Christian Tettamanti, ing. HES

VPN - Virtual Private Network

Start date: 01.02.2002
Duration: 1+1 years

Project team:
• Stefano Ventura, prof. HES
• Christian Tettamanti, ing. HES
• Pascal Gachet, ing. HES
• Gérald Litzistorf, prof. HES
• Philippe Logean, ing. HES
• Nicolas Sadeg, ing. HES

VPN - Goals Of The Project

VPN Project (Open Source)
• Phase I: Protocols
• Phase II: Authentication
• Phase III: Deployment

VPN - Goals Of The Project
Phase I Protocols

• Phase I
– Research and study of remote access solutions
– Secure access on the internal private network
– Interoperability tests
– Study of VPN protocols (L2TP, PPTP, IPSec)
– LAN-to-LAN and HOST-to-LAN scenarios

VPN - Goals Of The Project
• Phase I Protocols
– PPTP: point-to-point tunneling protocol
– L2TP: layer 2 tunneling protocol
– IPSEC: IP security protocols
  • IKE: authentication
  • AH: integrity
  • ESP: confidentiality, integrity

VPN - Goals Of The Project
Phase II Authentication

• Phase II
– Research and study of secure authentication mechanisms
– Study of Public Key Infrastructure (PKI)
– Interoperability tests

VPN - Goals Of The Project
Phase III Deployment

• Phase III
– Deployment
  • LAN-to-LAN between EIG and TCOM
  • HOST-to-LAN at EIVD

VPN – Open Source Software
Different solutions based on Open Source

• Server OS: Slackware Linux
• Firewall: Netfilter/iptables
• Gateway VPN: OpenSwan
• PKI Authority: OpenCA
• VPN Clients: Win2K: SSH Sentinel*; Linux: OpenSwan

*Free License for universities

VPN – Scenario 1

[Diagram, LAN-to-LAN: EIG – Proprietary Solutions (VPN GW, network 10.5.0.0/16) connected through the internet by a VPN tunnel to EIVD – Open Source Solutions (VPN GW, network 10.4.1.0/24)]

VPN – Scenario 2

[Diagram, HOST-to-LAN: Remote Client (VPN Client 10.4.2.20) connected through the internet by a VPN tunnel to EIVD – Open Source Solutions (VPN GW, network 10.4.1.0/24)]

VPN – Scenario 3

[Diagram, combined scenario: EIG – Proprietary Solutions (VPN GW, network 10.5.0.0/16) connected through the internet by a VPN tunnel to EIVD – Open Source Solutions (VPN GW, network 10.4.1.0/24); a second VPN tunnel across the internet connects the EIVD VPN GW to a remote VPN Client 10.4.2.20]

VPN – Remote Client Authentication

[Diagram: remote client with dynamic IP 193.x.x.x and virtual IP 10.4.2.20, IPSec tunnel across the internet to the VPN GW in front of network 10.4.1.0/24]

• The remote client authenticates itself to the VPN gateway
• The authentication is based on X.509 certificates
• The client acquires a private IP address with DHCP-over-IPSEC
• The remote client is part of the internal private network

VPN – DHCP-over-IPSec
• Internet Draft: draft-ietf-ipsec-dhcp-13.txt

[Diagram: remote client, VPN GW acting as DHCP Relay, and internal DHCP Server. Security associations shown in order: ISAKMP SA: Main Mode Auth.; DHCP SA: Life Time = 20 sec., carrying the DHCP DISCOVER from the client via the DHCP Relay to the DHCP Server; ESP SA: 10.4.2.20. Network labels on the diagram: 10.4.1.0/16, 10.4.2.20, 10.4.0.0/15]

VPN – NAT-Traversal
• Internet Drafts: draft-ietf-ipsec-udp-encaps-03.txt, draft-ietf-ipsec-nat-t-03.txt

[Diagram, two cases:
– intelligent NAT box: ESP and IKE with one client
– NAT with ESP encapsulated in UDP (port 4500): ESP and IKE with n clients]
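Added example, not part of the original slides: a small demultiplexer for datagrams received on UDP port 4500, following the rule of the UDP-encapsulation draft cited above (an IKE message is preceded by four zero octets, an ESP packet starts with its non-zero SPI, and a single 0xFF octet is a NAT keepalive). Useful for a gateway operator or an NIDS such as the Snort sensor in the final architecture to tell IKE, ESP and keepalive traffic apart per client behind one NAT. The sample datagrams and addresses are constructed for the example.

```python
"""Classify UDP/4500 payloads as IKE, UDP-encapsulated ESP or NAT keepalive.
Added example; sample data below is constructed, not from a real capture."""
import struct
from dataclasses import dataclass
from typing import Optional

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero octets that precede an IKE message on port 4500
NAT_KEEPALIVE = b"\xff"               # one-octet keepalive that refreshes the NAT mapping
ISAKMP_HEADER_LEN = 28                # cookies (16) + next/version/xchg/flags (4) + msgid (4) + length (4)


@dataclass
class Classified:
    kind: str                          # "ike", "esp", "keepalive" or "invalid"
    spi: Optional[int] = None          # ESP SPI; 0 is reserved, so it never collides with the marker
    seq: Optional[int] = None          # ESP sequence number
    ike_spi_i: Optional[bytes] = None  # 8-octet ISAKMP initiator cookie


def classify_udp4500_payload(payload: bytes) -> Classified:
    """Demultiplex one UDP payload received on port 4500."""
    if payload == NAT_KEEPALIVE:
        return Classified("keepalive")
    if len(payload) < 8:
        # Too short for an ESP header (SPI + sequence) or for marker + IKE header
        return Classified("invalid")
    if payload[:4] == NON_ESP_MARKER:
        # IKE: the marker must be followed by a complete ISAKMP header
        if len(payload) < len(NON_ESP_MARKER) + ISAKMP_HEADER_LEN:
            return Classified("invalid")
        return Classified("ike", ike_spi_i=payload[4:12])
    # Otherwise the first 4 octets are a non-zero ESP SPI, then the sequence number
    spi, seq = struct.unpack("!II", payload[:8])
    return Classified("esp", spi=spi, seq=seq)


def summarize(datagrams):
    """Count kinds and collect ESP SPIs; each datagram is (src_ip, src_port, payload)."""
    counts = {"ike": 0, "esp": 0, "keepalive": 0, "invalid": 0}
    spis = set()
    for _src, _sport, payload in datagrams:
        c = classify_udp4500_payload(payload)
        counts[c.kind] += 1
        if c.kind == "esp":
            spis.add(c.spi)
    return counts, spis


# Constructed sample: two clients behind one NAT (198.51.100.10), distinct source ports
SAMPLE = [
    ("198.51.100.10", 4500, NON_ESP_MARKER + b"\x11" * 8 + b"\x00" * 20),     # IKE, client A
    ("198.51.100.10", 4500, struct.pack("!II", 0xABCD, 1) + b"\xaa" * 32),    # ESP, client A
    ("198.51.100.10", 4501, struct.pack("!II", 0xEF01, 1) + b"\xbb" * 32),    # ESP, client B
    ("198.51.100.10", 4500, NAT_KEEPALIVE),                                   # keepalive
    ("198.51.100.10", 4500, b"\x00\x00\x00\x00\x01"),                         # marker, no header
]
```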

VPN – Encountered Problems
• PKI
– Token Integration

• Internet Service Provider (ISP)
– Firewalls
– Routing

• NAT routers
– Intelligent Box
– Stupid Box
  • NAT-Traversal
  • ESP UDP Encapsulation

VPN – Gateway VPN Capabilities

IKE:
  Encryption algorithm:  aes-256bit
  Integrity function:    SHA-2
  DH Group:              MODP 1536 (group 5)
  PKI authentication:    OK

IPSEC – ESP (AH):
  Encryption algorithm:  aes-256bit
  Integrity function:    HMAC-SHA-2
  DH Group:              MODP 1536 (group 5)

Other:
  DHCP over IPSEC:       OK
  NAT-Traversal:         OK

VPN – Final Architecture

[Diagram. EIG side (EIG VPN area): NIDS Snort, PKI OpenCA, GW Clavister, FireWall IPtables, DC W2K. Internet in the middle. EIVD side (EIVD VPN area): PKI USB Key, GW VPN OpenSwan, Protected Area, Remote client]

VPN – SSH Sentinel Configuration
[Image-only slide]

VPN – PKI Certificate Configuration
[Image-only slide]

VPN – SA Life & NAT Configuration
[Image-only slide]

VPN – IKE & ESP Configuration
[Image-only slide]

VPN – Connection example
[Image-only slide]

VPN – Network Interfaces
Before VPN Connection
[Image-only slide]

After VPN Connection
[Image-only slide]
