This document provides an introduction to virtual private networks (VPNs). It defines a VPN as an encrypted connection between private networks over a public network. The document outlines several key VPN services, including confidentiality, integrity, authentication, availability, and anti-replay. It also discusses VPN advantages such as data security, private network access, bandwidth, cost reduction, and deployment flexibility. Finally, it introduces different VPN types, protocols, and supported devices.
Page | ii
Acknowledgment
All books are the product of team work, and I thank all the members of the
Scholars Press publisher, including the project editor, friends, seniors,
colleagues, and my teachers.
I specially acknowledge Dr. Muhammad Yousaf, Assistant Professor at the
Riphah Institute of Systems Engineering, Islamabad. He guided, motivated,
and encouraged me in my research work.
I also acknowledge Miss Muntaha Sohail, Lecturer in the English Department,
University of Sargodha, Sub-Campus Mandi Bahauddin. She minutely and
skillfully proofread this book.
Learning Outcomes
This book covers virtual private network technologies, both theoretical and
practical. As a study guide, it demonstrates how VPNs actually work and how
they are implemented in different lab scenarios, step by step. Its objective
is to teach students and professionals in an easy way. The reader learns not
only the theory of VPNs but also the Cisco IOS based practical implementation
of several types of VPN in the home and office.
There are several types of VPN with different scenarios. After studying this
book, the reader will be familiar with almost all types of VPN and will be
able to implement them in different scenarios in the office and at home.
Introduction
1 Virtual Private Network
A Virtual Private Network (VPN) is a secure, reliable, logical connection
created over a public network (the Internet). CISCO defines a VPN as an
encrypted connection between private networks over a public network [1]. The
connection is virtual, not physical: it extends a private network across a
shared or public network so that a computer can send and receive data safely
as if it were directly connected to the private network, even though it is
not. This is done by establishing a virtual connection, the tunnel, through
the Internet.
1.1 VPN Services
VPNs provide different types of security services through different security
protocols. These services are:
1. Confidentiality
2. Integrity
3. Authentication
4. Availability
5. Anti-replay
1.1.1 Confidentiality
Confidentiality means secrecy: the data is not disclosed to anyone,
intentionally or unintentionally, during transmission. In network security
it is provided by encryption, the process in which the plaintext (original
text) is transformed by an encryption algorithm, a key, and a mode of
operation into ciphertext. The ciphertext is what travels over the insecure
network; somebody who captures it cannot read it without the key. On the
receiving side the reverse process, decryption, takes place: the same
algorithm and the matching key recover the original text. There are several
encryption algorithms. Some (stream ciphers) work on the data bit by bit or
byte by byte; the rest (block ciphers) work block by block. There are two
kinds of key. With symmetric encryption the same key is used to encrypt and
to decrypt, so the two VPN peers must share it. With asymmetric encryption a
key pair is used, one private key and one public key: data encrypted with
the public key can only be decrypted with the matching private key, and data
encrypted (signed) with the private key can be verified with the public key.
The mechanism, or mode of operation, defines how the algorithm and key are
applied to the data. VPN products commonly offer these encryption
algorithms:
1. DES (Data Encryption Standard)
2. 3DES (Triple Data Encryption Standard)
3. AES (Advanced Encryption Standard)
Of these only AES is still considered secure: the 56-bit DES key can be found
by brute force, and 3DES is deprecated. A new deployment should use AES.
1.1.2 Integrity
Integrity means that the data is not modified or altered by an unauthorized
person during transmission; the receiver gets exactly what the sender sent.
In network security it is provided by hashing. Hashing is a one-way process
in which a fixed-length hash value is calculated from the data with a
specific algorithm (128 bits for MD5, 160 bits for SHA-1, 256 bits for
SHA-256). The hash value is transmitted along with the data. On the receiving
side, the receiver recalculates the hash of the received data with the same
algorithm and compares it with the value that came with the data. If the
values are the same, integrity has not been compromised; if they differ by
even one bit, the data was altered in transit and the receiver discards it.
Because anybody who can alter the data can also recompute an unkeyed hash,
VPN protocols such as IPsec use a keyed hash (HMAC) computed with a key that
only the two peers know; that is what prevents an attacker from forging both
the data and its hash. Hashing algorithms found in VPN products are:
1. MD5 (Message Digest 5)
2. SHA-1 (Secure Hash Algorithm 1)
3. SHA-2 (SHA-256 and longer)
MD5 and SHA-1 are broken with respect to collisions and should be replaced by
SHA-2 wherever the configuration allows it.
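The difference between the unkeyed hash described above and the keyed hash (HMAC) that VPN protocols actually rely on, as an added Python example that is not part of the original book. The message, the shared key and the URL paths in it are constructed for the demonstration:

```python
import hashlib
import hmac

# Constructed sample message and shared key for the demonstration (not from the book).
MESSAGE = b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
SHARED_KEY = b"k3y-sh4r3d-by-both-vpn-peers"


def digest_bits(algorithm: str) -> int:
    """Length in bits of the digest `algorithm` produces (md5 -> 128, sha1 -> 160, ...)."""
    return hashlib.new(algorithm).digest_size * 8


def plain_hash_check(data: bytes, received_hash: bytes, algorithm: str = "sha256") -> bool:
    """The scheme as the text describes it: the sender ships data plus an unkeyed hash."""
    return hashlib.new(algorithm, data).digest() == received_hash


def forge_with_plain_hash(tampered: bytes, algorithm: str = "sha256") -> tuple:
    """An on-path attacker who can alter the data can recompute an unkeyed hash just as easily."""
    return tampered, hashlib.new(algorithm, tampered).digest()


def hmac_tag(key: bytes, data: bytes, algorithm: str = "sha256") -> bytes:
    """Keyed digest as IPsec ESP uses it (HMAC-SHA-256 here); only holders of `key` can produce it."""
    return hmac.new(key, data, algorithm).digest()


def hmac_check(key: bytes, data: bytes, received_tag: bytes, algorithm: str = "sha256") -> bool:
    # compare_digest is constant-time, so the comparison does not leak how many leading bytes matched.
    return hmac.compare_digest(hmac_tag(key, data, algorithm), received_tag)


def demo() -> tuple:
    """Returns (unkeyed hash accepts a forgery, HMAC rejects tampering, HMAC accepts genuine data)."""
    tampered = MESSAGE.replace(b"/payroll", b"/admin")
    forged_data, forged_hash = forge_with_plain_hash(tampered)
    plain_accepts_forgery = plain_hash_check(forged_data, forged_hash)
    tag = hmac_tag(SHARED_KEY, MESSAGE)
    hmac_rejects_tamper = not hmac_check(SHARED_KEY, tampered, tag)
    hmac_accepts_genuine = hmac_check(SHARED_KEY, MESSAGE, tag)
    return plain_accepts_forgery, hmac_rejects_tamper, hmac_accepts_genuine


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        print(f"{name}: {digest_bits(name)}-bit digest")
    print(demo())  # (True, True, True)
```

The first element of demo() is the weakness of the plain scheme: the forged packet verifies, because the hash carries no secret. The HMAC tag binds the data to the key the two peers negotiated, which is why IPsec integrity algorithms are written HMAC-MD5, HMAC-SHA-1 and so on rather than MD5 or SHA-1 alone.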
1.1.3 Authentication
Authentication is the technique that verifies the identity of a user or a
process, so that unauthorized users cannot access data or services. In this
process, the credentials provided by the user are compared with those
already stored in a user database. If the credentials match, the user is
authenticated and is then granted authorization for access; if they do not
match, access is denied. Authentication may be local or remote. In local
authentication the credentials are stored on the same machine (for example,
in the router's own configuration), while in remote authentication the user
credentials are stored on a separate authentication server. The access
device (the VPN server) forwards the user's credentials to the
authentication server, which responds with accept or reject; the access
device grants access on accept and denies it on reject. For security, the
Challenge Handshake Authentication Protocol (CHAP) is used between the user
and the access device: the device sends a random challenge and the user
returns a hash of the challenge combined with the secret, so the password
itself never crosses the link, and a captured response cannot be replayed
against a later challenge. Commonly used remote authentication servers are:
1. TACACS+ (Terminal Access Controller Access Control System Plus)
2. RADIUS (Remote Authentication Dial-In User Service)
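The CHAP challenge/response exchange with both sides' messages, as an added Python example that is not part of the original book. It follows the RFC 1994 response computation, MD5 over the identifier, the secret and the challenge; the user database, user names and secrets are constructed for the demonstration:

```python
import hashlib
import hmac
import os

# Constructed credential store for the demonstration (not from the book): name -> CHAP secret.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 2.2: Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Authenticator side (the access server, or the RADIUS/TACACS+ server it forwards to)."""

    def __init__(self, user_db: dict):
        self.user_db = user_db
        self._pending = {}   # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> tuple:
        """Emit a CHAP Challenge packet: a fresh identifier and a random challenge value."""
        identifier = self._next_id & 0xFF
        self._next_id += 1
        challenge = os.urandom(16)
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Consume the Response packet; each challenge is usable exactly once."""
        challenge = self._pending.pop(identifier, None)
        secret = self.user_db.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class Peer:
    """Peer side (the VPN or dial-in client). The secret itself never crosses the link."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(auth: Authenticator, peer: Peer) -> bool:
    identifier, challenge = auth.challenge()               # Challenge packet
    name, response = peer.respond(identifier, challenge)    # Response packet
    return auth.verify(identifier, name, response)          # Success or Failure packet


def replay_attempt(auth: Authenticator, peer: Peer) -> tuple:
    """A sniffed Response is useless later: the challenge it answers has been consumed."""
    identifier, challenge = auth.challenge()
    name, response = peer.respond(identifier, challenge)
    return auth.verify(identifier, name, response), auth.verify(identifier, name, response)


if __name__ == "__main__":
    server = Authenticator(USER_DB)
    print(run_exchange(server, Peer("alice", USER_DB["alice"])))    # True
    print(run_exchange(server, Peer("alice", b"wrong secret")))     # False
    print(replay_attempt(server, Peer("alice", USER_DB["alice"])))  # (True, False)
```

Two properties worth noticing: the authenticator must be able to recompute MD5(identifier || secret || challenge), so it has to hold the secret in the clear (or an equivalent), which is why a compromised RADIUS/TACACS+ database is as bad as a plaintext password file; and MS-CHAP v1/v2, which PPTP and L2TP use in the following chapters, replace this MD5 step with an NT-hash and DES construction whose weaknesses are discussed there.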
1.1.4 Availability
Availability provides reliable and timely access to data and resources. Once
a VPN is connected, its security association has a lifetime (24 hours, or
86,400 seconds, by default for IKE on Cisco IOS), after which the keys are
renegotiated transparently, so the user can access data or services at any
time while the VPN connection is up.
1.1.5 Anti-replay
Anti-replay is the technique by which the receiver verifies that each packet
is unique and not a duplicate. The sender numbers the packets with a
monotonically increasing sequence number carried in the security header; the
receiver keeps a sliding window of the sequence numbers it has already
accepted and checks every arriving packet against it. A packet whose
sequence number was already seen, or which is older than the window, is
discarded, so an attacker who captures valid (encrypted and authenticated)
packets cannot inject them again later.
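The receiver-side sliding window described above, as an added Python example that is not part of the original book. It follows the scheme IPsec ESP uses (a 64-packet window by default); the packet stream it is run on is constructed:

```python
class AntiReplayWindow:
    """Receiver-side sliding window as used by IPsec ESP/AH (RFC 4303, Appendix A style)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0    # bit k set  <=>  sequence number (highest - k) was already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window, else False."""
        if seq <= 0:
            return False                      # ESP never sends sequence number 0
        if seq > self.highest:
            shift = seq - self.highest        # slide the window to the right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False                      # duplicate (replay): drop
        self.bitmap |= 1 << offset            # late but new: accept and mark
        return True


def process(sequence_numbers, size: int = 64) -> list:
    """Run a whole constructed packet stream through one window; returns accept/drop per packet."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed stream: reordered packets are fine, duplicates and stale packets are not.
    stream = [1, 2, 3, 2, 5, 4, 4, 100, 40, 36, 37]
    for seq, ok in zip(stream, process(stream)):
        print(seq, "accept" if ok else "drop")
```

The window tolerates reordering (4 arriving after 5 is accepted) while still rejecting the replayed 2 and 4; after 100 arrives, 40 is still inside the 64-wide window but 36 is not. In a real implementation the check is made only after the packet's integrity tag has verified, otherwise an attacker could advance the window with forged sequence numbers and cause genuine packets to be dropped.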
1.2 VPN Advantages
VPN technology has heavily influenced the corporate sector through its many
advantages, which have made it a popular and widely deployed technology in
the industry. These advantages are:
1.2.1 Data Security
A public network (the Internet) is not a secure network, and it is not
possible to secure it as a whole. It is easy for a third party (an intruder)
to read or alter data as it moves across the public network, so data has to
be secured before it is sent over such a network. A VPN encapsulates the
data inside a security header (for example, the IPsec ESP header) before
transmitting it to its destination; encapsulated this way the data is
encrypted and integrity-protected, so it cannot be read or altered in
transit without detection. On the receiving side it is decapsulated.
1.2.2 Private Network Access
VPNs allow employees to securely access their company's private network or
data while travelling, outside the office, or at home. Many employees work
in branch offices and others work as teleworkers in the field, away from the
central site; when they need the company's data or services for business
operations, they can reach them securely through a VPN connection.
1.2.3 Bandwidth
Users or branch offices traditionally used leased lines such as E1, T1,
Frame Relay or Asynchronous Transfer Mode (ATM) circuits to reach the
company's data or services securely. Fractional leased lines typically
provided 128 Kbps, 256 Kbps or 512 Kbps (a full T1 is 1.544 Mbps and an E1
2.048 Mbps), and they are expensive. Users and branch offices need more
bandwidth for their services and advanced applications. Internet Service
Providers (ISPs) offer relatively high-bandwidth IP connections, such as
broadband Digital Subscriber Line (DSL) or cable access, on a shared basis,
over which a VPN can run.
1.2.4 Cost Reduction
ISPs provide relatively high-bandwidth IP connections, such as broadband DSL
or cable service, on a shared basis. As a result, many customers are
migrating their primary WAN connectivity to these services, or deploying
them as a secondary high-speed WAN circuit to augment their existing private
network. These shared high-bandwidth IP connections cost considerably less
than leased lines.
1.2.5 Deployment Flexibility
VPNs can be established quickly wherever an Internet access connection is
available. They offer a great degree of flexibility in connecting branch
offices, or users travelling outside the office or working at home.
1.3 VPN Types
A VPN can be built in different forms. In each, a secure connection is
created over a public network; this connection is often called a tunnel, and
all traffic passes through it. There are two basic types of VPN:
1. Remote Access VPN
2. Site-to-Site VPN
1.3.1 Remote Access VPN
In a remote access VPN a single user connects to a private network and
accesses its services and resources remotely. The connection between the
user and the private network passes over the Internet but is secure and
private. Home users and teleworkers usually use this type of VPN: an
employee uses a remote access VPN to connect to the company's private
network and remotely access files and resources on it while travelling.
1.3.2 Site-to-Site VPN
The site-to-site VPN type is mostly used in corporate networks. A company's
offices in different geographical locations use a site-to-site VPN to
connect their networks with the head office or with another branch office. A
device (router or firewall) acts as the VPN gateway in one branch office and
a similar device in the other; the tunnel is established between the two
gateways, and once it is up, every user in either branch office can use the
connection without running any VPN software.
1.4 VPN Protocols
Communication between two devices is described by the Open Systems
Interconnection (OSI) reference model, the universal standard proposed by the
International Organization for Standardization (ISO) in 1984. It consists of
seven layers, and each layer performs specific tasks through several
communication protocols, which are classified according to the layer they
belong to. VPN protocols are likewise classified according to the OSI
model's layers. These VPN protocols are:
1. PPTP (Point-to-Point Tunneling Protocol)
2. L2TP (Layer 2 Tunneling Protocol)
3. IPsec (Internet Protocol Security)
4. L2TP over IPsec
5. GRE (Generic Routing Encapsulation)
6. IPsec over GRE
7. TLS (Transport Layer Security)
8. SSL (Secure Sockets Layer, the predecessor of TLS)
PPTP, L2TP and GRE are tunnelling protocols only: by themselves they provide
no confidentiality, which is why in practice they are combined with IPsec
(or, for PPTP, with MPPE).
1.5 Supported Devices
A dedicated VPN device is the VPN concentrator, a networking appliance that
terminates VPN connections securely and delivers traffic between VPN nodes.
Other devices (routers, multi-layer switches, PIX and ASA firewalls, PCs,
smartphones and tablets) may also support VPNs, provided their operating
system has VPN support. Such devices and platforms come from multiple
vendors, for example CISCO, Juniper, Linksys and Microsoft, and from the
Linux and Mac operating systems. Because the network devices in this guide
run Cisco IOS, the book refers to the VPNs they provide as IOS based VPNs.
In this guide, CISCO devices (Router, PIX, ASA) and Windows based PCs are
used.
PPTP VPN
2 PPTP VPN
Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN techniques
in network security. Developed with the support of Microsoft (Matthew Ramsay
is credited as its originator), it had already shipped with Windows NT 4.0
before its specification was published as RFC 2637 in 1999 [2]. PPTP extends
the Point-to-Point Protocol (PPP), which transfers multi-protocol datagrams
over a point-to-point link. It uses the dial-up networking model, called a
Virtual Private Dial-up Network (VPDN), and is therefore most suited to
remote access VPNs; it also supports LAN internetworking. It operates at
layer 2 of the OSI model and works as a simply configured client/server
model. The client is normally a software client, available by default in
Microsoft Windows, Linux and Mac operating systems, which is why PPTP
remained popular for so long, especially on Windows computers. The control
connection is connection oriented and uses TCP port 1723, while the data
(the PPP frames) is carried in GRE, IP protocol 47; both must be allowed
through any firewall on the path. A tunnel is created in two steps:
1. First, the client connects to its ISP through any access service (dial-up,
ISDN, DSL modem or LAN).
2. Second, PPTP opens a TCP session between client and server to establish
the tunnel.
Once the PPTP tunnel is established between client and server, two types of
information pass through it. A unique Call ID value is assigned to each
session for its identification.
1. Control Messages: these are exchanged over the TCP control connection
between client and server to set up the tunnel, maintain the VPN connection
(for example, keepalives) and finally tear it down. Some of these control
messages are shown in Fig. 2.1 below.
2. Data Packets: the user's PPP frames, sent through the GRE tunnel in both
directions, from client to server and back.
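The first control message a PPTP client sends on TCP/1723, the Start-Control-Connection-Request, built and parsed with the checks a receiver should make, as an added Python example that is not part of the original book. The layout and the magic cookie value follow RFC 2637 section 2.1; the host name and vendor string are constructed:

```python
import struct

MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1                      # PPTP Message Type: 1 = control message
CONTROL_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}
# Every control message starts with: Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0.
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: Protocol Version, Reserved1, Framing Caps, Bearer Caps, Max Channels, Firmware Rev, Host Name, Vendor.
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")


def build_sccrq(hostname: str, vendor: str, framing: int = 3, bearer: int = 3,
                max_channels: int = 1, firmware: int = 1) -> bytes:
    """Build an SCCRQ (RFC 2637, section 2.1); framing/bearer 3 = async and sync, analog and digital."""
    body = SCCRQ_BODY.pack(0x0100, 0, framing, bearer, max_channels, firmware,
                           hostname.encode("ascii"), vendor.encode("ascii"))
    return HEADER.pack(HEADER.size + len(body), MSG_TYPE_CONTROL, MAGIC_COOKIE, 1, 0) + body


def parse_control(data: bytes) -> dict:
    """Parse and validate one control message; raises ValueError on anything malformed."""
    if len(data) < HEADER.size:
        raise ValueError("truncated PPTP header")
    length, msg_type, magic, ctrl_type, _ = HEADER.unpack_from(data)
    if magic != MAGIC_COOKIE:
        raise ValueError("bad magic cookie: desynchronised stream or not PPTP")
    if msg_type != MSG_TYPE_CONTROL:
        raise ValueError(f"unsupported PPTP message type {msg_type}")
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes on the wire")
    if ctrl_type not in CONTROL_TYPES:
        raise ValueError(f"unknown control message type {ctrl_type}")
    msg = {"control_type": ctrl_type, "control_type_name": CONTROL_TYPES[ctrl_type]}
    if ctrl_type == 1:
        if length != HEADER.size + SCCRQ_BODY.size:
            raise ValueError("SCCRQ must be exactly 156 bytes")
        version, _, framing, bearer, max_channels, firmware, host, vendor = \
            SCCRQ_BODY.unpack_from(data, HEADER.size)
        msg.update(version=version, framing=framing, bearer=bearer, max_channels=max_channels,
                   firmware=firmware, hostname=host.rstrip(b"\x00").decode("ascii", "replace"),
                   vendor=vendor.rstrip(b"\x00").decode("ascii", "replace"))
    return msg


def is_rejected(data: bytes) -> bool:
    """True when the parser refuses `data` (exercises the validation paths)."""
    try:
        parse_control(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    packet = build_sccrq("vpn-client-01", "example-vendor")   # constructed sample
    print(len(packet), parse_control(packet))
```

The magic cookie is not a security feature, only a resynchronisation aid on the TCP stream, and the 64-byte host name and vendor fields are exactly the kind of attacker-controlled strings a server implementation has to bound-check; the parser above therefore trusts the Length field only after comparing it with what actually arrived.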
2.1 Security
PPTP supports authentication, encryption and packet filtering. For
authentication, the PPP based protocols MS-CHAPv1, MS-CHAPv2, EAP-TLS and PAP
are used. PAP sends the password in the clear and MS-CHAPv1 is insecure;
EAP-TLS is the superior choice, but it requires a Public Key Infrastructure
with both client and server certificates. When MS-CHAPv1/v2 is used in PPTP,
the payloads are encrypted with Microsoft Point-to-Point Encryption (MPPE),
an RC4 stream cipher with 40-bit, 56-bit or 128-bit keys derived from the
MS-CHAP authentication, which enhances the confidentiality of the
PPP-encapsulated packets [3]. Packet filtering is implemented on the VPN
server.
Figure 2.1 PPTP Control Messages
2.2 Encapsulation
PPTP encapsulates the PPP frames in GRE inside an IP packet and uses a
separate TCP connection for tunnel management. The encapsulated PPP frames
may be encrypted, compressed, or both, as highlighted in Fig. 2.2.
Figure 2.2 PPTP Encapsulation
In 2012 the security of PPTP was broken in practice: the MS-CHAPv2 handshake
was shown to reduce to recovering a single 56-bit DES key, which can be
brute-forced for any captured session, and the MPPE keys are derived from
that same material. Microsoft has since advised against relying on PPTP with
MS-CHAPv2, and it should no longer be used [4].
2.3 Router as PPTP VPN Server
2.3.1 Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Test Connectivity
- Configure Router as a PPTP VPN Server
- Configure PC as a Microsoft PPTP VPN Client
- Try to Connect VPN Client
- Test VPN
2.3.2 Topology
Figure 2.3 PPTP VPN Setup
2.3.3 Step-1
Assign IP addresses on the router's interfaces and PC as mentioned above in
topology diagram 2.3. Interfaces must be enabled (in the up/up running
state).
Internet>enable
Internet#configure terminal
! interface type not legible in the source; FastEthernet assumed
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
! interface type not legible in the source; FastEthernet assumed
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
L2TP VPN
3 L2TP VPN
Layer 2 Tunneling Protocol (L2TP) was introduced in 1999 as the combination of
two earlier tunneling protocols: Layer 2 Forwarding (L2F) from CISCO Systems
and Point-to-Point Tunneling Protocol (PPTP) from Microsoft. It merges the
best features of both, so it can be seen as an extension of PPTP. It was
specified in RFC 2661 [5]. L2F was a tunneling protocol developed to
establish VPNs over the public network (the Internet), specially designed to
tunnel PPP traffic; like L2TP, it provides no encryption by itself. In 2005
a new version, L2TPv3, was introduced with additional security features,
improved encapsulation and the ability to carry data-link layers other than
PPP over the network. Its specification is RFC 3931 [6].
The entire L2TP packet, header and payload, is sent inside a User Datagram
Protocol (UDP) datagram on port 1701. It is common to carry a PPP session
within an L2TP tunnel. L2TP does not provide strong authentication or
confidentiality by itself, so the IPsec protocol is often used with it to
provide strong confidentiality, authentication and integrity; the
combination of the two is generally known as L2TP/IPsec. L2TP allows a VPDN
to be created to connect remote clients to their corporate network over the
different access services provided by ISPs. It operates at layer 2 of the
OSI model and works as a client/server model.
The two endpoints of an L2TP tunnel are called the LAC (L2TP Access
Concentrator) and the LNS (L2TP Network Server). The LNS waits for new
tunnels. The LAC sits between an LNS and a remote system and forwards the
remote system's packets to the server. Once the tunnel is established
between the peers, network traffic moves in both directions. Packets
exchanged within the tunnel are characterized as either control packets or
data packets; L2TP delivers control packets reliably (with sequence numbers
and retransmission) but does not guarantee delivery of data packets. If
reliability is desired for the data, it has to be provided by another
protocol running within the session, such as TCP in the tunnelled traffic.
In this tunneling technique a tunnel is created in two steps:
1. A control connection is established for the tunnel between the LAC and
the LNS.
2. A session is then established within the tunnel between client and
server.
During the setup of the L2TP tunnel, different types of control messages and
data messages are exchanged between the LAC and the LNS, as highlighted in
Fig. 3.1 below. The traffic of each session is kept separate by L2TP, so it
is possible to set up multiple sessions (virtual networks) over a single
tunnel. The Maximum Transmission Unit (MTU) of the tunnelled link stays the
same. Hello messages are sent to the peer as control messages every 60
seconds as a keepalive.
Figure 3.1 Tunnel Setup
Once the tunnel is established, PPP frames from the remote systems are
received at the LAC, which encapsulates them in L2TP and forwards them to
the LNS over the appropriate tunnel.
3.1 L2TP Security
L2TP supports authentication and encryption only through the protocols it
carries or is carried in. For authentication, the PPP based protocols
MS-CHAPv1, MS-CHAPv2, EAP-TLS and PAP are used. When MS-CHAPv1/v2 is used,
the PPP payloads can be encrypted with MPPE. When the L2TP packets are
protected by IPsec, Triple Data Encryption Standard (3DES) and Advanced
Encryption Standard (AES, up to 256-bit keys) are available, which is what
actually gives the PPP-encapsulated packets strong confidentiality.
3.2 Encapsulation
Data messages are used to encapsulate the PPP frames. These frames are
passed over an unreliable data channel: data is not retransmitted by L2TP
when a packet is lost. The entire PPP frame is encapsulated in an L2TP
header first, and the L2TP packet is then encapsulated in a UDP header, as
shown in Fig. 3.2 below.
Figure 3.2 L2TP Encapsulation
3.3 Router as L2TP VPN Server
3.3.1 Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Configure Router as a DNS Server
- Test Connectivity
- Configure Router as an L2TP VPN Server
- Configure PC as a Microsoft L2TP VPN Client
- Try to Connect VPN Client by Domain Name
- Test VPN
3.3.2 Topology
Figure 3.3 L2TP VPN Setup
3.3.3 Step-1
Assign IP addresses on the router's interfaces and PC as mentioned above in
topology diagram 3.3. Interfaces must be enabled (in the up/up running
state).
Internet>enable
Internet#configure terminal
! interface type not legible in the source; FastEthernet assumed
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
! interface type not legible in the source; FastEthernet assumed
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
L2TP over IPsec VPN
4 L2TP over IPsec VPN
L2TP does not provide strong authentication or confidentiality by itself. It
is often used with the IPsec protocol to provide strong confidentiality,
authentication and integrity; the combination of the two protocols is
generally known as L2TP/IPsec. IPsec is a protocol suite that works at the
network layer (layer 3) to provide secure communication between two peers
[7]. The suite consists of the IP Security Architecture, the Internet Key
Exchange (IKE), the IPsec Authentication Header (AH) and the IPsec
Encapsulating Security Payload (ESP). IKE is the key management protocol,
while AH and ESP are used to protect the IP traffic. They are discussed in
detail in the next part.
4.1 L2TP over IPsec Security
When L2TP is used over IPsec, its security is high. The client negotiates the
IPsec Security Association (SA), usually through IKE, which is carried over
UDP port 500. Authentication uses a pre-shared key, a public key or
certificates. IPsec transport mode is used in this security mechanism. IPsec
supports a variety of encryption standards (DES, 3DES, AES) for data
confidentiality, and a range of data integrity algorithms (MD5, SHA).
4.2 Encapsulation
The connection is established between two endpoints. Here, the L2TP packets
are encapsulated by the IPsec header, as displayed in Fig. 4.1 below.
Figure 4.1 L2TP over IPsec Encapsulation
Since the L2TP packet is wrapped inside the IPsec header, a device between the
endpoints cannot gather any information about the inner L2TP packet, so it is
not necessary to open UDP port 1701 on firewalls between the endpoints. The
inner packet is not acted upon until the IPsec data has been decrypted and
stripped, which only takes place at the endpoints.
4.3 Router as L2TP over IPsec VPN Server
4.3.1 Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Test Connectivity
- Configure Router as an L2TP over IPsec VPN Server
- Configure PC as a Microsoft L2TP over IPsec VPN Client
- Try to Connect VPN Client
- Test VPN
4.3.2 Topology
Figure 4.2 L2TP over IPsec VPN Setup
4.3.3 Step-1 Assign IP Addresses
Assign IP addresses on the router's interfaces and the PC as mentioned above in
topological diagram 4.2. Interfaces must be enabled (in the up-running state).
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
10. When the IP Security Policy Wizard appears, please click Next.
Figure 4.12 IP Security Policy Wizard
11. Type a suitable name in the name field and click Next.
Figure 4.13 IP Security Policy Name
12. Uncheck Activate the default response rule and click Next.
Figure 4.14 Request for Secure Communication
13. When the following window appears, please check Edit properties and click Finish.
Figure 4.15 Completing IP Security Policy
14. In the Properties window there is a default rule <Dynamic>. Please click Add.
Figure 4.16 Filter Rules
15. When the Security Rule Wizard appears, please click Next.
Figure 4.17 Creating New Security Rule
18. Add an IP filter list to this rule by clicking Add.
Figure 4.20 Add New Filter List
19. Type the name and click Add.
Figure 4.21 IP Filter List for Outside
20. When the IP Filter Wizard appears, please click Next.
Figure 4.22 New IP Filter Wizard
21. Type a filter description and click Next.
Figure 4.23 IP Filter Description
22. Choose A specific IP Address, type the address (source) and click Next.
Figure 4.24 IP Traffic Source
23. Choose A specific IP Address, type the address (destination) and click Next.
Figure 4.25 IP Traffic Destination
24. Choose UDP as the protocol type. Click Next.
Figure 4.26 IP Protocol Types
25. Set the port number to 1701 and click Next.
Figure 4.27 IP Protocol Ports
26. Check the box Edit properties and click Finish to complete the filter wizard.
Figure 4.28 Completing IP Filter Wizard
27. Click OK to finish the settings.
Figure 4.29 IP Filter Properties
28. Click OK to finish the settings.
Figure 4.30 IP Filter List
29. Choose the filter list created above in the IP filter list and click Next.
Figure 4.31 IPsec Filter List
30. Click Add to set up the action for this rule.
Figure 4.32 New Filter Rule
31. The Filter Action Wizard will appear; then please click Next.
Figure 4.33 New IP Security Filter Wizard
32. Type the name and click Next.
Figure 4.34 Filter Action Name
33. Choose Negotiate security and click Next.
Figure 4.35 General Options
34. Choose Do not communicate… and click Next.
Figure 4.36 Communicating with Computers
35. Choose Encryption and integrity and click Next.
Figure 4.37 IP Traffic Security Policies
5 IPsec VPN
Internet Protocol Security (IPsec) is a network security protocol suite. It
provides strong authentication, data encryption, data origin authentication
and data integrity. It can be used network-to-network, host-to-host and
host-to-network over the public network (Internet). It works at the network
layer of the OSI model to provide end-to-end security. In 1992, the IETF
started to create an open and freely available security protocol for the
Internet Protocol (IP); it was officially standardized by the IETF and
specified in RFC 1825 [8]. IP is used at the network layer of the OSI model to
deliver datagrams over the public network. There are two versions of IP, IPv4
and IPv6: IPv4 uses 32-bit addresses, while IPv6 uses 128-bit addresses.
Network Address Translation (NAT) is used with IPv4 in private networks to
conserve public IP addresses and also to provide some security, in that it
hides the private addresses during communication. Today, NAT is widely
deployed in home gateways, as well as in other locations likely to be used by
telecommuters, such as hotels [9].
The rapid growth of the Internet has exhausted the IPv4 address space. In
1990, the IETF introduced the IPv6 protocol with new features: a simpler
header format, a larger address space, built-in security, efficient routing
and better QoS [10]. Internet Service Providers (ISPs) are trying to replace
their IPv4 networks with IPv6 gradually. The transition is very slow because
there are millions of devices around the world. IPv6 is the next-generation IP
network. IPsec provides security for both versions of IP; in this project, the
focus is on IPv4.
5.1 Security Architecture
IPsec is an open-standard protocol suite. It uses several protocols to provide
security: Authentication Header (AH), Encapsulating Security Payload (ESP),
Security Associations (SA), Internet Security Association and Key Management
Protocol (ISAKMP) and Internet Key Exchange (IKE, IKEv2).
AH provides connectionless data integrity, data origin authentication for IP
datagrams and protection against replays [11]. It does not encrypt the data
packets: the payload is transported in clear text. Data integrity means
assurance that the data has not been altered during transmission over the
network. Before sending the data, the sender calculates a 32-bit numeric and
unique hash value of the data using hashing algorithms such as MD5 or SHA-1,
and sends this hash value along with the data. Hashing is a one-way process
[12]. On the receiving side, the receiver verifies the hash value by
recalculating it over the received data. If both hash values are equal, the
integrity of the data is maintained and the data was not tampered with during
transmission; if the hash values differ, the integrity has been compromised
and the receiver discards the data. Anti-replay protection uses sequence
numbers to ensure that each packet is unique and not duplicated. Data origin
authentication means knowing who is on the other side: the device on the
other side of the tunnel must be verified before the path is considered
secure. The sender sends data (a certificate) encrypted with its private key,
and that data is verified at the receiver end by decrypting it with the
sender's public key for authentication. There are three authentication
methods:
1. Pre-shared Key
2. RSA Signature
3. RSA Encryption Nonce
In pre-shared key authentication, the same key is configured on each IPsec
peer. In RSA signature authentication, different keys (a private key and a
public key) are used to sign and verify digitally; this is also referred to as
digital certificates. The digital signature and digital certificate are
forwarded to the other side. Finally, in RSA encrypted nonce authentication, a
nonce (a random number generated by the peer) is encrypted and exchanged
between the peers, and this nonce is used during the peer authentication
process.
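The AH integrity, anti-replay and origin-authentication services described above, as an added Python example (written for this page, not the thesis's code). It builds an IP | AH | payload datagram, computes the ICV over the fields that do not change in transit, and checks for replays with a 64-packet sliding window. One detail the passage glosses over: the AH ICV is a keyed MAC (here HMAC-SHA-256 truncated to 128 bits), not a bare MD5 or SHA-1 hash, and it is the shared key that provides the origin authentication. The key and the addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

IPPROTO_UDP = 17
IPPROTO_AH = 51
ICV_LEN = 16        # HMAC-SHA-256-128: the 256-bit MAC truncated to 16 bytes (RFC 4868)
WINDOW = 64         # anti-replay window, in packets


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000,
                       ttl, proto, 0, src, dst)


def ah_immutable_view(ip_hdr):
    """Zero the header fields routers may change in transit (TOS, flags/fragment
    offset, TTL, checksum); AH's ICV covers everything else (RFC 4302 3.3.3.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(key, spi, seq, src, dst, inner_proto, payload):
    """Build IP | AH | payload. Payload Len is the AH length in 32-bit words minus 2."""
    ah_len = 12 + ICV_LEN
    ah_no_icv = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    covered = ah_immutable_view(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    icv = hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_no_icv + icv + payload


class AntiReplayWindow:
    """Sliding bitmap: every sequence number is accepted at most once, and anything
    more than `size` packets behind the highest number seen is rejected."""

    def __init__(self, size=WINDOW):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.top:                     # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size or (self.bitmap >> behind) & 1:
            return False                       # too old, or already received
        self.bitmap |= 1 << behind
        return True


def ah_verify(key, packet, window):
    """Recompute the ICV first; the replay window is only updated for authentic packets."""
    ip_hdr, ah = packet[:20], packet[20:]
    _next_hdr, plen, _rsv, _spi, seq = struct.unpack_from("!BBHII", ah, 0)
    ah_len = (plen + 2) * 4
    icv_recv, payload = ah[12:ah_len], ah[ah_len:]
    covered = ah_immutable_view(ip_hdr) + ah[:12] + bytes(len(icv_recv)) + payload
    expected = hmac.new(key, covered, hashlib.sha256).digest()[:len(icv_recv)]
    if not hmac.compare_digest(expected, icv_recv):
        return False, "bad ICV"
    if not window.check_and_update(seq):
        return False, "replay or too old"
    return True, payload


def demo():
    key = b"constructed-demo-key-not-for-real-use"     # a real SA key comes from IKE
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
    window = AntiReplayWindow()
    p1 = ah_protect(key, 0x1000, 1, src, dst, IPPROTO_UDP, b"udp payload")
    first = ah_verify(key, p1, window)[0]              # accepted
    replayed = ah_verify(key, p1, window)[0]           # same packet again: rejected
    tampered = bytearray(p1)
    tampered[-1] ^= 1                                  # flip one payload bit
    forged = ah_verify(key, bytes(tampered), window)[0]
    p2 = bytearray(ah_protect(key, 0x1000, 2, src, dst, IPPROTO_UDP, b"x"))
    p2[8] -= 1                                         # TTL decremented by a router in transit
    aged = ah_verify(key, bytes(p2), window)[0]        # still accepted: TTL is outside the ICV
    return first, replayed, forged, aged
```

The order of the two checks in `ah_verify` matters: a forged packet with a bogus sequence number must not be allowed to move the window, so the ICV is verified before the window is consulted.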
ESP provides confidentiality, data origin authentication, connectionless
integrity, an anti-replay service and limited traffic-flow confidentiality
[13]. The set of services provided depends on the options selected at the time
of Security Association (SA) establishment. ESP encrypts the payload to
provide confidentiality and supports several encryption algorithms, most of
them symmetric: DES (56-bit) is the basic symmetric encryption algorithm, and
3DES and AES are supported for stronger encryption. ESP can be used alone or
in combination with AH.
The SA is a logical group of security parameters. It is used to establish and
share security attributes between two entities so that they can communicate
securely. These attributes are the cryptographic algorithm, the mode and the
encryption key. The SA is established using ISAKMP.
ISAKMP defines the procedures and packet formats to establish, negotiate,
modify and delete Security Associations [14]. It only provides a framework for
authentication and key exchange; it is implemented either by manual
configuration with a pre-shared key or by IKE.
During the establishment of a secure connection between two nodes, some
security parameters, such as keys, need to be shared over the network. Two
methods are used for key exchange: manual and automatic. The manual method is
neither secure nor scalable [15]. Therefore, a protocol is needed to exchange
or establish security parameters dynamically: IKE is the protocol used to set
up a security association dynamically. It uses X.509 certificates for
authentication, either pre-shared or distributed, and a Diffie-Hellman key
exchange to share a secret key between the nodes over the public network.
5.2 Encapsulation
IPsec can be configured in two different modes:
1. Transport Mode
2. Tunnel Mode
Transport mode is used to provide end-to-end security; communication between
a client and a server is the best example. In this mode, only the payload of
the IP packet is encrypted or authenticated. The original IP header is neither
encrypted nor modified, except that the IP protocol field is changed to ESP
(50) or AH (51). The payload is encapsulated by the IPsec ESP header and
trailer, as displayed in Fig. 5.1. Transport mode is usually used when another
tunneling protocol (such as GRE or L2TP) first encapsulates the IP data packet
and IPsec is then used to protect the tunnel packets: IPsec protects the GRE
or L2TP tunnel traffic in transport mode. ESP is identified in the original IP
header by an IP protocol ID of 50.
Figure 5.1 Transport Mode IPsec Encapsulation
Tunnel mode is the default mode. It is used to provide security between
gateways (router, PIX or ASA). In this mode, the entire original IP packet is
protected: it is encapsulated with the IPsec ESP header and trailer, a new IP
header is added, and the packet is sent to the other side of the tunnel, as
shown in Fig. 5.2. ESP is identified in the new IP header by an IP protocol
ID of 50. Tunnel mode supports NAT traversal.
Figure 5.2 Tunnel Mode IPsec Encapsulation
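The following added Python example (written for this page, not the thesis's code) serves two passages: section 4.2's point that a firewall between the endpoints never sees UDP port 1701, and the transport-mode and tunnel-mode encapsulations of Figs. 5.1 and 5.2. It wraps a constructed UDP/1701 packet in ESP both ways, decapsulates it again, and shows what a filtering device can read from the outer header in each case. ESP framing follows RFC 4303; the cipher is a SHA-256 keystream stand-in for the AES/3DES the thesis names (it is not a standard cipher), and the keys, addresses and fixed IV are constructed sample values.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4     # Next Header of an ESP payload that is a whole IPv4 packet (tunnel mode)
IPPROTO_UDP = 17
IPPROTO_ESP = 50
ICV_LEN, IV_LEN = 16, 8


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, no options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000,
                       ttl, proto, 0, src, dst)


def keystream_xor(key, iv, data):
    """Stand-in for the AES/3DES the thesis names: a SHA-256 counter keystream XORed
    over the data. Constructed for this example only; a real SA uses its negotiated cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + iv + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_wrap(enc_key, auth_key, spi, seq, iv, plaintext, next_header):
    """SPI | Seq | IV | enc(plaintext | padding | pad-len | next-header) | ICV (RFC 4303)."""
    pad_len = (-(len(plaintext) + 2)) % 4            # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    hdr = struct.pack("!II", spi, seq) + iv
    enc = keystream_xor(enc_key, iv, plaintext + trailer)
    icv = hmac.new(auth_key, hdr + enc, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + enc + icv


def esp_unwrap(enc_key, auth_key, esp):
    hdr, enc, icv = esp[:8 + IV_LEN], esp[8 + IV_LEN:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, hdr + enc, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch")          # integrity checked before decryption
    dec = keystream_xor(enc_key, hdr[8:], enc)
    pad_len, next_header = dec[-2], dec[-1]
    return dec[:len(dec) - pad_len - 2], next_header


def transport_mode(keys, spi, seq, iv, ip_packet):
    """Fig. 5.1: keep the original IP header, protect only the layer-4 payload."""
    hdr, l4 = bytearray(ip_packet[:20]), ip_packet[20:]
    esp = esp_wrap(*keys, spi, seq, iv, l4, hdr[9])  # Next Header = original protocol
    hdr[9] = IPPROTO_ESP                             # protocol field now reads 50
    hdr[2:4] = struct.pack("!H", 20 + len(esp))
    return bytes(hdr) + esp


def transport_decap(keys, packet):
    hdr = bytearray(packet[:20])
    l4, next_header = esp_unwrap(*keys, packet[20:])
    hdr[9] = next_header
    hdr[2:4] = struct.pack("!H", 20 + len(l4))
    return bytes(hdr) + l4


def tunnel_mode(keys, spi, seq, iv, ip_packet, gw_src, gw_dst):
    """Fig. 5.2: protect the whole original packet behind a new gateway-to-gateway header."""
    esp = esp_wrap(*keys, spi, seq, iv, ip_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_decap(keys, packet):
    inner, next_header = esp_unwrap(*keys, packet[20:])
    if next_header != IPPROTO_IPIP:
        raise ValueError("tunnel-mode payload is not an IPv4 packet")
    return inner


def firewall_view(packet):
    """What a filtering device between the endpoints can read from the outer header."""
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    ports = struct.unpack("!HH", packet[20:24]) if proto == IPPROTO_UDP else None
    return ".".join(map(str, src)), ".".join(map(str, dst)), proto, ports


def demo():
    keys = (b"enc-key-constructed-for-demo", b"auth-key-constructed-for-demo")
    iv = b"\x00" * IV_LEN      # fixed IV only so the output is reproducible
    host_a, host_b = bytes([10, 0, 1, 10]), bytes([10, 0, 2, 10])
    gw_a, gw_b = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])
    l2tp = struct.pack("!HHHH", 1701, 1701, 8 + 5, 0) + b"l2tp!"   # UDP 1701 carrying L2TP
    clear = ipv4_header(host_a, host_b, IPPROTO_UDP, len(l2tp)) + l2tp
    tp = transport_mode(keys, 0x100, 1, iv, clear)
    tn = tunnel_mode(keys, 0x200, 1, iv, clear, gw_a, gw_b)
    return {"clear": firewall_view(clear), "transport": firewall_view(tp),
            "tunnel": firewall_view(tn),
            "transport_ok": transport_decap(keys, tp) == clear,
            "tunnel_ok": tunnel_decap(keys, tn) == clear}
```

In `demo()` the clear packet exposes protocol 17 and ports 1701/1701; the transport-mode packet exposes the same host addresses but only protocol 50 and no ports; the tunnel-mode packet exposes only the gateway addresses and protocol 50. A firewall rule for L2TP/IPsec therefore has to permit ESP (protocol 50) and IKE on UDP 500, not UDP 1701.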
5.3 Site-to-Site IPsec VPN
5.3.1 Objectives
- Assign IP addresses according to the topology
- Configure IP Routing
- Configure NAT
- Test Connectivity
- Configure IPsec VPN Tunnel on both sides
- Test VPN
5.3.2 Topology
Figure 5.3 Site-to-Site IPsec VPN Setup
5.3.3 Step-1 Assign IP Addresses
Assign IP addresses on the router's interfaces and the PC as mentioned above in
topological diagram 5.3. Interfaces must be enabled (in the up-running state).
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown