      – Internet
      – EIVD VPN area: GW VPN OpenSwan, PKI USB Key, Protected Area
      – Remote client
    • Slide 18 (screenshot)
    • VPN – SSH Sentinel Configuration (screenshot)
    • VPN – PKI Certificate Configuration (screenshot)
    • VPN – SA Life & NAT Configuration (screenshot)
    • VPN – IKE & ESP Configuration (screenshot)
    • VPN – Connection example (screenshot)
    • VPN – Network Interfaces: Before VPN Connection / After VPN Connection (screenshots)
    • Slide 25 (end)
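The NAT-Traversal slide shows ESP encapsulated in UDP port 4500 alongside IKE. The following added example (not part of the presentation or the OpenSwan project) classifies the three datagram kinds that share that port as published in RFC 3948, the final form of draft-ietf-ipsec-udp-encaps, and parses the ISAKMP header so a monitor can tell a Main Mode exchange from ESP data; the sample datagrams are constructed inline.

```python
"""Classify UDP/4500 payloads seen once IPsec NAT-Traversal is in use.
Added example; datagrams below are constructed, not captured traffic."""
import struct

IKE_MAIN_MODE = 2  # ISAKMP exchange type "Identity Protection" (IKEv1 Main Mode)
ISAKMP_HDR_LEN = 28

def classify_nat_t_payload(payload: bytes) -> dict:
    """RFC 3948 rules: a lone 0xFF byte is a NAT keepalive; four zero bytes
    (the Non-ESP marker) precede an ISAKMP header; otherwise the payload
    is ESP and its first four bytes are the SPI, which is never zero."""
    if payload == b"\xff":
        return {"kind": "keepalive"}
    if payload[:4] == b"\x00\x00\x00\x00":
        if len(payload) < 4 + ISAKMP_HDR_LEN:
            return {"kind": "malformed", "len": len(payload)}
        ispi, rspi, next_pl, ver, xchg, flags, msg_id, length = struct.unpack(
            "!8s8sBBBBII", payload[4:4 + ISAKMP_HDR_LEN])
        return {"kind": "ike",
                "initiator_cookie": ispi.hex(),
                "version": f"{ver >> 4}.{ver & 0xF}",
                "exchange": "main-mode" if xchg == IKE_MAIN_MODE else str(xchg),
                "encrypted": bool(flags & 0x01),  # ISAKMP E bit
                "message_id": msg_id,
                # declared length must match what is left after the marker
                "length_ok": length == len(payload) - 4}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed", "len": len(payload)}

# Constructed sample datagrams.
IKE_PKT = (b"\x00" * 4                          # Non-ESP marker
           + bytes.fromhex("0123456789abcdef")  # initiator cookie
           + bytes.fromhex("fedcba9876543210")  # responder cookie
           + bytes([1, 0x10, 2, 0x01])          # next=SA, v1.0, Main Mode, E bit
           + struct.pack("!II", 0, 40)          # message id, total length
           + b"\x00" * 12)                      # encrypted payload placeholder
ESP_PKT = struct.pack("!II", 0x5A6B7C8D, 17) + b"\x00" * 24
KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for name, pkt in (("ike", IKE_PKT), ("esp", ESP_PKT), ("keepalive", KEEPALIVE)):
        print(name, classify_nat_t_payload(pkt))
```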