Dedication
This book is dedicated to my parents and my family.
Acknowledgment
All books are the product of teamwork, and I thank all the members of the
Scholars Press publisher, including the project editor, friends, seniors,
colleagues, and my teachers.
I specially acknowledge Dr. Muhammad Yousaf, Assistant Professor of
Riphah Institute of Systems Engineering, Islamabad. He guided, motivated,
and encouraged me in my research work.
I also acknowledge Miss Muntaha Sohail, Lecturer in the English Department,
University of Sargodha, Sub-Campus Mandi Bahauddin. She minutely and
skillfully proofread this book.
Contents
Chapter 1 Introduction
1 Virtual Private Network ........................................................................2
1.1 VPN Services....................................................................................2
1.1.1 Confidentiality.........................................................................2
1.1.2 Integrity...................................................................................3
1.1.3 Authentication.........................................................................3
1.1.4 Availability..............................................................................4
1.1.5 Anti-Replay.............................................................................4
1.2 VPN Advantages ..............................................................................4
1.2.1 Data Security...........................................................................4
1.2.2 Private Network Access..........................................................4
1.2.3 Bandwidth ...............................................................................5
1.2.4 Cost Reduction........................................................................5
1.2.5 Deployment Flexibility ...........................................................5
1.3 VPN Types........................................................................................5
1.3.1 Remote Access VPN...............................................................5
1.3.2 Site-to-Site VPN......................................................................5
1.4 VPN Protocols ..................................................................................6
1.5 VPN Supported Devices...................................................................6
Chapter 2 PPTP VPN
2 PPTP VPN.............................................................................................8
2.1 PPTP Security...................................................................................8
2.2 Encapsulation....................................................................................9
2.3 Router as a PPTP VPN Server........................................................10
2.3.1 Lab Objectives ......................................................................10
2.3.2 Topology ...............................................................................10
2.3.3 Step-1 IP Addressing.............................................................10
2.3.4 Step-2 Configuring Static IP Routing...................................12
2.3.5 Step-3 Connectivity Testing..................................................13
2.3.6 Step-4 Configuring Router as a PPTP VPN Server..............14
2.3.7 Step-5 Configuring & Setting of PPTP VPN Client.............15
2.3.8 Step-6 Connecting VPN Client.............................................19
2.3.9 Step-7 Testing .......................................................................21
Chapter 3 L2TP VPN
3 L2TP VPN...........................................................................................25
3.1 L2TP Security.................................................................................26
3.2 Encapsulation..................................................................................27
3.3 Router as a L2TP VPN Server........................................................28
3.3.1 Lab Objectives ......................................................................28
3.3.2 Topology ...............................................................................28
3.3.3 Step-1 IP Addressing.............................................................28
3.3.4 Step-2 Configuring Static IP Routing...................................30
3.3.5 Step-3 Configuring Router as a DNS Server ........................31
3.3.6 Step-4 Testing Connectivity..................................................31
3.3.7 Step-5 Configuring Router as a L2TP VPN Server..............33
3.3.8 Step-6 Configuring & Setting L2TP VPN Client .................34
3.3.9 Step-7 Connecting VPN Client.............................................36
3.3.10 Step-8 Testing .......................................................................38
Chapter 4 L2TP over IPsec VPN
4 L2TP over IPsec VPN.........................................................................42
4.1 L2TP over IPsec Security...............................................................42
4.2 Encapsulation..................................................................................42
4.3 Router as an L2TP over IPsec VPN Server....................................44
4.3.1 Lab Objectives ......................................................................44
4.3.2 Topology ...............................................................................44
4.3.3 Step-1 IP Addressing.............................................................44
4.3.4 Step-2 Configuring Static IP Routing...................................46
4.3.5 Step-3 Testing Connectivity..................................................47
4.3.6 Step-4 Configuring Router as an L2TP over IPsec VPN......48
4.3.7 Step-5 Configuring & Setting L2TP over IPsec VPN Client49
4.3.8 Step-6 Connecting VPN Client.............................................70
4.3.9 Step-7 Testing .......................................................................72
Chapter 5 IPsec VPN
5 IPsec VPN ...........................................................................................79
5.1 IPsec Security Architecture ............................................................79
5.2 Encapsulation..................................................................................81
5.3 Site-to-Site IPsec VPN b/w Routers...............................................83
5.3.1 Lab Objectives ......................................................................83
5.3.2 Topology ...............................................................................83
5.3.3 Step-1 IP Addressing.............................................................83
5.3.4 Step-2 Configuring Static IP Routing...................................86
5.3.5 Step-3 Configuring NAT ......................................................88
5.3.6 Step-4 Testing Connectivity..................................................89
5.3.7 Step-5 Configuring Site-to-Site IPsec VPN Tunnel .............90
5.3.8 Step-6 Testing .......................................................................92
5.4 Site-to-Site IPsec VPN b/w PIX & ASA........................................95
5.4.1 Lab Objectives ......................................................................95
5.4.2 Topology ...............................................................................95
5.4.3 Step-1 IP Addressing.............................................................95
5.4.4 Step-2 Configuring Static IP Routing...................................99
5.4.5 Step-3 Testing Connectivity................................................100
5.4.6 Step-4 Configuring IPsec Tunnel........................................101
5.4.7 Step-5 Testing .....................................................................102
5.5 Remote Access IPsec VPN with Router (Easy VPN) ..................104
5.5.1 Lab Objectives ....................................................................104
5.5.2 Topology .............................................................................104
5.5.3 Step-1 IP Addressing...........................................................104
5.5.4 Step-2 Configuring Static IP Routing.................................106
5.5.5 Step-3 Testing Connectivity................................................107
5.5.6 Step-4 Configuring Remote Access IPsec VPN Tunnel.....107
5.5.7 Step-5 Installing & Setting CISCO IPsec VPN Client .......109
5.5.8 Step-6 Connecting IPsec VPN Client .................................113
5.5.9 Step-7 Testing .....................................................................115
5.6 Remote Access IPsec VPN with ASA (Easy VPN).....................116
5.6.1 Lab Objectives ....................................................................116
5.6.2 Topology .............................................................................116
5.6.3 Step-1 IP Addressing...........................................................116
5.6.4 Step-2 Configuring NAT ....................................................118
5.6.5 Step-3 Configuring Static IP Routing.................................118
5.6.6 Step-4 Testing Connectivity................................................119
5.6.7 Step-5 Configuring ASA as IPsec VPN Server..................120
5.6.8 Step-6 Configuring VPN Client..........................................121
5.6.9 Step-7 Connecting VPN Client...........................................121
5.6.10 Step-8 Testing .....................................................................121
Chapter 6 GRE VPN
6 GRE VPN..........................................................................................124
6.1 GRE Security................................................................................124
6.2 Encapsulation................................................................................124
6.3 Site-to-Site IPsec over GRE VPN ................................................125
6.3.1 Lab Objectives ....................................................................125
6.3.2 Topology .............................................................................125
6.3.3 Step-1 IP Addressing...........................................................125
6.3.4 Step-2 Configuring Static IP Routing.................................127
6.3.5 Step-3 Configuring NAT ....................................................128
6.3.6 Step-4 Testing Connectivity................................................129
6.3.7 Step-5 Configuring Site-to-Site IPSec over GRE Tunnel ..130
6.3.8 Step-6 Testing .....................................................................132
6.4 Site-to-Site IPsec over GRE VPN (Behind ASA)........................136
6.4.1 Lab Objectives ....................................................................136
6.4.2 Topology .............................................................................136
6.4.3 Step-1 IP Addressing...........................................................136
6.4.4 Step-2 Configuring Static IP Routing.................................139
6.4.5 Step-3 Configuring NAT ....................................................141
6.4.6 Step-4 Testing Connectivity................................................142
6.4.7 Step-5 Configuring IPsec over GRE...................................142
6.4.8 Step-6 Testing .....................................................................145
Chapter 7 DMVPN
7 DMVPN.............................................................................................147
7.1 DMVPN Security..........................................................................147
7.2 Encapsulation................................................................................147
7.3 Dynamic Multipoint VPN (Hub & Spokes).................................148
7.3.1 Lab Objectives ....................................................................148
7.3.2 Topology .............................................................................148
7.3.3 Step-1 IP Addressing...........................................................148
7.3.4 Step-2 Configuring Static IP Routing.................................151
7.3.5 Step-3 Testing Connectivity................................................152
7.3.6 Step-4 Configuring DMVPN Tunnel..................................153
7.3.7 Step-5 Testing .....................................................................155
Chapter 8 SSL VPN
8 SSL VPN...........................................................................................159
8.1 SSL Security.................................................................................159
8.2 SSL Encapsulation........................................................................160
8.3 Router as an SSL VPN Gateway..................................................161
8.3.1 Lab Objectives ....................................................................161
8.3.2 Topology .............................................................................161
8.3.3 Step-1 IP Addressing...........................................................161
8.3.4 Step-2 Configuring Static IP Routing.................................163
8.3.5 Step-3 Configuring Router as a DNS Server ......................164
8.3.6 Step-4 Testing Connectivity................................................164
8.3.7 Step-5 Configuring Self-Signed Certificates ......................166
8.3.8 Step-6 Configuring SSL VPN Gateway .............................168
8.3.9 Step-7 Testing .....................................................................169
Chapter 9 High Availability VPN
9 High Availability VPN......................................................................172
9.1 HSRP ............................................................................................172
9.2 VRRP............................................................................................173
9.3 GLBP ............................................................................................173
9.4 Site-to-Site IPsec High Availability VPN with HSRP.................174
9.4.1 Lab Objectives ....................................................................174
9.4.2 Topology .............................................................................174
9.4.3 Step-1 IP Addressing...........................................................174
9.4.4 Step-2 Configuring Static IP Routing.................................177
9.4.5 Step-3 Testing Connectivity................................................179
9.4.6 Step-4 Configuring HSRP...................................................179
9.4.7 Step-5 Configuring IPsec VPN over HSRP........................182
9.4.8 Step-6 Testing .....................................................................184
References:................................................................................................186
Learning Outcomes
This book covers virtual private network technologies, theoretical as
well as practical. As a study guide, it demonstrates how VPNs actually
work and shows their practical implementation in different lab scenarios,
step by step. The objective of this book is to teach students and
professionals in an easy way. From this book a reader learns not only the
theoretical knowledge of VPNs but also the IOS-based practical
implementation of several types of VPNs in his home and office.
There are several types of VPNs with different scenarios. After studying
this book, the reader will be familiar with almost all types of VPN and
will be able to set up all of them in different scenarios in his office
and home.
Chapter 1 Introduction

1 Virtual Private Network
A Virtual Private Network (VPN) is a secure, reliable and logical connection
that is created over a public network (the Internet). CISCO defines a VPN as
an encrypted connection between private networks over a public network [1].
It is a virtual connection, not a physical one. It extends a private network
across a shared or public network and enables a computer to send or receive
data safely through that shared or public network, whether or not the
computer is directly connected to the private network. This is done by
establishing a virtual connection through the Internet.
1.1 VPN Services
VPNs provide different types of security services through different security
protocols. These services are:
1. Confidentiality
2. Integrity
3. Authentication
4. Availability
5. Anti-replay
1.1.1 Confidentiality
Confidentiality means secrecy. It is a technique in which the original data
is hidden or replaced with some other data. The idea is that the data is not
disclosed to anyone, intentionally or unintentionally, during transmission.
In network security it is also called encryption. It is the process in which
the plaintext (original text) is replaced or substituted with the help of a
certain encryption algorithm, a key, and a mechanism. After this process the
plaintext is converted into encrypted text (ciphertext). The encrypted text
is transmitted over an insecure network; if somebody captures it, it is not
easy to understand. On the receiving side the reverse process, called
decryption, takes place: the same algorithm, key, and mechanism are used to
decrypt the text and the original text is extracted. There are several
encryption algorithms. Some of them work character by character and the
remaining work block by block. There are two types of keys: symmetric and
asymmetric. With symmetric keys the same key is used to encrypt and decrypt,
while with asymmetric keys a pair of keys is used: one key is the private
key and the second is called the public key. If the public key is used to
encrypt the data, its private key is used to decrypt the data, whereas if
the private key is used to encrypt the data, its public key is used to
decrypt the data. The mechanism means the way or method that defines how to
drive the algorithm and key.
Modern encryption algorithms are:
1. DES (Data Encryption Standard)
2. 3DES (Triple Data Encryption Standard)
3. AES (Advanced Encryption Standard)
1.1.2 Integrity
Integrity means originality. It is a technique to ensure that data is not
modified or altered by an unauthorized person during transmission. The
data remains consistent, both internally and externally, and it is
guaranteed that the receiver receives the data in its original form with no
change during transmission. In network security it is also called hashing.
Hashing is a one-way process in which a 32-bit long hash value is calculated
from the data with a specific algorithm. This hash value is transmitted
along with the data. On the receiver side, the receiver once again
calculates the hash value of the received data with the same algorithm and
compares it with the value that came with the data. If the values are the
same, integrity has not been compromised; if the hash value differs, even by
one character, it indicates that integrity has been compromised and the
receiver discards the received data. Modern hashing algorithms are:
1. MD-5 (Message Digest)
2. SHA-1 (Secure Hash Algorithm)
1.1.3 Authentication
Authentication is a technique which verifies the identity of a user or a
process. It prevents unauthorized users from accessing data or services. In
this process the credentials provided by the user are compared with those
already saved in the database file. If the credentials match, the user is
granted authorization for access and the process is complete; if the
credentials do not match, the user is denied access. Authentication may be
local or remote. In local authentication the credentials are saved on the
same machine, while in remote authentication the user credentials are saved
on another server: the receiving machine sends the user credentials to the
authentication server, which checks whether they are true or false and
responds. If the machine receives true from the authentication server it
grants access, and if it receives false it denies access. For security, the
Challenge Handshake Authentication Protocol (CHAP) is used between the
machine and the authentication server. Modern remote authentication servers
are:
1. TACACS (Terminal Access Controller Access Control System)
2. RADIUS (Remote Authentication Dial-In User Service)
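To make the challenge/response flow between the machine and the authentication server concrete, here is an added example (written for this edition, not taken from the book or from any vendor's implementation) that simulates CHAP as specified in RFC 1994: the server issues a random challenge, the client answers with MD5 over the identifier, the shared secret and the challenge, and the server recomputes the same value from its own copy of the secret and answers success or failure. The `AuthServer` class, the user table and the `client_authenticate` helper are constructed for this illustration; the secret itself never crosses the wire, and each challenge is usable only once, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response value: MD5 over Identifier || Secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AuthServer:
    """Remote authentication server holding the credential store (constructed for this example)."""

    def __init__(self, users: dict[str, bytes]):
        self.users = users          # username -> shared secret; stays on the server
        self.pending = {}           # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        """Step 1: issue a fresh identifier and a random challenge."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        """Step 3: recompute the expected response and compare in constant time."""
        # One-shot: the challenge is consumed, so a replayed response finds nothing to match.
        challenge = self.pending.pop(identifier, None)
        secret = self.users.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def client_authenticate(server: AuthServer, username: str, secret: bytes) -> bool:
    """Run the exchange from the client's side and return the server's verdict."""
    identifier, challenge = server.challenge()                # <- Challenge
    response = chap_response(identifier, secret, challenge)   # -> Response (secret stays local)
    return server.verify(identifier, username, response)      # <- Success / Failure


if __name__ == "__main__":
    server = AuthServer({"test": b"test"})    # constructed user database
    print("correct secret:", client_authenticate(server, "test", b"test"))
    print("wrong secret:  ", client_authenticate(server, "test", b"guess"))
```

The server stores `pending` challenges keyed by identifier, which is what lets it reject a response that is submitted twice; a real RADIUS or TACACS+ deployment adds its own transport protection on top of this exchange.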
1.1.4 Availability
Availability provides reliable and timely access to data and resources. Once
a VPN is connected, its time period is 24 hours by default, which means that
the user can access data or services at any time during the VPN connection.
1.1.5 Anti-Replay
Anti-replay is a technique in which the receiver verifies that each packet is
unique and not a duplicate. In this process a sequence number is carried in
each packet, and the receiver orders the packets according to these sequence
numbers. If a duplicate packet is received, the receiver discards it.
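As an added example (not part of the book), the following Python implements the sliding-window check that IPsec uses for anti-replay (RFC 4303, Appendix A), which generalises the duplicate check described above to packets that arrive out of order: a packet newer than the highest sequence number seen is accepted and slides the window forward, a packet inside the window is accepted the first time only, and a packet older than the window or already seen is discarded. The `ReplayWindow` class, its window size and the sample arrival order are constructed for the illustration.

```python
class ReplayWindow:
    """Sliding-window anti-replay check in the style of IPsec ESP/AH (RFC 4303, Appendix A)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last_seq = 0        # highest sequence number accepted so far (right edge of window)
        self.bitmap = 0          # bit i set  <=>  packet with sequence (last_seq - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if it is new and inside the window, else False."""
        if seq <= 0:
            return False                      # sequence numbers start at 1
        if seq > self.last_seq:               # newer than anything seen: slide the window right
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 0               # everything seen before falls out of the window
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                  # bit 0 now represents this packet
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.size:
            return False                      # older than the window: treated as a replay
        if self.bitmap & (1 << offset):
            return False                      # duplicate inside the window
        self.bitmap |= 1 << offset            # late but genuine: accept it once
        return True


def accept_sequence(seqs, size: int = 64) -> list[int]:
    """Feed an arrival order through one window and return the sequence numbers it accepted."""
    window = ReplayWindow(size)
    return [s for s in seqs if window.check_and_update(s)]


# Constructed arrival order: two duplicates (2, 4), one reordered pair (5 before 4),
# a large jump (100), one packet that falls outside the 64-wide window (36).
SAMPLE_ARRIVALS = [1, 2, 3, 2, 5, 4, 4, 100, 40, 36, 37]

if __name__ == "__main__":
    print("accepted:", accept_sequence(SAMPLE_ARRIVALS))   # [1, 2, 3, 5, 4, 100, 40, 37]
```

The window size trades tolerance of reordering against memory: with `size=64` a packet may arrive up to 63 positions late and still be accepted, while anything older is dropped as a replay.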
1.2 VPN Advantages
VPN technology has heavily influenced the corporate sector through its many
advantages. Because of these advantages it is a popular and widely deployed
technology in the industry. These advantages are:
1.2.1 Data Security
A public network (the Internet) is not a secure network, and it is not
possible to secure it completely. It is very risky, and it is easy for a
third person (an intruder) to access or alter data while it moves across the
public network. So data needs to be secured before it is transferred over a
public network. A VPN encapsulates the data in a security header before
transmitting it to its destination. When data is encapsulated in a security
header it is not easy to access or alter. On the receiving side it is
decapsulated.
1.2.2 Private Network Access
VPNs allow employees to securely access their company's private network
or data while travelling outside the office or at home. Many employees
work in branch offices and others work as teleworkers in the field. They
are away from the central site, and if they need to access the company's
data or services for business operations, they can access them securely
through a VPN connection.
1.2.3 Bandwidth
Users or branch offices use leased lines such as E1, T1, Frame Relay or
Asynchronous Transfer Mode (ATM) to access the company's data or services
securely. These leased lines typically provide 128 Kbps, 256 Kbps, and 512
Kbps connection speeds, and they are expensive. Users and branch offices
require more bandwidth and speed for their services and advanced
applications.  Internet Service Providers (ISPs) provide relatively
high-bandwidth IP connections, such as broadband Digital Subscriber Line
(DSL) or cable access, for VPNs on a shared basis.
1.2.4 Cost Reduction
ISPs provide relatively high-bandwidth IP connections, such as broadband
DSL or cable service, on a shared basis. As a result, many customers are
migrating their primary WAN connectivity to these services or deploying
such WAN alternatives as a secondary high-speed WAN circuit to augment
their existing private network. These high-bandwidth, shared IP connections
cost relatively less than leased lines.
1.2.5 Deployment Flexibility
VPNs can be quickly established wherever an Internet access connection is
available. They offer a great degree of flexibility in connecting branch
offices, or even while traveling outside the office or at home.
1.3 VPN Types
A VPN can be set up in different forms. A secure connection is created over
a public network; sometimes it is called a tunnel, and all traffic passes
through this tunnel. There are two basic types of VPN:
1. Remote Access VPN
2. Site-to-Site VPN
1.3.1 Remote Access VPN
In a remote access VPN, a single user connects to a private network and
accesses its services and resources remotely. The connection between the
user and the private network happens through the Internet, and this
connection is secure and private. Usually home users or teleworkers use this
type of VPN. Teleworkers or employees use a remote access VPN to connect to
their company's private network and remotely access files and resources on
the private network while traveling.
1.3.2 Site-to-Site VPN
The site-to-site VPN type is mostly used in corporate networks. In this
type of VPN, a company's offices in different geographical locations use a
site-to-site VPN to connect their networks with the head office or another
branch office. A device acts as a gateway in one branch office and similarly
in the other branch office, and the connection is established between the
two. Once the connection is established, multiple users in the branch
offices can use it.
1.4 VPN Protocols
As we know, communication between two devices is based upon the Open
Systems Interconnection (OSI) reference model. It is a universal standard,
proposed by the International Organization for Standardization (ISO) in
1984, and it consists of seven layers. Each layer of this model performs
specific tasks through several communication protocols, and these
protocols are classified according to these layers. VPN protocols are
likewise classified according to the OSI model's layers for security
purposes. These VPN protocols are:
1. PPTP (Point-to-Point Tunneling Protocol)
2. L2TP (Layer 2 Tunneling Protocol)
3. IPsec (Internet Protocol Security)
4. L2TP over IPsec
5. GRE (Generic Routing Encapsulation)
6. IPsec over GRE
7. TLS (Transport Layer Security)
8. SSL (Secure Sockets Layer)
1.5 VPN Supported Devices
A dedicated VPN support device is the VPN concentrator. A VPN concentrator
is a type of networking device that provides secure creation of VPN
connections and delivery of messages between VPN nodes. However, other
devices (routers, multi-layer switches, PIX, ASA, PCs, smartphones and
tablets) may also support VPN, provided they run a VPN-capable operating
system. Multiple vendors, such as CISCO, Juniper, Linksys, Microsoft, Linux
and Mac, have designed such devices. The VPN service provided by these
devices is said to be IOS-based VPN. In this guide, CISCO-based devices
(Router, PIX & ASA) and Windows-based PCs are used.
Chapter 2 PPTP VPN

2 PPTP VPN
Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN
techniques in network security. It was introduced by "Matthew Ramsay" in
1999 with the support of Microsoft, and its specification is described in
RFC 2637 [2]. It basically extends the Point-to-Point Protocol (PPP), which
transfers multi-protocol datagrams over a point-to-point link. It uses the
dial-up networking method called Virtual Private Dial-up Network (VPDN). It
is most suitable for remote access applications through a VPN, and it also
supports LAN internetworking. It operates at layer 2 of the OSI model. It
works as a client/server model which is simple to configure. By default the
client is software based and is normally available in all Microsoft
Windows, Linux and MAC operating systems. It remains a popular technology,
especially on Microsoft Windows computers. It is a connection-oriented
protocol and uses TCP port 1723. In this tunneling technique, tunnels are
created in two steps:
1. First, the client connects to its ISP using any service (dial-up, ISDN,
DSL modem or LAN).
2. Secondly, PPTP creates a TCP session between client and server to
establish a secure tunnel.
Once the PPTP tunnel is established between client and server, two types of
information can pass through the tunnel. A unique Call ID value is assigned
to each session for its identification.
1. Control Messages: These messages pass directly through the tunnel
between the client and the server, up to and including tearing down the
connection. A variety of control messages is used to maintain the VPN
connection; some of them are shown in Fig. 2.1 below.
2. Data Packets: These pass through the tunnel to the client, and the
client sends its data back the same way.
2.1 PPTP Security
PPTP supports authentication, encryption and packet filtering. For
authentication, PPP-based protocols such as MS-CHAPv1, MS-CHAPv2, EAP-TLS
and PAP are used. MS-CHAPv1 is insecure. EAP-TLS is the superior choice;
however, it requires a Public Key Infrastructure implementation for both
client and server certificates. When MS-CHAPv1/v2 is used with PPTP, the
payloads are encrypted using Microsoft Point-to-Point Encryption (MPPE).
MPPE supports 40-bit, 56-bit & 128-bit encryption and enhances the
confidentiality of PPP-encapsulated packets [3]. Packet filtering is
implemented on VPN servers.
Figure 2.1 PPTP Control Messages
2.2 Encapsulation
PPTP encapsulates PPP frames in IP packets and uses a TCP connection for
tunnel management. The encapsulated PPP frames may be encrypted, compressed
or both, as highlighted in Fig. 2.2.
Figure 2.2 PPTP Encapsulation
In October 2012 the security of PPTP was broken; it is no longer in use and
its use is not recommended by Microsoft [4].
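The control channel described above runs over TCP port 1723, and every control message starts with the same 12-byte header: total length, PPTP message type (1 = control), the magic cookie 0x1A2B3C4D, the control message type, and a reserved field (RFC 2637). The following added example (written for this edition, not taken from the book or from any PPTP implementation) builds a constructed Start-Control-Connection-Request and Echo-Request as a client would send them and parses them back out of a byte stream, which is the kind of validation a monitoring tool performs to recognise PPTP sessions and to discard malformed ones; the helper names and the sample host/vendor strings are assumptions.

```python
import struct

PPTP_PORT = 1723
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MESSAGE_TYPE_CONTROL = 1
HEADER_FORMAT = "!HHIHH"   # Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0
HEADER_LEN = struct.calcsize(HEADER_FORMAT)   # 12 bytes

# Control message types from RFC 2637, section 1.4.
CONTROL_MESSAGE_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}


def build_control_message(ctrl_type: int, body: bytes) -> bytes:
    """Prepend the common PPTP control header to a message body."""
    return struct.pack(HEADER_FORMAT, HEADER_LEN + len(body), PPTP_MESSAGE_TYPE_CONTROL,
                       PPTP_MAGIC_COOKIE, ctrl_type, 0) + body


def parse_control_stream(data: bytes) -> list[tuple[str, int]]:
    """Split a TCP/1723 byte stream into (message name, length) pairs, validating each header."""
    messages = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER_LEN:
            raise ValueError(f"truncated header at offset {offset}")
        length, msg_type, magic, ctrl_type, _reserved = struct.unpack_from(HEADER_FORMAT, data, offset)
        if magic != PPTP_MAGIC_COOKIE:
            raise ValueError(f"bad magic cookie 0x{magic:08X} at offset {offset}")
        if msg_type != PPTP_MESSAGE_TYPE_CONTROL:
            raise ValueError(f"unexpected PPTP message type {msg_type} at offset {offset}")
        if length < HEADER_LEN or offset + length > len(data):
            raise ValueError(f"invalid length {length} at offset {offset}")
        messages.append((CONTROL_MESSAGE_TYPES.get(ctrl_type, f"Unknown({ctrl_type})"), length))
        offset += length
    return messages


def is_valid_control_stream(data: bytes) -> bool:
    """True when every message in the stream has a well-formed header and fits the buffer."""
    try:
        parse_control_stream(data)
        return True
    except ValueError:
        return False


# Constructed sample: SCCRQ body per RFC 2637 (protocol version 1.0, framing and bearer
# capabilities, maximum channels, firmware revision, 64-byte host name, 64-byte vendor string).
SCCRQ_BODY = (struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 0, 0)
              + b"vpn-client".ljust(64, b"\x00")
              + b"example-vendor".ljust(64, b"\x00"))
SAMPLE_STREAM = (build_control_message(1, SCCRQ_BODY)             # 156-byte SCCRQ
                 + build_control_message(5, struct.pack("!I", 1)))  # 16-byte Echo-Request


def sample_summary() -> list[tuple[str, int]]:
    return parse_control_stream(SAMPLE_STREAM)


if __name__ == "__main__":
    for name, length in sample_summary():
        print(f"{name:<34} {length:>4} bytes")
```

Because the length field is trusted only after it has been checked against the remaining buffer, a message that claims more bytes than the stream holds is rejected rather than read past the end, which is the failure mode a careless parser of this header would have.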
2.3 Router as a PPTP VPN Server
2.3.1 Lab Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Test Connectivity
- Configure Router as a PPTP VPN Server
- Configure PC as a Microsoft PPTP VPN Client
- Try to Connect VPN Client
- Test VPN
2.3.2 Topology

Figure 2.3 PPTP VPN Setup
2.3.3 Step-1 IP Addressing
Assign IP addresses on the routers' interfaces as mentioned above in the
topology diagram (Fig. 2.3). The interfaces must be enabled and in running
state.

Internet

Internet>enable
Internet#configure terminal
Internet(config)#interface fastethernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastethernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief
Interface          IP-Address      OK? Method Status   Protocol
FastEthernet0/0    203.0.113.18    YES manual up       up
FastEthernet0/1    203.0.113.33    YES manual up       up
Internet#

Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    203.0.113.32/28 is directly connected, FastEthernet0/1

Branch

Branch>enable
Branch#configure terminal
Branch(config)#interface fastethernet0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastethernet0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief
Interface          IP-Address      OK? Method Status   Protocol
FastEthernet0/0    203.0.113.34    YES manual up       up
FastEthernet0/1    192.168.1.1     YES manual up       up
Branch#

PC

Figure 2.4 Client IP Address
2.3.4 Step-2 Configuring Static IP Routing

PC

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>

Branch

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 203.0.113.33
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#
2.3.5 Step-3 Connectivity Testing

PC

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Request timed out.
Reply from 203.0.113.34: bytes=32 time=258ms TTL=254
Reply from 203.0.113.34: bytes=32 time=185ms TTL=254
Reply from 203.0.113.34: bytes=32 time=184ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 184ms, Maximum = 258ms, Average = 209ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch

Branch#ping 203.0.113.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#
2.3.6 Step 4 Configure Router as PPTP VPN Server

Branch(config)#vpdn enable
Branch(config)#vpdn-group pptpvpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol pptp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#

Branch(config)#ip local pool pptp-pool 172.16.1.1 172.16.1.50
Branch(config)#username test password 0 test

Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)#peer default ip address pool pptp-pool
Branch(config-if)#ip unnumbered fastethernet 0/1
Branch(config-if)#no keepalive
Branch(config-if)#ppp encrypt mppe auto required
Branch(config-if)#ppp authentication ms-chap ms-chap-v2
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.34    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          192.168.1.1     YES unset  down                  down

Branch#show vpdn group

Group 1
  group session limit 65535 active sessions 0 active tunnels 0
Group pptpvpn
  group session limit 65535 active sessions 0 active tunnels 0

Branch#show vpdn session

% No active tunnels
2.3.7 Step 5 Configure PC as Microsoft PPTP VPN Client

1. Choose Start > Control Panel > Network and Sharing Center > Set up a new connection.

Figure 2.5 Set up a new Connection
2. After the Network Connection Wizard window appears, choose Connect to a workplace and click Next.

Figure 2.6 Connect to a Workplace
3. Choose No, create a new connection and click Next.

Figure 2.7 Create new Connection
4. Select Use my Internet connection (VPN).

Figure 2.8 New Connection Name  IP Address
5. Choose Start > Control Panel > Network and Sharing Center > Change adapter settings, then select the Properties of the recently configured connection.

Figure 2.9 Properties
6. Choose the Security tab.

Figure 2.10 Security
7. Under Type of VPN choose PPTP, choose Require encryption from Data encryption, check the authentication protocols and click OK.


Figure 2.11 Select Properties
2.3.8 Step 6 Try to Connect VPN Client

1. Try to connect.

Figure 2.12 Username  Password
2. Type username test and password test, then click Connect.


Figure 2.13 Connecting
3. The verifying username and password window appears.

Figure 2.14 Verifying
4. The registering your computer on the network window appears.
Figure 2.15 Completing
5. When connected, the status of the connection changes.

Figure 2.16 Connection Status
2.3.9 Step 7 Test VPN

PC:


Figure 2.17 Connection Details
C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=232ms TTL=255
Reply from 192.168.1.1: bytes=32 time=226ms TTL=255
Reply from 192.168.1.1: bytes=32 time=338ms TTL=255
Reply from 192.168.1.1: bytes=32 time=351ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 226ms, Maximum = 351ms, Average = 286ms

Branch:

Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.34    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Virtual-Access1            192.168.1.1     YES unset  up                    up
Virtual-Template1          192.168.1.1     YES unset  down                  down

Branch#show interface virtual-access1

Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoVPDN vaccess, cloned from Virtual-Template1
  Vaccess status 0x44
  Protocol pptp, tunnel id 36776, session id 20632, loopback not set
  Keepalive not set
  DTR is pulsed for 5 seconds on reset
  Last input 00:05:07, output never, output hang never
  Last clearing of "show interface" counters 00:22:57

Branch#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address
  Vi3          test               PPPoVPDN     00:09:55 172.16.1.11

Branch#show vpdn session

PPTP Session Information Total tunnels 1 sessions 1

LocID  RemID  TunID  Intf  Username  State   Last Chg  Uniq ID
20632  256    36776  Vi3   test      estabd  00:00:41  2

Branch#show vpdn tunnel pptp

PPTP Tunnel Information Total tunnels 1 sessions 1

LocID  Remote Name  State   Remote Address  Port  Sessions  VPDN Group
36776               estabd  203.0.113.17    4993  1         1

Branch#show vpdn tunnel pptp transport

PPTP Tunnel Information Total tunnels 1 sessions 1

LocID  Type  Local Address  Port  Remote Address  Port
36776        203.0.113.34   1723  203.0.113.17    4993

Branch#show vpdn tunnel pptp packets

PPTP Tunnel Information Total tunnels 1 sessions 1

LocID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
36776  61216679521
Branch#
3 L2TP VPN

Layer 2 Tunneling Protocol (L2TP) was introduced in 1999 as the combination of
two tunneling protocols: Layer 2 Forwarding (L2F) by Cisco Systems and
Point-to-Point Tunneling Protocol (PPTP) by Microsoft. It merges the best
features of both; in other words, it is an extension of PPTP. It was specified
in RFC 2661 [5]. L2F is a tunneling protocol developed to establish VPNs over
the public network (Internet). It does not provide encryption by itself and
was specially designed to tunnel PPP traffic. In 2005, a new version of L2TP
was introduced as L2TPv3, with additional security features, improved
encapsulation and the ability to carry data links over the network. Its
specification is RFC 3931 [6].
The entire L2TP packet, including the payload and the L2TP header, is sent
within a User Datagram Protocol (UDP) datagram on port 1701. It is common to
carry a PPP session within an L2TP tunnel. L2TP does not support strong
authentication or confidentiality by itself. The IPsec protocol is often used
with L2TP to provide strong confidentiality, authentication and integrity; the
combination of these two protocols is generally known as L2TP/IPsec. L2TP
allows creating a VPDN that connects remote clients to their corporate network
using the different connection services provided by ISPs. It operates at layer
2 of the OSI model and works as a client/server model.
The two endpoints of an L2TP tunnel are called the LAC (L2TP Access
Concentrator) and the LNS (L2TP Network Server). The LNS waits for new
tunnels. The LAC sits between an LNS and a remote system and forwards packets
to the server. Once the tunnel is established between the peers, network
traffic moves in both directions. The packets exchanged within the tunnel are
characterized as either control packets or data packets: L2TP is reliable for
control packets and not reliable for data packets. If reliability is desired
for data packets, it must be provided by another protocol running within the
session of the tunnel.
In this tunneling technique, tunnels are created in two steps:
1. A control connection is established for the tunnel between the LAC and
the LNS.
2. A session is established between the client and the server.
During the setup of the L2TP tunnel, different types of control messages and
data messages are exchanged between the LAC and the LNS, as highlighted in
Fig. 3.1 below. L2TP isolates the traffic of each session, so it is possible
to set up multiple virtual networks over a single tunnel. The Maximum
Transmission Unit (MTU) remains the same. Hello messages are sent to the peer
as keep-alive control messages every 60 seconds.
Figure 3.1 Tunnel Setup
Once the tunnel is established, PPP frames from the remote systems are
received at the LAC, which encapsulates them in L2TP and forwards them to the
LNS over the appropriate tunnel.
3.1 Security
L2TP supports authentication and encryption. For authentication, PPP-based
protocols such as MS-CHAPv1, MS-CHAPv2, EAP-TLS and PAP are used. When
MS-CHAPv1/v2 is used, the payloads are encrypted using MPPE. It also supports
Triple Data Encryption Standard (3DES) and Advanced Encryption Standard
(AES, 256-bit), which enhances the confidentiality of PPP-encapsulated
packets.
3.2 Encapsulation
Data messages are used to encapsulate the PPP frames. These frames are passed
over an unreliable data channel: data is not retransmitted when a packet is
lost. The entire PPP frame is first encapsulated in an L2TP header, and the
L2TP frame is then encapsulated in a UDP header, as shown in Fig. 3.2 below.
Figure 3.2 L2TP Encapsulation
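The UDP/1701 framing described in this section, as an added example that is not code from the book: it builds an L2TP data message around a constructed PPP frame, builds the SCCRQ control message that opens a control connection, and parses both back, flagging the malformed cases a monitoring tool should log. The tunnel and session IDs, the PPP bytes and the AVP contents are constructed sample values.

```python
"""Build and parse L2TP (RFC 2661) messages as carried in UDP port 1701.

Added example for this section, not code from the book. The PPP frame, the
tunnel and session IDs and the AVP bytes below are constructed sample values.
"""
import struct

L2TP_UDP_PORT = 1701   # UDP port for both L2TP control and data messages
FLAG_T = 0x8000        # 1 = control message, 0 = data message
FLAG_L = 0x4000        # Length field present (mandatory for control messages)
FLAG_S = 0x0800        # Ns/Nr fields present (mandatory for control messages)
FLAG_O = 0x0200        # Offset Size field present (data messages only)
VER_MASK = 0x000F      # version field, must be 2 for L2TPv2

# Control message types carried in the Message Type AVP (attribute 0).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}

# Constructed sample PPP frame: address 0xFF, control 0x03, protocol 0x0021
# (IPv4) followed by a few bytes standing in for the IP packet.
SAMPLE_PPP_FRAME = bytes.fromhex("ff030021") + bytes.fromhex("4500001c000100004001")


def build_data_message(tunnel_id, session_id, ppp_frame):
    """Minimal data header (no L, S, O): flags/version, Tunnel ID, Session ID."""
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """Control header: T, L and S bits set, explicit Length, Ns and Nr."""
    flags = FLAG_T | FLAG_L | FLAG_S | 2
    return struct.pack("!HHHHHH", flags, 12 + len(avps),
                       tunnel_id, session_id, ns, nr) + avps


def message_type_avp(msg_type):
    """Message Type AVP: M bit set, length 8, vendor 0, attribute 0, value."""
    return struct.pack("!HHHH", 0x8000 | 8, 0, 0, msg_type)


def parse_avps(payload):
    """Split a control payload into (mandatory, vendor, attribute, value)."""
    avps, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 6:
            raise ValueError("truncated AVP")
        head, vendor, attr = struct.unpack("!HHH", payload[pos:pos + 6])
        length = head & 0x03FF
        if length < 6 or pos + length > len(payload):
            raise ValueError("bad AVP length %d" % length)
        avps.append((bool(head & 0x8000), vendor, attr, payload[pos + 6:pos + length]))
        pos += length
    return avps


def parse_l2tp(datagram):
    """Decode one UDP/1701 payload; raises ValueError on anything malformed."""
    if len(datagram) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    if flags & VER_MASK != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    control = bool(flags & FLAG_T)
    if control and not (flags & FLAG_L and flags & FLAG_S):
        raise ValueError("control message without mandatory L and S bits")
    if control and flags & FLAG_O:
        raise ValueError("Offset bit is not allowed on control messages")
    need = 6 + (2 if flags & FLAG_L else 0) + (4 if flags & FLAG_S else 0) \
        + (2 if flags & FLAG_O else 0)
    if len(datagram) < need:
        raise ValueError("header truncated")
    pos, length, ns, nr = 2, None, None, None
    if flags & FLAG_L:
        length = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    if flags & FLAG_S:
        ns, nr = struct.unpack("!HH", datagram[pos:pos + 4])
        pos += 4
    if flags & FLAG_O:
        offset = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2 + offset          # skip the Offset Size field and the padding
        if pos > len(datagram):
            raise ValueError("offset padding runs past the datagram")
    if length is not None and length != len(datagram):
        raise ValueError("Length %d != datagram size %d" % (length, len(datagram)))
    info = {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": datagram[pos:]}
    if control:
        msg = next((struct.unpack("!H", v)[0] for _, vend, a, v in parse_avps(info["payload"])
                    if vend == 0 and a == 0 and len(v) == 2), None)
        info["message_type"] = MESSAGE_TYPES.get(msg, "unknown")
    return info


def describe_udp(dst_port, payload):
    """One-line summary a monitor could log for a UDP datagram seen on the wire."""
    if dst_port != L2TP_UDP_PORT:
        return "not L2TP (UDP port %d)" % dst_port
    try:
        info = parse_l2tp(payload)
    except ValueError as err:
        return "malformed L2TP: %s" % err
    if info["control"]:
        return "L2TP control %s tunnel=%d session=%d Ns=%d Nr=%d" % (
            info["message_type"], info["tunnel_id"], info["session_id"], info["ns"], info["nr"])
    ppp = info["payload"]
    proto = struct.unpack("!H", ppp[2:4])[0] if len(ppp) >= 4 else 0
    return "L2TP data tunnel=%d session=%d ppp_protocol=0x%04x" % (
        info["tunnel_id"], info["session_id"], proto)
```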
3.3 Configure L2TP VPN Server
3.3.1 Tasks
- Assign IP addresses according to topology
- Configure IP Routing
- Configure Router as a DNS Server
- Test Connectivity
- Configure Router as a L2TP VPN Server
- Configure PC as a Microsoft L2TP VPN Client
- Try to Connect VPN Client by Domain Name
- Test VPN
3.3.2 Topology

Figure 3.3 L2TP VPN Setup
3.3.3 Step 1 IP Addressing
Assign IP addresses on the router interfaces and the PC as shown above in
topology diagram 3.3. Interfaces must be enabled and in the up/up state.

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface fastethernet 0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastethernet 0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.18    YES manual up                    up
FastEthernet0/1            203.0.113.33    YES manual up                    up
Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable
Branch#configure terminal
Branch(config)#interface fastethernet 0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastethernet 0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.34    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Branch#
PC:

Figure 3.4 Client IP Addressing
3.3.4 Step 2 Configure IP Routing

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#

Branch#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 203.0.113.33
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#
3.3.5 Step 3 Configure Router as a DNS Server

Internet:

Internet(config)#ip dns server
Internet(config)#ip name-server 203.0.113.18
Internet(config)#ip host l2tpvpn.com 203.0.113.34
Internet(config)#no ip domain lookup
Internet(config)#exit
Internet#

Internet#show ip dns view

View default parameters:
  Logging is off
  DNS Resolver settings:
    Domain lookup is disabled
    Default domain name: lab.local
    Domain search list:
    Lookup timeout: 3 seconds
    Lookup retries: 2
    Domain name-servers:
      203.0.113.18
  DNS Server settings:
    Forwarding of queries is disabled
    Forwarder timeout: 3 seconds
    Forwarder retries: 2
    Forwarder addresses:
3.3.6 Step 4 Test Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping l2tpvpn.com

Pinging l2tpvpn.com [203.0.113.34] with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=148ms TTL=254
Reply from 203.0.113.34: bytes=32 time=213ms TTL=254
Reply from 203.0.113.34: bytes=32 time=191ms TTL=254
Reply from 203.0.113.34: bytes=32 time=220ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 148ms, Maximum = 220ms, Average = 193ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#

Internet:

Internet#show ip dns statistics

DNS requests received = 2 (2+0)
DNS requests dropped = 0 (0+0)
DNS responses replied = 2 (2+0)

Forwarder queue statistics:
  Current size = 0
  Maximum size = 5
  Drops = 0
3.3.7 Step 5 Configure Router as L2TP VPN Server

Branch(config)#vpdn enable
Branch(config)#vpdn-group l2tp-vpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol l2tp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#

Branch(config)#ip local pool l2tp-pool 172.16.1.1 172.16.1.50
Branch(config)#username test password 0 test

Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)#peer default ip address pool l2tp-pool
Branch(config-if)#ip unnumbered fastethernet 0/1
Branch(config-if)#ppp encrypt mppe auto required
Branch(config-if)#ppp authentication ms-chap ms-chap-v2
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.34    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          192.168.1.1     YES unset  down                  down
Branch#

Branch#show vpdn group

Group l2tp-vpn
  group session limit 65535 active sessions 0 active tunnels 0

Branch#show vpdn tunnel l2tp

% No active L2TP tunnels
3.3.8 Step 6 Configure PC as Microsoft L2TP VPN Client

1. Follow step 5 in PPTP.

2. Type the hostname (l2tpvpn.com) instead of the IP address.

Figure 3.5 Properties
3. Choose the Security tab.
Figure 3.6 Security
4. Under Type of VPN choose L2TP, choose Require encryption from Data encryption and check the authentication protocols.

Figure 3.7 Select Protocol
5. Click on Advanced settings.

Figure 3.8 Advance Setting
3.3.9 Step 7 Try to Connect VPN Client

1. After typing the username and password, click Connect.

Figure 3.9 Connecting
2. The verifying username and password window appears.

Figure 3.10 Verifying
3. The registering your computer on the network window appears.

Figure 3.11 Completing
4. The connection status window appears.

Figure 3.12 Connection Status
3.3.10 Step 8 Test VPN

PC:
Figure 3.13 Connection Details
C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=166ms TTL=255
Reply from 192.168.1.1: bytes=32 time=246ms TTL=255
Reply from 192.168.1.1: bytes=32 time=285ms TTL=255
Reply from 192.168.1.1: bytes=32 time=277ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 166ms, Maximum = 285ms, Average = 243ms

Branch:

Branch#ping 172.16.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/204/300 ms

Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.34    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Access2            unassigned      YES unset  up                    up
Virtual-Access3            192.168.1.1     YES unset  up                    up
Virtual-Template1          192.168.1.1     YES unset  down                  down

Branch#show interfaces virtual-access3

Virtual-Access3 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoVPDN vaccess, cloned from Virtual-Template1
  Vaccess status 0x0
  Protocol l2tp, tunnel id 35949, session id 29839
  Keepalive set (10 sec)
     40 packets input, 4522 bytes
     15 packets output, 237 bytes
  Last clearing of "show interface" counters never

Branch#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address
  Vi3          test               PPPoVPDN     00:09:55 172.16.1.4

Branch#show vpdn group

Group l2tp-vpn
  group session limit 65535 active sessions 1 active tunnels 1

Branch#show vpdn tunnel l2tp

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  RemTunID  Remote Name  State  Remote Address  Sessn  L2TP Class/
                                                         Count  VPDN Group
35949     1         zeshan       est    203.0.113.17    1      l2tp

Branch#show vpdn session l2tp state

L2TP Session Information Total tunnels 1 sessions 1

LocID  RemID  TunID  Username, Intf/  State  Last Chg  Uniq ID
                     Vcid, Circuit
56894  1      35949  test, Vi3        est    00:10:24  6

Branch#show vpdn tunnel l2tp transport

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  Type  Prot  Local Address  Port  Remote Address  Port
35949           17    203.0.113.34   1701  203.0.113.17    1701

Branch#show vpdn tunnel l2tp packets

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
35949     15411483322477
4 L2TP over IPsec VPN


L2TP does not provide strong authentication and confidentiality by itself. It
is often used with the IPsec protocol to provide strong confidentiality,
authentication and integrity. The combination of these two protocols is
generally known as L2TP/IPsec. IPsec is a protocol suite used at the network
layer to provide secure communication between two peers [7]. It comprises the
IP Security Architecture, Internet Key Exchange (IKE), the IPsec
Authentication Header (AH) and the IPsec Encapsulating Security Payload
(ESP). IKE is the key management protocol, while AH and ESP are used to
protect IP traffic. These are discussed in detail in the next chapter.
4.1 L2TP over IPsec Security
When L2TP is used over IPsec, its security is high. The client negotiates the
IPsec Security Association (SA), usually through IKE, which is carried over
UDP port 500. It uses a pre-shared key, public keys or certificates for
authentication. IPsec transport mode is used in this security mechanism.
IPsec supports a variety of encryption standards (DES, 3DES and AES) for data
confidentiality. It also supports a range of data integrity algorithms (MD5
and SHA).
4.2 Encapsulation
The connection is established between two endpoints. Here, the L2TP packets
are encapsulated by the IPsec header, as displayed in Fig. 4.1 below.
Figure 4.1 L2TP over IPsec Encapsulation
Since the L2TP packet is wrapped inside the IPsec header, nothing in between
can gather any information about the inner L2TP packet, so it is not
necessary to open UDP port 1701 on firewalls between the endpoints. The inner
packet is not acted upon until the IPsec data has been decrypted and
stripped, which only takes place at the endpoints.
4.3 Configure L2TP over IPsec VPN Server
4.3.1 Tasks
- Assign IP addresses according to topology
- Configure IP Routing
- Test Connectivity
- Configure Router as an L2TP over IPsec VPN Server
- Configure PC as a Microsoft L2TP over IPsec VPN Client
- Try to Connect VPN Client
- Test VPN
4.3.2 Topology

Figure 4.2 L2TP over IPsec VPN Setup
4.3.3 Step 1 IP Addressing
Assign IP addresses on the router interfaces and the PC as shown above in
topology diagram 4.2. Interfaces must be enabled and in the up/up state.

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface fastethernet 0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastethernet 0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.18    YES manual up                    up
FastEthernet0/1            203.0.113.33    YES manual up                    up
Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable
Branch#configure terminal
Branch(config)#interface fastethernet 0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastethernet 0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.34    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Branch#
PC:

Figure 4.3 Client IP Addressing
4.3.4 Step 2 Configure IP Routing

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#

Branch#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 203.0.113.33
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#
4.3.5 Step 3 Test Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
4.3.6 Step 4 Configure Router as L2TP over IPsec VPN Server

Branch(config)#vpdn enable
Branch(config)#vpdn-group l2tp-vpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol l2tp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#

Branch(config)#ip local pool l2tp-pool 172.16.1.1 172.16.1.50
Branch(config)#username test password 0 test

Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)#peer default ip address pool l2tp-pool
Branch(config-if)#ip unnumbered fastethernet 0/1
Branch(config-if)#ppp authentication ms-chap ms-chap-v2
Branch(config-if)#exit

Branch(config)#crypto isakmp policy 5
Branch(config-isakmp)#encryption 3des
Branch(config-isakmp)#hash sha
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#group 2
Branch(config-isakmp)#exit
Branch(config)#

Branch(config)#crypto isakmp key l2tpipsec address 0.0.0.0 0.0.0.0

Branch(config)#crypto ipsec transform-set tset esp-3des esp-sha-hmac
Branch(cfg-crypto-trans)#mode transport
Branch(cfg-crypto-trans)#exit

Branch(config)#crypto dynamic-map dmap 10
Branch(config-crypto-map)#set transform-set tset
Branch(config-crypto-map)#exit
Branch(config)#crypto map l2tpmap 10 ipsec-isakmp dynamic dmap

Branch(config)#interface fastethernet 0/0
Branch(config-if)#crypto map l2tpmap
Branch(config-if)#^Z
Branch#
4.3.7 Step 5 Configure PC as Microsoft L2TP over IPsec VPN Client

1. Follow step 6 in L2TP.

2. Click on Advanced settings and enter the preshared key.

Figure 4.4 Advanced Properties
3. (Optional, if the operating system is old, like Windows 2000.) Execute the mmc.exe command in Run to manage the security policy.

Figure 4.5 Run
4. For IP Security Policy Management, choose Add/Remove Snap-in from File.

Figure 4.6 Console
5. Choose IP Security Policy Management and click Add.

Figure 4.7 Add or Remove
6. When the following screen appears, please choose Local computer and click Finish.

Figure 4.8 Select Domain
7. The IP Security Policy Management is added in Snap-in; click OK.

Figure 4.9 Add IP Security Policies
8. The IP Security Policy Management is added; click OK.


Figure 4.10 IP Security Policy Management
9. Select IP Security Policies and create a policy from Action.

Figure 4.11 Console
10. When the IP Security Policy Wizard appears, please click Next.

Figure 4.12 IP Security Policy Wizard
11. Type a suitable name in the name field, such as "L2TP over IPsec", and click Next.

Figure 4.13 IP Security Policy Name
12. Uncheck Activate the default response rule and click Next.

Figure 4.14 Request for Secure Communication
13. When the following window appears, please check Edit properties and click Finish.

Figure 4.15 Completing IP Security Policy
14. In the IPsec Properties window there is a default rule "<Dynamic>". Please click Add.

Figure 4.16 Filter Rules
15. When the Security Rule Wizard appears, please click Next.

Figure 4.17 Creating New Security Rule
16. Select This rule does not specify a tunnel and click Next.

Figure 4.18 Tunnel Endpoint
17. Select All network connections and click Next.

Figure 4.19 Network Type
18. Add an IP filter list to this rule by clicking Add.

Figure 4.20 Add New Filter List
19. Type IPsecOut as the name and click Add.

Figure 4.21 IP Filter List for Outside
20. When the IP Filter Wizard appears, please click Next.

Figure 4.22 New IP Filter Wizard
21. Type the filter description and click Next.

Figure 4.23 IP Filter Description
22. Choose A specific IP Address, type the address (Source) and click Next.

Figure 4.24 IP Traffic Source
23. Choose A specific IP Address, type the address (Destination) and click Next.

Figure 4.25 IP Traffic Destination
24. Choose UDP as the protocol type. Click Next.

Figure 4.26 IP Protocol Types
25. Set the port no. 1701 and click Next.

Figure 4.27 IP Protocol Ports
26. Check the Edit properties box and click Finish to complete the filter wizard.

Figure 4.28 Completing IP Filter Wizard
27. Click OK to finish the settings.

Figure 4.29 IP Filter Properties
28. Click OK to finish the settings.

Figure 4.30 IP Filter List
29. Choose IPsecOut in the IP Filter List and click Next.

Figure 4.31 IPsec Filter List
30. Click Add to set up the action for this rule.

Figure 4.32 New Filter Rule
31. The Filter Action Wizard will appear; then please click Next.

Figure 4.33 New IP Security Filter Wizard
32. Type IPsecOut as the name and click Next.

Figure 4.34 Filter Action Name
33. Choose Negotiate security and click Next.

Figure 4.35 General Options
34. Choose Do not communicate… and click Next.

Figure 4.36 Communicating with Computers
35. Choose Encryption and Integrity and click Next.

Figure 4.37 IP Traffic Security Policies
36. Uncheck Edit properties and click Finish.

Figure 4.38 Completing IP Security Filter Wizard
37. Select IPsecOut from the IP Filter List and click Next.

Figure 4.39 Filter Action
38. Type the key for the authentication method (preshared key) and click Next.

Figure 4.40 Authentication Method
39. Choose IPsecOut for Filter Action and click Next.

Figure 4.41 Completing Security Rule
40. Now you can see the IPsecOut rule. Click OK.

Figure 4.42 IPsec Rules
41. Click IP Security Policies on Local Computer.

Figure 4.43 New Created Security Policy
42. Choose L2TP over IPsec > Assign from the console screen.

Figure 4.44 Assigned Policy
43. Now you can see that the policy is activated.

Figure 4.45 Policy Activated
44. Save the settings.
4.3.8 Step 6 Try to Connect VPN Client

1. After typing the username and password, click Connect.

Figure 4.46 Connecting
2. The verifying username and password window appears.

Figure 4.47 Verifying
3. The registering your computer on the network window appears.

Figure 4.48 Completing
4. The connection status window appears.

Figure 4.49 Connection Status
4.3.9 Step 7 Test VPN

PC:

Figure 4.50 Connection Details
C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=237ms TTL=255
Reply from 192.168.1.1: bytes=32 time=360ms TTL=255
Reply from 192.168.1.1: bytes=32 time=340ms TTL=255
Reply from 192.168.1.1: bytes=32 time=314ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 237ms, Maximum = 360ms, Average = 312ms
Branch:

Branch#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 184/210/248 ms

Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.34    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Access2            unassigned      YES unset  up                    up
Virtual-Access2.1          192.168.1.1     YES unset  up                    up
Virtual-Template1          192.168.1.1     YES unset  down                  down

Branch#show vpdn group

Group l2tp
  group session limit 65535 active sessions 1 active tunnels 1

Branch#show vpdn tunnel l2tp state

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  RemTunID  Local Name  Remote Name  State  Last Chg
47589     1         Branch      zeshan       est    00:10:55

Branch#show vpdn tunnel l2tp summary

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  RemTunID  Remote Name  State  Remote Address  Sessn  L2TP Class/
                                                         Count  VPDN Group
47589     1         zeshan       est    203.0.113.17    1      l2tp

Branch#show vpdn tunnel transport

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  Type  Prot  Local Address  Port  Remote Address  Port
47589           17    203.0.113.34   1701  203.0.113.17    1701

Branch#show interfaces virtual-access2.1

Virtual-Access2.1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoVPDN vaccess, cloned from Virtual-Template1
  Vaccess status 0x0
  Protocol l2tp, tunnel id 47589, session id 981
  Keepalive set (10 sec)
     151 packets input, 8066 bytes
     132 packets output, 3575 bytes
  Last clearing of "show interface" counters never

Branch#show vpdn tunnel l2tp packets

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
47589     215215130746727

Branch#show crypto session

Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 203.0.113.17 port 500
  IKE SA: local 203.0.113.34/500 remote 203.0.113.17/500 Active
  IPSEC FLOW: permit 17 host 203.0.113.34 host 203.0.113.17 port 1701
        Active SAs: 2, origin: dynamic crypto map

Branch#show crypto session brief

Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
Peer            I/F    Username   Group/Phase1_id   Uptime    Status
203.0.113.17    Fa0/0             203.0.113.17      00:12:02
Branch#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      0.0.0.0         [0.0.0.0]                   l2tpipsec

Branch#show crypto isakmp sa count

Active SA's: 1
Standby SA's: 0
Currently being negotiated SA's: 0
Dead SA's: 0

Branch#show crypto isakmp peers

Peer: 203.0.113.17 Port: 500 Local: 203.0.113.34
 Phase1 id: 203.0.113.17

Branch#show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.34    203.0.113.17    QM_IDLE           1001 ACTIVE

Branch#show crypto ipsec transform-set

Transform set tset: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

Branch#show crypto isakmp policy

Global IKE policy
Protection suite of priority 5
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Branch#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: l2tpmap, local addr 203.0.113.34

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)
   remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)
   current_peer 203.0.113.17 port 500
     PERMIT, flags={}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19

     local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.17
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xB495FFE2(3029729250)
     PFS (Y/N): N, DH group: none
[output omitted]
PC:

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=237ms TTL=255
Reply from 192.168.1.1: bytes=32 time=360ms TTL=255
Reply from 192.168.1.1: bytes=32 time=340ms TTL=255
Reply from 192.168.1.1: bytes=32 time=314ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 237ms, Maximum = 360ms, Average = 312ms

Branch#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: l2tpmap, local addr 203.0.113.34

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)
   remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)
   current_peer 203.0.113.17 port 500
     PERMIT, flags={}
    #pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
    #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Branch#show crypto map

Crypto Map "l2tpmap" 10 ipsec-isakmp
        Dynamic map template tag: dmap

Crypto Map "l2tpmap" 65536 ipsec-isakmp
        Peer = 203.0.113.17
        Extended IP access list
            access-list permit udp host 203.0.113.34 host 203.0.113.17 port = 1701
        dynamic (created from dynamic map dmap/10)
        Current peer: 203.0.113.17
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                tset:  { esp-3des esp-sha-hmac  } ,
        }

        Interfaces using crypto map l2tpmap:
                FastEthernet0/0
5 IPsec VPN
Internet Protocol Security (IPsec) is a network security protocol suite. It
provides strong authentication, data encryption, data origin authentication
and data integrity. It can be used network-to-network, host-to-host and
host-to-network over the public network (Internet). It works at the network
layer of the OSI model to provide end-to-end security. In 1992, the IETF
started to create an open and freely available security protocol for the
Internet Protocol (IP). It is officially standardized by the IETF and was
specified in RFC 1825 [8]. IP is used at the network layer of the OSI model
to deliver datagrams over the public network. There are two versions of IP:
IPv4 and IPv6. IPv4 uses 32-bit addresses, while IPv6 uses 128-bit
addresses. Network Address Translation (NAT) is used with IPv4 in private
networks to conserve public IP addresses and to provide security in the sense
that it hides the public addresses during communication. Today, NAT is
widely deployed in home gateways, as well as in other locations likely to be
used by telecommuters, such as hotels [9].
The fast growth of the Internet has exhausted the IPv4 address space. In
1990, the IETF introduced the IPv6 protocol with new features: a simpler
header format, a larger address space, built-in security, efficient routing
and better QoS [10]. Internet Service Providers (ISPs) are trying to replace
their IPv4 networks with IPv6 gradually. This transition is very slow because
there are millions of devices around the world. IPv6 is the next-generation
IP network. IPsec provides security for both versions of IP. In this project,
the focus is on IPv4.
5.1 Security Architecture
IPsec is an open standard protocol suite. It uses different types of
protocols to provide security: Authentication Header (AH), Encapsulating
Security Payload (ESP), Security Associations (SA), Internet Security
Association and Key Management Protocol (ISAKMP) and Internet Key Exchange
(IKE and IKEv2).
AH provides connectionless data integrity and data origin authentication for
IP datagrams, and protection against replays [11]. It does not encrypt the
data packets; the payload is transported in clear text. Data integrity means
that the data is assured not to be altered during transmission over the
network. Before sending the data, the sender calculates a 32-bit numeric and
unique hash value of the data using a hashing algorithm (such as MD5 or
SHA-1) and sends this hash value along with the data. Hashing is a one-way
process [12]. On the receiving side, the receiver verifies the hash value by
re-calculating the hash of the received data. If both hash values are equal,
the integrity of the data is maintained and there was no tampering with the
data during transmission over the network; if the hash values differ, the
integrity has been violated and the receiver discards the data. Anti-replay
protection ensures that each packet is unique and not duplicated, by using
sequence numbers. Origin authentication means knowing who is on the other
side: the device on the other side of the tunnel must be verified before the
path is considered secure. The sender sends data (a certificate) after
encrypting it with its private key, and that data is verified at the receiver
end by decrypting it with the sender's public key for authentication. There
are three authentication methods:
1. Pre-shared Key
2. RSA Signature
3. RSA Encryption Nonce
In pre-shared key authentication, the same key is configured on each IPsec
peer. In RSA signature authentication, different keys (a private key and a
public key) are used to encrypt or decrypt the digital signature; this method
is also called digital certificate authentication. The digital signature and
digital certificate are forwarded to the other side. Finally, in RSA
encryption nonce authentication, a nonce (a random number generated by the
peer) is encrypted and exchanged between the peers, and this nonce is used
during the peer authentication process.
ESP provides confidentiality, data origin authentication, connectionless
integrity, an anti-replay service and limited traffic-flow confidentiality
[13]. The set of services provided depends on the options selected at the
time of Security Association (SA) establishment. It encrypts the payload to
provide confidentiality and supports several encryption algorithms, most of
them symmetric. DES (56-bit) is the basic symmetric encryption algorithm;
3DES and AES are also supported for stronger encryption. ESP can be used
alone or in combination with AH.
The SA is a logical group of security parameters. It is used to establish and
share security attributes between two entities to provide secure
communication. These attributes are the cryptographic algorithm, the mode and
the encryption key. The SA is established by using ISAKMP.
ISAKMP defines the procedures and packet formats to establish, negotiate,
modify and delete Security Associations [14]. It only provides a framework
for authentication and key exchange. It is implemented either by manual
configuration with a pre-shared key or by IKE.
During the establishment of a secure connection between two nodes, some
security parameters such as keys need to be shared over the network. Two
methods are used for key exchange: manual and automatic. The manual method is
neither secure nor scalable [15]. Therefore, a protocol is needed to exchange
or establish the security parameters dynamically. IKE is the protocol used to
set up a security association dynamically. It uses X.509 certificates for
authentication, either pre-shared or distributed, and a Diffie-Hellman key
exchange to share a secret key between the nodes over the public network.
5.2 IPsec Modes
IPsec can be configured in two different modes:
1. Transport Mode
2. Tunnel Mode
Transport mode is used to provide end-to-end security; communication between
a client and a server is the best example of end-to-end. In this mode, only
the payload of the IP packet is encrypted or authenticated. The original IP
header is neither encrypted nor modified, except that the IP protocol field
is changed to ESP (50) or AH (51). The payload is encapsulated by the IPsec
ESP header and trailer as displayed in Fig. 5.1. Transport mode is usually
used when another tunneling protocol (such as GRE or L2TP) first encapsulates
the IP data packet and IPsec is then used to protect the tunnel packets; in
other words, IPsec protects the GRE or L2TP tunnel traffic in transport mode.
ESP is identified in the original IP header with an IP protocol ID of 50.
Figure 5.1 Transport Mode IPsec Encapsulation
Tunnel mode is the default mode. It is used to provide security between
gateways (router, PIX or ASA). In this mode, the entire original IP packet is
protected: the whole IP packet is encapsulated with the IPsec ESP header and
trailer, a new IP header is added, and the result is sent to the other side
of the tunnel as shown in Fig. 5.2. ESP is identified in the new IP header
with an IP protocol ID of 50. Tunnel mode supports NAT traversal.
Figure 5.2 Tunnel Mode IPsec Encapsulation
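As an added example (not code from the book), the following Python builds the two encapsulations of Fig. 5.1 and Fig. 5.2 on a constructed IPv4 packet and then receives them with the integrity check (an esp-sha-hmac style truncated HMAC-SHA1) and the sequence-number anti-replay window described in section 5.1. The gateway addresses are the lab's 203.0.113.17 and 203.0.113.34; the PC addresses 192.168.1.10 and 192.168.2.10, the SPIs and the key are assumed, and the cipher step is left out so the packet layout stays visible.

```python
"""Added example (not from the book): ESP encapsulation as in Fig. 5.1 (transport
mode) and Fig. 5.2 (tunnel mode) on a constructed IPv4 packet, received with an
esp-sha-hmac style integrity check and the sequence-number anti-replay window of
section 5.1. The cipher step is left out so that the packet layout stays visible."""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50    # protocol number that replaces the original one in the IP header
IPIP_PROTO = 4    # ESP next-header value when a whole IPv4 packet is carried (tunnel mode)
ICV_LEN = 12      # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header; 0 if it already checks."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes):
    """Split an IPv4 packet into (src, dst, protocol, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]

def esp_encapsulate(spi: int, seq: int, next_header: int, data: bytes, key: bytes) -> bytes:
    """ESP header (SPI, sequence) + data + trailer (padding, pad length, next header) + ICV."""
    pad_len = (-(len(data) + 2)) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + data + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def transport_mode(pkt: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Fig. 5.1: keep the original IP header, protect only its payload, protocol -> 50."""
    src, dst, proto, payload = parse_ipv4(pkt)
    esp = esp_encapsulate(spi, seq, proto, payload, key)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(pkt: bytes, spi: int, seq: int, key: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Fig. 5.2: protect the whole original packet and prepend a new gateway-to-gateway header."""
    esp = esp_encapsulate(spi, seq, IPIP_PROTO, pkt, key)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp

class ReplayWindow:
    """Sliding-window anti-replay check over ESP sequence numbers (64 packets wide)."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0 or seq + self.size <= self.top:       # 0 is never valid; too old
            return False
        if seq > self.top:                                 # new highest: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                              # already seen: replay
            return False
        self.bitmap |= bit
        return True

def esp_decapsulate(pkt: bytes, key: bytes, window: ReplayWindow):
    """Receiver side: check the ICV, then the sequence number, then strip ESP.
    Returns (next_header, inner bytes), or None when the packet must be dropped."""
    _, _, proto, esp = parse_ipv4(pkt)
    if proto != ESP_PROTO or len(esp) < 8 + 2 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):             # tampered, or wrong SA key
        return None
    _spi, seq = struct.unpack("!II", body[:8])
    if not window.accept(seq):                             # only authenticated packets update the window
        return None
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]

def sample_packet() -> bytes:
    """Constructed inner packet: PC1 behind Branch1 sends 12 UDP bytes to PC2 behind Branch2."""
    return ipv4_header("192.168.1.10", "192.168.2.10", 17, 12) + b"hello-branch"

if __name__ == "__main__":
    key, inner = b"constructed-demo-key", sample_packet()
    outer = tunnel_mode(inner, 0x1002, 1, key, "203.0.113.17", "203.0.113.34")
    print("tunnel-mode outer header:", parse_ipv4(outer)[:3])   # ('203.0.113.17', '203.0.113.34', 50)
    win = ReplayWindow()
    print("first delivery:", esp_decapsulate(outer, key, win) == (IPIP_PROTO, inner))  # True
    print("replayed copy :", esp_decapsulate(outer, key, win))                          # None
```

In transport mode the receiver sees PC1's address in the outer header, in tunnel mode only the two gateways, which is why the second is the mode used between sites.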
5.3 Site-to-Site IPsec VPN Configuration
5.3.1 Tasks
• Assign IP addresses according to the topology
• Configure IP Routing
• Configure NAT
• Test Connectivity
• Configure IPsec VPN Tunnel on both sides
• Test VPN
5.3.2 Topology

Figure 5.3 Site-to-Site IPsec VPN Setup
5.3.3 Step 1: Assign IP Addresses
Assign IP addresses on the routers' interfaces and the PCs as mentioned above
in the topology diagram 5.3. Interfaces must be enabled and in the up/running
state.
Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  203.0.113.33    YES manual up       up
FastEthernet0/1  203.0.113.18    YES manual up       up
Internet#

Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.32/28 is directly connected, FastEthernet0/0
C    203.0.113.16/28 is directly connected, FastEthernet0/1
Branch1:

Branch1>enable
Branch1#configure terminal
Branch1(config)#interface FastEthernet0/0
Branch1(config-if)#ip address 203.0.113.17 255.255.255.240
Branch1(config-if)#no shutdown
Branch1(config-if)#exit
Branch1(config)#interface FastEthernet0/1
Branch1(config-if)#ip address 192.168.1.1 255.255.255.0
Branch1(config-if)#no shutdown
Branch1(config-if)#^Z
Branch1#

Branch1#show ip interface brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  203.0.113.17    YES manual up       up
FastEthernet0/1  192.168.1.1     YES manual up       up
Branch1#

Branch2:

Branch2>enable
Branch2#configure terminal
Branch2(config)#interface FastEthernet0/1
Branch2(config-if)#ip address 203.0.113.34 255.255.255.240
Branch2(config-if)#no shutdown
Branch2(config-if)#exit
Branch2(config)#interface FastEthernet0/0
Branch2(config-if)#ip address 192.168.2.1 255.255.255.0
Branch2(config-if)#no shutdown
Branch2(config-if)#^Z
Branch2#

Branch2#show ip interface brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  192.168.2.1     YES manual up       up
FastEthernet0/1  203.0.113.34    YES manual up       up
Branch2#

PC1:

Figure 5.4 PC-1 IP Addressing

PC2:

Figure 5.5 PC-2 IP Addressing
5.3.4 Step 2: Configure IP Routing

Branch1:

Branch1#ping 203.0.113.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Branch1#

Branch1(config)#ip route 203.0.113.32 255.255.255.240 203.0.113.18
Branch1(config)#exit
Branch1#

Branch1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2,
Virtual private networks in theory and practice
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 

Virtual private networks in theory and practice

Page | iii
Contents

Chapter 1 Introduction
1 Virtual Private Network ..... 2
1.1 VPN Services ..... 2
1.1.1 Confidentiality ..... 2
1.1.2 Integrity ..... 3
1.1.3 Authentication ..... 3
1.1.4 Availability ..... 4
1.1.5 Anti-Replay ..... 4
1.2 VPN Advantages ..... 4
1.2.1 Data Security ..... 4
1.2.2 Private Network Access ..... 4
1.2.3 Bandwidth ..... 5
1.2.4 Cost Reduction ..... 5
1.2.5 Deployment Flexibility ..... 5
1.3 VPN Types ..... 5
1.3.1 Remote Access VPN ..... 5
1.3.2 Site-to-Site VPN ..... 5
1.4 VPN Protocols ..... 6
1.5 VPN Supported Devices ..... 6

Chapter 2 PPTP VPN
2 PPTP VPN ..... 8
2.1 PPTP Security ..... 8
2.2 Encapsulation ..... 9
2.3 Router as a PPTP VPN Server ..... 10
2.3.1 Lab Objectives ..... 10
2.3.2 Topology ..... 10
2.3.3 Step-1 IP Addressing ..... 10
2.3.4 Step-2 Configuring Static IP Routing ..... 12
2.3.5 Step-3 Connectivity Testing ..... 13
Page | iv
2.3.6 Step-4 Configuring Router as a PPTP VPN Server ..... 14
2.3.7 Step-5 Configuring and Setting PPTP VPN Client ..... 15
2.3.8 Step-6 Connecting VPN Client ..... 19
2.3.9 Step-7 Testing ..... 21

Chapter 3 L2TP VPN
3 L2TP VPN ..... 25
3.1 L2TP Security ..... 26
3.2 Encapsulation ..... 27
3.3 Router as a L2TP VPN Server ..... 28
3.3.1 Lab Objectives ..... 28
3.3.2 Topology ..... 28
3.3.3 Step-1 IP Addressing ..... 28
3.3.4 Step-2 Configuring Static IP Routing ..... 30
3.3.5 Step-3 Configuring Router as a DNS Server ..... 31
3.3.6 Step-4 Testing Connectivity ..... 31
3.3.7 Step-5 Configuring Router as a L2TP VPN Server ..... 33
3.3.8 Step-6 Configuring and Setting L2TP VPN Client ..... 34
3.3.9 Step-7 Connecting VPN Client ..... 36
3.3.10 Step-8 Testing ..... 38

Chapter 4 L2TP over IPsec VPN
4 L2TP over IPsec VPN ..... 42
4.1 L2TP over IPsec Security ..... 42
4.2 Encapsulation ..... 42
4.3 Router as an L2TP over IPsec VPN Server ..... 44
4.3.1 Lab Objectives ..... 44
4.3.2 Topology ..... 44
4.3.3 Step-1 IP Addressing ..... 44
4.3.4 Step-2 Configuring Static IP Routing ..... 46
4.3.5 Step-3 Testing Connectivity ..... 47
4.3.6 Step-4 Configuring Router as an L2TP over IPsec VPN ..... 48
Page | v
4.3.7 Step-5 Configuring and Setting L2TP over IPsec VPN Client ..... 49
4.3.8 Step-6 Connecting VPN Client ..... 70
4.3.9 Step-7 Testing ..... 72

Chapter 5 IPsec VPN
5 IPsec VPN ..... 79
5.1 IPsec Security Architecture ..... 79
5.2 Encapsulation ..... 81
5.3 Site-to-Site IPsec VPN b/w Routers ..... 83
5.3.1 Lab Objectives ..... 83
5.3.2 Topology ..... 83
5.3.3 Step-1 IP Addressing ..... 83
5.3.4 Step-2 Configuring Static IP Routing ..... 86
5.3.5 Step-3 Configuring NAT ..... 88
5.3.6 Step-4 Testing Connectivity ..... 89
5.3.7 Step-5 Configuring Site-to-Site IPsec VPN Tunnel ..... 90
5.3.8 Step-6 Testing ..... 92
5.4 Site-to-Site IPsec VPN b/w PIX and ASA ..... 95
5.4.1 Lab Objectives ..... 95
5.4.2 Topology ..... 95
5.4.3 Step-1 IP Addressing ..... 95
5.4.4 Step-2 Configuring Static IP Routing ..... 99
5.4.5 Step-3 Testing Connectivity ..... 100
5.4.6 Step-4 Configuring IPsec Tunnel ..... 101
5.4.7 Step-5 Testing ..... 102
5.5 Remote Access IPsec VPN with Router (Easy VPN) ..... 104
5.5.1 Lab Objectives ..... 104
5.5.2 Topology ..... 104
5.5.3 Step-1 IP Addressing ..... 104
5.5.4 Step-2 Configuring Static IP Routing ..... 106
5.5.5 Step-3 Testing Connectivity ..... 107
Page | vi
5.5.6 Step-4 Configuring Remote Access IPsec VPN Tunnel ..... 107
5.5.7 Step-5 Installing and Setting CISCO IPsec VPN Client ..... 109
5.5.8 Step-6 Connecting IPsec VPN Client ..... 113
5.5.9 Step-7 Testing ..... 115
5.6 Remote Access IPsec VPN with ASA (Easy VPN) ..... 116
5.6.1 Lab Objectives ..... 116
5.6.2 Topology ..... 116
5.6.3 Step-1 IP Addressing ..... 116
5.6.4 Step-2 Configuring NAT ..... 118
5.6.5 Step-3 Configuring Static IP Routing ..... 118
5.6.6 Step-4 Testing Connectivity ..... 119
5.6.7 Step-5 Configuring ASA as IPsec VPN Server ..... 120
5.6.8 Step-6 Configuring VPN Client ..... 121
5.6.9 Step-7 Connecting VPN Client ..... 121
5.6.10 Step-8 Testing ..... 121

Chapter 6 GRE VPN
6 GRE VPN ..... 124
6.1 GRE Security ..... 124
6.2 Encapsulation ..... 124
6.3 Site-to-Site IPsec over GRE VPN ..... 125
6.3.1 Lab Objectives ..... 125
6.3.2 Topology ..... 125
6.3.3 Step-1 IP Addressing ..... 125
6.3.4 Step-2 Configuring Static IP Routing ..... 127
6.3.5 Step-3 Configuring NAT ..... 128
6.3.6 Step-4 Testing Connectivity ..... 129
6.3.7 Step-5 Configuring Site-to-Site IPsec over GRE Tunnel ..... 130
6.3.8 Step-6 Testing ..... 132
6.4 Site-to-Site IPsec over GRE VPN (Behind ASA) ..... 136
6.4.1 Lab Objectives ..... 136
Page | vii
6.4.2 Topology ..... 136
6.4.3 Step-1 IP Addressing ..... 136
6.4.4 Step-2 Configuring Static IP Routing ..... 139
6.4.5 Step-3 Configuring NAT ..... 141
6.4.6 Step-4 Testing Connectivity ..... 142
6.4.7 Step-5 Configuring IPsec over GRE ..... 142
6.4.8 Step-6 Testing ..... 145

Chapter 7 DMVPN
7 DMVPN ..... 147
7.1 DMVPN Security ..... 147
7.2 Encapsulation ..... 147
7.3 Dynamic Multipoint VPN (Hub and Spokes) ..... 148
7.3.1 Lab Objectives ..... 148
7.3.2 Topology ..... 148
7.3.3 Step-1 IP Addressing ..... 148
7.3.4 Step-2 Configuring Static IP Routing ..... 151
7.3.5 Step-3 Testing Connectivity ..... 152
7.3.6 Step-4 Configuring DMVPN Tunnel ..... 153
7.3.7 Step-5 Testing ..... 155

Chapter 8 SSL VPN
8 SSL VPN ..... 159
8.1 SSL Security ..... 159
8.2 SSL Encapsulation ..... 160
8.3 Router as an SSL VPN Gateway ..... 161
8.3.1 Lab Objectives ..... 161
8.3.2 Topology ..... 161
8.3.3 Step-1 IP Addressing ..... 161
8.3.4 Step-2 Configuring Static IP Routing ..... 163
8.3.5 Step-3 Configuring Router as a DNS Server ..... 164
8.3.6 Step-4 Testing Connectivity ..... 164
Page | viii
8.3.7 Step-5 Configuring Self-Signed Certificates ..... 166
8.3.8 Step-6 Configuring SSL VPN Gateway ..... 168
8.3.9 Step-7 Testing ..... 169

Chapter 9 High Availability VPN
9 High Availability VPN ..... 172
9.1 HSRP ..... 172
9.2 VRRP ..... 173
9.3 GLBP ..... 173
9.4 Site-to-Site IPsec High Availability VPN with HSRP ..... 174
9.4.1 Lab Objectives ..... 174
9.4.2 Topology ..... 174
9.4.3 Step-1 IP Addressing ..... 174
9.4.4 Step-2 Configuring Static IP Routing ..... 177
9.4.5 Step-3 Testing Connectivity ..... 179
9.4.6 Step-4 Configuring HSRP ..... 179
9.4.7 Step-5 Configuring IPsec VPN over HSRP ..... 182
9.4.8 Step-6 Testing ..... 184
References ..... 186
Page | ix
Learning Outcomes

This book covers virtual private network technologies, theoretical as well as practical. As a study guide it demonstrates how VPNs actually work and walks through their practical implementation in different lab scenarios, step by step. Its objective is to teach students and professionals in an easy way. The reader learns not only the theory of VPNs but also the IOS-based practical implementation of several types of VPN, which can be reproduced at home or in the office. After studying this book, the reader will be familiar with almost all types of VPN and will be able to set up each of them in the scenarios shown, in the office or at home.
Page | 2 Introduction

1 Virtual Private Network

A Virtual Private Network (VPN) is a secure, reliable and logical connection created over a public network (the Internet). Cisco defines a VPN as an encrypted connection between private networks over a public network [1]. The connection is virtual, not physical: it extends a private network across a shared or public network, so that a computer can send and receive data safely over the shared network as if it were directly connected to the private network. This is done by establishing a virtual connection (a tunnel) through the Internet.

1.1 VPN Services

VPNs provide the following security services through different security protocols:
1. Confidentiality
2. Integrity
3. Authentication
4. Availability
5. Anti-replay

1.1.1 Confidentiality

Confidentiality means secrecy: data must not be disclosed to anyone, intentionally or unintentionally, during transmission. In network security it is provided by encryption, the process in which the plaintext (original text) is transformed with an encryption algorithm, a key and a mode of operation into ciphertext. The ciphertext travels over the insecure network; if somebody captures it, it is not feasible to understand it without the key. On the receiving side the reverse process, decryption, applies the same algorithm and mode with the corresponding key to recover the original text. Some algorithms work character by character (stream ciphers) and the rest work block by block (block ciphers). Keys are either symmetric or asymmetric. In symmetric encryption the same key is used to encrypt and to decrypt. In asymmetric encryption a key pair is used: one key is private and the other is public. Data encrypted with the public key can only be decrypted with the matching private key, and data encrypted with the private key can only be decrypted with the matching public key. The mode (the "mechanism") defines how the algorithm and the key are applied to the data. Modern encryption algorithms are:
1. DES (Data Encryption Standard)
2. 3DES (Triple Data Encryption Standard)
3. AES (Advanced Encryption Standard)
Of these only AES should be chosen for new deployments; DES is breakable by brute force and 3DES is deprecated.

Page | 3

1.1.2 Integrity

Integrity means originality: data must not be modified or altered by an unauthorized party during transmission, so the receiver gets exactly what was sent. In network security it is provided by hashing. Hashing is a one-way process in which a fixed-length hash value (128 bits for MD5, 160 bits for SHA-1) is calculated from the data with a specific algorithm. The hash value is transmitted along with the data. The receiver calculates the hash of the received data with the same algorithm and compares it with the value that came with the data. If the two values are the same, integrity is intact; if they differ by even one bit, the data was altered in transit and the receiver discards it. Because an attacker who can change the data can also recompute a plain hash, VPN protocols actually send a keyed hash (HMAC) computed with a key that only the two peers know. Modern hashing algorithms are:
1. MD5 (Message Digest 5)
2. SHA-1 (Secure Hash Algorithm 1)
Both are now considered weak against collision attacks; the SHA-2 family (SHA-256 and up) is preferred wherever the equipment supports it.

1.1.3 Authentication

Authentication verifies the identity of a user or a process and keeps unauthorized users from accessing data or a service. The credentials presented by the user are compared with those already stored in a database; if they match, the user is granted access, otherwise access is denied. Authentication may be local or remote. In local authentication the credentials are stored on the same machine; in remote authentication they are stored on a separate authentication server. The access device (for example the VPN server) forwards the user's credentials to the authentication server and acts on its answer: access is granted on a positive reply and denied on a negative one. So that the password itself is not sent in clear text between the client and the access device, the Challenge Handshake Authentication Protocol (CHAP) is used: the device sends a random challenge and the client returns a hash of the challenge combined with the secret. The leg between the access device and the authentication server is carried by one of the remote authentication protocols:
1. TACACS+ (Terminal Access Controller Access Control System Plus), the successor to the original TACACS
2. RADIUS (Remote Authentication Dial-In User Service)

Page | 4

1.1.4 Availability

Availability provides reliable and timely access to data and resources. Once a VPN is connected it stays up; on Cisco IOS, for instance, the IKE security association has a default lifetime of 24 hours (86,400 seconds) and is renegotiated automatically, so the user can reach data and services at any time while the VPN connection exists.

1.1.5 Anti-Replay

Anti-replay lets the receiver verify that each packet is unique and not a duplicate (or a recording) of an earlier packet. The sender numbers every packet with an increasing sequence number; the receiver tracks which sequence numbers it has already accepted and discards any packet whose number has already been seen. In IPsec the receiver keeps a sliding window (64 packets by default) so that packets arriving slightly out of order are still accepted while replays and packets older than the window are dropped.

1.2 VPN Advantages

VPN technology has heavily influenced the corporate sector through its many advantages, which make it the more popular and deployable technology in the industry. These advantages are:

1.2.1 Data Security

A public network (the Internet) is not a secure network and cannot be secured as a whole. A third person (an intruder) can easily read or alter data moving across it, so data must be protected before it is transferred over a public network. A VPN encapsulates the data in a security header before transmitting it to its destination; once encapsulated (and encrypted) the data cannot easily be read or altered. On the receiving side it is decapsulated.

1.2.2 Private Network Access

VPNs allow employees to securely access their company's private network and data while travelling, at home or in a branch office. Most employees work in branch offices and others work as teleworkers in the field, away from the central site; when they need the company's data or services for business operations, they can reach them securely through a VPN connection.

Page | 5

1.2.3 Bandwidth

Users and branch offices traditionally used leased lines such as E1, T1, Frame Relay or Asynchronous Transfer Mode (ATM) circuits to reach the company's data and services securely. Such circuits are typically sold in fractions of 128 Kbps, 256 Kbps or 512 Kbps and are expensive, while users and branch offices need more bandwidth for their services and newer applications. Internet Service Providers (ISPs) now offer relatively high-bandwidth IP connections, such as broadband Digital Subscriber Line (DSL) or cable access, over which a VPN can run on a shared basis.

1.2.4 Cost Reduction

Because ISPs provide these high-bandwidth DSL or cable connections on a shared basis, many customers are migrating their primary WAN connectivity to them, or deploying them as a secondary high-speed WAN circuit to augment an existing private network. These shared IP connections cost considerably less than leased lines.

1.2.5 Deployment Flexibility

VPNs can be established quickly wherever an Internet connection is available. They offer a great degree of flexibility in connecting branch offices, travelling staff and home workers.

1.3 VPN Types

A VPN can be built in different forms. In each case a secure connection, often called a tunnel, is created over a public network, and all traffic passes through this tunnel. There are two basic types of VPN:
1. Remote Access VPN
2. Site-to-Site VPN

1.3.1 Remote Access VPN

In a remote access VPN a single user connects to a private network and uses its services and resources remotely. The connection between the user and the private network crosses the Internet but is secure and private. Home users and teleworkers usually use this type of VPN: an employee connects to the company's private network while travelling and accesses files and resources on it remotely.

1.3.2 Site-to-Site VPN

Site-to-Site VPN is mostly used in corporate networks. Company offices in different geographical locations use a site-to-site VPN to connect their network with the head office or another branch office. A device acts as the VPN gateway in one branch office and another device does the same in the other office; the connection is established between the two gateways, and once it is up, multiple users in each office share it.

Page | 6

1.4 VPN Protocols

Communication between two devices is described by the Open Systems Interconnection (OSI) reference model, a universal standard published by the International Organization for Standardization (ISO) in 1984. It consists of seven layers, each performing specific tasks through communication protocols that are classified according to those layers. VPN protocols are likewise classified by the OSI layer at which they protect traffic. They are:
1. PPTP (Point-to-Point Tunneling Protocol)
2. L2TP (Layer 2 Tunneling Protocol)
3. IPsec (Internet Protocol Security)
4. L2TP over IPsec
5. GRE (Generic Routing Encapsulation)
6. IPsec over GRE
7. TLS (Transport Layer Security)
8. SSL (Secure Sockets Layer)

1.5 VPN Supported Devices

A dedicated VPN device is the VPN concentrator, a networking device whose job is the secure creation of VPN connections and the delivery of messages between VPN nodes. Other devices (routers, multi-layer switches, PIX and ASA firewalls, PCs, smartphones and tablets) may also support VPNs, provided their operating system has VPN support. Several vendors make such devices and software, including Cisco, Juniper, Linksys, Microsoft, Linux and Apple (Mac). The VPN service provided by these devices is referred to as IOS-based VPN. In this guide Cisco devices (routers, PIX and ASA) and Windows-based PCs are used.
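The CHAP exchange described in 1.1.3, as an added example that is not the book's code: both sides of the handshake are shown, together with the two things an eavesdropper on the public network can try with a captured exchange. The user names, secrets and wordlist are constructed for the demonstration.

```python
"""CHAP challenge/response (RFC 1994) between a VPN client and the access
device that checks it, plus what an eavesdropper can do with a captured
exchange.  Added example, not the book's code; user names, secrets and the
wordlist are constructed for the demonstration."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AccessDevice:
    """The NAS / VPN server.  It holds the credential database (local
    authentication in the book's terms) and never sees the password on the wire."""

    def __init__(self, users: dict):
        self.users = users
        self.identifier = 0

    def challenge(self):
        """A new identifier and a fresh random challenge for every attempt."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.users.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Client:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def chap_exchange(device: AccessDevice, client: Client):
    """One full exchange.  Only (identifier, challenge) and (name, response)
    cross the wire; returns the verdict and that wire transcript."""
    identifier, challenge = device.challenge()
    name, response = client.respond(identifier, challenge)
    ok = device.verify(name, identifier, challenge, response)
    return ok, (identifier, challenge, name, response)


def offline_dictionary_attack(identifier, challenge, response, wordlist):
    """An eavesdropper who captured one exchange recomputes the response for
    candidate secrets offline; returns the secret if it is in the wordlist."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


USERS = {"alice": b"correct horse battery staple", "bob": b"Winter2012"}  # constructed
WORDLIST = [b"password", b"Winter2012", b"correct horse battery staple"]  # constructed


def demo():
    device = AccessDevice(USERS)
    alice = Client("alice", USERS["alice"])
    mallory = Client("alice", b"guess")  # knows the user name, not the secret
    ok_alice, captured = chap_exchange(device, alice)
    ok_mallory, _ = chap_exchange(device, mallory)
    identifier, challenge, name, response = captured
    # Replay: resending Alice's captured response fails because the device has
    # moved on to a new identifier and a fresh random challenge.
    new_identifier, new_challenge = device.challenge()
    replay_ok = device.verify(name, new_identifier, new_challenge, response)
    # Offline guessing: the same capture lets the attacker test passwords at
    # leisure, the weakness that PPTP's MS-CHAP variants share with plain CHAP.
    cracked = offline_dictionary_attack(identifier, challenge, response, WORDLIST)
    return {"alice": ok_alice, "impersonation": ok_mallory,
            "replay": replay_ok, "cracked": cracked}


if __name__ == "__main__":
    print(demo())
```

CHAP keeps the secret off the wire and the fresh challenge defeats a simple replay, but the challenge/response pair is all an offline attacker needs to test candidate passwords, which is why the strength of the user's secret (or a certificate-based method such as EAP-TLS) matters more than the protocol itself.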
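The integrity service of 1.1.2 and the anti-replay service of 1.1.5 are applied together by an IPsec receiver, which is shown here as an added example that is not the book's code: each packet carries a sequence number and a keyed hash (HMAC) over the sequence number and payload, the receiver verifies the HMAC first and only then checks the sequence number against a sliding window in the manner of RFC 4303 Appendix A. The key, window size and packets are constructed for the demonstration.

```python
"""IPsec-style receive check: HMAC integrity check value (ICV) first, then a
sliding anti-replay window.  Added example, not the book's code; key and
packets are constructed."""
import hashlib
import hmac

WINDOW = 64  # IPsec default anti-replay window size (packets)


def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA1 over sequence number and payload,
    truncated to 96 bits as ESP does."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha1).digest()[:12]


def make_packet(key: bytes, seq: int, payload: bytes):
    return (seq, payload, icv(key, seq, payload))


class ReplayWindow:
    """Bit i of `bitmap` means sequence number `top - i` has been accepted."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> str:
        if seq == 0:
            return "replay"   # sequence number 0 is never valid in ESP
        if seq > self.top:    # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"    # older than the window: cannot tell if it is a replay
        if (self.bitmap >> diff) & 1:
            return "replay"   # already accepted once
        self.bitmap |= 1 << diff
        return "ok"


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.window = ReplayWindow()

    def accept(self, packet) -> str:
        seq, payload, tag = packet
        # Verify the ICV before updating the window, so a forged sequence
        # number from someone without the key cannot advance the window.
        if not hmac.compare_digest(icv(self.key, seq, payload), tag):
            return "bad-icv"
        return self.window.check_and_update(seq)


def demo():
    key = b"constructed-shared-key"  # in IPsec this is negotiated by IKE
    rx = Receiver(key)
    results = []
    for seq in (1, 2, 3, 5, 4):                  # 4 arrives after 5: reordered, still in window
        results.append(rx.accept(make_packet(key, seq, b"data")))
    results.append(rx.accept(make_packet(key, 3, b"data")))   # replayed copy of packet 3
    results.append(rx.accept((6, b"DATA", icv(key, 6, b"data"))))  # payload altered in transit
    results.append(rx.accept((1000, b"x", bytes(12))))        # attacker-chosen seq, no key
    results.append(rx.window.top)                             # window not advanced by the forgery
    results.append(rx.accept(make_packet(key, 200, b"data")))  # legitimate jump forward
    results.append(rx.accept(make_packet(key, 100, b"data")))  # 100 < 200 - 64: outside window
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the two checks is the point worth remembering when reading IPsec debug output: a packet with a bad ICV is counted as an authentication failure, never as a replay, and a valid packet that falls behind the window is dropped even though it was genuine, which is what a burst of "replay check failed" messages on a congested link usually means.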
2 PPTP VPN

Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN techniques in network security. It was developed by a vendor consortium led by Microsoft and its specification was published as RFC 2637 in 1999 [2]. It extends the Point-to-Point Protocol (PPP), which transfers multi-protocol datagrams over a point-to-point link, to dial-up networking, a model called a Virtual Private Dial-up Network (VPDN). It is best suited to remote-access VPNs but also supports LAN-to-LAN internetworking. It operates at layer 2 of the OSI model and follows a client/server model that is simple to configure. The client is normally software built into Microsoft Windows, Linux and macOS, which for a long time kept PPTP the most popular choice, especially on Windows computers. PPTP is connection-oriented: tunnel control runs over TCP port 1723, while the tunnelled PPP frames are carried in GRE (IP protocol 47). A tunnel is created in two steps:
1. The client connects to its ISP through any access service (dial-up, ISDN, DSL modem or LAN).
2. PPTP creates a TCP session (port 1723) between client and server to establish and manage the tunnel.
Once the tunnel is established, two kinds of information pass between client and server, and every call inside the tunnel is identified by a unique Call ID:
1. Control messages: carried on the TCP connection, they set up the tunnel, maintain it (Echo-Request/Echo-Reply keepalives) and finally tear down the connections. Some of the control messages are shown in Fig. 2.1.
2. Data packets: the PPP frames of the user session, encapsulated in GRE and sent in both directions through the tunnel.

2.1 Security

PPTP supports authentication, encryption and packet filtering. Authentication uses PPP-based protocols: PAP, MS-CHAPv1, MS-CHAPv2 and EAP-TLS. PAP sends the password in clear text and MS-CHAPv1 is insecure. EAP-TLS is the superior choice, but it requires a Public Key Infrastructure with certificates for both client and server. When MS-CHAPv1/v2 is used, the payload is encrypted with Microsoft Point-to-Point Encryption (MPPE), an RC4 stream cipher with 40-, 56- or 128-bit keys derived from the MS-CHAP exchange; this provides confidentiality for the PPP-encapsulated packets [3]. Packet filtering is implemented on the VPN server.

Figure 2.1 PPTP Control Messages

2.2 Encapsulation

PPTP encapsulates PPP frames in GRE inside IP packets and uses a separate TCP connection for tunnel management. The encapsulated PPP frames may be encrypted, compressed, or both, as highlighted in Fig. 2.2.

Figure 2.2 PPTP Encapsulation

In 2012 the MS-CHAPv2 handshake used by PPTP was shown to be breakable (the response reduces to a single 56-bit DES key search), after which Microsoft recommended no longer relying on PPTP with MS-CHAPv2 [4]. PPTP should therefore be treated as obsolete; it is covered here as a baseline for the protocols that follow.
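The control channel described above is small enough to build and check by hand. The following is an added example, not code from the original text or from any vendor: it encodes the Start-Control-Connection-Request (SCCRQ) a client sends first on TCP port 1723, parses any control message header back and validates the magic cookie, which is how a server rejects junk on the control connection. The hostname and vendor strings are constructed for the example.

```python
"""PPTP control-connection message encode/decode (RFC 2637).

Added example, not code from the original text. Builds the SCCRQ a client
sends on TCP 1723, parses control message headers and validates the magic
cookie and length, which is how a server rejects junk on the control channel.
"""
import struct

MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1  # PPTP Message Type: 1 = control message, 2 = management

# Control Message Type values from RFC 2637 section 1.4
CONTROL_MESSAGES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}

# Common 12-byte header: Length, PPTP Message Type, Magic Cookie,
# Control Message Type, Reserved0 (all big-endian).
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: Protocol Version, Reserved1, Framing Capabilities,
# Bearer Capabilities, Maximum Channels, Firmware Revision,
# Host Name (64 bytes), Vendor String (64 bytes).
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")


def build_sccrq(hostname: str, vendor: str, framing: int = 3, bearer: int = 3,
                max_channels: int = 0, firmware: int = 0) -> bytes:
    """Return the 156-byte SCCRQ; framing/bearer 3 = async+sync / analog+digital."""
    body = SCCRQ_BODY.pack(0x0100, 0, framing, bearer, max_channels, firmware,
                           hostname.encode("ascii")[:64].ljust(64, b"\0"),
                           vendor.encode("ascii")[:64].ljust(64, b"\0"))
    return HEADER.pack(HEADER.size + len(body), MSG_TYPE_CONTROL, MAGIC_COOKIE, 1, 0) + body


def parse_control_header(data: bytes) -> dict:
    """Parse the common header; a real server drops the TCP connection on any failure."""
    if len(data) < HEADER.size:
        raise ValueError("short PPTP header")
    length, msg_type, cookie, ctrl_type, _ = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x" % cookie)
    if msg_type != MSG_TYPE_CONTROL:
        raise ValueError("not a control message (type %d)" % msg_type)
    if ctrl_type not in CONTROL_MESSAGES:
        raise ValueError("unknown control message type %d" % ctrl_type)
    if length != len(data):
        raise ValueError("length field %d != %d bytes received" % (length, len(data)))
    return {"length": length, "type": ctrl_type, "name": CONTROL_MESSAGES[ctrl_type]}


def is_valid_control(data: bytes) -> bool:
    """True if the bytes are a well-formed PPTP control message."""
    try:
        parse_control_header(data)
        return True
    except ValueError:
        return False


def parse_sccrq(data: bytes) -> dict:
    """Decode the SCCRQ body fields a server needs in order to answer with an SCCRP."""
    hdr = parse_control_header(data)
    if hdr["type"] != 1:
        raise ValueError("expected SCCRQ, got %s" % hdr["name"])
    version, _, framing, bearer, max_ch, fw, host, vendor = SCCRQ_BODY.unpack_from(
        data, HEADER.size)
    hdr.update(version=version, framing=framing, bearer=bearer, max_channels=max_ch,
               firmware=fw, hostname=host.rstrip(b"\0").decode("ascii"),
               vendor=vendor.rstrip(b"\0").decode("ascii"))
    return hdr


if __name__ == "__main__":
    pkt = build_sccrq("pc-client", "Microsoft")  # constructed sample, not a capture
    print(parse_sccrq(pkt))
```

Because the control connection is plain TCP, anything on the path can read these fields (hostname, vendor, call IDs); PPTP relies entirely on MPPE inside the GRE data channel for confidentiality, which is the weakness discussed above.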
2.3 Configuring PPTP VPN

2.3.1 Tasks
- Assign IP addresses according to the topology
- Configure IP routing
- Test connectivity
- Configure the router as a PPTP VPN server
- Configure the PC as a Microsoft PPTP VPN client
- Try to connect the VPN client
- Test the VPN

2.3.2 Topology

Figure 2.3 PPTP VPN Setup

2.3.3 Step 1 Assign IP Addresses

Assign IP addresses on the routers' interfaces and on the PC as shown in the topology diagram (Fig. 2.3). Interfaces must be enabled and in the up/up state.

Internet router:

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#end
Internet#
Internet#show ip interface brief
Interface          IP-Address      OK? Method Status  Protocol
FastEthernet0/0    203.0.113.18    YES manual up      up
FastEthernet0/1    203.0.113.33    YES manual up      up
Internet#
Internet#show ip route
Codes: C - connected, S - static, ... (legend abbreviated)
Gateway of last resort is not set
C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    203.0.113.32/28 is directly connected, FastEthernet0/1

Branch router:

Branch>enable
Branch#configure terminal
Branch(config)#interface FastEthernet0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface FastEthernet0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#end
Branch#
Branch#show ip interface brief
Interface          IP-Address      OK? Method Status  Protocol
FastEthernet0/0    203.0.113.34    YES manual up      up
FastEthernet0/1    192.168.1.1     YES manual up      up
Branch#
PC: the client uses 203.0.113.17/28 with default gateway 203.0.113.18 (the Internet router).

Figure 2.4 Client IP Address

2.3.4 Step 2 Configure IP Routing

Before any route is added, the PC cannot reach the Branch router, because Branch has no route back to the 203.0.113.16/28 network:

C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Add a default route on Branch pointing at the Internet router:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#show ip route
Codes: C - connected, S - static, ... (legend abbreviated)
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 203.0.113.33
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#

2.3.5 Step 3 Test Connectivity

From the PC, the Branch router's public address is now reachable:

C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Request timed out.
Reply from 203.0.113.34: bytes=32 time=258ms TTL=254
Reply from 203.0.113.34: bytes=32 time=185ms TTL=254
Reply from 203.0.113.34: bytes=32 time=184ms TTL=254
Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 184ms, Maximum = 258ms, Average = 209ms

The Branch LAN is not reachable, because the Internet router (the PC's gateway) has no route to 192.168.1.0/24. This is exactly the traffic the VPN will carry:

C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#

2.3.6 Step 4 Configure Router as a PPTP VPN Server

Branch(config)#vpdn enable
Branch(config)#vpdn-group pptpvpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol pptp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#
! Address pool handed to clients and the local user database
Branch(config)#ip local pool pptp-pool 172.16.1.1 172.16.1.50
Branch(config)#username test password 0 test
! Every PPTP call is cloned from this template
Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)#peer default ip address pool pptp-pool
Branch(config-if)#ip unnumbered FastEthernet0/1
Branch(config-if)#no keepalive
Branch(config-if)#ppp encrypt mppe auto required
Branch(config-if)#ppp authentication ms-chap ms-chap-v2
Branch(config-if)#end
Branch#

Note that "ppp authentication ms-chap ms-chap-v2" still allows MS-CHAPv1 if the client offers it; in a real deployment only ms-chap-v2 (or, better, EAP) should be listed, and "username ... password 0" stores the password in clear text in the configuration.
Branch#show ip interface brief
Interface           IP-Address      OK? Method Status  Protocol
FastEthernet0/0     203.0.113.34    YES manual up      up
FastEthernet0/1     192.168.1.1     YES manual up      up
Virtual-Access1     unassigned      YES unset  down    down
Virtual-Template1   192.168.1.1     YES unset  down    down
Branch#show vpdn group
group pptpvpn: group session limit 65535, active sessions 0, active tunnels 0
Branch#show vpdn session
% No active tunnels

2.3.7 Step 5 Configure PC as a Microsoft PPTP VPN Client

1. Choose Start > Control Panel > Network and Internet > Network and Sharing Center > Set up a new connection or network.

Figure 2.5 Set up a new Connection

2. When the wizard window appears, choose Connect to a workplace and click Next.

Figure 2.6 Connect to a Workplace

3. Choose Create a new connection and click Next.

Figure 2.7 Create new Connection

4. Type the Internet address of the VPN server (203.0.113.34, the Branch router's FastEthernet0/0) and a destination name for the connection, then click Next.

Figure 2.8 New Connection Name IP Address

5. Choose Start > Control Panel > Network and Internet > Network Connections and open the Properties of the newly created connection.

Figure 2.9 Properties

6. Choose the Security tab.

Figure 2.10 Security

7. In Type of VPN choose Point to Point Tunneling Protocol (PPTP), in Data encryption choose Require encryption, tick the authentication protocol under Allow these protocols (MS-CHAP v2) and click OK.

Figure 2.11 Select Properties

2.3.8 Step 6 Try to Connect

1. Try to connect.

Figure 2.12 Username Password

2. Type the username test and the password test and click Connect.

Figure 2.13 Connecting

3. The client verifies the username and password.

Figure 2.14 Verifying

4. The client registers your computer on the network.

Figure 2.15 Completing

5. When connected, check the status of the connection.

Figure 2.16 Connection Status

2.3.9 Step 7 Test VPN

Figure 2.17 Connection Details
The Branch LAN address that was unreachable in Step 3 now answers through the tunnel:

C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=232ms TTL=255
Reply from 192.168.1.1: bytes=32 time=226ms TTL=255
Reply from 192.168.1.1: bytes=32 time=338ms TTL=255
Reply from 192.168.1.1: bytes=32 time=351ms TTL=255
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 226ms, Maximum = 351ms, Average = 286ms

On the router the virtual-access interface cloned from the template is now up:

Branch#show ip interface brief
Interface           IP-Address      OK? Method Status  Protocol
FastEthernet0/0     203.0.113.34    YES manual up      up
FastEthernet0/1     192.168.1.1     YES manual up      up
Virtual-Access1     192.168.1.1     YES unset  up      up
Virtual-Template1   192.168.1.1     YES unset  down    down
Branch#show interfaces Virtual-Access1
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Cloned from Virtual-Template1
  Vaccess status 0x44
  Protocol pptp, tunnel id 36776, session id 20632, loopback not set
  Keepalive not set
  DTR is pulsed for 5 seconds on reset
  Last input 00:05:07, output never, output hang never
  Last clearing of "show interface" counters 00:22:57
  (counters omitted)

Branch#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
  Interface    User               Mode         Idle     Peer Address
  Vi3          test               PPPoVPDN     00:09:55 172.16.1.11
Branch#show vpdn session
Session Information Total tunnels 1 sessions 1
LocID  RemID  TunID  Intf  Username  State  Last Chg  Uniq ID
20632  256    36776  Vi3   test      est    00:00:41  2
Branch#show vpdn tunnel pptp
Tunnel Information Total tunnels 1 sessions 1
LocID  RemID  Remote Name  State  Remote Address  Port  Sessions  VPDN Group
36776  -      -            est    203.0.113.17    4993  1         1
Branch#show vpdn tunnel pptp transport
Tunnel Information Total tunnels 1 sessions 1
LocID  Type  Local Address  Port  Remote Address  Port
36776  TCP   203.0.113.34   1723  203.0.113.17    4993
Branch#show vpdn tunnel pptp packets
Tunnel Information Total tunnels 1 sessions 1
LocID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
36776  (counters omitted)
Branch#

The transport line confirms the control connection described in Section 2: the server listens on TCP 1723 and the client connected from an ephemeral port (4993).
3 L2TP VPN

Layer 2 Tunneling Protocol (L2TP) was introduced in 1999 as the combination of two earlier tunneling protocols: Layer 2 Forwarding (L2F) from Cisco Systems and Point-to-Point Tunneling Protocol (PPTP) from Microsoft. It merges the best features of both and can be seen as an extension of PPTP. It was specified in RFC 2661 [5]. L2F is a tunneling protocol developed to build VPNs over the public Internet; it was specially designed to tunnel PPP traffic and provides no encryption by itself. In 2005 a new version, L2TPv3, was published in RFC 3931 [6], with improved encapsulation and the ability to carry data-link layers other than PPP over an IP network.

The entire L2TP packet (L2TP header plus payload) is sent inside a User Datagram Protocol (UDP) datagram, port 1701. It is common to carry a PPP session within an L2TP tunnel. L2TP provides no strong authentication and no confidentiality by itself, so IPsec is often used with it to provide confidentiality, authentication and integrity; the combination is known as L2TP/IPsec (Chapter 4). L2TP lets a VPDN be built to connect remote clients to their corporate network across the access services of different ISPs. It operates at layer 2 of the OSI model and follows a client/server model. The two endpoints of an L2TP tunnel are the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LNS waits for new tunnels; the LAC sits between the remote system and the LNS and forwards packets to it. Once the tunnel is established, traffic flows in both directions. Packets exchanged inside the tunnel are either control packets or data packets: L2TP provides reliable delivery (sequence numbers and retransmission) for control packets only, not for data packets. If reliability is needed for the data, it must be provided by a protocol running inside the session, for example TCP inside the tunnelled PPP. A tunnel is created in two steps:
1. A control connection is established for the tunnel between LAC and LNS.
2. A session is established inside the tunnel for each call between client and server.

During setup, control messages and data messages are exchanged between LAC and LNS, as highlighted in Fig. 3.1. Each session's traffic is kept separate by L2TP (every session has its own Session ID), so it is possible to run multiple virtual networks over a single tunnel. The Maximum Transmission Unit (MTU) remains the same. Hello messages are sent to the peer as keepalive control messages, by default every 60 seconds.

Figure 3.1 Tunnel Setup

Once the tunnel is established, PPP frames from the remote systems are received at the LAC, encapsulated in L2TP and forwarded to the LNS over the appropriate tunnel.

3.1 L2TP Security

L2TP authenticates the PPP user but has no encryption of its own. Authentication uses PPP-based protocols such as PAP, MS-CHAPv1, MS-CHAPv2 and EAP-TLS. When MS-CHAPv1/v2 is used, the PPP payload can be encrypted with MPPE, which gives the same weak protection as in PPTP. Stronger ciphers such as Triple DES (3DES) and AES-256 become available only when L2TP is carried over IPsec (Chapter 4), which then protects the whole L2TP packet, header included.

3.2 Encapsulation

Data messages carry the PPP frames over an unreliable channel: data is not retransmitted when a packet is lost. The PPP frame is encapsulated in an L2TP header first, and the L2TP frame is then carried in UDP (port 1701) and IP, as shown in Fig. 3.2.

Figure 3.2 L2TP Encapsulation
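The header layout and the control/data distinction above can be seen directly in the bytes. The following is an added example, not code from the original text or from any vendor: it builds the first control message a LAC sends to an LNS (SCCRQ, UDP 1701), builds a data message, and parses both back, showing that control messages carry Length and Ns/Nr sequence fields while data messages do not. The hostname, tunnel and session IDs and the PPP payload are constructed for the example.

```python
"""L2TPv2 header and AVP decoding (RFC 2661).

Added example, not code from the original text. Builds an SCCRQ control
message and a data message, then parses both, illustrating that only control
messages carry the Length and Ns/Nr fields used for reliable delivery.
"""
import struct

# Flag bits in the first 16-bit word of the L2TP header
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
VERSION_MASK = 0x000F

# Control message types carried in the Message Type AVP (attribute 0)
CONTROL_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


def avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """Encode one AVP: M bit + 10-bit length, Vendor ID 0 (IETF), type, value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value


def build_sccrq(assigned_tunnel_id: int, hostname: bytes) -> bytes:
    """Control message: T=1, L=1, S=1, Ver=2; Tunnel ID 0 because the peer's is unknown."""
    body = (avp(0, struct.pack("!H", 1))                       # Message Type = SCCRQ
            + avp(2, struct.pack("!H", 0x0100))                # Protocol Version 1.0
            + avp(7, hostname)                                 # Host Name
            + avp(9, struct.pack("!H", assigned_tunnel_id)))   # Assigned Tunnel ID
    header = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body),
                         0, 0, 0, 0)                           # tunnel, session, Ns, Nr
    return header + body


def build_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Data message: T=0 and no Length/Ns/Nr, just Ver=2, the IDs and the PPP frame."""
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame


def parse_avps(data: bytes) -> dict:
    """Return {attribute_type: value} for IETF (vendor 0) AVPs."""
    avps, pos = {}, 0
    while pos < len(data):
        flags, vendor, attr = struct.unpack_from("!HHH", data, pos)
        length = flags & 0x03FF
        if length < 6 or pos + length > len(data):
            raise ValueError("malformed AVP")
        if vendor == 0:
            avps[attr] = data[pos + 6:pos + length]
        pos += length
    return avps


def parse(packet: bytes) -> dict:
    """Decode an L2TPv2 packet; control packets also get their AVPs decoded."""
    (flags,) = struct.unpack_from("!H", packet)
    if flags & VERSION_MASK != 2:
        raise ValueError("not L2TPv2 (version %d)" % (flags & VERSION_MASK))
    pos, info = 2, {"control": bool(flags & T_BIT)}
    if flags & L_BIT:
        (info["length"],) = struct.unpack_from("!H", packet, pos)
        pos += 2
    info["tunnel_id"], info["session_id"] = struct.unpack_from("!HH", packet, pos)
    pos += 4
    if flags & S_BIT:
        info["ns"], info["nr"] = struct.unpack_from("!HH", packet, pos)
        pos += 4
    if flags & O_BIT:                       # Offset Size skips padding before the payload
        (offset,) = struct.unpack_from("!H", packet, pos)
        pos += 2 + offset
    if info["control"]:
        if not (flags & L_BIT and flags & S_BIT):
            raise ValueError("control message must carry Length and Ns/Nr")
        info["avps"] = parse_avps(packet[pos:info["length"]])
        mtype = info["avps"].get(0)
        info["message"] = CONTROL_TYPES.get(struct.unpack("!H", mtype)[0], "?") if mtype else "?"
        if 9 in info["avps"]:
            (info["assigned_tunnel_id"],) = struct.unpack("!H", info["avps"][9])
    else:
        info["payload"] = packet[pos:]
    return info


if __name__ == "__main__":
    print(parse(build_sccrq(36776, b"Branch")))                      # constructed sample
    print(parse(build_data(36776, 20632, b"\xff\x03\xc0\x21")))      # PPP LCP frame header
```

Nothing in either packet is encrypted or authenticated: the tunnel IDs, the hostname and the PPP frame are all readable on the wire, which is why Chapter 4 wraps the whole UDP 1701 datagram in IPsec.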
3.3 Configuring L2TP VPN

3.3.1 Tasks
- Assign IP addresses according to the topology
- Configure IP routing
- Configure the router as a DNS server
- Test connectivity
- Configure the router as an L2TP VPN server
- Configure the PC as a Microsoft L2TP VPN client
- Try to connect the VPN client by domain name
- Test the VPN

3.3.2 Topology

Figure 3.3 L2TP VPN Setup

3.3.3 Step 1 Assign IP Addresses

Assign IP addresses on the routers' interfaces and on the PC as shown in the topology diagram (Fig. 3.3). Interfaces must be enabled and in the up/up state. The addressing is the same as in the PPTP lab.

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#end
Internet#show ip interface brief
Interface          IP-Address      OK? Method Status  Protocol
FastEthernet0/0    203.0.113.18    YES manual up      up
FastEthernet0/1    203.0.113.33    YES manual up      up
Internet#show ip route
Codes: C - connected, S - static, ... (legend abbreviated)
Gateway of last resort is not set
C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    203.0.113.32/28 is directly connected, FastEthernet0/1

Branch>enable
Branch#configure terminal
Branch(config)#interface FastEthernet0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface FastEthernet0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#end
Branch#show ip interface brief
Interface          IP-Address      OK? Method Status  Protocol
FastEthernet0/0    203.0.113.34    YES manual up      up
FastEthernet0/1    192.168.1.1     YES manual up      up
Branch#

PC: 203.0.113.17/28, default gateway 203.0.113.18, DNS server 203.0.113.18.

Figure 3.4 Client IP Addressing

3.3.4 Step 2 Configure IP Routing

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#show ip route
Codes: C - connected, S - static, ... (legend abbreviated)
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 203.0.113.33
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#

3.3.5 Step 3 Configure Router as a DNS Server

The Internet router answers DNS queries from its static host table, so the client can reach the VPN server by name:

Internet(config)#ip dns server
Internet(config)#ip name-server 203.0.113.18
Internet(config)#ip host l2tpvpn.com 203.0.113.34
Internet(config)#no ip domain lookup
Internet(config)#exit
Internet#show hosts
Default domain is not set
Resolver settings:
  Domain lookup is disabled
  Domain search list:
  Lookup timeout: 3 seconds
  Lookup retries: 2
  Domain name-servers: 203.0.113.18
Server settings:
  Forwarding of queries is disabled
  Forwarder timeout: 3 seconds
  Forwarder retries: 2
  Forwarder addresses:

3.3.6 Step 4 Test Connectivity

C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254
Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping l2tpvpn.com
Pinging l2tpvpn.com [203.0.113.34] with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=148ms TTL=254
Reply from 203.0.113.34: bytes=32 time=213ms TTL=254
Reply from 203.0.113.34: bytes=32 time=191ms TTL=254
Reply from 203.0.113.34: bytes=32 time=220ms TTL=254
Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 148ms, Maximum = 220ms, Average = 193ms

C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#
3.3.7 Step 5 Configure Router as an L2TP VPN Server
Branch#show ip interface brief
Interface           IP-Address      OK? Method Status  Protocol
FastEthernet0/0     203.0.113.34    YES manual up      up
FastEthernet0/1     192.168.1.1     YES manual up      up
Virtual-Access1     unassigned      YES unset  down    down
Virtual-Template1   192.168.1.1     YES unset  down    down
Branch#show vpdn group
group l2tpvpn: group session limit 65535, active sessions 0, active tunnels 0
Branch#show vpdn tunnel l2tp
% No active L2TP tunnels

3.3.8 Step 6 Configure PC as a Microsoft L2TP VPN Client

1. Follow Step 5 of Section 2.3.7.
2. Type the domain name (l2tpvpn.com) instead of the IP address.

Figure 3.5 Properties

3. Choose the Security tab.

Figure 3.6 Security

4. In Type of VPN choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec), in Data encryption choose Require encryption and tick the authentication protocols.

Figure 3.7 Select Protocol

5. Click Advanced settings.

Figure 3.8 Advance Setting

3.3.9 Step 7 Try to Connect

1. After typing the username and password, click Connect.

Figure 3.9 Connecting

2. The client verifies the username and password.

Figure 3.10 Verifying

3. The client registers your computer on the network.

Figure 3.11 Completing

4. The connection status window appears.

Figure 3.12 Connection Status

3.3.10 Step 8 Test VPN

Figure 3.13 Connection Details

C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=166ms TTL=255
Reply from 192.168.1.1: bytes=32 time=246ms TTL=255
Reply from 192.168.1.1: bytes=32 time=285ms TTL=255
Reply from 192.168.1.1: bytes=32 time=277ms TTL=255
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 166ms, Maximum = 285ms, Average = 243ms

Branch#ping 172.16.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/204/300 ms
Branch#show ip interface brief
Interface           IP-Address      OK? Method Status  Protocol
FastEthernet0/0     203.0.113.34    YES manual up      up
FastEthernet0/1     192.168.1.1     YES manual up      up
Virtual-Access1     unassigned      YES unset  down    down
Virtual-Access2     unassigned      YES unset  up      up
Virtual-Access3     192.168.1.1     YES unset  up      up
Virtual-Template1   192.168.1.1     YES unset  down    down
Branch#show interfaces Virtual-Access3
Virtual-Access3 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Cloned from Virtual-Template1
  Vaccess status 0x0
  Protocol l2tp, tunnel id 35949, session id 29839
4 L2TP over IPsec VPN

L2TP does not provide strong authentication or confidentiality by itself, so it is usually combined with IPsec, which supplies confidentiality, authentication and integrity. The combination is known as L2TP/IPsec. IPsec is a protocol suite operating at the network layer (layer 3) to secure communication between two peers [7]. It comprises the IP Security Architecture, the Internet Key Exchange (IKE), the IPsec Authentication Header (AH) and the IPsec Encapsulating Security Payload (ESP). IKE is the key-management protocol, while AH and ESP protect the IP traffic itself. They are discussed in detail in Chapter 5.

4.1 L2TP over IPsec Security

When L2TP runs over IPsec its security is high. The client negotiates an IPsec Security Association (SA) with the server through IKE, carried over UDP port 500 (UDP 4500 when NAT traversal is in use), and authenticates with a pre-shared key, public keys or certificates. IPsec transport mode is used, because L2TP already provides the tunnel: ESP protects the UDP 1701 packets exchanged between the two endpoints. IPsec supports several encryption algorithms for data confidentiality (DES, 3DES, AES) and several integrity algorithms (HMAC-MD5, HMAC-SHA-1 and the SHA-2 family). Of these, only AES and SHA-2 should be chosen for new deployments; DES and MD5 are broken and 3DES and SHA-1 are deprecated.

4.2 Encapsulation

The connection is established between two endpoints, and each L2TP packet is encapsulated by the IPsec (ESP) header as displayed in Fig. 4.1.

Figure 4.1 L2TP over IPsec Encapsulation

Because the L2TP packet is wrapped inside ESP, devices between the endpoints cannot see the inner L2TP packet, so it is not necessary to open UDP port 1701 on firewalls between the endpoints. They need only pass IKE (UDP 500, and UDP 4500 for NAT-T) and ESP (IP protocol 50, or UDP 4500 when NAT-T encapsulation is used). The inner packet is not acted upon until the IPsec data has been decrypted and stripped, which only takes place at the endpoints.
4.3 Configuring L2TP over IPsec VPN

4.3.1 Tasks
- Assign IP addresses according to the topology
- Configure IP routing
- Test connectivity
- Configure the router as an L2TP over IPsec VPN server
- Configure the PC as a Microsoft L2TP over IPsec VPN client
- Try to connect the VPN client
- Test the VPN

4.3.2 Topology

Figure 4.2 L2TP over IPsec VPN Setup

4.3.3 Step 1 Assign IP Addresses

Assign IP addresses on the routers' interfaces and on the PC as shown in the topology diagram (Fig. 4.2). Interfaces must be enabled and in the up/up state. The addressing is the same as in the previous labs.

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#end
Internet#show ip interface brief
Interface          IP-Address      OK? Method Status  Protocol
FastEthernet0/0    203.0.113.18    YES manual up      up
FastEthernet0/1    203.0.113.33    YES manual up      up
Internet#show ip route
Codes: C - connected, S - static, ... (legend abbreviated)
Gateway of last resort is not set
C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    203.0.113.32/28 is directly connected, FastEthernet0/1

Branch>enable
Branch#configure terminal
Branch(config)#interface FastEthernet0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface FastEthernet0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#end
Branch#show ip interface brief
Interface          IP-Address      OK? Method Status  Protocol
FastEthernet0/0    203.0.113.34    YES manual up      up
FastEthernet0/1    192.168.1.1     YES manual up      up
Branch#

PC: 203.0.113.17/28, default gateway 203.0.113.18.

Figure 4.3 Client IP Addressing

4.3.4 Step 2 Configure IP Routing

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#show ip route
Codes: C - connected, S - static, ... (legend abbreviated)
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 203.0.113.33
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#

4.3.5 Step 3 Test Connectivity

C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254
Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
4.3.6 Step 4 Configure Router as an L2TP over IPsec VPN Server

The L2TP part is the same as in Chapter 3 (no MPPE is configured, because confidentiality now comes from ESP); the IPsec part adds an IKE policy, a pre-shared key, a transport-mode transform set and a dynamic crypto map applied to the outside interface.

Branch(config)#vpdn enable
Branch(config)#vpdn-group l2tp-vpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol l2tp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#
Branch(config)#ip local pool l2tp-pool 172.16.1.1 172.16.1.50
Branch(config)#username test password 0 test
Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)#peer default ip address pool l2tp-pool
Branch(config-if)#ip unnumbered FastEthernet0/1
Branch(config-if)#ppp authentication ms-chap ms-chap-v2
Branch(config-if)#exit
! IKE phase 1 policy: 3DES, SHA-1, pre-shared key, DH group 2
Branch(config)#crypto isakmp policy 5
Branch(config-isakmp)#encryption 3des
Branch(config-isakmp)#hash sha
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#group 2
Branch(config-isakmp)#exit
Branch(config)#
! Wildcard address: any peer that knows the key may negotiate
Branch(config)#crypto isakmp key l2tpipsec address 0.0.0.0 0.0.0.0
! IKE phase 2: ESP with 3DES and HMAC-SHA-1 in transport mode
Branch(config)#crypto ipsec transform-set tset esp-3des esp-sha-hmac
Branch(cfg-crypto-trans)#mode transport
Branch(cfg-crypto-trans)#exit
! Dynamic map, because the clients' addresses are not known in advance
Branch(config)#crypto dynamic-map map 10
Branch(config-crypto-map)#set transform-set tset
Branch(config-crypto-map)#exit
Branch(config)#crypto map l2tpmap 10 ipsec-isakmp dynamic map
Branch(config)#interface FastEthernet0/0
Branch(config-if)#crypto map l2tpmap
Branch(config-if)#end
Branch#

The parameters shown (3DES, SHA-1, DH group 2, a pre-shared key shared by all clients and accepted from any address) are what the Windows client of that era negotiates by default; they are legacy choices, and on current equipment AES, SHA-2, DH group 14 or higher and certificate authentication should be used instead.
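The legacy choices called out above are easy to miss when reading a long running-config, so here is a small audit script. It is an added example, not code from the original text or from Cisco: the rules are the editor's own list of weak settings seen in this chapter and in the PPTP chapter (wildcard pre-shared key, DES/3DES, MD5/SHA-1, DH groups 1/2/5, MS-CHAP v1, PAP, PPTP, clear-text passwords, short MPPE keys), and the embedded sample configuration is constructed to mirror the server configuration above.

```python
"""Weak-setting audit for an IOS VPN running-config.

Added example, not code from the original text or from Cisco. The rule list
is the editor's own; the sample config is constructed to mirror the L2TP over
IPsec server configuration in this chapter.
"""
import re

# Each rule: (regex applied to one config line, severity, finding)
RULES = [
    (r"^\s*crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", "high",
     "wildcard pre-shared key: any host that knows the key can negotiate IKE"),
    (r"^\s*crypto isakmp key \S+", "medium",
     "pre-shared key in the configuration; prefer certificates, keep it out of backups"),
    (r"^\s*encryption (des|3des)\b", "high", "DES/3DES in IKE policy; use AES"),
    (r"^\s*hash (md5|sha)\s*$", "medium", "MD5/SHA-1 in IKE policy; use sha256 or stronger"),
    (r"^\s*group [125]\s*$", "high", "DH group 1/2/5 (<= 1536-bit); use group 14 or ECDH groups"),
    (r"^\s*crypto ipsec transform-set \S+ .*esp-(des|3des)\b", "high",
     "DES/3DES transform set; use esp-aes 256"),
    (r"^\s*crypto ipsec transform-set \S+ .*esp-(md5|sha)-hmac", "medium",
     "HMAC-MD5/HMAC-SHA-1 transform; use esp-sha256-hmac"),
    (r"^\s*ppp authentication .*\bms-chap\b(?!-v2)", "high", "MS-CHAP v1 allowed"),
    (r"^\s*ppp authentication .*\bpap\b", "high", "PAP sends the password in clear text"),
    (r"^\s*protocol pptp\b", "high", "PPTP accepted; MS-CHAPv2/MPPE is broken"),
    (r"^\s*username \S+ password 0 ", "medium",
     "clear-text user password; use 'username ... secret'"),
    (r"^\s*ppp encrypt mppe (40|56)\b", "high", "MPPE key shorter than 128 bits"),
]


def audit(config_text: str) -> list:
    """Return [(line_no, severity, line, finding)] for every rule that matches a line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        for pattern, severity, finding in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((number, severity, line.strip(), finding))
    return findings


def high_findings(config_text: str) -> list:
    """Only the findings that should block a deployment."""
    return [f for f in audit(config_text) if f[1] == "high"]


# Constructed sample mirroring the server configuration in this chapter
SAMPLE_CONFIG = """\
vpdn enable
vpdn-group l2tp-vpn
 accept-dialin
  protocol l2tp
  virtual-template 1
username test password 0 test
interface Virtual-Template1
 ppp authentication ms-chap ms-chap-v2
crypto isakmp policy 5
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key l2tpipsec address 0.0.0.0 0.0.0.0
crypto ipsec transform-set tset esp-3des esp-sha-hmac
 mode transport
"""

if __name__ == "__main__":
    for number, severity, line, finding in audit(SAMPLE_CONFIG):
        print(f"line {number:3d} [{severity:6s}] {line!r}: {finding}")
```

Run against the sample it reports five high findings (MS-CHAP v1 still allowed, 3DES in the IKE policy, DH group 2, the wildcard pre-shared key, 3DES in the transform set) and four medium ones; a policy using "encryption aes 256", "hash sha256" and "group 14" produces none. The regexes are deliberately anchored to the start of a line so that "vpdn-group l2tp-vpn" is not mistaken for a DH group.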
4.3.7 Step 5 Configure PC as a Microsoft L2TP over IPsec VPN Client

1. Follow Step 6 of Section 3.3.8.
2. Click Advanced settings and enter the pre-shared key. It must be the same string configured on the router ("crypto isakmp key ...").

Figure 4.4 Advanced Properties

3. (Optional, only if the operating system is old, such as Windows 2000, which has no pre-shared key field.) Execute mmc from the Run dialog to manage the IP security policy.

Figure 4.5 Run

4. In the console choose Add/Remove Snap-in from the File menu.

Figure 4.6 Console

5. Choose IP Security Policy Management and click Add.

6. When the following screen appears, choose Local computer and click Finish.

Figure 4.8 Select Domain

7. IP Security Policy Management is now listed in the selected snap-ins; click OK.

Figure 4.9 Add IP Security Policies

8. The IP Security Policy Management console appears.

Figure 4.10 IP Security Policy Management

9. Select IP Security Policies on Local Computer and choose Create IP Security Policy from the Action menu.

Figure 4.11 Console

10. When the IP Security Policy Wizard appears, click Next.

Figure 4.12 IP Security Policy Wizard

11. Type a suitable name in the Name field and click Next.

Figure 4.13 IP Security Policy Name

12. Uncheck Activate the default response rule and click Next.

Figure 4.14 Request for Secure Communication

13. When the following window appears, check Edit properties and click Finish.

Figure 4.15 Completing IP Security Policy

14. In the Properties window there is a default rule, <Dynamic>. Click Add.

Figure 4.16 Filter Rules

15. When the Security Rule Wizard appears, click Next.

Figure 4.17 Creating New Security Rule

16. Select This rule does not specify a tunnel and click Next.

Figure 4.18 Tunnel Endpoint

17. Select All network connections and click Next.

Figure 4.19 Network Type

18. Add an IP filter list to this rule by clicking Add.

Figure 4.20 Add New Filter List

19. Type Outside as the name and click Add.

Figure 4.21 IP Filter List for Outside

20. When the IP Filter Wizard appears, click Next.

Figure 4.22 New IP Filter Wizard

21. Type a filter description and click Next.

Figure 4.23 IP Filter Description

22. Choose A specific IP Address, type the source address and click Next.

Figure 4.24 IP Traffic Source

23. Choose A specific IP Address, type the destination address and click Next.

Figure 4.25 IP Traffic Destination

24. Choose UDP as the protocol type and click Next.

Figure 4.26 IP Protocol Types

25. Set the protocol port to 1701 (the L2TP port) and click Next.

Figure 4.27 IP Protocol Ports

26. Check the Edit properties box and click Finish to complete the filter wizard.

Figure 4.28 Completing IP Filter Wizard

27. Click OK to finish the settings.

Figure 4.29 IP Filter Properties

28. Click OK to finish the settings.

Figure 4.30 IP Filter List

29. Choose Outside in the IP filter list and click Next.

Figure 4.31 IPsec Filter List

30. Click Add to set up an action for this rule.

Figure 4.32 New Filter Rule

31. The Filter Action Wizard appears; click Next.

Figure 4.33 New IP Security Filter Wizard

32. Type Outside as the name and click Next.

Figure 4.34 Filter Action Name

33. Choose Negotiate security and click Next.

Figure 4.35 General Options

34. Choose Do not communicate with computers that do not support IPsec and click Next.

Figure 4.36 Communicating with Computers

35. Choose Encryption and Integrity and click Next.

Figure 4.37 IP Traffic Security Policies

36. Uncheck Edit properties and click Finish.

Figure 4.38 Completing IP Security Filter Wizard

37. Select Outside from the filter actions list and click Next.

Figure 4.39 Filter Action

38. Choose Use this string to protect the key exchange (preshared key), type the pre-shared key and click Next.

Figure 4.40 Authentication Method

39. Choose Outside for the filter action and click Next.

Figure 4.41 Completing Security Rule

40. Now you can see the Outside rule. Click OK.

Figure 4.42 IPsec Rules

41. Click IP Security Policies on Local Computer.

Figure 4.43 New Created Security Policy

42. Right-click the new policy in the console and choose Assign.

Figure 4.44 Assigned Policy

43. Now you can see that the policy is assigned and active.

Figure 4.45 Policy Activated

44. Save the settings.
4.3.8 Step 6 Try to Connect

1. After typing the username and password, click Connect.

Figure 4.46 Connecting

2. The client verifies the username and password.

Figure 4.47 Verifying

3. The client registers your computer on the network.

Figure 4.48 Completing

4. The connection status window appears.

Figure 4.49 Connection Status

4.3.9 Step 7 Test VPN

Figure 4.50 Connection Details

C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=237ms TTL=255
Reply from 192.168.1.1: bytes=32 time=360ms TTL=255
Reply from 192.168.1.1: bytes=32 time=340ms TTL=255
Reply from 192.168.1.1: bytes=32 time=314ms TTL=255
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 237ms, Maximum = 360ms, Average = 312ms

Branch#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 184/210/248 ms
Branch#show ip interface brief
Branch#show interfaces Virtual-Access2.1
Virtual-Access2.1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Cloned from Virtual-Template1
  Vaccess status 0x0
  Protocol l2tp, tunnel id 47589, session id 981
  Keepalive set (10 sec)
     151 packets input, 8066 bytes
     132 packets output, 3575 bytes
  Last clearing of "show interface" counters never
Branch#show vpdn tunnel packets
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
47589     (counters omitted)

The IPsec state shows that the L2TP tunnel is in fact protected: IKE completed with the client, and the IPsec flow covers exactly UDP traffic to port 1701 between the two endpoints.

Branch#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 203.0.113.17 port 500
  IKE SA: local 203.0.113.34/500 remote 203.0.113.17/500 Active
  IPSEC FLOW: permit 17 host 203.0.113.34 host 203.0.113.17 port 1701
        Active SAs: 2, origin: dynamic crypto map
Branch#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
Peer            I/F     Username   Group/Phase1_id   Uptime    Status
203.0.113.17    Fa0/0              203.0.113.17      00:12:02  UA
Branch#show crypto isakmp key
(output omitted)
Branch#show crypto isakmp peers
Peer: 203.0.113.17 Port: 500 Local: 203.0.113.34
 Phase1 id: 203.0.113.17
Branch#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.34    203.0.113.17    QM_IDLE           1001 ACTIVE
Branch#show crypto ipsec transform-set
Transform set tset: { esp-3des esp-sha-hmac }
   will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
   will negotiate = { Transport, },
Branch#show crypto isakmp policy
Global IKE policy
Protection suite of priority 5
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Branch#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: l2tpmap, local addr 203.0.113.34
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)
   remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)
   current_peer 203.0.113.17 port 500
     PERMIT, flags={}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
     local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.17
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: (omitted)
     PFS (Y/N): N, DH group: none
   [output omitted]

After another ping through the tunnel the encaps/decaps counters of the SA increase, showing that the L2TP traffic is really carried inside ESP:

C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=237ms TTL=255
Reply from 192.168.1.1: bytes=32 time=360ms TTL=255
Reply from 192.168.1.1: bytes=32 time=340ms TTL=255
Reply from 192.168.1.1: bytes=32 time=314ms TTL=255
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 237ms, Maximum = 360ms, Average = 312ms

Branch#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: l2tpmap, local addr 203.0.113.34
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)
   remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)
   current_peer 203.0.113.17 port 500
  • 127. IPsec VPN Page | 79 IPsec VPN 9 Internet Protocol Security (IPsec) is a network security protocol suite. It provides strong authentication, data encryption, data origin authentication and data integrity features. It can use as network-to-network, host-to-host, and host-to-network over the public network (Internet). It works at the network layer of the OSI model to provide end-to-end security. In 1992, IETF started to create an open and freely available security protocol for Internet Protocol (IP). It is officially standardized by IETF. It was specified in RFC 1825 [8]. The IP is used at the network layer of the OSI model to deliver datagrams over the public network. There are two versions of IP: IPv4 and IPv6. IPv4 is a 32-bits while IPv6 is a 128-bits IP addressing protocol. The Network Address Translation (NAT) is used with IPv4 in private networks to save the public IP addresses as well as to provide security in a way that it hides the public addresses during communication. Today, NAT is widely deployed in home gateways, as well as in other locations likely to be used by telecommuters, such as hotels [9]. The fast growth of the Internet has shattered the IPv4 addresses. In 1990, the IETF has introduced IPv6 protocol with new features in terms of simple header format, larger address space, built-in security, efficient routing and better QoS [10]. The Internet Service Providers (ISPs) are trying to replace their IPv4 networks with IPv6 gradually. This transition is very slow because there are millions of devices in around the world. IPv6 is a next-generation IP network. IPsec provides security to both versions of IP. In this project, the focus is on IPv4. 9/5 (%',%''(% IPsec is an open standard protocol suite. It uses different types of protocols to provide security. 
These protocols are: Authentication Header (AH), Encapsulating Security Payload (ESP), Security Associations (SA), Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE/IKEv2).

AH provides connectionless data integrity, data origin authentication for IP datagrams and protection against replays [11]. It does not encrypt data packets; the payload is transported in clear text. Data integrity means assurance that the data is not altered during transmission over the network. Before sending the data, the sender calculates a 32-bit, unique numeric hash value of the data by using a hashing algorithm such as MD5 or SHA-1 and sends this hash value along with the data. Hashing is a one-way process [12]. On the receiving side, the receiver verifies the hash value by re-calculating the hash of the received data. If both hash values are equal, the integrity of the data is maintained and there was no tampering with the data during transmission; if the hash values differ, the integrity has been compromised and the receiver discards the data. The anti-replay protection ensures, by using sequence numbers, that each packet is unique and not a duplicate. Origin authentication means knowing who is on the other side: the device on the other side of the tunnel must be verified before the path is considered secure. The sender sends data (a certificate) encrypted with its private key, and the receiver verifies that data by decrypting it with the sender's public key for authentication. There are three authentication methods:
1. Pre-shared Key
2. RSA Signature
3. RSA Encrypted Nonce
In pre-shared key authentication, the same key is configured on each IPsec peer. In RSA signature authentication, different keys (a private key and a public key) are used to encrypt and decrypt digitally; this is also called digital certificates. The digital signature and digital certificate are forwarded to the other side. Finally, in RSA encrypted nonce authentication, a nonce (a random number generated by the peer) is encrypted and exchanged between the peers, and this nonce is used during the peer authentication process.

ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service and limited traffic flow confidentiality [13]. The set of services provided depends on the options selected at the time of Security Association (SA) establishment. It encrypts the payload to provide confidentiality. It supports several encryption algorithms, most of them symmetric. DES (56-bit) is the basic symmetric encryption algorithm; 3DES and AES are also supported for stronger encryption. ESP can be used alone or in combination with AH.

The SA is a logical group of security parameters. It is used to establish and share security attributes between two entities to provide secure communication. These attributes are the cryptographic algorithm, the mode and the encryption key. The SA is established by using ISAKMP.
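The receiver-side checks described above (integrity verification of the authenticated region, then the sequence-number anti-replay window) can be shown on a single ESP packet. The following is an added example written for this chapter, not code from the book or from any IPsec implementation; it assumes HMAC-SHA1-96 as the integrity algorithm (RFC 2404) and the 64-packet sliding window of RFC 4303, and it leaves encryption out so that only the integrity and anti-replay logic is visible.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12        # HMAC-SHA1-96: the ICV is the digest truncated to 96 bits (RFC 2404)
WINDOW_SIZE = 64    # minimum anti-replay window size recommended by RFC 4303


def compute_icv(key: bytes, authenticated: bytes) -> bytes:
    """ICV over the authenticated region: SPI || sequence number || payload."""
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: ESP header (SPI, seq) + payload + ICV. Payload is constructed, not encrypted here."""
    body = struct.pack("!II", spi, seq) + payload
    return body + compute_icv(key, body)


class ReplayWindow:
    """Sliding window (RFC 4303 section 3.4.3): bit 0 is the highest sequence number accepted."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.right = 0    # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (right - i) already received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # the first packet on an SA carries seq 1
            return False
        if seq > self.right:               # advance the window; drop bits that fall off the left
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:            # too old: left of the window
            return False
        if self.bitmap & (1 << offset):    # duplicate inside the window
            return False
        self.bitmap |= 1 << offset         # late but unseen: accept and mark
        return True


def receive(key: bytes, window: ReplayWindow, packet: bytes):
    """Receiver side: verify the ICV first so forged packets never touch the window."""
    if len(packet) < 8 + ICV_LEN:
        return False, "truncated"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(key, body), icv):
        return False, "bad ICV"
    _spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):
        return False, "replay"
    return True, "ok"
```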
ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations [14]. It only provides a framework for authentication and key exchange. It is implemented either by manual configuration with a pre-shared key or by IKE. During the establishment of a secure connection between two nodes, security parameters such as keys must be shared over the network. Two methods are used for key exchange: manual and automatic. The manual method is neither secure nor scalable [15]. Therefore, a protocol is needed to exchange or establish security parameters dynamically. IKE is the protocol used to set up a security association dynamically. It uses X.509 certificates for authentication, either pre-shared or distributed, and the Diffie-Hellman key exchange algorithm to share a secret key between nodes over the public network.

5.2 IPsec Modes

IPsec can be configured in two different modes:
1. Transport Mode
2. Tunnel Mode

Transport mode is used to provide end-to-end security; communication between a client and a server is the best example. In this mode, only the payload of the IP packet is encrypted or authenticated. The original IP header is neither encrypted nor modified, except that the IP protocol field is changed to ESP (50) or AH (51). The payload is encapsulated by the IPsec ESP header and trailer, as displayed in Fig. 5.1. Transport mode is usually used when another tunneling protocol (such as GRE or L2TP) first encapsulates the IP data packet and IPsec is then used to protect the tunnel packets; that is, IPsec protects the GRE or L2TP tunnel traffic in transport mode. ESP is identified in the original IP header with an IP protocol ID of 50.
Figure 5.1 Transport Mode IPsec Encapsulation
Tunnel mode is the default mode. It is used to provide security between gateways (router, PIX or ASA). In this mode, the entire original IP packet is protected: it is encapsulated with the IPsec ESP header and trailer, a new IP header is added, and the result is sent to the other side of the tunnel, as shown in Fig. 5.2. ESP is identified in the new IP header with an IP protocol ID of 50. Tunnel mode supports NAT traversal.
Figure 5.2 Tunnel Mode IPsec Encapsulation
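The difference between the two encapsulations in Fig. 5.1 and Fig. 5.2 is easiest to see on the bytes. The following added example (written for this chapter, not code from the book or from any IPsec product) builds a minimal IPv4/TCP packet and wraps it in ESP both ways; encryption and the ICV are left out so that only the header layout is shown, the IP checksum is left at zero, and the addresses, SPI and padding scheme are constructed values.

```python
import struct

ESP, AH, IPV4_IN_IP, TCP = 50, 51, 4, 6   # IP protocol numbers


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options; header checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def esp_wrap(spi: int, seq: int, inner: bytes, next_header: int, block: int = 4) -> bytes:
    """ESP header (SPI, seq) + inner data + trailer (padding, pad length, next header)."""
    pad_len = (-(len(inner) + 2)) % block          # pad so that data + 2 trailer bytes fills a block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer


def transport_mode(packet: bytes, spi: int, seq: int) -> bytes:
    """Fig. 5.1: keep the original IP header, protocol field becomes 50, ESP carries only the payload."""
    hdr, payload = packet[:20], packet[20:]
    esp = esp_wrap(spi, seq, payload, hdr[9])       # original protocol moves into the trailer
    new_hdr = hdr[:2] + struct.pack("!H", 20 + len(esp)) + hdr[4:9] + bytes([ESP]) + hdr[10:]
    return new_hdr + esp


def tunnel_mode(packet: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Fig. 5.2: the whole original packet goes inside ESP, under a new gateway-to-gateway IP header."""
    esp = esp_wrap(spi, seq, packet, IPV4_IN_IP)    # next header 4: an IPv4 packet is inside
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp


def describe(packet: bytes):
    """What an observer on the path sees: (outer protocol, outer src, outer dst, ESP next header)."""
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    return packet[9], src, dst, packet[-1]
```

In transport mode the outer addresses are still the two hosts (which is why it does not survive NAT well), while in tunnel mode only the gateway addresses are visible and the inner packet, including its header, is carried whole.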
5.3 Site-to-Site IPsec VPN Configuration
5.3.1 Tasks
- Assign IP addresses according to the topology
- Configure IP Routing
- Configure NAT
- Test Connectivity
- Configure IPsec VPN Tunnel on both sides
- Test VPN
5.3.2 Topology
Figure 5.3 Site-to-Site IPsec VPN Setup
5.3.3 Step 1
Assign IP addresses on the routers' interfaces and the PCs.
Figure 5.4 PC-1 IP Addressing
Figure 5.5 PC-2 IP Addressing
5.3.4 Step 2