
Simulation & Data Transmission Laboratory

Data Transmission & Computer Networks Lab

LAB 3: VPN (VIRTUAL PRIVATE NETWORK)


I. General VPN theory

A VPN provides network connectivity over long distances. In some respects a VPN can be thought of as a WAN. The important characteristic of a VPN, however, is its ability to use an existing network such as the Internet instead of dedicated leased lines. VPN technology builds a restricted-access network while still using the cabling and routers of the public network; this is considered basic security. A VPN can be used in three different models:

Remote access client connection: a VPN can be designed to support protected remote access to the company network over the Internet, using a client/server model as follows:
- A client machine that wants to reach the company network must first connect to any ISP that provides Internet service.
- Next, the client initiates a connection to the company's VPN server. This connection is made by VPN client software installed on the remote host.
- As soon as the connection is established, the client can communicate with the systems inside the company (the other company machines) over the Internet as if it were a machine on the company's internal network.

LAN-to-LAN internetworking (site to site): beyond remote access, a VPN can bridge two LANs together to form an extended intranet. This solution requires a VPN server to VPN server connection.


Controlled access within an intranet: an intranet can also use VPN technology to provide controlled access to private subnets. In this mode the VPN server acts as the network's gateway. This method is particularly suitable for securing the network's WiFi segments.

The outstanding advantages of a VPN are its cost and the security it provides when used in networks with WiFi connections. Disadvantages:
- A VPN requires an understanding of security, installation and protective configuration against the public network or the Internet.
- Quality and reliability depend not only on what the company controls but are also affected by the ISPs.
- Equipment from different vendors is not always compatible, so cost is also an issue.

II. VPN protocols

- VPN technology relies on tunneling. VPN tunneling refers to establishing and maintaining a logical network connection (possibly with intermediate hops). Over this connection, packets are built in the format of the VPN protocol and encapsulated in another protocol (for example TCP/IP packets), then transmitted to the client or server and unpacked at the receiving end. Many VPN protocols encapsulate into IP packets. VPN protocols also support authentication and encryption to secure the tunnel.

- Types of VPN tunnels: VPNs support two tunnel types, voluntary and compulsory. With a voluntary tunnel the VPN client manages connection setup: the client first connects to the ISP, then the VPN application creates the tunnel to the VPN server over this direct connection. With a compulsory tunnel the network provider (ISP) manages VPN connection setup: the VPN client first connects to the ISP, and the ISP establishes the connection between the client and the VPN server. From the VPN client's point of view the connection takes only one step (compared with two steps for voluntary tunneling). Compulsory tunneling identifies the client and associates it with a designated VPN server through logical connections pre-built into the access devices, called VPN FEP (Front End Processor), NAS or POS.

VPN tunneling protocols: many network protocols are used for VPN tunneling. The three below are the most common, and they are not compatible with one another.

PPTP (Point-to-Point Tunneling Protocol) is a variant of the Point-to-Point Protocol used for transmission over dial-up networks. PPTP suits the remote-access use of VPN but also supports LAN internetworking. PPTP operates at layer 2 of the OSI model.

Using PPTP: PPTP encapsulates data in PPP packets, which are then placed inside IP packets and sent through the VPN tunnel. PPTP supports encrypting and compressing these data packets. PPTP also uses GRE (Generic Routing Encapsulation) to carry the data to its final destination. In PPTP the VPN tunnel is created in two steps:
- The PPTP client connects to the ISP over a dial-up or ISDN line.


- Through the access device, PPTP creates a TCP control connection between the VPN client and the VPN server to establish the tunnel. PPTP uses TCP port 1723 for these connections.

PPTP also supports VPN connections over a LAN. ISP connections are not needed in that case, so the tunnel can be created directly. Control messages manage and monitor the VPN connection, and can be exchanged directly between the VPN client and server. Data packets travel through the tunnel to the VPN client or out from the VPN client.

Once the VPN tunnel is established, PPTP supports two kinds of information:
- PPTP control connection: once the TCP connection is established, PPTP uses a sequence of control messages to maintain the VPN connection. The messages are listed in the table below.

PPTP security: PPTP also supports authentication, encryption and packet filtering. PPTP authentication uses EAP (Extensible Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol) and PAP (Password Authentication Protocol). PPTP also supports packet filtering on the VPN server.

Layer 2 Forwarding (L2F)

Layer 2 Forwarding (L2F) is a protocol developed by Cisco Systems at the same time Microsoft was developing PPTP. It lets remote hosts reach an organization's intranet over public network infrastructure with security and tight management. Like PPTP, L2F secures private network access over public infrastructure by building a tunnel across the public network between client and host. Because it is a layer 2 protocol, L2F can be used for protocols other than IP, such as IPX and NetBEUI.

Layer 2 Tunneling Protocol (L2TP)

L2TP combines PPTP and L2F. Compared with PPTP it has more features and is more secure. L2TP uses UDP as the encapsulation for both tunnel maintenance and user data. Whereas PPTP uses MPPE (Microsoft Point-to-Point Encryption) for encryption, L2TP relies on a stronger security solution: L2TP packets are protected by IPsec ESP in transport mode. L2TP can be placed inside an IPsec packet, combining the security strengths of IPsec with the benefits of user authentication, tunnel address assignment and configuration, and multi-protocol support from PPP. L2TP offers the flexibility and economy of remote access as well as the quick point-to-point connectivity of PPTP.

IP security (IPsec)

The IPsec architecture provides a framework for security at the IP layer for both IPv4 and IPv6. Because security is provided at this layer, higher-layer protocols such as transport and application protocols can use IPsec security without any changes. To encrypt and authenticate data, IPsec uses one or both of the following protocols:
- Authentication Header (AH): the packet header is encrypted and protected against IP spoofing and man-in-the-middle attacks. In this case, however, only the packet header is protected; the actual payload is not.
- Encapsulating Security Payload (ESP): the payload is encrypted, preventing hackers from eavesdropping on and intercepting the data.
Normally, to protect information carried over a public network, AH and ESP are combined.

III. Security in VPNs

A firewall is a solid barrier between the private network and the Internet. You can configure firewalls to restrict the number of open ports and the packet types and protocols allowed through. Some VPN products, such as Cisco's 1700 router, can be upgraded to include firewall features by running the appropriate Cisco IOS Internet operating system. It is best to install a good firewall before setting up the VPN.

Encryption means that when one computer encrypts data and sends it to another, only that computer can decrypt it. There are two kinds: private-key and public-key.

Private-key (symmetric-key) encryption: each computer has a secret key it uses to encrypt a packet before sending it to another computer on the network. Private-key encryption requires you to know which computers you are communicating with so the key can be installed on them, allowing the recipient's computer to decrypt.

Public-key encryption combines a private key and a public key. The private key is known only to your computer, while your computer gives the public key to any computer that wants to communicate with it (securely). To decrypt a message, a computer must use the public key supplied by the source computer together with its own private key. One very widely used application of this kind is Pretty Good Privacy (PGP), which lets you encrypt almost anything.

The Internet Protocol Security protocol (IPSec) provides advanced security features such as better encryption algorithms and more comprehensive authentication. IPSec has two encryption modes, Tunnel and Transport. Tunnel mode encrypts the header and the payload of each packet, while Transport mode encrypts only the payload. Only systems that support IPSec can take advantage of this protocol. In addition, all devices must use a common key and the firewalls on each system must have identical security settings. IPSec can encrypt data between many kinds of devices: router to router, firewall to router, PC to router and PC to server.

AAA server: AAA stands for Authentication, Authorization and Accounting. These servers are used to make access more secure. When a connection request arrives from a client, it must pass through the AAA server for checking. Information about users' activities is essential for monitoring for security purposes.
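As an added example (not code from the lab handout) tying together the protocols of Sections II and III, the following Python classifies constructed flow records by tunneling protocol, using the PPTP control port (TCP 1723) and the GRE, ESP and AH protocol numbers, and reports which endpoint pairs still rely on PPTP with MPPE rather than L2TP over IPSec as the lab recommends. The L2TP UDP port 1701 is an assumption not stated on the page.

```python
"""Classify VPN tunnel flows by protocol (added example, not from the lab handout).
The flow records at the bottom are constructed for illustration."""
from dataclasses import dataclass

# IP protocol numbers and ports of the tunneling protocols described in Section II.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT = 1723   # stated in the lab: PPTP control connection
L2TP_PORT = 1701           # assumption: the standard L2TP-over-UDP port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0

def classify(flow):
    """Return the VPN tunneling protocol a flow belongs to, or 'other'."""
    ports = {flow.sport, flow.dport}
    if flow.proto == PROTO_TCP and PPTP_CONTROL_PORT in ports:
        return "pptp-control"
    if flow.proto == PROTO_GRE:
        return "pptp-data"      # PPP frames carried inside GRE
    if flow.proto == PROTO_UDP and L2TP_PORT in ports:
        return "l2tp"           # tunnel maintenance and user data both in UDP
    if flow.proto == PROTO_ESP:
        return "ipsec-esp"      # payload encrypted
    if flow.proto == PROTO_AH:
        return "ipsec-ah"       # header protected, payload not encrypted
    return "other"

# Plain PPTP protects data only with MPPE; the lab recommends L2TP over IPSec instead.
WEAK = {"pptp-control", "pptp-data"}

def vpn_inventory(flows):
    """Count flows per VPN protocol and list the endpoint pairs still using PPTP."""
    counts, weak_peers = {}, set()
    for f in flows:
        kind = classify(f)
        counts[kind] = counts.get(kind, 0) + 1
        if kind in WEAK:
            weak_peers.add(tuple(sorted((f.src, f.dst))))
    return counts, sorted(weak_peers)

# Constructed sample flows using the addresses from the site-to-site exercise.
SAMPLE_FLOWS = [
    Flow("20.0.0.2", "20.0.0.1", PROTO_TCP, 49152, 1723),        # ROUTER2 -> ROUTER1 control
    Flow("20.0.0.2", "20.0.0.1", PROTO_GRE),                     # tunneled PPP data
    Flow("192.167.5.72", "192.167.5.2", PROTO_UDP, 1701, 1701),  # L2TP from a client
    Flow("192.167.5.72", "192.167.5.2", PROTO_ESP),              # IPsec ESP protecting L2TP
    Flow("192.167.5.72", "192.167.5.1", PROTO_TCP, 50000, 80),   # ordinary web traffic
]
```

Running vpn_inventory(SAMPLE_FLOWS) yields one flow in each class except "ipsec-ah" and lists the 20.0.0.1/20.0.0.2 pair as the PPTP tunnel to migrate.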


IV. Setting up a remote access VPN client

Consider the model below, with 5 machines playing different roles in the virtual private network:

- A computer running Windows Server 2003, Enterprise Edition, named DC1, acting as a domain controller, a DNS (Domain Name System) server, a DHCP (Dynamic Host Configuration Protocol) server and a certification authority (CA).
- A computer running Windows Server 2003, Standard Edition, named VPN1, acting as the VPN server. VPN1 has 2 network adapters installed.
- A computer running Windows Server 2003, Standard Edition, named IAS1, acting as a RADIUS (Remote Authentication Dial-in User Service) server for remote access users.
- A computer running Windows Server 2003, Standard Edition, named IIS1, acting as a web and file server.
- A computer running Windows XP Professional, named CLIENT1, acting as the remote access client.

To save machines, however, we combine DC1, IAS1 and IIS1 on one shared server. Only the VPN server keeps 2 network cards, set up as follows: SIM01 is a computer running Windows Server 2003, Standard Edition, providing VPN server services to the VPN clients. To configure SIM01 as the VPN server, perform the following steps:
1. Install Windows Server 2003, Standard Edition on the machine as a member server named SIM01 in the domain DET1.
2. Open the Network Connections folder.
3. For the internal Intranet connection, rename the connection to "Mang Cong ty". For the Internet connection, rename it to "Internet".
4. Configure TCP/IP for the Mang Cong ty connection with IP address 192.167.6.2, subnet mask 255.255.255.0 and DNS server address 192.167.6.1.
5. Configure TCP/IP for the Internet connection with IP address 192.167.5.2 and subnet mask 255.255.255.0.
6. Run Routing and Remote Access from the Administrative Tools folder.

7. In the console tree, right-click SIM01 and select Configure and Enable Routing and Remote Access.
8. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.
9. On the Configuration page, Remote access (dial-up or VPN) is selected by default.
10. Click Next. On the Remote Access page, select VPN.
11. Click Next. On the VPN Connection page, click the Internet interface under Network interfaces.
12. Click Next. On the IP Address Assignment page, Automatically is selected by default.
13. Click Next. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server.
14. Click Next. On the RADIUS Server Selection page, type 192.167.6.1 in Primary RADIUS server and the shared secret in Shared secret.
15. Click Next. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
16. You will receive a message prompting you to configure the DHCP Relay Agent.
17. Click OK.
18. In the console tree, open SIM01 (local), then IP Routing, then DHCP Relay Agent. Right-click DHCP Relay Agent and select Properties.
19. In the DHCP Relay Agent Properties dialog box, type 192.167.6.1 in Server address.
20. Click Add, then OK.

Client setup

CLIENT1 is a computer running Windows XP Professional, acting as a VPN client that accesses Intranet resources remotely over the Internet. To configure CLIENT1 as the client, perform the following steps:
1. On CLIENT1, with Windows XP Professional installed, use the administrator account to change the machine's IP address to 192.167.5.(x+50), where x is the machine's seat number (for example, machine 22 gets IP 192.167.5.72).
2. In Subnet mask, type 255.255.255.0.
3. Click OK to save the TCP/IP changes. Click OK to save the changes to the Local Area Network connection.
4. Restart CLIENT1 and log on with the student account.
5. On CLIENT1, open the Network Connections folder from Control Panel.
6. Under Network Tasks, select Create a new connection.
7. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
8. On the Network Connection Type page, select Connect to the network at my workplace.


9. Click Next. On the Network Connection page, select Virtual Private Network connection.
10. Click Next. On the Connection Name page, type VPN Client in Company Name.
11. Click Next. On the VPN Server Selection page, type 192.167.6.2 in Host name or IP address.


12. Click Next. On the Completing the New Connection Wizard page, click Finish. The Connect VPN Client dialog box appears.
13. Click Properties, then click the Networking tab.
14. On the Networking tab, under Type of VPN, click PPTP VPN.


15. Click OK to save the changes to the VPN Client connection. The VPN Client dialog box appears.
16. In User name, type DET1/vpnuser. In Password, type your password for the vpnuser account.
17. Click Connect.
18. When the connection completes, run Internet Explorer.
19. Use ipconfig /all to determine whether the IP address of the VPN Client connection lies within the defined address range.
20. Use the ping command and check the result.
21. Use the command tracert 192.167.5.1 and check the result.
22. In the RUN window, type //192.167.5.1/ROOT to view the shared folders.
23. Right-click the VPN client connection and click Disconnect.

V. Setting up site to site

In this section we connect two LAN models to each other using a point-to-point VPN (PPTP). In practice, however, to increase security one should use L2TP over IPSec or IPSec. The model consists of 5 computers in different roles, but some can be dropped; in the exercise below we use 3 or 4 machines. Suppose a company has its head office in Ha Noi and a branch in Ho Chi Minh City. Two machines are therefore needed as clients on the two LANs, two machines each with two network cards act as ROUTER1 and ROUTER2, and one machine acts as the ROUTER in the Internet (this machine can be omitted by assigning IPs directly so that ROUTER1 and ROUTER2 are on the same network).


See the figure:

Here 4 hubs are used, but to save equipment we use 2 hubs, with the two LANs sharing one hub but assigned different IP addresses.
- CLIENT1: IP 192.167.6.5, subnet mask 255.255.255.0, on the Ha Noi LAN.
- ROUTER1: has two network cards
  - Internal card: IP 192.167.6.4, subnet mask 255.255.255.0
  - External card: IP 20.0.0.1, subnet mask 255.0.0.0
- ROUTER2: has two network cards
  - Internal card: IP 192.167.5.2, subnet mask 255.255.255.0
  - External card: IP 20.0.0.2, subnet mask 255.0.0.0
- CLIENT2: actually the server acting as Domain Controller, web server, file server and DNS, with IP 192.167.5.1 and subnet mask 255.255.255.0.

Exercise: CLIENT1 pings CLIENT2 (192.167.5.1). Explain the result.

Configuring ROUTER2:
1. On ROUTER2 (the machine named SIM01), click Administrative Tools and select Routing and Remote Access.
2. Right-click SIM01 (Local) in the console tree and select Configure and Enable Routing and Remote Access.
3. Click Next on the Routing and Remote Access Server Setup Wizard page.
4. On the Configuration page, select Remote Access (Dial-up or VPN).


5. Click Next. On the Remote Access page, select VPN and click Next.
6. On the VPN Connection page, select the card facing the Internet (LAN External) and check Enable Security.
7. Click Next. On the IP Address Assignment page, select From a specified range of addresses. Click Next.


8. On the Address Range Assignment page, click New. Type the start address and the end address. This is the range of addresses the VPN server assigns when a new connection arrives (Network Interface in Routing and Remote Access).
9. Click OK. On the Address Range Assignment page, click Next.
10. On the Managing Multiple Remote Access Servers page, select No, use Routing and Remote Access to authenticate connection requests.


11. On the Completing the Routing and Remote Access Server Setup page, click Finish.

Next we configure the demand-dial interface:
1. In Routing and Remote Access, select SIM01 and right-click Network Interfaces.
2. Select New Demand-dial Interface to open the Demand-Dial Interface Wizard, and click Next.
3. On the Interface name page, type vpn_hanoi (note: the name must match the user declared earlier). Click Next.


4. On the Connection Type page, select Connect using virtual private networking (VPN).
5. Click Next. On the VPN Type page, select Point-to-Point Tunneling Protocol (PPTP). Click Next.


6. On the Destination Address page, type 20.0.0.1 (the address of ROUTER1, that is, the Ha Noi VPN server) in Host name or IP address.
7. Click Next. On the Protocols and Security page, check both items as shown in the figure.
8. Click Next. On the Static Routes for Remote Networks page, click Add.
9. In the dialog box, type the Ha Noi LAN network address and subnet mask.
10. Click OK. On the Address Range Assignment page, click Next.

11. On the Dial In Credentials page, type the password Mophong618 twice.
12. Click Next. On the Dial Out Credentials page, type the user name vpn_hcm, the account used to dial into the Ha Noi LAN. Because the Ha Noi LAN does not use an Active Directory domain, leave Domain blank.
13. Click Next. On the Completing the Demand-Dial Interface Wizard page, click Finish.

If a message says the user already exists, click Yes.

Configuring ROUTER1 (SIM02): the same as the configuration for ROUTER2, with only a few changes to note:

- Replace the address range with the Ha Noi network's addresses (192.167.6.100 to 110).


- Replace vpn_hanoi with vpn_hcm in Interface name.
- Replace the destination with the address 20.0.0.2 (the Internet address of the HCM network).
- Replace the static route with the HCM LAN address 192.167.5.0; the subnet mask stays 255.255.255.0. The password for vpn_hcm stays Mophong618.
- Replace vpn_hcm with vpn_hanoi in the dial-out credentials; the password does not change.



Configuring the remote access policy: on both ROUTER1 and ROUTER2, in Routing and Remote Access click Remote Access Policies, right-click Connections to Microsoft Routing and Remote Access server and select Properties. On the Settings tab, select Grant remote access permission. Then click OK.

Make the connection and test: right-click the connection just created under Network Interfaces and select Connect.

After connecting, perform:
- The command ipconfig /all. Determine the IP of each interface.
- The ping command from CLIENT1 to CLIENT2.
- The command tracert 192.167.6.5. Explain the meaning of the information received.
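To automate the ipconfig /all check above and step 19 of Section IV, here is an added example (not part of the lab handout) that parses a constructed Windows XP ipconfig /all listing and tests whether the PPP adapter's address falls inside the pool the site-to-site exercise assigns to the Ha Noi side (192.167.6.100 to 110). The adapter name "VPN Client" is the connection name from Section IV; the listing itself is constructed.

```python
"""Check that a VPN connection received an address from the configured pool.
Added example for this lab's verification steps; the ipconfig output is constructed."""
import ipaddress
import re

# Constructed `ipconfig /all` excerpt in the layout Windows XP prints on CLIENT1.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : client1

Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.167.5.72
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.167.5.2

PPP adapter VPN Client:
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        IP Address. . . . . . . . . . . . : 192.167.6.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        DNS Servers . . . . . . . . . . . : 192.167.6.1
"""

FIELD_RE = re.compile(r"^\s+(.+?)[\s.]*:\s*(.*)$")   # "  Key . . . : value"

def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` output."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()          # e.g. "PPP adapter VPN Client"
            adapters[current] = {}
        elif current is not None and (m := FIELD_RE.match(line)):
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters

def vpn_address_in_pool(text, connection, pool_start, pool_end):
    """True if the PPP adapter for `connection` got an address in [pool_start, pool_end]."""
    fields = parse_ipconfig(text).get(f"PPP adapter {connection}")
    if not fields or "IP Address" not in fields:
        return False                             # tunnel not up or no address assigned
    addr = ipaddress.ip_address(fields["IP Address"])
    return ipaddress.ip_address(pool_start) <= addr <= ipaddress.ip_address(pool_end)

if __name__ == "__main__":
    # The site-to-site exercise assigns the Ha Noi side the pool 192.167.6.100-110.
    print(vpn_address_in_pool(SAMPLE_IPCONFIG, "VPN Client", "192.167.6.100", "192.167.6.110"))
```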
