See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/330313436

Virtual Private Networks in Theory and Practice

Book · March 2018

Author: Zeeshan Ashraf, University of Lahore


All content following this page was uploaded by Zeeshan Ashraf on 11 January 2019.

Dedication
This book is dedicated to my parents and my family.

Page | i
Acknowledgment
All books are the product of team work and I thank all the members of the
Scholars Press publisher, including the project editor, friends, seniors,
colleagues, and my teachers.

I specially acknowledge Dr. Muhammad Yousaf, Assistant Professor of
Riphah Institute of Systems Engineering, Islamabad. He guided, motivated,
and encouraged me in my research work.

I also acknowledge Miss Muntaha Sohail, Lecturer in English Department,
University of Sargodha, Sub-Campus Mandi Bahauddin. She minutely and
skillfully proofread this book.

Contents
Chapter 1 Introduction
1 Virtual Private Network ........................................................................ 2
1.1 VPN Services .................................................................................... 2
1.1.1 Confidentiality......................................................................... 2
1.1.2 Integrity ................................................................................... 3
1.1.3 Authentication ......................................................................... 3
1.1.4 Availability .............................................................................. 4
1.1.5 Anti-Replay ............................................................................. 4
1.2 VPN Advantages .............................................................................. 4
1.2.1 Data Security ........................................................................... 4
1.2.2 Private Network Access .......................................................... 4
1.2.3 Bandwidth ............................................................................... 5
1.2.4 Cost Reduction ........................................................................ 5
1.2.5 Deployment Flexibility ........................................................... 5
1.3 VPN Types........................................................................................ 5
1.3.1 Remote Access VPN ............................................................... 5
1.3.2 Site-to-Site VPN...................................................................... 5
1.4 VPN Protocols .................................................................................. 6
1.5 VPN Supported Devices ................................................................... 6
Chapter 2 PPTP VPN
2 PPTP VPN ............................................................................................. 8
2.1 PPTP Security ................................................................................... 8
2.2 Encapsulation .................................................................................... 9
2.3 Router as a PPTP VPN Server........................................................ 10
2.3.1 Lab Objectives ...................................................................... 10
2.3.2 Topology ............................................................................... 10
2.3.3 Step-1 IP Addressing............................................................. 10
2.3.4 Step-2 Configuring Static IP Routing ................................... 12
2.3.5 Step-3 Connectivity Testing.................................................. 13

2.3.6 Step-4 Configuring Router as a PPTP VPN Server .............. 14
2.3.7 Step-5 Configuring & Setting of PPTP VPN Client ............. 15
2.3.8 Step-6 Connecting VPN Client ............................................. 19
2.3.9 Step-7 Testing ....................................................................... 21
Chapter 3 L2TP VPN
3 L2TP VPN ........................................................................................... 25
3.1 L2TP Security ................................................................................. 26
3.2 Encapsulation .................................................................................. 27
3.3 Router as a L2TP VPN Server........................................................ 28
3.3.1 Lab Objectives ...................................................................... 28
3.3.2 Topology ............................................................................... 28
3.3.3 Step-1 IP Addressing............................................................. 28
3.3.4 Step-2 Configuring Static IP Routing ................................... 30
3.3.5 Step-3 Configuring Router as a DNS Server ........................ 31
3.3.6 Step-4 Testing Connectivity.................................................. 31
3.3.7 Step-5 Configuring Router as a L2TP VPN Server .............. 33
3.3.8 Step-6 Configuring & Setting L2TP VPN Client ................. 34
3.3.9 Step-7 Connecting VPN Client ............................................. 36
3.3.10 Step-8 Testing ....................................................................... 38
Chapter 4 L2TP over IPsec VPN
4 L2TP over IPsec VPN ......................................................................... 42
4.1 L2TP over IPsec Security ............................................................... 42
4.2 Encapsulation .................................................................................. 42
4.3 Router as an L2TP over IPsec VPN Server .................................... 44
4.3.1 Lab Objectives ...................................................................... 44
4.3.2 Topology ............................................................................... 44
4.3.3 Step-1 IP Addressing............................................................. 44
4.3.4 Step-2 Configuring Static IP Routing ................................... 46
4.3.5 Step-3 Testing Connectivity.................................................. 47
4.3.6 Step-4 Configuring Router as an L2TP over IPsec VPN...... 48

4.3.7 Step-5 Configuring & Setting L2TP over IPsec VPN Client 49
4.3.8 Step-6 Connecting VPN Client ............................................. 70
4.3.9 Step-7 Testing ....................................................................... 72
Chapter 5 IPsec VPN
5 IPsec VPN ........................................................................................... 79
5.1 IPsec Security Architecture ............................................................ 79
5.2 Encapsulation .................................................................................. 81
5.3 Site-to-Site IPsec VPN b/w Routers ............................................... 83
5.3.1 Lab Objectives ...................................................................... 83
5.3.2 Topology ............................................................................... 83
5.3.3 Step-1 IP Addressing............................................................. 83
5.3.4 Step-2 Configuring Static IP Routing ................................... 86
5.3.5 Step-3 Configuring NAT ...................................................... 88
5.3.6 Step-4 Testing Connectivity.................................................. 89
5.3.7 Step-5 Configuring Site-to-Site IPsec VPN Tunnel ............. 90
5.3.8 Step-6 Testing ....................................................................... 92
5.4 Site-to-Site IPsec VPN b/w PIX & ASA........................................ 95
5.4.1 Lab Objectives ...................................................................... 95
5.4.2 Topology ............................................................................... 95
5.4.3 Step-1 IP Addressing............................................................. 95
5.4.4 Step-2 Configuring Static IP Routing ................................... 99
5.4.5 Step-3 Testing Connectivity................................................ 100
5.4.6 Step-4 Configuring IPsec Tunnel ........................................ 101
5.4.7 Step-5 Testing ..................................................................... 102
5.5 Remote Access IPsec VPN with Router (Easy VPN) .................. 104
5.5.1 Lab Objectives .................................................................... 104
5.5.2 Topology ............................................................................. 104
5.5.3 Step-1 IP Addressing........................................................... 104
5.5.4 Step-2 Configuring Static IP Routing ................................. 106
5.5.5 Step-3 Testing Connectivity................................................ 107

5.5.6 Step-4 Configuring Remote Access IPsec VPN Tunnel ..... 107
5.5.7 Step-5 Installing & Setting CISCO IPsec VPN Client ....... 109
5.5.8 Step-6 Connecting IPsec VPN Client ................................. 113
5.5.9 Step-7 Testing ..................................................................... 115
5.6 Remote Access IPsec VPN with ASA (Easy VPN) ..................... 116
5.6.1 Lab Objectives .................................................................... 116
5.6.2 Topology ............................................................................. 116
5.6.3 Step-1 IP Addressing........................................................... 116
5.6.4 Step-2 Configuring NAT .................................................... 118
5.6.5 Step-3 Configuring Static IP Routing ................................. 118
5.6.6 Step-4 Testing Connectivity................................................ 119
5.6.7 Step-5 Configuring ASA as IPsec VPN Server .................. 120
5.6.8 Step-6 Configuring VPN Client .......................................... 121
5.6.9 Step-7 Connecting VPN Client ........................................... 121
5.6.10 Step-8 Testing ..................................................................... 121
Chapter 6 GRE VPN
6 GRE VPN .......................................................................................... 124
6.1 GRE Security ................................................................................ 124
6.2 Encapsulation ................................................................................ 124
6.3 Site-to-Site IPsec over GRE VPN ................................................ 125
6.3.1 Lab Objectives .................................................................... 125
6.3.2 Topology ............................................................................. 125
6.3.3 Step-1 IP Addressing........................................................... 125
6.3.4 Step-2 Configuring Static IP Routing ................................. 127
6.3.5 Step-3 Configuring NAT .................................................... 128
6.3.6 Step-4 Testing Connectivity................................................ 129
6.3.7 Step-5 Configuring Site-to-Site IPSec over GRE Tunnel .. 130
6.3.8 Step-6 Testing ..................................................................... 132
6.4 Site-to-Site IPsec over GRE VPN (Behind ASA) ........................ 136
6.4.1 Lab Objectives .................................................................... 136

6.4.2 Topology ............................................................................. 136
6.4.3 Step-1 IP Addressing........................................................... 136
6.4.4 Step-2 Configuring Static IP Routing ................................. 139
6.4.5 Step-3 Configuring NAT .................................................... 141
6.4.6 Step-4 Testing Connectivity................................................ 142
6.4.7 Step-5 Configuring IPsec over GRE ................................... 142
6.4.8 Step-6 Testing ..................................................................... 145
Chapter 7 DMVPN
7 DMVPN............................................................................................. 147
7.1 DMVPN Security.......................................................................... 147
7.2 Encapsulation ................................................................................ 147
7.3 Dynamic Multipoint VPN (Hub & Spokes) ................................. 148
7.3.1 Lab Objectives .................................................................... 148
7.3.2 Topology ............................................................................. 148
7.3.3 Step-1 IP Addressing........................................................... 148
7.3.4 Step-2 Configuring Static IP Routing ................................. 151
7.3.5 Step-3 Testing Connectivity................................................ 152
7.3.6 Step-4 Configuring DMVPN Tunnel .................................. 153
7.3.7 Step-5 Testing ..................................................................... 155
Chapter 8 SSL VPN
8 SSL VPN ........................................................................................... 159
8.1 SSL Security ................................................................................. 159
8.2 SSL Encapsulation ........................................................................ 160
8.3 Router as an SSL VPN Gateway .................................................. 161
8.3.1 Lab Objectives .................................................................... 161
8.3.2 Topology ............................................................................. 161
8.3.3 Step-1 IP Addressing........................................................... 161
8.3.4 Step-2 Configuring Static IP Routing ................................. 163
8.3.5 Step-3 Configuring Router as a DNS Server ...................... 164
8.3.6 Step-4 Testing Connectivity................................................ 164

8.3.7 Step-5 Configuring Self-Signed Certificates ...................... 166
8.3.8 Step-6 Configuring SSL VPN Gateway ............................. 168
8.3.9 Step-7 Testing ..................................................................... 169
Chapter 9 High Availability VPN
9 High Availability VPN ...................................................................... 172
9.1 HSRP ............................................................................................ 172
9.2 VRRP ............................................................................................ 173
9.3 GLBP ............................................................................................ 173
9.4 Site-to-Site IPsec High Availability VPN with HSRP ................. 174
9.4.1 Lab Objectives .................................................................... 174
9.4.2 Topology ............................................................................. 174
9.4.3 Step-1 IP Addressing........................................................... 174
9.4.4 Step-2 Configuring Static IP Routing ................................. 177
9.4.5 Step-3 Testing Connectivity................................................ 179
9.4.6 Step-4 Configuring HSRP ................................................... 179
9.4.7 Step-5 Configuring IPsec VPN over HSRP ........................ 182
9.4.8 Step-6 Testing ..................................................................... 184
References: ................................................................................................ 186

Learning Outcomes
This book covers virtual private network technologies, theoretical as well
as practical. As a study guide, it demonstrates how VPNs actually work and
shows their practical implementation in different lab scenarios, step by
step. The objective of this book is to teach students and professionals in
an easy way. From this book, a reader learns not only the theoretical
knowledge of VPNs but also the IOS-based practical implementation of several
types of VPN in his home and office.

There are several types of VPNs with different scenarios. After studying
this book, the reader will be familiar with almost all types of VPN and will
be able to set up all these types of VPN in different scenarios in his office
and home.

Chapter 1 Introduction

1 Virtual Private Network

A Virtual Private Network (VPN) is a secure, reliable and logical connection
that is created over a public network (the Internet). CISCO defines a VPN as
an encrypted connection between private networks over a public network [1].
It is a virtual connection, not a physical one. It extends the private
network across a shared or public network. It enables a computer to send and
receive data safely through the shared or public network as if it were
directly connected to the private network. This is done by establishing a
virtual connection through the Internet.

1.1 VPN Services
VPNs provide different types of security services through different security
protocols. These services are:

1. Confidentiality
2. Integrity
3. Authentication
4. Availability
5. Anti-replay

1.1.1 Confidentiality

Confidentiality means secrecy. It is a technique in which the original data
is hidden or replaced with some other data. The idea behind it is that the
data is not disclosed to anyone, intentionally or unintentionally, during
transmission. In network security, it is also called encryption. It is the
process in which the plaintext (original text) is replaced or substituted
with the help of a certain encryption algorithm, a key, and a mechanism.
After this process, the plaintext is converted into encrypted text
(ciphertext). The encrypted text is transmitted over an insecure network. If
somebody intercepts the encrypted text, it is not easy to understand it. On
the receiving side, the reverse process of encryption takes place; it is
called decryption. The same algorithm, key, and mechanism are used to decrypt
the text, and the original text is extracted. There are several encryption
algorithms. Some of them work character by character and the rest work block
by block. There are two types of keys: symmetric and asymmetric. With
symmetric keys, the same key is used to encrypt and decrypt, while with
asymmetric keys, a pair of keys is used. One key is the private key and the
second key is called the public key. If the public key is used to encrypt the
data, its private key is used to decrypt the data, whereas if the private key
is used to encrypt the data, its public key is used to decrypt the data. The
mechanism means the way or method that defines how to drive the algorithm
and key. Modern encryption algorithms are:

1. DES (Data Encryption Standard)
2. 3DES (Triple Data Encryption Standard)
3. AES (Advanced Encryption Standard)

1.1.2 Integrity
Integrity means originality. It is a technique to ensure that data is not
modified or altered by an unauthorized person during transmission. The data
remains consistent, both internally and externally. It is guaranteed that
the data is received by the receiver in its original form and that there is
no change in the data during transmission. In network security, it is also
called hashing. Hashing is a one-way process in which a 32-bit long hash
value is calculated from the data with a specific algorithm. This hash value
is transmitted along with the data. On the receiver side, the receiver once
again calculates the hash value of the received data with the same algorithm
and compares this hash value with the value that came with the data. If the
values are the same then the integrity is not compromised; on the other hand,
if the hash value differs by even one character then it indicates that the
integrity is compromised, and the receiver will discard the received data.
Modern hashing algorithms are:

1. MD-5 (Message Digest)
2. SHA-1 (Secure Hash Algorithm)

1.1.3 Authentication
Authentication is a technique which verifies the identity of a user or a
process. It prevents unauthorized users from accessing data or a service. In
this process, the credentials provided by the user are compared with those
already saved in the database file. If the credentials match, the user is
granted authorization for access and the process is completed; if the
credentials do not match, the user is not granted access. Authentication may
be local or remote. In local authentication, the credentials are saved on the
same machine, while in remote authentication, the user credentials are saved
on another server. The receiving machine sends the user credentials to the
authentication server, which checks whether they are true or false and
responds. If the machine receives "true" from the authentication server then
it grants access, and if it receives "false" then it denies access. For
security purposes, the Challenge Handshake Authentication Protocol (CHAP) is
used between the machine and the authentication server. Modern remote
authentication servers are:

1. TACACS (Terminal Access Controller Access Control System)
2. RADIUS (Remote Authentication Dial-In User Service)
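The challenge/response exchange the section mentions (CHAP, RFC 1994) worked through on both sides, as an added example that is not from the book; the user name, secret and credential store are constructed for the illustration. It shows why the secret never crosses the link and why a captured response cannot be reused against a fresh challenge.

```python
"""Challenge Handshake Authentication Protocol (CHAP, RFC 1994) exchange.

Added example, not from the book: both sides of a CHAP authentication are
modelled so that the secret itself never crosses the link; only a random
challenge and an MD5 response do. The user name, secret and challenge bytes
are constructed for the demonstration.
"""
import hashlib
import hmac
import os

# Assumption: the authenticator's credential store, keyed by user name.
CREDENTIALS = {"alice": b"s3cret-pass"}


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge).
    Identifier is the one-octet sequence number of the Challenge packet."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The machine (or the remote RADIUS/TACACS server it forwards to) that
    holds the credentials and answers true or false."""

    def __init__(self, store):
        self.store = store
        self.outstanding = {}   # identifier -> challenge currently in flight

    def challenge(self, identifier):
        """Issue a fresh, unpredictable challenge; a new value every time."""
        chal = os.urandom(16)
        self.outstanding[identifier] = chal
        return chal

    def verify(self, identifier, name, response):
        """Recompute the expected response from the stored secret and compare
        it with what the peer sent; True means grant, False means deny."""
        chal = self.outstanding.pop(identifier, None)   # a challenge is single use
        secret = self.store.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The user's machine: knows its own secret and answers challenges."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return chap_response(identifier, self.secret, challenge)


def run_chap(auth, peer, identifier=1):
    """One full exchange: Challenge -> Response -> Success/Failure."""
    chal = auth.challenge(identifier)
    resp = peer.respond(identifier, chal)
    return auth.verify(identifier, peer.name, resp)


def replay_old_response(auth, peer, identifier=1):
    """Replaying a response captured from an earlier exchange fails, because
    the authenticator has issued a different challenge since then."""
    old_chal = auth.challenge(identifier)
    old_resp = peer.respond(identifier, old_chal)
    auth.verify(identifier, peer.name, old_resp)    # legitimate use succeeds
    auth.challenge(identifier)                       # next login: new challenge
    return auth.verify(identifier, peer.name, old_resp)


if __name__ == "__main__":
    auth = Authenticator(CREDENTIALS)
    print("alice, correct secret:", run_chap(auth, Peer("alice", b"s3cret-pass")))
    print("alice, wrong secret:  ", run_chap(auth, Peer("alice", b"guess")))
    print("replayed response:    ", replay_old_response(auth, Peer("alice", b"s3cret-pass")))
```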

1.1.4 Availability

Availability provides reliable and timely access to data and resources. Once
a VPN is connected, its time period is 24 hours by default. This means that
the user can access data or services at any time during the VPN connection.

1.1.5 Anti-Replay

It is a technique in which the receiver verifies that each packet is unique
and not a duplicate. In this process, sequence numbers are carried with the
packets, and on the receiver side all the packets are arranged according to
their sequence numbers. If a duplicate packet is received then the receiver
discards it.
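The sequence-number check described above, as an added example that is not part of the book: a sliding-window receiver in the style of IPsec ESP (RFC 4303), which is an assumption here since the section names no particular protocol. It accepts each sequence number once, lets a late packet that is still inside the window through, and drops replays and packets that have fallen behind the window.

```python
"""Anti-replay check with a sliding window of sequence numbers.

Added example, not from the book: it shows how a receiver of the kind
described above (the IPsec ESP style of RFC 4303 is assumed) uses the
per-packet sequence number to accept each packet once, rejecting duplicates
and packets older than its window. The packets below are constructed for
the demonstration.
"""

WINDOW_SIZE = 64   # assumption: 64 packets; RFC 4303 requires at least 32


class ReplayWindow:
    """Remembers the highest sequence number accepted and a bitmap of which
    of the WINDOW_SIZE most recent numbers have already been accepted."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  sequence (highest - i) accepted

    def check(self, seq):
        """Return True and record seq if it is new; False if it is a replay
        or too old. A real receiver records seq only after the packet's
        integrity check has also passed, so forged packets cannot move the
        window."""
        if seq == 0:
            return False      # sequence number 0 is never used
        if seq > self.highest:
            # Newer than anything seen: slide the window to the right.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0                        # everything old falls out
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                           # bit 0 is seq itself
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False      # left of the window: too old to check, drop it
        if self.bitmap & (1 << offset):
            return False      # already accepted once: a replayed packet
        self.bitmap |= 1 << offset                     # late but genuine
        return True


def filter_packets(packets):
    """Feed (sequence, payload) pairs through one window; return the
    accepted payloads and the rejected sequence numbers."""
    window = ReplayWindow()
    accepted, rejected = [], []
    for seq, payload in packets:
        if window.check(seq):
            accepted.append(payload)
        else:
            rejected.append(seq)
    return accepted, rejected


# Constructed traffic: in order, one duplicate, one late-but-valid packet,
# a replay of the first packet, a big jump, then a packet outside the window.
SAMPLE = [(1, "p1"), (2, "p2"), (3, "p3"), (3, "p3-again"), (5, "p5"),
          (4, "p4-late"), (1, "p1-again"), (200, "p200"), (100, "p100-too-old")]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE)
    print("accepted:", ok)                         # p1 p2 p3 p5 p4-late p200
    print("rejected sequence numbers:", dropped)   # [3, 1, 100]
```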

1.2 VPN Advantages
VPN technology has heavily influenced the corporate sector through its many
advantages. Due to these advantages, it is a popular and widely deployed
technology in the industry. These advantages are:

1.2.1 Data Security
A public network (the Internet) is not a secure network, and it is not
possible to secure it completely. It is very risky, and it is easy for a third
person (an intruder) to access or alter data when it moves across the public
network. So, it is necessary to secure data before transferring it over a
public network. A VPN allows the data to be encapsulated in a security header
before it is transmitted to its destination. When data is encapsulated in a
security header then it is not easy to access or alter. On the receiving side,
it is decapsulated.

1.2.2 Private Network Access

VPNs allow employees to securely access their company's private network
or data while travelling outside the office or at home. Most of the employees
work in branch offices and other employees work as teleworkers in the
market. They are away from the central site, and if they need to access the
company's data or services for business operations they can access it
securely through a VPN connection.

1.2.3 Bandwidth
Users or branch offices use leased lines such as E1, T1, Frame Relay or
Asynchronous Transfer Mode (ATM) to access the company's data or services
securely. These leased lines typically provide 128 Kbps, 256 Kbps, and 512
Kbps connection speeds, and they are expensive. Users and branch offices
require more bandwidth and speed for their services and advanced
applications. Internet Service Providers (ISPs) are providing relatively
high-bandwidth IP connections, such as broadband Digital Subscriber Line
(DSL) or cable access, for VPN on a shared basis.
1.2.4 Cost Reduction
ISPs are providing relatively high-bandwidth IP connections, such as
broadband DSL or cable service, on a shared basis. As a result, many
customers are migrating their primary WAN connectivity to these services
or deploying such WAN alternatives as a secondary high-speed WAN circuit
to augment their existing private network. These high-bandwidth, shared IP
connections are relatively low cost compared to leased lines.
1.2.5 Deployment Flexibility
VPNs can be quickly established wherever an Internet access connection is
available. They offer a great degree of flexibility in connecting branch
offices, or even while traveling outside the office or at home.

1.3 VPN Types
A VPN can be connected in different forms. A secure connection is created
over a public network; sometimes it is called a tunnel. All traffic is passed
through this tunnel. There are two basic types of VPN, and they are:

1. Remote Access VPN
2. Site-to-Site VPN

1.3.1 Remote Access VPN
In the remote access VPN type, a single user is connected to a private
network and accesses its services and resources remotely. The connection
between the user and the private network is made through the Internet, and
this connection is secure and private. Usually, home users or teleworkers use
this type of VPN. Teleworkers or employees use a remote access VPN to connect
to their company's private network and remotely access files and resources
on the private network while traveling.

1.3.2 Site-to-Site VPN
The Site-to-Site VPN type is mostly used in corporate networks. In this type
of VPN, a company's offices in different geographical locations use a
Site-to-Site VPN to connect their network with the head office or another
branch office. In this VPN type, a device acts as a gateway in one branch
office and similarly in the other branch office. The connection is
established between the two. Once the connection is established, multiple
users can use this connection in their branch offices.

1.4 VPN Protocols

As we know, communication between two devices is based upon the Open
Systems Interconnection (OSI) reference model. It is a universal standard
which was proposed by the International Organization for Standardization
(ISO) in 1984. It consists of seven layers. Each layer of this model performs
specific tasks through several communication protocols. These communication
protocols are classified into different forms according to these layers. VPN
protocols are also classified according to the OSI model's layers for
security purposes. These VPN protocols are:

1. PPTP (Point-to-Point Tunneling Protocol)
2. L2TP (Layer 2 Tunneling Protocol)
3. IPsec (Internet Protocol Security)
4. L2TP over IPsec
5. GRE (Generic Routing Encapsulation)
6. IPsec over GRE
7. TLS (Transport Layer Security)
8. SSL (Secure Sockets Layer)

1.5 VPN Supported Devices
A dedicated VPN support device is the VPN Concentrator. A VPN concentrator
is a type of networking device that provides secure creation of VPN
connections and delivery of messages between VPN nodes. However, some other
devices (routers, multi-layer switches, PIX, ASA, PCs, smartphones and
tablets) may also support VPN. These devices should have operating systems
that support VPN. Multiple vendors have designed such devices, like CISCO,
Juniper, Linksys, Microsoft, Linux, and Mac etc. The VPN service provided by
these devices is said to be IOS based VPN. In this guide, CISCO based devices
(Router, PIX & ASA) and Windows based PCs are used.

Chapter 2 PPTP VPN

2 PPTP VPN
The Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN
techniques in network security. It was introduced by "Matthew Ramsay" in
1999 with the support of Microsoft. Its specification is described in RFC
2637 [2]. It basically extends the Point-to-Point Protocol (PPP). PPP
transfers multi-protocol datagrams over a point-to-point link. It uses the
dial-up networking method which is called a Virtual Private Dial-up Network
(VPDN). It is most suitable for remote access applications through VPN. It
also supports LAN internetworking. It operates at layer 2 of the OSI model.
It works as a client/server model which is simple to configure. By default,
the client is a software-based system which is normally available in all
Microsoft Windows, Linux and MAC operating systems. It remains a most popular
technology, especially on Microsoft Windows computers. It is a
connection-oriented protocol and it uses TCP port 1723. In this tunneling
technique, tunnels are created in the following two steps:

1. First of all, the clients connect to their ISPs using any service
(dial-up, ISDN, DSL modem or LAN).
2. Secondly, PPTP creates a TCP session between client and server to
establish a secure tunnel.

Once the PPTP tunnel is established between client and server, two types
of information can be passed through the tunnel. Moreover, a unique Call ID
value is assigned to each session for its identification.

1. Control Messages: These messages pass directly between the client and
the server, from setting up the tunnel to finally tearing down the
connection. A variety of these control messages are used to maintain the
VPN connection; some of these messages are shown in Fig. 2.1 below.
2. Data Packets: These pass through the tunnel to the client, and the
client sends data packets back.
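The control channel on TCP port 1723 described above carries messages that all begin with the same fixed header. The following decoder is an added example, not code from the book: it assumes the RFC 2637 field layouts, splits a reassembled TCP stream into control messages, names each one and extracts the Call ID from call-management messages, which is what a network monitor needs in order to recognise PPTP sessions. The sample stream is built by the block itself, not captured traffic.

```python
"""Decoder for PPTP control messages (RFC 2637), the traffic on TCP port 1723.

Added example, not from the book: every PPTP control message starts with a
12-byte header (Length, PPTP Message Type, Magic Cookie, Control Message
Type, Reserved0). This block splits a reassembled TCP stream into messages,
names each one and pulls out the Call ID that identifies a session. The
sample stream below is constructed here, not captured traffic.
"""
import struct

MAGIC_COOKIE = 0x1A2B3C4D
CONTROL_MESSAGE = 1                # PPTP Message Type 1 = control message
HEADER = struct.Struct("!HHIHH")   # Length, Msg Type, Magic Cookie, Ctrl Type, Reserved0

CONTROL_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected", 12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify", 14: "WAN-Error-Notify", 15: "Set-Link-Info",
}
# Messages whose first field after the header is the sender's own Call ID.
CALL_ID_FIRST = {7, 8, 9, 10, 12, 13}


def parse_control_message(data):
    """Decode one control message; raise ValueError for anything that is not
    a well-formed PPTP control header (the first check a monitor makes)."""
    if len(data) < HEADER.size:
        raise ValueError("truncated PPTP header")
    length, msg_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie: not PPTP")
    if msg_type != CONTROL_MESSAGE:
        raise ValueError("not a control message")
    if length < HEADER.size or length > len(data):
        raise ValueError("length field inconsistent with data")
    msg = {"length": length, "type": ctrl_type,
           "name": CONTROL_TYPES.get(ctrl_type, "Unknown")}
    if ctrl_type in CALL_ID_FIRST and length >= HEADER.size + 2:
        msg["call_id"] = struct.unpack_from("!H", data, HEADER.size)[0]
    return msg


def split_stream(stream):
    """Walk a reassembled TCP/1723 byte stream using each Length field and
    return the parsed messages; stops at a malformed or incomplete tail."""
    messages, offset = [], 0
    while offset + HEADER.size <= len(stream):
        length = struct.unpack_from("!H", stream, offset)[0]
        if length < HEADER.size or offset + length > len(stream):
            break
        messages.append(parse_control_message(stream[offset:offset + length]))
        offset += length
    return messages


def _header(ctrl_type, body):
    """Prepend the 12-byte control header to a message body."""
    return HEADER.pack(HEADER.size + len(body), CONTROL_MESSAGE,
                       MAGIC_COOKIE, ctrl_type, 0) + body


def build_start_request(hostname=b"pptp-client", vendor=b"example"):
    """Start-Control-Connection-Request (156 bytes): version 1.0, framing and
    bearer capabilities, max channels, firmware revision, host name, vendor."""
    body = struct.pack("!HHIIHH64s64s", 0x0100, 0, 3, 3, 0, 0, hostname, vendor)
    return _header(1, body)


def build_echo_request(identifier):
    """Echo-Request (16 bytes): only a 4-byte identifier follows the header."""
    return _header(5, struct.pack("!I", identifier))


def build_outgoing_call_request(call_id, serial=1):
    """Outgoing-Call-Request (168 bytes): Call ID, serial number, min/max BPS,
    bearer type, framing type, receive window, processing delay, phone
    number length, reserved, phone number, subaddress."""
    body = struct.pack("!HHIIIIHHHH64s64s", call_id, serial, 300, 100000000,
                       3, 3, 64, 0, 0, 0, b"", b"")
    return _header(7, body)


# Constructed sample: a client opening a control connection, keeping it
# alive, and then asking for a call with Call ID 0x1234.
SAMPLE_STREAM = (build_start_request() + build_echo_request(42)
                 + build_outgoing_call_request(0x1234))

if __name__ == "__main__":
    for m in split_stream(SAMPLE_STREAM):
        print(m)
```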

2.1 PPTP Security
PPTP supports authentication, encryption and packet filtering. For
authentication, PPP based protocols like MS-CHAPv1, MS-CHAPv2, EAP-TLS, and
PAP are used. MS-CHAPv1 is insecure. EAP-TLS is a superior choice; however,
it requires a Public Key Infrastructure implementation for both client and
server certificates. When MS-CHAPv1/v2 is used in PPTP, the payloads are
encrypted using Microsoft Point-to-Point Encryption (MPPE). MPPE supports
40-bit, 56-bit and 128-bit encryption. It enhances the confidentiality of
PPP-encapsulated packets [3]. Packet filtering is implemented on VPN servers.

Figure 2.1 PPTP Control Messages

2.2 Encapsulation

PPTP encapsulates PPP frames in IP packets. It uses a TCP connection for
tunnel management. The encapsulated PPP frames may be encrypted, compressed,
or both, as highlighted in Fig. 2.2.

Figure 2.2 PPTP Encapsulation

In Oct. 2012, the security of PPTP was broken, and its use is no longer
recommended by Microsoft [4].







2.3 Router as a PPTP VPN Server
2.3.1 Lab Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Test Connectivity
- Configure Router as a PPTP VPN Server
- Configure PC as a Microsoft PPTP VPN Client
- Try to Connect VPN Client
- Test VPN

2.3.2 Topology

Figure 2.3 PPTP VPN Setup

6/7/7 '$05
%&&"
..$")
 - .. . on router’s interface. )  . ( )/$*)  *1  $)
/*+*'*"$'$"-(S;T;
)/ -! .(0./  )' $)J-0))$)".// ;

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.18    YES manual up        up
FastEthernet0/1      203.0.113.33    YES manual up        up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C     203.0.113.16/28 is directly connected, FastEthernet0/0
C     203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable
Branch#configure terminal
Branch(config)#interface FastEthernet0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface FastEthernet0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.34    YES manual up        up
FastEthernet0/1      192.168.1.1     YES manual up        up
Branch#

PC:

Figure 2.4 Client IP Address

2.3.4 Step-2 Configure Static Routing

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.33
C     192.168.1.0/24 is directly connected, FastEthernet0/1
C     203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#

2.3.5 Step-3 Connectivity Testing

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Request timed out.
Reply from 203.0.113.34: bytes=32 time=258ms TTL=254
Reply from 203.0.113.34: bytes=32 time=185ms TTL=254
Reply from 203.0.113.34: bytes=32 time=184ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 184ms, Maximum = 258ms, Average = 209ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#

2.3.6 Step-4 Configure Router as PPTP VPN Server

Branch(config)#vpdn enable
Branch(config)#vpdn-group pptp-vpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol pptp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#

Branch(config)#ip local pool pptp-pool 172.16.1.10 172.16.1.50
Branch(config)#username test password 0 test

Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)#peer default ip address pool pptp-pool
Branch(config-if)#ip unnumbered FastEthernet0/1
Branch(config-if)#no keepalive
Branch(config-if)#ppp encrypt mppe auto required
Branch(config-if)#ppp authentication ms-chap ms-chap-v2
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.34    YES manual up        up
FastEthernet0/1      192.168.1.1     YES manual up        up
Virtual-Access1      unassigned      YES unset  down      down
Virtual-Template1    192.168.1.1     YES unset  down      down

Branch#show vpdn group

group 1
Group session limit 65535 active sessions 0 active tunnels 0
group pptp-vpn
Group session limit 65535 active sessions 0 active tunnels 0

Branch#show vpdn session

% No active tunnels

2.3.7 Step-5 Configure PC as a Microsoft PPTP VPN Client

1. Choose Start > Control Panel > Network & Sharing Center > Set up a new
connection

Figure 2.5 Set up a new Connection

2. After the Network Connection Wizard window appears, choose Connect
to a workplace & click Next

Figure 2.6 Connect to a Workplace

3. Choose No, create a new connection & click Next

Figure 2.7 Create new Connection

4. Select Use my Internet connection (VPN)

Figure 2.8 New Connection Name & IP Address

5. Choose Start > Control Panel > Network & Sharing Center > Change
adapter settings and select the Properties of the recently configured
connection

Figure 2.9 Properties

6. Choose Security

Figure 2.10 Security

7. Under Type of VPN choose PPTP, choose Require encryption from
Data encryption, select the Authentication protocols and click OK

Figure 2.11 Select Properties

Page | 18
PPTP VPN
2.3.8 Step-6 Connecting Client
1. Try to connect

Figure 2.12 Username & Password

2. Type username test & password test and click Connect

Figure 2.13 Connecting

3. The verifying username and password window appears

Figure 2.14 Verifying

4. The registering your computer on the network window appears

Figure 2.15 Completing

5. When connected, then edit and check the status of the connection

Figure 2.16 Connection Status

2.3.9 Step-7 Testing

PC:

Figure 2.17 Connection Details

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=232ms TTL=255
Reply from 192.168.1.1: bytes=32 time=226ms TTL=255
Reply from 192.168.1.1: bytes=32 time=338ms TTL=255
Reply from 192.168.1.1: bytes=32 time=351ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 226ms, Maximum = 351ms, Average = 286ms

Branch:

Branch#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.34    YES manual up        up
FastEthernet0/1      192.168.1.1     YES manual up        up
Virtual-Access1      192.168.1.1     YES unset  up        up
Virtual-Template1    192.168.1.1     YES unset  down      down

Branch#show interfaces virtual-access 1

Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CCP
  PPPoVPDN vaccess, cloned from Virtual-Template1
  Vaccess status 0x44
  Protocol pptp, tunnel id 36776, session id 20632, loopback not set
  Keepalive not set
  DTR is pulsed for 5 seconds on reset
  Last input 00:05:07, output never, output hang never
  Last clearing of "show interface" counters 00:22:57

Branch#show users

    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address
  Vi3          test               PPPoVPDN     00:09:55 172.16.1.11

Branch#show vpdn session

PPTP Session Information Total tunnels 1 sessions 1

LocID  RemID  TunID  Intf  Username  State  Last Chg  Uniq ID
20632  25636  36776  Vi3   test      est    00:00:41  2

Branch#show vpdn tunnel pptp

PPTP Tunnel Information Total tunnels 1 sessions 1

LocID  Remote Name  State  Remote Address  Port  Sessions  VPDN Group
36776               est    203.0.113.17    4993  1         1

Branch#show vpdn tunnel pptp transport

PPTP Tunnel Information Total tunnels 1 sessions 1

LocID  Type  Prot  Local Address  Port  Remote Address  Port
36776              203.0.113.34   1723  203.0.113.17    4993

Branch#show vpdn tunnel pptp packets

PPTP Tunnel Information Total tunnels 1 sessions 1

LocID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
36776  61       21        6679      521
Branch#






Chapter 3 L2TP VPN
Layer 2 Tunneling Protocol (L2TP) was introduced in 1999 as a combination of
two tunneling protocols: Layer 2 Forwarding (L2F), by Cisco Systems, and the
Point-to-Point Tunneling Protocol (PPTP), by Microsoft. It merges the best
features of both; in other words, it is an extension of PPTP. It was specified
in RFC 2661 [5]. L2F is a tunneling protocol that was developed to establish
VPNs over the public network (Internet). It does not provide encryption by
itself and was specially designed to tunnel PPP traffic. In 2005, a new
version, L2TPv3, was introduced with additional security features, improved
encapsulation and the ability to carry data links over the network. Its
specification is described in RFC 3931 [6].

The entire L2TP packet, including the payload and the L2TP header, is sent
within a User Datagram Protocol (UDP) datagram on port 1701. It is common to
carry a PPP session within an L2TP tunnel. L2TP does not provide strong
authentication and confidentiality by itself; the IPsec protocol is often used
with L2TP to provide strong confidentiality, authentication, and integrity.
The combination of these two protocols is generally known as L2TP/IPsec.
L2TP allows creating a VPDN to connect remote clients to a corporate network
using the different connection services provided by ISPs. It operates at
layer 2 of the OSI model and works in a client/server model.

The two endpoints of an L2TP tunnel are called the LAC (L2TP Access
Concentrator) and the LNS (L2TP Network Server). The LNS waits for new
tunnels. The LAC sits between the LNS and a remote system and forwards
packets to the server. Once the tunnel is established between the peers,
network traffic moves bidirectionally. The packets exchanged within the
tunnel are characterized as either control packets or data packets: L2TP
provides reliability for control packets but not for data packets. If
reliability is desired for data packets, it must be provided by another
protocol running within the session of the tunnel.

In this tunneling technique, tunnels are created in two steps:

1. A control connection is established for a tunnel between LAC and LNS.
2. A session is established between client and server.

During the setup of the L2TP tunnel, different types of control messages and
data messages are exchanged between LAC and LNS, as highlighted in
Fig. 3.1 below. The traffic of each session is isolated by L2TP, so it is
possible to set up multiple virtual networks over a single tunnel. The
Maximum Transmission Unit (MTU) remains the same. Hello messages are
sent to the peer as keepalive control messages every 60 seconds.

Figure 3.1 Tunnel Setup

Once the tunnel is established, PPP frames from the remote system are
received at the LAC, which encapsulates them in L2TP and forwards them to the
LNS over the appropriate tunnel.

3.1 L2TP Security
L2TP supports authentication and encryption. For authentication, PPP-based
protocols such as MS-CHAPv1, MS-CHAPv2, EAP-TLS, and PAP are used.
When MS-CHAPv1/v2 is used, the payloads are encrypted using MPPE. It
also supports the Triple Data Encryption Standard (3DES) and the Advanced
Encryption Standard (AES, 256 bits). This enhances the confidentiality of PPP-
encapsulated packets.

3.2 Encapsulation

Data messages are used to encapsulate PPP frames. These frames are
passed over an unreliable data channel; data is not retransmitted when packet
loss occurs. The entire PPP frame is encapsulated in an L2TP header first, and
the L2TP frame is then encapsulated in a UDP header, as shown in Fig. 3.2
below.

Figure 3.2 L2TP Encapsulation
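The header layout just described, and the control/data distinction from the start of this chapter (reliable control messages with sequence numbers, Hello keepalives, unreliable data messages carrying PPP), can be checked against real datagrams with a small dissector. The following Python block is an added example and not code from the book: it parses the L2TPv2 header of RFC 2661 (flags, optional length, tunnel and session IDs, Ns/Nr), walks the AVPs of a control message to name it (Hello, SCCRQ, a ZLB acknowledgement that carries only Ns/Nr, ...) and returns the raw PPP frame of a data message. The tunnel id 35949 and session id 29839 reused in the constructed samples are the values this chapter's show vpdn output reports later; the builder functions exist only to construct those samples.

```python
import struct

# L2TPv2 header flag bits (RFC 2661 section 3.1)
T_BIT = 0x8000   # 1 = control message, 0 = data message
L_BIT = 0x4000   # Length field present (mandatory for control messages)
S_BIT = 0x0800   # Ns/Nr present (mandatory for control messages)
O_BIT = 0x0200   # Offset Size field present (data messages only)
VERSION_MASK = 0x000F

# Message Type AVP values (RFC 2661 section 3.2)
CONTROL_MESSAGES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                    7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                    12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
AVP_MESSAGE_TYPE = 0


def parse_avps(body):
    """Walk the AVP list of a control message; hidden AVPs are left undecoded."""
    avps, off = [], 0
    while off + 6 <= len(body):
        bits, vendor, attr = struct.unpack("!HHH", body[off:off + 6])
        length = bits & 0x03FF
        if length < 6 or off + length > len(body):
            raise ValueError("malformed AVP at offset %d" % off)
        value = body[off + 6:off + length]
        hidden = bool(bits & 0x4000)          # H bit: value needs the tunnel secret
        if vendor == 0 and attr == AVP_MESSAGE_TYPE and not hidden and len(value) == 2:
            value = struct.unpack("!H", value)[0]
        avps.append({"vendor": vendor, "type": attr, "mandatory": bool(bits & 0x8000),
                     "hidden": hidden, "value": value})
        off += length
    return avps


def parse_l2tp(datagram):
    """Dissect one L2TPv2 datagram (the UDP/1701 payload) into header fields."""
    flags, = struct.unpack("!H", datagram[:2])
    if (flags & VERSION_MASK) != 2:
        raise ValueError("not L2TPv2")
    control = bool(flags & T_BIT)
    off, length = 2, None
    if flags & L_BIT:
        length, = struct.unpack("!H", datagram[off:off + 2]); off += 2
    tunnel_id, session_id = struct.unpack("!HH", datagram[off:off + 4]); off += 4
    ns = nr = None
    if flags & S_BIT:                         # sequence numbers: reliability for control
        ns, nr = struct.unpack("!HH", datagram[off:off + 4]); off += 4
    if flags & O_BIT:
        pad, = struct.unpack("!H", datagram[off:off + 2]); off += 2 + pad
    end = length if length is not None else len(datagram)
    body = datagram[off:end]
    info = {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr}
    if control:
        avps = parse_avps(body)
        mtype = next((a["value"] for a in avps
                      if a["vendor"] == 0 and a["type"] == AVP_MESSAGE_TYPE), None)
        # a control message without AVPs is a ZLB ACK: it only acknowledges Ns/Nr
        info["message"] = "ZLB" if not avps else CONTROL_MESSAGES.get(mtype, "type %s" % mtype)
        info["avps"] = avps
    else:
        info["ppp_frame"] = body              # data channel: no Ns/Nr, no retransmission
    return info


def build_control(tunnel_id, session_id, ns, nr, message_type=None):
    """Construct a control message (T, L and S set); message_type None gives a ZLB."""
    body = b""
    if message_type is not None:              # Message Type AVP, M bit set, length 8
        body = struct.pack("!HHHH", 0x8000 | 8, 0, AVP_MESSAGE_TYPE, message_type)
    hdr = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body),
                      tunnel_id, session_id, ns, nr)
    return hdr + body


def build_data(tunnel_id, session_id, ppp_frame):
    """Construct a minimal data message: version 2, no L/S/O bits, then the PPP frame."""
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame


if __name__ == "__main__":
    # constructed samples (not captures) using the ids from this chapter's show output
    hello = build_control(35949, 0, ns=5, nr=3, message_type=6)
    data = build_data(35949, 29839, b"\xff\x03\x00\x21\x45\x00\x00\x54")
    print(parse_l2tp(hello)["message"], parse_l2tp(data)["ppp_frame"][:4].hex())
```

Everything the dissector returns is readable by anyone on the path: plain L2TP exposes tunnel and session IDs, message types and the whole PPP frame, which is exactly why the next chapter wraps it in IPsec.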

3.3 Router as L2TP VPN Server
3.3.1 Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Configure Router as a DNS Server
- Test Connectivity
- Configure Router as an L2TP VPN Server
- Configure PC as a Microsoft L2TP VPN Client
- Try to Connect VPN Client by Domain Name
- Test VPN

3.3.2 Topology





Figure 3.3 L2TP VPN Setup

3.3.3 Step-1 IP Addressing
Assign IP addresses on the router's interfaces and the PC as mentioned above in
topological diagram 3.3. Interfaces must be enabled and in up & running state.

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.18    YES manual up        up
FastEthernet0/1      203.0.113.33    YES manual up        up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C     203.0.113.16/28 is directly connected, FastEthernet0/0
C     203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable
Branch#configure terminal
Branch(config)#interface FastEthernet0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface FastEthernet0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.34    YES manual up        up
FastEthernet0/1      192.168.1.1     YES manual up        up
Branch#

PC:

Figure 3.4 Client IP Addressing

3.3.4 Step-2 Configure Static Routing

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#

Branch#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.33
C     192.168.1.0/24 is directly connected, FastEthernet0/1
C     203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#

3.3.5 Step-3 Configure Router as DNS Server

Internet:

Internet(config)#ip dns server
Internet(config)#ip name-server 203.0.113.18
Internet(config)#ip host l2tpvpn.com 203.0.113.34
Internet(config)#no ip domain-lookup
Internet(config)#exit
Internet#

Internet#show ip dns view

View default parameters:
  Logging is off
  DNS Resolver settings:
    Domain lookup is disabled
    Default domain name:
    Domain search list:
    Lookup timeout: 3 seconds
    Lookup retries: 2
    Domain name-servers:
      203.0.113.18
  DNS Server settings:
    Forwarding of queries is disabled
    Forwarder timeout: 3 seconds
    Forwarder retries: 2
    Forwarder addresses:

3.3.6 Step-4 Testing Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping l2tpvpn.com

Pinging l2tpvpn.com [203.0.113.34] with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=148ms TTL=254
Reply from 203.0.113.34: bytes=32 time=213ms TTL=254
Reply from 203.0.113.34: bytes=32 time=191ms TTL=254
Reply from 203.0.113.34: bytes=32 time=220ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 148ms, Maximum = 220ms, Average = 193ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#

Internet:

Internet#show ip dns statistics

DNS requests received = 2(2+0)
DNS requests dropped = 0(0+0)
DNS responses replied = 2(2+0)

Forwarder queue statistics:
  Current size = 0
  Maximum size = 5
  Drops = 0

3.3.7 Step-5 Configure Router as L2TP VPN Server

Branch(config)#vpdn enable
Branch(config)#vpdn-group l2tp-vpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol l2tp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#

Branch(config)#ip local pool l2tp-pool 172.16.1.1 172.16.1.50
Branch(config)#username test password 0 test

Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)#peer default ip address pool l2tp-pool
Branch(config-if)#ip unnumbered FastEthernet0/1
Branch(config-if)#ppp encrypt mppe auto required
Branch(config-if)#ppp authentication ms-chap ms-chap-v2
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.34    YES manual up        up
FastEthernet0/1      192.168.1.1     YES manual up        up
Virtual-Access1      unassigned      YES unset  down      down
Virtual-Template1    192.168.1.1     YES unset  down      down
Branch#

Branch#show vpdn group

group l2tp-vpn
Group session limit 65535 active sessions 0 active tunnels 0

Branch#show vpdn tunnel l2tp

% No active L2TP tunnels

3.3.8 Step-6 Configure PC as a Microsoft L2TP VPN Client

1. Follow step-5 in Chapter 2.
2. Type the hostname (l2tpvpn.com) instead of the IP address.

Figure 3.5 Properties

3. Choose Security

Figure 3.6 Security

4. Under Type of VPN choose L2TP, choose Require encryption from
Data encryption, and select the Authentication Protocols

Figure 3.7 Select Protocol

5. Click on Advanced settings

Figure 3.8 Advance Setting

3.3.9 Step-7 Connecting Client

1. After typing username & password click Connect

Figure 3.9 Connecting

2. The Verifying username and password window appears

Figure 3.10 Verifying

3. The Registering your computer on the network window appears

Figure 3.11 Completing

4. The connection status window appears

Figure 3.12 Connection Status

3.3.10 Step-8 Testing

PC:

Figure 3.13 Connection Details

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=166ms TTL=255
Reply from 192.168.1.1: bytes=32 time=246ms TTL=255
Reply from 192.168.1.1: bytes=32 time=285ms TTL=255
Reply from 192.168.1.1: bytes=32 time=277ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 166ms, Maximum = 285ms, Average = 243ms

Branch:

Branch#ping 172.16.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/204/300 ms

Branch#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.34    YES manual up        up
FastEthernet0/1      192.168.1.1     YES manual up        up
Virtual-Access1      unassigned      YES unset  down      down
Virtual-Access2      unassigned      YES unset  up        up
Virtual-Access3      192.168.1.1     YES unset  up        up
Virtual-Template1    192.168.1.1     YES unset  down      down

Branch#show interfaces virtual-access 3

Virtual-Access3 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoVPDN vaccess, cloned from Virtual-Template1
  Vaccess status 0x0
  Protocol l2tp, tunnel id 35949, session id 29839
  Keepalive set (10 sec)
  40 packets input, 4522 bytes
  15 packets output, 237 bytes
  Last clearing of "show interface" counters never

Branch#show users

    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address
  Vi3          test               PPPoVPDN     00:09:55 172.16.1.4

Branch#show vpdn group

group l2tp-vpn
Group session limit 65535 active sessions 1 active tunnels 1

Branch#show vpdn tunnel l2tp

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  RemTunID  Remote Name  State  Remote Address  Sessn Count  L2TP Class
35949     1         zeeshan      est    203.0.113.17    1            l2tp

Branch#show vpdn session l2tp state

L2TP Session Information Total tunnels 1 sessions 1

LocID  RemID  TunID  Username, Intf/Vcid, Circuit  State  Last Chg  Uniq ID
56894  1      35949  test, Vi3                     est    00:10:24  6

Branch#show vpdn tunnel l2tp transport

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  Type  Prot  Local Address  Port  Remote Address  Port
35949           17    203.0.113.34   1701  203.0.113.17    1701

Branch#show vpdn tunnel l2tp packets

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
35949     154      114       8332      2477
Chapter 4 L2TP over IPsec VPN
L2TP does not provide strong authentication and confidentiality by itself. It
is often used with the IPsec protocol to provide strong confidentiality,
authentication, and integrity. The combination of these two protocols is
generally known as L2TP/IPsec. IPsec is a protocol suite used at the
network layer to provide secure communication between two peers [7]. It
comprises the IP Security Architecture, Internet Key Exchange (IKE), the
IPsec Authentication Header (AH) and the IPsec Encapsulating Security
Payload (ESP). IKE is the key management protocol, while AH and ESP are
used to protect IP traffic. This is discussed in detail in the next part.

4.1 L2TP over IPsec Security
When L2TP is used over IPsec, its security is high. The client negotiates the
IPsec Security Association (SA), usually through IKE, which is carried over
UDP port 500. It uses a pre-shared key, public key or certificates for
authentication. The transport mode of IPsec is used in this security mechanism.
IPsec supports a variety of encryption standards (DES, 3DES and AES)
for data confidentiality. It also supports a range of data integrity algorithms
(MD5 and SHA).

4.2 Encapsulation

The connection is established between two endpoints. Here, L2TP packets
are encapsulated by the IPsec header, as displayed in Fig. 4.1 below.

Figure 4.1 L2TP over IPsec Encapsulation

Since the L2TP packet is wrapped inside the IPsec header, an observer on the
path does not gather any information about the inner L2TP packet. So it is not
necessary to open UDP port 1701 on firewalls between the endpoints. The inner
packet is not acted upon until the IPsec data has been decrypted and stripped,
which only takes place at the endpoints.
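The firewall argument above can be made concrete by looking at what the outer packet exposes in each case. The following Python block is an added example and not code from the book: given an IPv4 packet, it reports the fields a device between the endpoints can read. For plain L2TP (UDP/1701) that includes the tunnel and session IDs and the PPP frame; for IKE (UDP/500) the ISAKMP cookies and exchange type; for ESP (IP protocol 50, transport mode as configured in this chapter) only the SPI and the sequence number, because the UDP/1701 header sits inside the ciphertext. The sample packets, the SPI value 0x1234ABCD and the filler bytes are constructed for the demonstration; the addresses and the tunnel/session IDs 47589/981 are taken from this chapter's topology and show output.

```python
import socket
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
L2TP_PORT, IKE_PORT = 1701, 500


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum 0) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP header with the checksum left 0 (constructed samples only)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def inspect(pkt):
    """Report what a firewall between the endpoints can learn from the outer packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    l4 = pkt[ihl:]
    view = {"src": src, "dst": dst, "proto": proto}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        view.update(sport=sport, dport=dport)
        if L2TP_PORT in (sport, dport):
            # plain L2TP: header, tunnel/session IDs and the PPP frame are all readable
            flags, = struct.unpack("!H", l4[8:10])
            off = 10 + (2 if flags & 0x4000 else 0)      # skip Length if the L bit is set
            tid, sid = struct.unpack("!HH", l4[off:off + 4])
            view.update(kind="l2tp", tunnel_id=tid, session_id=sid, inner_visible=True)
        elif IKE_PORT in (sport, dport):
            # ISAKMP header: initiator cookie, responder cookie, next payload, version, exchange
            i_spi, r_spi, npl, ver, exch = struct.unpack("!8s8sBBB", l4[8:27])
            view.update(kind="ike", exchange_type=exch,
                        initiator_cookie=i_spi.hex(), inner_visible=True)
        else:
            view.update(kind="udp", inner_visible=True)
    elif proto == IPPROTO_ESP:
        # ESP: only SPI and sequence number are in clear; UDP/1701 is inside the ciphertext
        spi, seq = struct.unpack("!II", l4[:8])
        view.update(kind="esp", spi=spi, seq=seq, inner_visible=False)
    else:
        view.update(kind="other", inner_visible=False)
    return view


def firewall_needs_udp_1701(pkts):
    """True only if some packet exposes UDP/1701 on the outside, i.e. L2TP without IPsec."""
    return any(inspect(p).get("kind") == "l2tp" for p in pkts)


if __name__ == "__main__":
    branch, client = "203.0.113.34", "203.0.113.17"
    l2tp_hdr = struct.pack("!HHH", 2, 47589, 981)        # data message, ids from the chapter
    plain = build_ipv4(client, branch, IPPROTO_UDP,
                       build_udp(L2TP_PORT, L2TP_PORT, l2tp_hdr + b"\xff\x03\x00\x21"))
    # constructed ESP packet: arbitrary SPI, sequence 19, opaque filler standing in for ciphertext
    wrapped = build_ipv4(client, branch, IPPROTO_ESP,
                         struct.pack("!II", 0x1234ABCD, 19) + bytes(range(32)))
    for p in (plain, wrapped):
        print(inspect(p))
    print("open UDP/1701 on the firewall?", firewall_needs_udp_1701([wrapped]))
```

The practical consequence for a perimeter rule set is that an L2TP/IPsec deployment needs UDP/500 (and UDP/4500 when NAT traversal is in play) plus IP protocol 50, while UDP/1701 only matters for the endpoints themselves.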

4.3 Router as an L2TP over IPsec VPN Server
4.3.1 Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Test Connectivity
- Configure Router as an L2TP over IPsec VPN Server
- Configure PC as a Microsoft L2TP over IPsec VPN Client
- Try to Connect VPN Client
- Test VPN

4.3.2 Topology





Figure 4.2 L2TP over IPsec VPN Setup

4.3.3 Step-1 IP Addressing
Assign IP addresses on the router's interfaces and the PC as mentioned above in
topological diagram 4.2. Interfaces must be enabled and in up & running state.

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.18    YES manual up        up
FastEthernet0/1      203.0.113.33    YES manual up        up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C     203.0.113.16/28 is directly connected, FastEthernet0/0
C     203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable
Branch#configure terminal
Branch(config)#interface FastEthernet0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface FastEthernet0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief

Interface            IP-Address      OK? Method Status    Protocol
FastEthernet0/0      203.0.113.34    YES manual up        up
FastEthernet0/1      192.168.1.1     YES manual up        up
Branch#

PC:

Figure 4.3 Client IP Addressing

4.3.4 Step-2 Configure Static Routing

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#

Branch#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.33
C     192.168.1.0/24 is directly connected, FastEthernet0/1
C     203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#

4.3.5 Step-3 Testing Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
4.3.6 Step-4 Configure Router as an L2TP over IPsec VPN Server

Branch(config)#vpdn enable
Branch(config)#vpdn-group l2tp-vpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol l2tp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#

Branch(config)#ip local pool l2tp-pool 172.16.1.1 172.16.1.50
Branch(config)#username test password 0 test

Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)#peer default ip address pool l2tp-pool
Branch(config-if)#ip unnumbered FastEthernet0/1
Branch(config-if)#ppp authentication ms-chap ms-chap-v2
Branch(config-if)#exit

Branch(config)#crypto isakmp policy 5
Branch(config-isakmp)#encryption 3des
Branch(config-isakmp)#hash sha
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#group 2
Branch(config-isakmp)#exit
Branch(config)#

Branch(config)#crypto isakmp key l2tpipsec address 0.0.0.0 0.0.0.0

Branch(config)#crypto ipsec transform-set ts esp-3des esp-sha-hmac
Branch(cfg-crypto-trans)#mode transport
Branch(cfg-crypto-trans)#exit

Branch(config)#crypto dynamic-map map 10
Branch(config-crypto-map)#set transform-set ts
Branch(config-crypto-map)#exit
Branch(config)#crypto map l2tpmap 10 ipsec-isakmp dynamic map

Branch(config)#interface FastEthernet0/0
Branch(config-if)#crypto map l2tpmap
Branch(config-if)#^Z
Branch#
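The configuration above is a working lab setup, and several of its choices are the ones a reviewer would flag before the same template reaches production: the IKE policy uses 3DES and Diffie-Hellman group 2, the pre-shared key is bound to the wildcard address 0.0.0.0 so any peer that learns it can negotiate, the ESP transform is esp-3des, the user account stores a type-0 password, and the chapter 2 server additionally enables PPTP with MS-CHAPv1 and MPPE in auto mode. The following Python block is an added example, not code from the book or from Cisco: it is a small linter that reads an IOS configuration as text and returns such findings. The embedded configuration is a constructed excerpt of the commands shown in this chapter and in chapter 2 with the prompts removed, and the weak/strong sets encode the reviewer's thresholds, not anything the book states.

```python
# Constructed excerpt of the Branch router commands shown in this chapter and the
# PPTP server of chapter 2, written the way 'show running-config' would print them.
SAMPLE_CONFIG = """\
vpdn enable
vpdn-group pptp-vpn
 accept-dialin
  protocol pptp
  virtual-template 1
username test password 0 test
interface Virtual-Template1
 encapsulation ppp
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
crypto isakmp policy 5
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key l2tpipsec address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ts esp-3des esp-sha-hmac
 mode transport
"""

WEAK_IKE_ENC = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # 768/1024/1536-bit MODP groups
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def audit_ios_vpn_config(text):
    """Return (line_number, finding) pairs for weak VPN settings in an IOS config."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        w = raw.split()
        if not w:
            continue
        line = " ".join(w)
        if line == "protocol pptp":
            findings.append((n, "PPTP enabled: MS-CHAP/MPPE is broken, migrate to L2TP/IPsec or IKEv2"))
        elif w[0] == "username" and "password" in w:
            # 'password' keeps type 0 (clear) or type 7 (reversible) text; 'secret' hashes it
            findings.append((n, "user %s stored with 'password', use 'secret'" % w[1]))
        elif w[:3] == ["ppp", "encrypt", "mppe"] and "auto" in w:
            findings.append((n, "MPPE 'auto' lets the peer negotiate 40-bit keys, pin 128"))
        elif w[:2] == ["ppp", "authentication"] and "ms-chap" in w:
            findings.append((n, "MS-CHAPv1 allowed, keep only ms-chap-v2 (or EAP)"))
        elif w[0] == "encryption" and len(w) > 1 and w[1] in WEAK_IKE_ENC:
            findings.append((n, "IKE encryption %s is weak, use aes 256" % w[1]))
        elif w[0] == "hash" and len(w) > 1 and w[1] in WEAK_IKE_HASH:
            findings.append((n, "IKE hash md5 is weak, use sha256"))
        elif w[0] == "group" and len(w) > 1 and w[1] in WEAK_DH_GROUPS:
            findings.append((n, "DH group %s is weak, use 14 or higher" % w[1]))
        elif w[:3] == ["crypto", "isakmp", "key"] and w[-2:] == ["0.0.0.0", "0.0.0.0"]:
            findings.append((n, "wildcard pre-shared key: any peer that knows it can negotiate"))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = [t for t in w[4:] if t in WEAK_ESP]
            if weak:
                findings.append((n, "transform-set %s uses %s" % (w[3], ", ".join(weak))))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_ios_vpn_config(SAMPLE_CONFIG):
        print("line %2d: %s" % (line_no, finding))
```

Run against the sample it reports eight findings; a policy block such as `encryption aes 256`, `hash sha256`, `group 14` with a per-peer key and an `esp-aes esp-sha-hmac` transform set produces none, which is the shape of the corrected configuration.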

4.3.7 Step-5 Configure PC as a Microsoft L2TP over IPsec VPN Client

1. Follow step-6 in Chapter 2.
2. Click on Advanced settings and enter the pre-shared key.

Figure 4.4 Advanced Properties

3. (Optional, if the operating system is old like Windows 2000.) Execute the
mmc command in Run to manage the IP security policy.

Figure 4.5 Run

4. IP Security Policy Management: choose Add/Remove Snap-in from File.

Figure 4.6 Console

5. Choose IP Security Policy Management and click Add.

Figure 4.7 Add or Remove

6. When the following screen appears, please choose Local computer and click
Finish.

Figure 4.8 Select Domain

7. IP Security Policy Management is added in Snap-in; click OK.

Figure 4.9 Add IP Security Policies

8. IP Security Policy Management is added; click OK.

Figure 4.10 IP Security Policy Management

9. Select Create IP Security Policy from Action to create a policy.

Figure 4.11 Console

10. When the IP Security Policy Wizard appears, please click Next.

Figure 4.12 IP Security Policy Wizard

11. Type a suitable name in the name field, such as "L2TP over IPsec", and click Next.

Figure 4.13 IP Security Policy Name

12. Uncheck Activate the default response rule and click Next.

Figure 4.14 Request for Secure Communication

13. When the following window appears, please check Edit properties and click
Finish.

Figure 4.15 Completing IP Security Policy

14. In the policy's Properties window there is a default rule "<Dynamic>". Please click
Add.

Figure 4.16 Filter Rules

15. When the Security Rule Wizard appears, please click Next.

Figure 4.17 Creating New Security Rule

16. Select This rule does not specify a tunnel and click Next.

Figure 4.18 Tunnel Endpoint

17. Select All network connections and click Next.

Figure 4.19 Network Type

18. Add an IP filter list to this rule by clicking Add.

Figure 4.20 Add New Filter List

19. Type Outside as the name and click Add.

Figure 4.21 IP Filter List for Outside

20. When the IP Filter Wizard appears, please click Next.

Figure 4.22 New IP Filter Wizard

21. Type a filter description and click Next.

Figure 4.23 IP Filter Description

22. Choose A specific IP Address & type the IP address (Source) and click Next.

Figure 4.24 IP Traffic Source

23. Choose A specific IP Address & type the IP addresses (Destination) and click
Next.

Figure 4.25 IP Traffic Destination

24. Choose UDP as the protocol type. Click Next.

Figure 4.26 IP Protocol Types

25. Set the Port No. 1701 and click Next.

Figure 4.27 IP Protocol Ports

26. Check the box Edit properties and click Finish to complete the
filter wizard.

Figure 4.28 Completing IP Filter Wizard

27. Click OK to finish the settings.

Figure 4.29 IP Filter Properties

28. Click OK to finish the settings.

Figure 4.30 IP Filter List

29. Choose Outside in the IP filter list and click Next.

Figure 4.31 IPsec Filter List

30. Click Add to set up an action for this rule.

Figure 4.32 New Filter Rule

31. The Filter Action Wizard will appear; then please click Next.

Figure 4.33 New IP Security Filter Wizard

32. Type Outside as the name and click Next.

Figure 4.34 Filter Action Name

33. Choose Negotiate security and click Next.

Figure 4.35 General Options

34. Choose Do not communicate… and click Next.

Figure 4.36 Communicating with Computers

35. Choose Encryption and Integrity and click Next.

Figure 4.37 IP Traffic Security Policies

36. Uncheck Edit properties and click Finish.

Figure 4.38 Completing IP Security Filter Wizard

37. Select Outside from the IP Filter list, and click Next.

Figure 4.39 Filter Action

38. Type the key as Authentication Method (pre-shared key) and click Next.

Figure 4.40 Authentication Method

39. Choose Outside for Filter Action, and click Next.

Figure 4.41 Completing Security Rule

40. Now you can see the Outside rule. Click OK.

Figure 4.42 IPsec Rules

41. Click IP Security Policies on Local Computer.

Figure 4.43 New Created Security Policy

42. Choose L2TP over IPsec > Assign from the console screen.

Figure 4.44 Assigned Policy

43. Now you can see that the policy is activated.

Figure 4.45 Policy Activated

44. Save settings.













4.3.8 Step-6 Connecting Client

1. After typing username & password click Connect

Figure 4.46 Connecting

2. The Verifying username and password window appears

Figure 4.47 Verifying

3. The Registering your computer on the network window appears

Figure 4.48 Completing

4. The connection status window appears

Figure 4.49 Connection Status

Page | 71
L2TP over IPsec VPN
8/7/= '$0; &'"

4


Figure 4.50 Connection Details

:=a' %@HA5@EG5@5@

$)"$)"RZS;RWY;R;R2$/#TS4/ .*!/:

 +'4!-*(RZS;RWY;R;R:4/ ._TS/$( _STX(. _SVV
 +'4!-*(RZS;RWY;R;R:4/ ._TS/$( _TWQ(. _SVV
 +'4!-*(RZS;RWY;R;R:4/ ._TS/$( _TUQ(. _SVV
 +'4!-*(RZS;RWY;R;R:4/ ._TS/$( _TRU(. _SVV

$)".//$./$.!*-RZS;RWY;R;R:
& /.: )/_U8  $1 _U8 *./_Q@Q]'*..A8
++-*3$(/ -*0)/-$+/$( .$)($''$>. *).:
$)$(0(_STX(.83$(0(_TWQ(.81 -" _TRS(.





Page | 72
L2TP over IPsec VPN
)%4

-)#N' %@FA5@E5@5@
4+  .+ . ,0 ) /**-/;
 )$)"V8RQQ>4/ 
#*./*RXS;RW;R;R8/$( *0/$.S. *).:
6;666
0 ..-/ $.YQ+ - )/@U<VA8-*0)>/-$+($)<1"<(3_RYU<SRQ<SUY(.

-)#N*&. ' %+)) 


)/ -! 
>- .. 7 /#*//0.-*/**'
.//# -) /Q<QSQT;Q;RRT;TU()0'0+0+
.//# -) /Q<RRZS;RWY;R;R()0'0+0+
$-/0'> ..R0)..$") 0). /*2)*2)
$-/0'> ..S0)..$") 0). /0+0+
$-/0'> ..S;RRZS;RWY;R;R0). /0+0+
$-/0'> (+'/ RRZS;RWY;R;R0). /*2)*2)

-)#N*&.-'%)&,'

"-*0+'S/+
-*0+. ..$*)'$($/WVVTV/$1 . ..$*).R/$1 /0)) '.R

-)#N*&.-'%+,%%##A+'*++

S0)) '
)!*-(/$*)*/'/0)) '.R. ..$*).R

*0)
 (0)
 *'(  (*/ ( //  ./>#"
UXVYZR-)#5 .#) ./QQ:RQ:VV

-)#N*&.-'%+,%%##A+'*,$$)0

S0)) '
)!*-(/$*)*/'/0)) '.R. ..$*).R

*0)
 (0)
 (*/ ( //  (*/ - .. ..) S'..
UXVYZR5 .#) ./SQT;Q;RRT;RXR'S/+

-)#N*&.-'%+,%%#+)%*'&)+

S0)) '
)!*-(/$*)*/'/0)) '.R. ..$*).R

*0)
4+ -*/ *'- ..*-/ (*/ - ..*-/
UXVYZRXSQT;Q;RRT;TURXQRSQT;Q;RRT;RXRXQR


Page | 73
L2TP over IPsec VPN
-)#N*&. %+)*- )+,#7**A5@

$-/0'> ..S;R$.0+8'$) +-*/**'$.0+
 -2- $.$-/0' ..$)/ -! 

)/ -! $.0))0( - ;.$)"- ..*!.//# -) /Q<R@RZS;RWY;R;RA
RVQQ4/ .8RQQQQ $/<. 8 RQQQQQ0. 8
- '$$'$/4SVV<SVV8/3'*R<SVV8-3'*R<SVV
)+.0'/$*)8 + )
+ ):

*1 ..8'*) !-*($-/0'> (+'/ R
 ...//0.Q3Q
-*/**''S/+8/0)) '$UXVYZ8. ..$*)$ZYR
 +'$1 . /@RQ. A
RVR+& /.$)+0/8YQWW4/ .
RTS+& /.*0/+0/8TVXV4/ .
 ./' -$)"*!I.#*2$)/ -! I*0)/ -.) 1 -

-)#N*&.-'%+,%%#'"+*

S0)) '
)!*-(/$*)*/'/0)) '.R. ..$*).R

*0)
&/.>
)&/.>0/4/ .>
)4/ .>0/
UXVYZSRVSRVRTQXUWXSX

-)#N*&.)0'+&*** &%

-4+/*. ..$*)0-- )/.//0.


)/ -! :.//# -) /Q<Q


 ..$*).//0.:>

 -:SQT;Q;RRT;RX+*-/VQQ

:'*'SQT;Q;RRT;TU<VQQ- (*/ SQT;Q;RRT;RX<VQQ/$1 

 :+ -($/RX#*./SQT;Q;RRT;TU#*./SQT;Q;RRT;RX+*-/RXQR
/$1 .:S8*-$"$):4)($-4+/*(+

-)#N*&.)0'+&*** &%) 

//0.:>/$1 8>+8>*2)8
>
' 8>/)48> "*/$/$)"
 >*

$1-!_@)*) A
 -
<. -)( -*0+<#. R?$+/$( //0.
SQT;Q;RRT;RX Q<QSQT;Q;RRT;RX QQ:RS:QS



Page | 74
L2TP over IPsec VPN
-)#N*&.)0'+& *"$'"0

4-$)" *./)( <- ..- .#-  4

 !0'/Q;Q;Q;QBQ;Q;Q;QC'S/+$+. 

-)#N*&.)0'+& *"$'*&,%+

/$1 
 H.:R
/)4
 H.:Q
0-- )/'4 $)") "*/$/ 
 H.:Q
 
 H.:Q

-)#N*&.)0'+& *"$'')*

 -:SQT;Q;RRT;RX*-/:VQQ *':SQT;Q;RRT;TU
#. R$:SQT;Q;RRT;RX

-)#N*&.)0'+& *"$'*


1U-4+/*
 
./.-.// *))>$.//0.
SQT;Q;RRT;TUSQT;Q;RRT;RX?
 RQQR


-)#N*&.)0'+& '*+)%*&)$7*+

-).!*-(. //. /:D .+>T . .+>.#>#(E
2$'') "*/$/ _D-).+*-/8E8

-).!*-(. /NM6 !0'/?/-).!*-(?. /?Q:D .+>T . .+>.#>#(E
2$'') "*/$/ _D-).+*-/8E8

-)#N*&.)0'+& *"$''&# 0

'*'
+*'$4
-*/ /$*).0$/ *!+-$*-$/4V
 )-4+/$*)'"*-$/#(:#- & 4/-$+' 
#.#'"*-$/#(: 0-  .#/)-
0/# )/$/$*)( /#*:- >#-  4
$!!$ > ''()"-*0+:NS@RQSU$/A
'$! /$( :YWUQQ. *).8)*1*'0( '$($/




Page | 75
L2TP over IPsec VPN
-)#N*&.)0'+& '**

$)/ -! :.//# -) /Q<Q
-4+/*(+/":'S/+8'*'-SQT;Q;RRT;TU

+-*/ / 1-!:@)*) A
'*'$ )/@-<(.&<+-*/<+*-/A:@SQT;Q;RRT;TU<SVV;SVV;SVV;SVV<RX<QA
- (*/ $ )/@-<(.&<+-*/<+*-/A:
@SQT;Q;RRT;RX<SVV;SVV;SVV;SVV<RX<RXQRA
0-- )/?+ -SQT;Q;RRT;RX+*-/VQQ

8!'"._DE
N+&/. )+.:RZ8N+&/. )-4+/:RZ8N+&/.$" ./:RZ
N+&/. +.:RZ8N+&/. -4+/:RZ8N+&/.1 -$!4:RZ
'*'-4+/* )+/;:SQT;Q;RRT;TU8- (*/ -4+/* )+/;:SQT;Q;RRT;RX
+/#(/0RVQQ8$+(/0RVQQ8$+(/0$.//# -) /Q<Q
0-- )/*0/*0).+$:Q3UZVS@TQSZXSZSVQA
@<A:8 "-*0+:)*) 
B0/+0/*($// C

4

:=a' %@HA5@EG5@5@

$)"$)"RZS;RWY;R;R2$/#TS4/ .*!/:

 +'4!-*(RZS;RWY;R;R:4/ ._TS/$( _STX(. _SVV
 +'4!-*(RZS;RWY;R;R:4/ ._TS/$( _TWQ(. _SVV
 +'4!-*(RZS;RWY;R;R:4/ ._TS/$( _TUQ(. _SVV
 +'4!-*(RZS;RWY;R;R:4/ ._TS/$( _TRU(. _SVV

$)".//$./$.!*-RZS;RWY;R;R:
& /.: )/_U8  $1 _U8 *./_Q@Q]'*..A8
++-*3$(/ -*0)/-$+/$( .$)($''$>. *).:
$)$(0(_STX(.83$(0(_TWQ(.81 -" _TRS(.

Branch#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: l2tp, local addr 203.0.113.34

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)
   remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)
   current_peer 203.0.113.17 port 500
     PERMIT, flags={}
    #pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
    #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Branch#show crypto map
Crypto Map "l2tpmap" 10 ipsec-isakmp
        Dynamic map template tag: dmap

Crypto Map "l2tpmap" 65536 ipsec-isakmp
        Peer = 203.0.113.17
        Extended IP access list
            access-list  permit udp host 203.0.113.34 host 203.0.113.17 port = 1701
        Dynamic (created from dynamic map dmap/10)
        Current peer: 203.0.113.17
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                tset:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map l2tpmap:
                FastEthernet0/0











Chapter 5 IPsec VPN
Internet Protocol Security (IPsec) is a network security protocol suite. It
provides strong authentication, data encryption, data origin authentication
and data integrity. It can be used network-to-network, host-to-host and
host-to-network over the public network (Internet). It works at the network
layer of the OSI model to provide end-to-end security. In 1992, the IETF
started to create an open and freely available security protocol for the
Internet Protocol (IP). It is officially standardized by the IETF and was
first specified in RFC 1825 [8]. IP is used at the network layer of the OSI
model to deliver datagrams over the public network. There are two versions of
IP: IPv4 and IPv6. IPv4 uses 32-bit addresses while IPv6 uses 128-bit
addresses. Network Address Translation (NAT) is used with IPv4 in private
networks to conserve public IP addresses and also provides a measure of
security, in that the addresses of the private network are hidden during
communication. Today, NAT is widely deployed in home gateways, as well as in
other locations likely to be used by telecommuters, such as hotels [9].

The fast growth of the Internet has exhausted the IPv4 address space. In 1990,
the IETF introduced the IPv6 protocol with new features: a simpler header
format, a larger address space, built-in security, efficient routing and
better QoS [10]. Internet Service Providers (ISPs) are gradually trying to
replace their IPv4 networks with IPv6. This transition is very slow because
there are millions of devices around the world. IPv6 is the next-generation IP
network protocol. IPsec provides security to both versions of IP. In this
book, the focus is on IPv4.

5.1 IPsec Protocols
IPsec is an open-standard protocol suite. It uses several protocols to provide
security: Authentication Header (AH), Encapsulating Security Payload (ESP),
Security Associations (SA), Internet Security Association and Key Management
Protocol (ISAKMP) and Internet Key Exchange (IKE and IKEv2).

The AH provides connectionless data integrity, data origin authentication for
IP datagrams and protection against replays [11]. It does not encrypt data
packets; the payload is transported in clear text. Data integrity means
assurance that the data is not altered during transmission over the network.
Before sending the data, the sender calculates a 32-bit, unique numeric hash
value of the data using a hashing algorithm such as MD5 or SHA-1 and sends
this hash value along with the data. Hashing is a one-way process [12]. On the
receiving side, the receiver verifies the hash value by recalculating the hash
of the received data. If both hash values are equal, the integrity of the data
is intact and there was no tampering during transmission; if the hash values
differ, the integrity has been compromised and the receiver discards the data.
Anti-replay protection uses sequence numbers to ensure that each packet is
unique and none is duplicated. Origin authentication means knowing who is on
the other side: the device on the other side of the tunnel must be verified
before the path is considered secure. The sender sends data (a certificate)
encrypted with its private key, and that data is verified at the receiver end
by decrypting it with the sender's public key for authentication. There are
three authentication methods:

1. Pre-shared Key
2. RSA Signature
3. RSA Encryption Nonce

In pre-shared key authentication, the same key is configured on each IPsec
peer. In RSA signature authentication, different keys (a private key and a
public key) are used to encrypt and decrypt digitally; this is also called
digital certificates. The digital signature and digital certificate are
forwarded to the other side. Finally, in RSA encrypted nonce authentication, a
nonce (a random number generated by the peer) is encrypted and exchanged
between the peers, and this nonce is used during the peer authentication
process.

The ESP provides confidentiality, data origin authentication, connectionless
integrity, an anti-replay service and limited traffic-flow confidentiality
[13]. The set of services provided depends on the options selected at the time
of Security Association (SA) establishment. It encrypts the payload to provide
confidentiality and supports several encryption algorithms, most of them
symmetric. DES (56-bit) is the basic symmetric encryption algorithm; 3DES and
AES are also supported for stronger encryption. The ESP can be used alone or
in combination with AH.
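The integrity and anti-replay services that AH and ESP share, shown as an added example (not code from the book): a receiver that verifies a truncated HMAC-SHA1 integrity check value (the ICV of esp-sha-hmac, RFC 2404) and then applies the RFC 4303 sliding anti-replay window. The key, payloads and sequence numbers are constructed sample values.

```python
import hmac
import hashlib

WINDOW_SIZE = 64  # RFC 4303 recommends a 64-packet anti-replay window


def compute_icv(key: bytes, protected: bytes) -> bytes:
    """HMAC-SHA1-96 (RFC 2404), the ICV used by esp-sha-hmac / ah-sha-hmac:
    the 160-bit HMAC truncated to its leftmost 96 bits."""
    return hmac.new(key, protected, hashlib.sha1).digest()[:12]


def make_packet(key: bytes, seq: int, payload: bytes) -> tuple:
    """Sender side: the ICV covers the sequence number and the payload, so a
    replayed or renumbered packet cannot carry a valid ICV."""
    return seq, payload, compute_icv(key, seq.to_bytes(4, "big") + payload)


class AntiReplayReceiver:
    """Receiver-side integrity check plus the RFC 4303 sliding window.

    `highest` is the largest sequence number accepted so far; bit i of the
    64-bit `window` records whether sequence number (highest - i) was seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0
        self.window = 0

    def _replay_check(self, seq: int) -> bool:
        if seq == 0:
            return False                   # first packet on an SA is number 1
        if seq > self.highest:
            return True                    # right of the window: new packet
        offset = self.highest - seq
        if offset >= WINDOW_SIZE:
            return False                   # left of the window: too old
        return not (self.window >> offset) & 1   # inside: reject if seen

    def _replay_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.window = ((self.window << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest = seq
        else:
            self.window |= 1 << (self.highest - seq)

    def receive(self, seq: int, payload: bytes, icv: bytes) -> str:
        # Order matters: the cheap window check runs first, then the ICV, and
        # only an authenticated packet is allowed to advance the window, so a
        # forged packet cannot burn sequence numbers for the real sender.
        if not self._replay_check(seq):
            return "replay"
        expected = compute_icv(self.key, seq.to_bytes(4, "big") + payload)
        if not hmac.compare_digest(expected, icv):
            return "bad-icv"
        self._replay_update(seq)
        return "accepted"


def demo() -> list:
    key = b"constructed-demo-key"         # constructed; real keys come from IKE
    rx = AntiReplayReceiver(key)
    results = [
        rx.receive(*make_packet(key, 1, b"first")),
        rx.receive(*make_packet(key, 3, b"reordered")),  # gap is fine
        rx.receive(*make_packet(key, 2, b"late")),       # late but unseen
        rx.receive(*make_packet(key, 2, b"late")),       # exact duplicate
    ]
    seq, payload, icv = make_packet(key, 4, b"pay 100")
    results.append(rx.receive(seq, b"pay 900", icv))     # payload tampered in transit
    results.append(rx.receive(*make_packet(key, 4, b"pay 100")))  # genuine 4 still accepted
    results.append(rx.receive(*make_packet(key, 100, b"jump")))   # window slides to 100
    results.append(rx.receive(*make_packet(key, 30, b"stale")))   # 70 behind: too old
    results.append(rx.receive(*make_packet(key, 40, b"ok")))      # 60 behind: still in window
    return results
```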

The SA is a logical group of security parameters used to establish and share
security attributes between two entities so that they can communicate
securely. These attributes include the cryptographic algorithm, the mode and
the encryption key. The SA is established using ISAKMP.

The ISAKMP defines procedures and packet formats to establish, negotiate,
modify and delete Security Associations [14]. It only provides a framework
for authentication and key exchange; it is implemented either by manual
configuration with a pre-shared key or by IKE.

During the establishment of a secure connection between two nodes, security
parameters such as keys must be shared over the network. Two methods are used
for key exchange: manual and automatic. The manual method is neither secure
nor scalable [15]. Therefore, a protocol is needed to exchange or establish
security parameters dynamically. IKE is the protocol used to set up a security
association dynamically. It uses X.509 certificates for authentication, either
pre-shared or distributed, and a Diffie-Hellman key exchange to share a secret
key between the nodes over the public network.

5.2 IPsec Modes

IPsec can be configured in two different modes:

1. Transport Mode
2. Tunnel Mode

Transport mode is used to provide end-to-end security; communication between
a client and a server is the best example. In this mode, only the payload of
the IP packet is encrypted or authenticated. The original IP header is neither
encrypted nor modified, except that the IP protocol field is changed to ESP
(50) or AH (51). The payload is encapsulated by the IPsec ESP header and
trailer as shown in Fig. 5.1. Transport mode is usually used when another
tunneling protocol (such as GRE or L2TP) first encapsulates the IP data packet
and IPsec then protects the tunnel packets; IPsec protects the GRE or L2TP
tunnel traffic in transport mode. ESP is identified in the original IP header
with an IP protocol ID of 50.

Figure 5.1 Transport Mode IPsec Encapsulation

Tunnel mode is the default mode. It is used to provide security between
gateways (router, PIX or ASA). In this mode, the entire original IP packet is
protected: the whole IP packet is encapsulated with the IPsec ESP header and
trailer, a new IP header is added, and the packet is sent to the other side of
the tunnel as shown in Fig. 5.2. ESP is identified in the new IP header with an
IP protocol ID of 50. Tunnel mode supports NAT traversal.

Figure 5.2 Tunnel Mode IPsec Encapsulation
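The two encapsulations of Fig. 5.1 and Fig. 5.2, as an added example that is not part of the book: ESP with NULL encryption (RFC 2410) so the byte layout stays visible, HMAC-SHA1-96 as the ICV, and the RFC 4303 padding trailer. The addresses reuse this chapter's topology (gateways 203.0.113.17 and 203.0.113.34, LAN hosts 192.168.1.2 and 192.168.2.1); the UDP payloads and key are constructed, and the original packets are assumed to carry a 20-byte IPv4 header without options.

```python
import struct
import hmac
import hashlib
from ipaddress import IPv4Address

ESP = 50    # IP protocol number written into the IP header ("ESP (50)" above)
IPIP = 4    # ESP Next Header value for an encapsulated IPv4 packet (tunnel mode)
UDP = 17


def checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", checksum(fields)) + fields[12:]


def esp_encapsulate(ip_packet: bytes, spi: int, seq: int, key: bytes,
                    mode: str, outer: tuple = None) -> bytes:
    """Wrap an IPv4 packet in ESP. NULL encryption keeps the layout readable;
    the ICV is HMAC-SHA1-96 over SPI, sequence number, payload and trailer."""
    hdr, body = ip_packet[:20], ip_packet[20:]
    if mode == "transport":
        # Only the payload is protected; the original header is kept and its
        # protocol field becomes 50. Next Header remembers the real protocol.
        protected, next_header = body, hdr[9]
        src, dst = hdr[12:16], hdr[16:20]
    elif mode == "tunnel":
        # The whole original packet, header included, becomes the payload and
        # a new outer header between the two gateways carries ESP.
        protected, next_header = ip_packet, IPIP
        src, dst = (IPv4Address(a).packed for a in outer)
    else:
        raise ValueError(mode)
    pad_len = (-(len(protected) + 2)) % 4           # RFC 4303: 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp = struct.pack("!II", spi, seq) + protected + trailer
    esp += hmac.new(key, esp, hashlib.sha1).digest()[:12]   # 96-bit ICV
    new_hdr = ipv4_header(str(IPv4Address(src)), str(IPv4Address(dst)), ESP, len(esp))
    return new_hdr + esp


def esp_decapsulate(packet: bytes, key: bytes) -> dict:
    """Verify the ICV, strip ESP, and report what the receiving peer sees."""
    hdr, esp = packet[:20], packet[20:]
    if hdr[9] != ESP:
        raise ValueError("not an ESP packet")
    data, icv = esp[:-12], esp[-12:]
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest()[:12], icv):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", data[:8])
    pad_len, next_header = data[-2], data[-1]
    return {"outer_src": str(IPv4Address(hdr[12:16])), "outer_dst": str(IPv4Address(hdr[16:20])),
            "spi": spi, "seq": seq, "next_header": next_header,
            "protected": data[8:-2 - pad_len]}


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; a real SA gets its keys from IKE
    # Transport-mode case: an L2TP/UDP packet exchanged gateway to gateway.
    l2tp_body = struct.pack("!HHHH", 1701, 1701, 8 + 6, 0) + b"l2tp!!"
    l2tp_pkt = ipv4_header("203.0.113.34", "203.0.113.17", UDP, len(l2tp_body)) + l2tp_body
    # Tunnel-mode case: a LAN-to-LAN packet carried between the two gateways.
    lan_body = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"query"
    lan_pkt = ipv4_header("192.168.1.2", "192.168.2.1", UDP, len(lan_body)) + lan_body
    transport = esp_decapsulate(esp_encapsulate(l2tp_pkt, 0x1001, 1, key, "transport"), key)
    tunnel = esp_decapsulate(esp_encapsulate(lan_pkt, 0x2002, 1, key, "tunnel",
                                             ("203.0.113.17", "203.0.113.34")), key)
    return {"transport": transport, "tunnel": tunnel,
            "l2tp_body": l2tp_body, "lan_pkt": lan_pkt}
```

In the transport result the outer addresses are still the original endpoints and Next Header is 17 (UDP); in the tunnel result the outer addresses are the gateways, Next Header is 4, and the protected bytes are the untouched inner packet with its private addresses.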



























5.3 Site-to-Site IPsec VPN between Routers

5.3.1 Objectives
• Assign IP addresses according to the topology
• Configure IP Routing
• Configure NAT
• Test Connectivity
• Configure IPsec VPN Tunnel on both sides
• Test VPN

5.3.2 Topology

Figure 5.3 Site-to-Site IPsec VPN Setup

5.3.3 Step 1: IP Addressing
Assign IP addresses on the router interfaces and the PCs as given in
topology diagram 5.3. Interfaces must be enabled in UP/running state.

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.33    YES manual up                    up
FastEthernet0/1            203.0.113.18    YES manual up                    up
Internet#

Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C        203.0.113.32/28 is directly connected, FastEthernet0/0
C        203.0.113.16/28 is directly connected, FastEthernet0/1

Branch-1:

Branch-1>enable
Branch-1#configure terminal
Branch-1(config)#interface FastEthernet0/0
Branch-1(config-if)#ip address 203.0.113.17 255.255.255.240
Branch-1(config-if)#no shutdown
Branch-1(config-if)#exit
Branch-1(config)#interface FastEthernet0/1
Branch-1(config-if)#ip address 192.168.1.1 255.255.255.0
Branch-1(config-if)#no shutdown
Branch-1(config-if)#^Z
Branch-1#

Branch-1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.17    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Branch-1#
Branch-2:

Branch-2>enable
Branch-2#configure terminal
Branch-2(config)#interface FastEthernet0/1
Branch-2(config-if)#ip address 203.0.113.34 255.255.255.240
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#interface FastEthernet0/0
Branch-2(config-if)#ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)#no shutdown
Branch-2(config-if)#^Z
Branch-2#

Branch-2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.2.1     YES manual up                    up
FastEthernet0/1            203.0.113.34    YES manual up                    up
Branch-2#

PC-1:

Figure 5.4 PC-1 IP Addressing

PC-2:

Figure 5.5 PC-2 IP Addressing

5.3.4 Step 2: Configure IP Routing

Branch-1:

Branch-1#ping 203.0.113.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Branch-1#

Branch-1(config)#ip route 203.0.113.32 255.255.255.240 203.0.113.18
Branch-1(config)#exit
Branch-1#

Branch-1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     203.0.113.0/28 is subnetted, 2 subnets
S       203.0.113.32 [1/0] via 203.0.113.18
C       203.0.113.16 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
Branch-1#

Branch-2:

Branch-2(config)#ip route 203.0.113.16 255.255.255.240 203.0.113.33
Branch-2(config)#exit
Branch-2#

Branch-2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     203.0.113.0/28 is subnetted, 2 subnets
C       203.0.113.32 is directly connected, FastEthernet0/1
S       203.0.113.16 [1/0] via 203.0.113.33
C    192.168.2.0/24 is directly connected, FastEthernet0/0
Branch-2#

Branch-2#ping 203.0.113.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/63/124 ms
Branch-2#

5.3.5 Step 3: Configure NAT

PC-1:

PC>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>

Branch-1:

Branch-1(config)#ip nat inside source list 10 interface FastEthernet0/0 overload
Branch-1(config)#access-list 10 permit 192.168.1.0 0.0.0.255

Branch-1(config)#interface FastEthernet0/0
Branch-1(config-if)#ip nat outside
Branch-1(config-if)#exit

Branch-1(config)#interface FastEthernet0/1
Branch-1(config-if)#ip nat inside
Branch-1(config-if)#^Z
Branch-1#

Branch-2:

Branch-2(config)#ip nat inside source list 20 interface FastEthernet0/1 overload
Branch-2(config)#access-list 20 permit 192.168.2.0 0.0.0.255

Branch-2(config)#interface FastEthernet0/1
Branch-2(config-if)#ip nat outside
Branch-2(config-if)#exit

Branch-2(config)#interface FastEthernet0/0
Branch-2(config-if)#ip nat inside
Branch-2(config-if)#^Z
Branch-2#

PC-1:

PC>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=387ms TTL=254
Reply from 203.0.113.34: bytes=32 time=147ms TTL=254
Reply from 203.0.113.34: bytes=32 time=91ms TTL=254
Reply from 203.0.113.34: bytes=32 time=98ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 91ms, Maximum = 387ms, Average = 180ms
PC>

Branch-1:

Branch-1#show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
icmp 203.0.113.17:1280   192.168.1.2:1280    203.0.113.34:1280   203.0.113.34:1280

Branch-1#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet0/1
Hits: 19  Misses: 3
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface FastEthernet0/0 refcount 1
Branch-1#

5.3.6 Step 4: Test Connectivity

PC-1:

PC>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=91ms TTL=254
Reply from 203.0.113.34: bytes=32 time=89ms TTL=254
Reply from 203.0.113.34: bytes=32 time=79ms TTL=254
Reply from 203.0.113.34: bytes=32 time=89ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 79ms, Maximum = 91ms, Average = 87ms

PC>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
PC>

5.3.7 Step 5: Configure Site-to-Site IPsec VPN Tunnel

Branch-1:

Branch-1(config)#crypto isakmp policy 10
Branch-1(config-isakmp)#encryption des
Branch-1(config-isakmp)#hash md5
Branch-1(config-isakmp)#authentication pre-share
Branch-1(config-isakmp)#group 2
Branch-1(config-isakmp)#exit

Branch-1(config)#crypto isakmp key testipsecvpn address 203.0.113.34
Branch-1(config)#crypto ipsec transform-set tset esp-des esp-md5-hmac
Branch-1(cfg-crypto-trans)#exit

Branch-1(config)#crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Branch-1(config-crypto-map)#set peer 203.0.113.34
Branch-1(config-crypto-map)#set transform-set tset
Branch-1(config-crypto-map)#match address 101
Branch-1(config-crypto-map)#exit

Branch-1(config)#ip access-list extended 101
Branch-1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Branch-1(config-ext-nacl)#exit

Branch-1(config)#ip route 192.168.2.0 255.255.255.0 203.0.113.18

Branch-1(config)#interface FastEthernet0/0
Branch-1(config-if)#crypto map smap
Branch-1(config-if)#^Z
Branch-1#

Branch-2:

Branch-2(config)#crypto isakmp policy 10
Branch-2(config-isakmp)#encryption des
Branch-2(config-isakmp)#hash md5
Branch-2(config-isakmp)#authentication pre-share
Branch-2(config-isakmp)#group 2
Branch-2(config-isakmp)#exit
Branch-2(config)#crypto isakmp key testipsecvpn address 203.0.113.17
Branch-2(config)#crypto ipsec transform-set tset esp-des esp-md5-hmac
Branch-2(cfg-crypto-trans)#exit

Branch-2(config)#crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Branch-2(config-crypto-map)#set peer 203.0.113.17
Branch-2(config-crypto-map)#set transform-set tset
Branch-2(config-crypto-map)#match address 102
Branch-2(config-crypto-map)#exit

Branch-2(config)#ip access-list extended 102
Branch-2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any
Branch-2(config-ext-nacl)#exit

Branch-2(config)#ip route 192.168.1.0 255.255.255.0 203.0.113.33
Branch-2(config)#interface FastEthernet0/1
Branch-2(config-if)#crypto map smap
Branch-2(config-if)#^Z
Branch-2#


5.3.8 Step 6: Test VPN

PC-1:

PC>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=112ms TTL=254
Reply from 203.0.113.34: bytes=32 time=89ms TTL=254
Reply from 203.0.113.34: bytes=32 time=98ms TTL=254
Reply from 203.0.113.34: bytes=32 time=74ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 74ms, Maximum = 112ms, Average = 93ms

PC>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Reply from 203.0.113.34: bytes=32 time=105ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 90ms, Maximum = 105ms, Average = 93ms
PC>

Branch-1:

Branch-1#show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
icmp 203.0.113.17:1280   192.168.1.2:1280    192.168.2.1:1280    192.168.2.1:1280
icmp 203.0.113.17:1280   192.168.1.2:1280    203.0.113.34:1280   203.0.113.34:1280





Branch-1#show crypto isakmp sa
dst             src             state          conn-id slot
203.0.113.34    203.0.113.17    QM_IDLE              1    0 ACTIVE

Branch-1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: smap, local addr. 203.0.113.17

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 203.0.113.34
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 203.0.113.17, remote crypto endpt.: 203.0.113.34
     path mtu 1500, media mtu 1500

[Output omitted]

Branch-1#show crypto isakmp policy

Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Branch-1#show crypto map
Crypto Map "smap" 10 ipsec-isakmp
        Peer = 203.0.113.34
        Extended IP access list 101
            access-list 101 permit ip any any
        Current peer: 203.0.113.34
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ tset, }
        Interfaces using crypto map smap:
                FastEthernet0/0

Branch-1#show crypto ipsec transform-set
Transform set tset: { esp-des esp-md5-hmac  }
   will negotiate = { Tunnel,  },






































5.4 Site-to-Site IPsec VPN between ASA and PIX

5.4.1 Objectives
• Assign IP addresses according to the topology
• Configure IP Routing
• Test Connectivity
• Configure IPsec Tunnel on both sides
• Test VPN

5.4.2 Topology

Figure 5.6 Site-to-Site IPsec VPN Setup

5.4.3 Step 1: IP Addressing
Assign IP addresses as given in topology diagram 5.6 on the router
interfaces, the ASA, the PIX and the PCs. Interfaces must be enabled in
UP/running state.

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface Ethernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface Ethernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z

Internet#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                203.0.113.18    YES NVRAM  up                    up
Ethernet0/1                203.0.113.33    YES NVRAM  up                    up

Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C        203.0.113.16/28 is directly connected, Ethernet0/0
C        203.0.113.32/28 is directly connected, Ethernet0/1

Internet#

PIX:

pixfirewall>enable
pixfirewall#show version

Cisco PIX Security Appliance Software Version 8.0(2)

Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "Unknown, monitor mode booted image"
Config file at boot was "startup-config"

pixfirewall up 7 secs

Hardware:   PIX-525, 128 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

 0: Ext: Ethernet0           : address is [unreadable in source], irq 9
 1: Ext: Ethernet1           : address is [unreadable in source], irq 11
pixfirewall#configuration terminal
pixfirewall(config)#interface Ethernet1
pixfirewall(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)#no shutdown
pixfirewall(config-if)#ip address 192.168.2.1 255.255.255.0
pixfirewall(config-if)#exit

pixfirewall(config)#interface Ethernet0
pixfirewall(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
pixfirewall(config-if)#no shutdown
pixfirewall(config-if)#ip address 203.0.113.34 255.255.255.240
pixfirewall(config-if)#exit
pixfirewall(config)#exit
pixfirewall#

pixfirewall#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.2.0 255.255.255.0 is directly connected, inside
C    203.0.113.32 255.255.255.240 is directly connected, outside

pixfirewall#show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  203.0.113.34    YES manual up                    up
Ethernet1                  192.168.2.1     YES manual up                    up
pixfirewall#

ASA:

ciscoasa>enable
ciscoasa#show version

Cisco Adaptive Security Appliance Software Version 8.0(2)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 8 secs

Hardware:   ASA5520, 128 MB RAM, CPU Pentium 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

 0: Ext: Ethernet0/0         : address is [unreadable in source], irq 255
 1: Ext: Ethernet0/1         : address is [unreadable in source], irq 255

ciscoasa#configure terminal
ciscoasa(config)#interface Ethernet0/0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#ip address 203.0.113.17 255.255.255.240
ciscoasa(config-if)#exit

ciscoasa(config)#interface Ethernet0/1
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#

ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    203.0.113.16 255.255.255.240 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside

ciscoasa#show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                203.0.113.17    YES manual up                    up
Ethernet0/1                192.168.1.1     YES manual up                    up
ciscoasa#

5.4.4 Step 2: Configure IP Routing

PIX:

pixfirewall(config)#route outside 0.0.0.0 0.0.0.0 203.0.113.33
pixfirewall(config)#access-list 101 permit icmp any any
pixfirewall(config)#access-group 101 in interface outside
pixfirewall(config)#exit
pixfirewall#

pixfirewall#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C    192.168.2.0 255.255.255.0 is directly connected, inside
C    203.0.113.32 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.33, outside

ASA:

ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 203.0.113.18
ciscoasa(config)#access-list 101 permit icmp any any
ciscoasa(config)#access-group 101 in interface outside
ciscoasa(config)#exit
ciscoasa#

ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

C    203.0.113.16 255.255.255.240 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.18, outside

5.4.5 Step 3: Test Connectivity

ASA:

ciscoasa#ping 203.0.113.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/50 ms

ciscoasa#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#

PIX:

pixfirewall#ping 203.0.113.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/80 ms

pixfirewall#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/80 ms
pixfirewall#

5.4.6 Step 4: Configure IPsec VPN Tunnel

ASA:

ciscoasa(config)#crypto isakmp enable outside

ciscoasa(config)#crypto isakmp policy 10
ciscoasa(config-isakmp-policy)#authentication pre-share
ciscoasa(config-isakmp-policy)#encryption des
ciscoasa(config-isakmp-policy)#hash md5
ciscoasa(config-isakmp-policy)#group 2
ciscoasa(config-isakmp-policy)#exit

ciscoasa(config)#access-list smap extended permit ip any any
ciscoasa(config)#crypto ipsec transform-set tset esp-des esp-md5-hmac
ciscoasa(config)#crypto map smap 1 match address smap
ciscoasa(config)#crypto map smap 1 set peer 203.0.113.34
ciscoasa(config)#crypto map smap 1 set transform-set tset
ciscoasa(config)#crypto map smap interface outside

ciscoasa(config)#tunnel-group 203.0.113.34 type ipsec-l2l
ciscoasa(config)#tunnel-group 203.0.113.34 ipsec-attributes
ciscoasa(config-tunnel-ipsec)#pre-shared-key cisco
ciscoasa(config-tunnel-ipsec)#exit
ciscoasa(config)#exit
ciscoasa#

PIX:

pixfirewall(config)#isakmp enable outside

pixfirewall(config)#isakmp policy 10
pixfirewall(config-isakmp-policy)#authentication pre-share
pixfirewall(config-isakmp-policy)#encryption des
pixfirewall(config-isakmp-policy)#hash md5
pixfirewall(config-isakmp-policy)#group 2
pixfirewall(config-isakmp-policy)#exit

pixfirewall(config)#crypto ipsec transform-set tset esp-des esp-md5-hmac
pixfirewall(config)#access-list 105 permit ip any any

pixfirewall(config)#crypto map smap 1 match address 105
pixfirewall(config)#crypto map smap 1 set peer 203.0.113.17
pixfirewall(config)#crypto map smap 1 set transform-set tset
pixfirewall(config)#crypto map smap interface outside

pixfirewall(config)#isakmp key cisco address 203.0.113.17 netmask 255.255.255.255
pixfirewall(config)#exit
pixfirewall#

5.4.7 Step 5: Test VPN

ASA:

ciscoasa#ping 203.0.113.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 30/50/80 ms

ciscoasa#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/52/80 ms

ciscoasa#show crypto ipsec sa

interface: outside
    Crypto map tag: smap, seq num: 1, local addr: 203.0.113.17

      access-list smap permit ip any any
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.0.113.34

      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 203.0.113.17, remote crypto endpt.: 203.0.113.34
[Output omitted]

ciscoasa#show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.34
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ciscoasa#

PIX:

pixfirewall#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 90/126/170 ms
pixfirewall#






















5.5 Remote Access IPsec VPN on Router (Easy VPN)

5.5.1 Objectives
• Assign IP addresses according to the topology
• Configure IP Routing
• Test Connectivity
• Configure Router as an IPsec VPN Server
• Install & Configure CISCO IPsec VPN Client
• Connect VPN Client
• Test VPN

5.5.2 Topology

Figure 5.7 Remote Access IPsec VPN Setup

5.5.3 Step 1: IP Addressing
Assign IP addresses on the router interfaces and the PCs as given in
topology diagram 5.7. Interfaces must be enabled in UP/running state.

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.33    YES manual up                    up
FastEthernet0/1            203.0.113.18    YES manual up                    up
Internet#

Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C        203.0.113.32/28 is directly connected, FastEthernet0/0
C        203.0.113.16/28 is directly connected, FastEthernet0/1

H.Office:

H.Office>enable
H.Office#configure terminal
H.Office(config)#interface FastEthernet0/1
H.Office(config-if)#ip address 203.0.113.34 255.255.255.240
H.Office(config-if)#no shutdown
H.Office(config-if)#exit
H.Office(config)#interface FastEthernet0/0
H.Office(config-if)#ip address 192.168.1.1 255.255.255.0
H.Office(config-if)#no shutdown
H.Office(config-if)#^Z
H.Office#

H.Office#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet0/1            203.0.113.34    YES manual up                    up
H.Office#



Client:

Figure 5.8 Client IP Addressing

5.5.4 Step 2: Configure IP Routing

H.Office:

H.Office(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
H.Office(config)#exit
H.Office#

H.Office#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.33
C     192.168.2.0/24 is directly connected, FastEthernet0/0
C     203.0.113.32/28 is directly connected, FastEthernet0/1
H.Office#

5.5.5 Step 3: Test Connectivity

Client:

PC>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=149ms TTL=253
Reply from 203.0.113.34: bytes=32 time=83ms TTL=253
Reply from 203.0.113.34: bytes=32 time=75ms TTL=253
Reply from 203.0.113.34: bytes=32 time=66ms TTL=253

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 66ms, Maximum = 149ms, Average = 93ms

PC>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
PC>

5.5.6 Step 4: Configure Remote Access IPsec VPN Server

H.Office:

H.Office(config)#username test password 0 test
H.Office(config)#aaa new-model
H.Office(config)#aaa authentication login <aaa-list> local
H.Office(config)#aaa authorization network <aaa-list> local

H.Office(config)#ip local pool vpn-pool 192.168.1.10 192.168.1.50
H.Office(config)#ip route 192.168.1.0 255.255.255.0 fastEthernet0/1

H.Office(config)#crypto isakmp policy 10
H.Office(config-isakmp)#encryption des
H.Office(config-isakmp)#hash md5
H.Office(config-isakmp)#authentication pre-share
H.Office(config-isakmp)#group 2
H.Office(config-isakmp)#exit
H.Office(config)#

H.Office(config)#crypto isakmp client configuration group testipsec
H.Office(config-isakmp-group)#key <group-key>
H.Office(config-isakmp-group)#pool vpn-pool
H.Office(config-isakmp-group)#netmask 255.255.255.0
H.Office(config-isakmp-group)#exit
H.Office(config)#

H.Office(config)#crypto ipsec transform-set tset esp-des esp-md5-hmac
H.Office(cfg-crypto-trans)#exit
H.Office(config)#

H.Office(config)#crypto dynamic-map dmap 10
H.Office(config-crypto-map)#set transform-set tset
H.Office(config-crypto-map)#reverse-route
H.Office(config-crypto-map)#exit
H.Office(config)#

H.Office(config)#crypto map smap 10 ipsec-isakmp dynamic dmap
H.Office(config)#crypto map smap isakmp authorization list <aaa-list>
H.Office(config)#crypto map smap client authentication list <aaa-list>
H.Office(config)#crypto map smap client configuration address respond

H.Office(config)#interface FastEthernet0/1
H.Office(config-if)#crypto map smap
H.Office(config-if)#^Z
H.Office#

(The AAA list name <aaa-list> and the group pre-shared key <group-key> are not legible in the source and are shown as placeholders.)



5.5.7 Step 5: Install & Configure VPN Client

VPN Client:

1. Download and run the executable file of the client to start the Installation Wizard.

Figure 5.9 CISCO VPN Client Installing Wizard

2. Accept the License Agreement and press Next.

Figure 5.10 License Agreement

3. Select the destination folder and press Next.

Figure 5.11 Folder Setting

4. Press Next to begin the installation.

Figure 5.12 Installing Application

5. Installation is starting.

Figure 5.13 Installing

6. The installation has been completed successfully.

Figure 5.14 Completed

7. After installing, open VPN Client.

Figure 5.15 VPN Client Interface

8. Select Connection Entries > New.

Figure 5.16 New Setting

9. Fill in the details of your new connection.

Figure 5.17 Client Disconnect Status

5.5.8 Step 6: Connect VPN Client

VPN Client:

1. Select the newly created connection and click Connect.

Figure 5.18 Connecting

2. The client contacts the Security Gateway; once connected, the gateway requires user authentication.

Figure 5.19 Authentication

3. Enter the Username/Password which you configured on the server.

Figure 5.20 User Name & Password

4. If the Username/Password are verified, Status: Connected.

Figure 5.21 Connected Status

5.5.9 Step 7: Test VPN

1. Once the connection is successfully established, select Statistics from the Status menu to verify the details of the tunnel.

Figure 5.22 Tunnel Details

Client:

PC>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=149ms TTL=253
Reply from 192.168.1.1: bytes=32 time=83ms TTL=253
Reply from 192.168.1.1: bytes=32 time=75ms TTL=253
Reply from 192.168.1.1: bytes=32 time=66ms TTL=253

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 66ms, Maximum = 149ms, Average = 93ms








5.6 Remote Access IPsec VPN on ASA (Easy VPN)

5.6.1 Objectives
• Assign IP addresses according to the topology
• Configure NAT
• Configure IP Routing
• Test Connectivity
• Configure ASA as an IPsec VPN Server
• Install & Configure CISCO IPsec VPN Client
• Connect VPN Client
• Test VPN

5.6.2 Topology

Figure 5.23 Remote Access IPsec VPN Setup

5.6.3 Step 1: IP Addressing
Assign IP addresses on the router interfaces, the ASA and the PC as given in
topology diagram 5.23. Interfaces must be enabled in UP/running state.

Internet:

Internet> enable
Internet# configure terminal
Internet(config)# interface Ethernet0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface Ethernet0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# ^Z
Internet#

Internet# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
Ethernet0/0      203.0.113.33    YES manual up       up
Ethernet0/1      203.0.113.18    YES manual up       up

Internet#

Internet# show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.32/28 is directly connected, Ethernet0/0
C    203.0.113.16/28 is directly connected, Ethernet0/1

ASA:

ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# ip address 203.0.113.34 255.255.255.240
ciscoasa(config-if)# exit
ciscoasa(config)# interface Ethernet0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa#

ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    203.0.113.32 255.255.255.240 is directly connected, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside

ciscoasa# show interface ip brief

Interface        IP-Address      OK? Method Status   Protocol
Ethernet0/0      203.0.113.34    YES manual up       up
Ethernet0/1      192.168.2.1     YES manual up       up
ciscoasa#

5.6.4 Step 2 Configuring NAT

ciscoasa(config)# nat (inside) 1 192.168.2.0 255.255.255.0
ciscoasa(config)# global (outside) 1 interface

INFO: outside interface address added to PAT pool

ciscoasa(config)# exit
ciscoasa#

ciscoasa# show nat

NAT policies on Interface inside:
  match ip inside 192.168.2.0 255.255.255.0 outside any
    dynamic translation to pool 1 (203.0.113.34 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.2.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
ciscoasa#

5.6.5 Step 3 Configuring Static Routing

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.33

ciscoasa(config)# access-list 101 permit ip any any
ciscoasa(config)# access-group 101 in interface outside
ciscoasa(config)# exit

ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C    203.0.113.32 255.255.255.240 is directly connected, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.33, outside
ciscoasa#

5.6.6 Step 4 Testing Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=140ms TTL=254
Reply from 203.0.113.34: bytes=32 time=39ms TTL=254
Reply from 203.0.113.34: bytes=32 time=128ms TTL=254
Reply from 203.0.113.34: bytes=32 time=32ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 140ms, Average = 84ms

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

5.6.7 Step 5 Configuring ASA as IPsec VPN Server

ciscoasa(config)# group-policy test internal
ciscoasa(config)# group-policy test attributes
ciscoasa(config-group-policy)# exit
ciscoasa(config)# username admin password 12345
ciscoasa(config)# username admin attributes
ciscoasa(config-username)# exit
ciscoasa(config)#

ciscoasa(config)# isakmp enable outside
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)#

ciscoasa(config)# ip local pool mypool 172.16.1.1-172.16.1.50

ciscoasa(config)# tunnel-group mygroup type ipsec-ra
ciscoasa(config)# tunnel-group mygroup ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco
ciscoasa(config-tunnel-ipsec)# exit

ciscoasa(config)# tunnel-group mygroup general-attributes
ciscoasa(config-tunnel-general)# address-pool mypool
ciscoasa(config-tunnel-general)# exit

ciscoasa(config)# crypto ipsec transform-set tset esp-aes esp-md5-hmac

ciscoasa(config)# crypto dynamic-map dmap 10 set transform-set tset
ciscoasa(config)# crypto map smap 10 ipsec-isakmp dynamic dmap
ciscoasa(config)# crypto map smap interface outside

ciscoasa(config)# aaa-server myserver protocol tacacs+
ciscoasa(config-aaa-server-group)# exit

ciscoasa(config)# aaa-server myserver (inside) host 192.168.2.2 cisco
ciscoasa(config-aaa-server-host)# exit

ciscoasa(config)# tunnel-group test type ipsec-ra
ciscoasa(config)# tunnel-group test general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group myserver
ciscoasa(config-tunnel-general)# exit

ciscoasa(config)# access-list 110 permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list 110
ciscoasa(config)# exit
ciscoasa#

5.6.8 Step 6 Configuring Client

Configure the VPN Client settings such that the group name, username and password information are according to the settings mentioned above in Step 5. Setting details are available in the previous lab.

5.6.9 Step 7 Connecting Client

Now, try to connect the client and enter the username and password according to those defined in this lab.

5.6.10 Step 8 Testing VPN

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=149ms TTL=253
Reply from 203.0.113.34: bytes=32 time=83ms TTL=253
Reply from 203.0.113.34: bytes=32 time=75ms TTL=253
Reply from 203.0.113.34: bytes=32 time=66ms TTL=253

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 66ms, Maximum = 149ms, Average = 93ms

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Reply from 203.0.113.34: bytes=32 time=105ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 90ms, Maximum = 105ms, Average = 93ms
C:\>

1. When the connection is successfully established, select Statistics from the Status menu to verify the details of the tunnel.


Figure 5.24 Tunnel Details











Chapter 6 GRE VPN
Generic Routing Encapsulation (GRE) is a generic, point-to-point tunneling protocol developed by CISCO Systems. It is a static tunnel. "Generic" means that it allows many other protocols to be encapsulated in IP [16]. It works at the network layer of the OSI reference model. Its specification is described in RFC 2784.

6.1 Security
GRE provides a stateless, private connection. It is not considered a secure protocol because, unlike IP Security (IPsec), it does not use encryption. It works with other protocols to provide security. The IPsec protocol is often used with GRE to provide strong confidentiality, authentication, and integrity. The combination of these two protocols is generally known as IPsec over GRE. When GRE traffic passes through a firewall, the firewall will block this type of traffic by default. A network administrator needs to permit IP protocol type 47 datagrams coming from or going to the remote tunnel endpoints.

6.2 Encapsulation

A GRE header causes an extra overhead of 8 to 16 bytes. In the first phase, the payload is encapsulated in a GRE header, as shown in Fig. 6.1. In the second phase, the resulting GRE packet is once again encapsulated in another protocol header (IPv4) and then forwarded. The outer protocol header is also called the delivery protocol. GRE sets the value 47 in the protocol field of the IPv4 header. Both endpoints are pre-configured: the source and destination IPv4 addresses of the tunnel are defined during configuration.

Figure 6.1 GRE Encapsulation
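To make the two-phase encapsulation and the protocol-47 firewall check concrete, the following added example (not from the book) builds a GRE-in-IPv4 packet, dissects it, and applies a "permit gre host A host B" style rule. It uses the lab addresses from the labs later in this chapter (203.0.113.17 and 203.0.113.34); the inner payload is a constructed placeholder, and the function names, the rule list and the key/sequence values are assumptions of this example, not the book's configuration.

```python
"""Build and dissect a GRE-over-IPv4 packet (RFC 2784 base header, RFC 2890
key/sequence fields) and apply a protocol-47 firewall rule to it.
Added example; addresses are the book's lab addresses, payload is constructed."""
import ipaddress
import struct

GRE_PROTOCOL = 47        # protocol value in the outer (delivery) IPv4 header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" field for an IPv4 payload


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, key=None, seq=None, checksum=False,
              protocol_type=ETHERTYPE_IPV4) -> bytes:
    """Phase 1: GRE header + payload. The base header is 4 bytes; the
    optional checksum, key and sequence fields add 4 bytes each."""
    flags = ((0x8000 if checksum else 0) | (0x2000 if key is not None else 0)
             | (0x1000 if seq is not None else 0))
    hdr = struct.pack("!HH", flags, protocol_type)
    if checksum:
        hdr += b"\x00\x00\x00\x00"      # checksum + reserved1, filled in below
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    pkt = hdr + payload
    if checksum:                        # checksum covers GRE header + payload
        pkt = pkt[:4] + struct.pack("!H", inet_checksum(pkt)) + pkt[6:]
    return pkt


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl=255) -> bytes:
    """Phase 2: minimal 20-byte outer IPv4 (delivery) header in front of payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_gre_packet(packet: bytes) -> dict:
    """Dissect outer IPv4 + GRE; returns the fields a firewall or IDS inspects."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if proto != GRE_PROTOCOL:
        return {"src": src, "dst": dst, "protocol": proto, "gre": False}
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    info = {"src": src, "dst": dst, "protocol": proto, "gre": True,
            "protocol_type": ptype}
    off = 4
    if flags & 0x8000:
        info["checksum_ok"] = inet_checksum(gre) == 0   # valid data sums to zero
        off += 4
    if flags & 0x2000:
        info["key"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & 0x1000:
        info["sequence"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    info["gre_overhead"] = off          # bytes of GRE header actually present
    info["payload"] = gre[off:]
    return info


def firewall_permits(info: dict, rules) -> bool:
    """rules: iterable of (ip_protocol, src, dst), i.e. 'permit gre host A host B'."""
    return any(p == info["protocol"] and s == info["src"] and d == info["dst"]
               for p, s, d in rules)


# Constructed sample: Branch-1 (203.0.113.17) tunnel endpoint to Branch-2 (203.0.113.34)
INNER = b"\x45\x00" + b"\x00" * 18 + b"ping"   # placeholder inner IPv4 packet
SAMPLE = build_ipv4("203.0.113.17", "203.0.113.34", GRE_PROTOCOL,
                    build_gre(INNER, key=1234, seq=7, checksum=True))
ACL_105 = [(GRE_PROTOCOL, "203.0.113.17", "203.0.113.34")]   # assumed rule list

if __name__ == "__main__":
    d = parse_gre_packet(SAMPLE)
    print(d["protocol"], d["gre_overhead"], d["checksum_ok"], firewall_permits(d, ACL_105))
```

With key, sequence and checksum all set the GRE header the parser walks past is 16 bytes; with none of the optional fields present the RFC 2784 base header is only 4 bytes, so `gre_overhead` shows directly which optional fields drive the overhead quoted above. The rule check mirrors the direction-specific ACL entries used later in the lab: the same packet is permitted for 203.0.113.17 → 203.0.113.34 but not for the reversed pair.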

6.3 Site-to-Site IPsec over GRE
6.3.1 Tasks
• Assign IP addresses according to the topology
• Configure IP Routing
• Configure NAT
• Test Connectivity
• Configure IPsec over GRE VPN Tunnel on both sides
• Test VPN

6.3.2 Topology





Figure 6.2 Site-to-Site IPsec over GRE VPN Setup

6.3.3 Step 1 IP Addressing

Assign IP addresses on the router's interfaces and PCs as mentioned above in topological diagram 6.2. Interfaces must be enabled and in running state.

Internet:

Internet> enable
Internet# configure terminal
Internet(config)# interface FastEthernet0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface FastEthernet0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# ^Z
Internet#

Internet# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  203.0.113.33    YES manual up       up
FastEthernet0/1  203.0.113.18    YES manual up       up

Internet#

Internet# show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.16/28 is directly connected, FastEthernet0/1
C    203.0.113.32/28 is directly connected, FastEthernet0/0

Branch-1:

Branch-1> enable
Branch-1# configure terminal
Branch-1(config)# interface FastEthernet0/0
Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240
Branch-1(config-if)# no shutdown
Branch-1(config-if)# exit
Branch-1(config)# interface FastEthernet0/1
Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0
Branch-1(config-if)# no shutdown
Branch-1(config-if)# ^Z
Branch-1#

Branch-1# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  203.0.113.17    YES manual up       up
FastEthernet0/1  192.168.1.1     YES manual up       up
Branch-1#
Branch-2:

Branch-2> enable
Branch-2# configure terminal
Branch-2(config)# interface FastEthernet0/1
Branch-2(config-if)# ip address 203.0.113.34 255.255.255.240
Branch-2(config-if)# no shutdown
Branch-2(config-if)# exit
Branch-2(config)# interface FastEthernet0/0
Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)# no shutdown
Branch-2(config-if)# ^Z
Branch-2#

Branch-2# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  192.168.2.1     YES manual up       up
FastEthernet0/1  203.0.113.34    YES manual up       up
Branch-2#

6.3.4 Step 2 Configuring Static Routing

Branch-1:

Branch-1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.18
Branch-1(config)# exit
Branch-1#

Branch-1# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 203.0.113.18
Branch-1#

Branch-2:

Branch-2(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch-2(config)# exit
Branch-2#

Branch-2# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C    203.0.113.32/28 is directly connected, FastEthernet0/1
C    192.168.2.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 203.0.113.33
Branch-2#

6.3.5 Step 3 Configuring NAT

Branch-1:

Branch-1(config)# ip nat inside source route-map nat interface FastEthernet0/0 overload

Branch-1(config)# ip access-list extended 110
Branch-1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Branch-1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
Branch-1(config-ext-nacl)# exit
Branch-1(config)#

Branch-1(config)# route-map nat permit 10
Branch-1(config-route-map)# match ip address 110
Branch-1(config-route-map)# exit
Branch-1(config)#
Branch-1(config)# interface FastEthernet0/0
Branch-1(config-if)# ip nat outside
Branch-1(config-if)# exit

Branch-1(config)# interface FastEthernet0/1
Branch-1(config-if)# ip nat inside
Branch-1(config-if)# ^Z
Branch-1#

Branch-2:

Branch-2(config)# ip nat inside source route-map nat interface FastEthernet0/1 overload

Branch-2(config)# ip access-list extended 110
Branch-2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Branch-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 any
Branch-2(config-ext-nacl)# exit
Branch-2(config)#

Branch-2(config)# route-map nat permit 10
Branch-2(config-route-map)# match ip address 110
Branch-2(config-route-map)# exit
Branch-2(config)#

Branch-2(config)# interface FastEthernet0/1
Branch-2(config-if)# ip nat outside
Branch-2(config-if)# exit

Branch-2(config)# interface FastEthernet0/0
Branch-2(config-if)# ip nat inside
Branch-2(config-if)# ^Z
Branch-2#

6.3.6 Step 4 Testing Connectivity

Branch-1:

Branch-1# ping 203.0.113.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/75/96 ms

Branch-1# ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)

Branch-1# show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.17:512   192.168.1.1:512    203.0.113.34:512   203.0.113.34:512
Branch-1#

6.3.7 Step 5 Configuring Site-to-Site IPsec over GRE Tunnel

Branch-1:

Branch-1(config)# crypto isakmp policy 10
Branch-1(config-isakmp)# encryption aes
Branch-1(config-isakmp)# hash md5
Branch-1(config-isakmp)# authentication pre-share
Branch-1(config-isakmp)# group 2
Branch-1(config-isakmp)# exit

Branch-1(config)# crypto isakmp key testkey address 203.0.113.34
Branch-1(config)# crypto ipsec transform-set tset esp-aes esp-md5-hmac
Branch-1(cfg-crypto-trans)# exit

Branch-1(config)# crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Branch-1(config-crypto-map)# set peer 203.0.113.34
Branch-1(config-crypto-map)# set transform-set tset
Branch-1(config-crypto-map)# match address 101
Branch-1(config-crypto-map)# exit

Branch-1(config)# ip access-list extended 101
Branch-1(config-ext-nacl)# permit gre host 203.0.113.17 host 203.0.113.34
Branch-1(config-ext-nacl)# exit

Branch-1(config)# interface Tunnel0
Branch-1(config-if)# ip address 172.16.1.1 255.255.0.0
Branch-1(config-if)# tunnel source 203.0.113.17
Branch-1(config-if)# tunnel destination 203.0.113.34
Branch-1(config-if)# tunnel mode gre ip
Branch-1(config-if)# crypto map smap
Branch-1(config-if)# no shutdown
Branch-1(config-if)# exit

Branch-1(config)# ip access-list extended 105
Branch-1(config-ext-nacl)# permit gre host 203.0.113.34 host 203.0.113.17
Branch-1(config-ext-nacl)# permit esp host 203.0.113.34 host 203.0.113.17
Branch-1(config-ext-nacl)# permit udp host 203.0.113.34 eq isakmp host 203.0.113.17
Branch-1(config-ext-nacl)# deny ip any any log
Branch-1(config-ext-nacl)# exit

Branch-1(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2

Branch-1(config)# interface FastEthernet0/0
Branch-1(config-if)# crypto map smap
Branch-1(config-if)# ip access-group 105 in
Branch-1(config-if)# ^Z
Branch-1#

Branch-2:

Branch-2(config)# crypto isakmp policy 20
Branch-2(config-isakmp)# encryption aes
Branch-2(config-isakmp)# hash md5
Branch-2(config-isakmp)# authentication pre-share
Branch-2(config-isakmp)# group 2
Branch-2(config-isakmp)# exit

Branch-2(config)# crypto isakmp key testkey address 203.0.113.17
Bran-2(config)# crypto ipsec transform-set tset esp-aes esp-md5-hmac
Branch-2(cfg-crypto-trans)# exit

Branch-2(config)# crypto map smap 20 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Branch-2(config-crypto-map)# set peer 203.0.113.17
Branch-2(config-crypto-map)# set transform-set tset
Branch-2(config-crypto-map)# match address 102
Branch-2(config-crypto-map)# exit

Branch-2(config)# ip access-list extended 102
Branch-2(config-ext-nacl)# permit gre host 203.0.113.34 host 203.0.113.17
Branch-2(config-ext-nacl)# exit

Branch-2(config)# interface Tunnel0
Branch-2(config-if)# ip address 172.16.1.2 255.255.0.0
Branch-2(config-if)# tunnel source 203.0.113.34
Branch-2(config-if)# tunnel destination 203.0.113.17
Branch-2(config-if)# tunnel mode gre ip
Branch-2(config-if)# crypto map smap
Branch-2(config-if)# no shutdown
Branch-2(config-if)# exit

Branch-2(config)# ip access-list extended 105
Branch-2(config-ext-nacl)# permit gre host 203.0.113.17 host 203.0.113.34
Branch-2(config-ext-nacl)# permit esp host 203.0.113.17 host 203.0.113.34
Branch-2(config-ext-nacl)# permit udp host 203.0.113.17 eq isakmp host 203.0.113.34
Branch-2(config-ext-nacl)# deny ip any any log
Branch-2(config-ext-nacl)# exit

Branch-2(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1

Branch-2(config)# interface FastEthernet0/1
Branch-2(config-if)# crypto map smap
Branch-2(config-if)# ip access-group 105 in
Branch-2(config-if)# ^Z
Branch-2#

6.3.8 Step 6 Testing VPN

PC:

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Request timed out.
Reply from 192.168.2.1: bytes=32 time=332ms TTL=254
Reply from 192.168.2.1: bytes=32 time=100ms TTL=254
Reply from 192.168.2.1: bytes=32 time=109ms TTL=254

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 100ms, Maximum = 332ms, Average = 180ms

Branch-1:

Branch-1# ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/173/608 ms
Branch-1#

Branch-2:

Branch-2# ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/92/168 ms

Branch-2# show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: smap, local addr. 203.0.113.34

   local  ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)
   current_peer: 203.0.113.17
     PERMIT, flags={origin_is_acl,parent_is_transport,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest 17
    #pkts decaps: 17, #pkts decrypt: 17, #pkts verify 17
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.17
     path mtu 1514, media mtu 1514
     current outbound spi: 2771828

     inbound esp sas:
      spi: 0x710045(1910545401)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: smap
        sa timing: remaining key lifetime (k/sec): (4607999/3451)
        IV size: 8 bytes
     [output omitted]

Branch-2# show crypto isakmp sa

dst             src             state          conn-id slot
203.0.113.17    203.0.113.34    QM_IDLE             10

Branch-2# show crypto ipsec transform-set

Transform set tset: { esp-aes esp-md5-hmac  }
   will negotiate = { Tunnel,  },

Branch-2# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C    203.0.113.32/28 is directly connected, FastEthernet0/1
C    172.16.0.0/16 is directly connected, Tunnel0
S    192.168.1.0/24 [1/0] via 172.16.1.1
C    192.168.2.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 203.0.113.33

Branch-2# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  192.168.2.1     YES manual up       up
FastEthernet0/1  203.0.113.34    YES manual up       up
Tunnel0          172.16.1.2      YES manual up       up

Branch-2# show interface Tunnel0

Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.1.2/16
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 203.0.113.34, destination 203.0.113.17
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Last input 00:07:04, output 00:07:04, output hang never
  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     17 packets input, 1828 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     17 packets output, 1828 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Branch-2# show ip access-lists

Extended IP access list 102
    permit gre host 203.0.113.34 host 203.0.113.17 (34 matches)
Extended IP access list 105
    permit gre host 203.0.113.17 host 203.0.113.34 (17 matches)
    permit esp host 203.0.113.17 host 203.0.113.34 (17 matches)
    permit udp host 203.0.113.17 eq isakmp host 203.0.113.34 (10 matches)
    deny ip any any log
Extended IP access list 110
    deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any





















6.4 Site-to-Site IPsec over GRE (ASA)
6.4.1 Tasks
• Assign IP addresses according to the topology
• Configure IP Routing
• Configure NAT
• Test Connectivity
• Configure IPsec over GRE VPN Tunnel on both sides
• Test VPN

6.4.2 Topology





Figure 6.3 Site-to-Site IPsec over GRE VPN Setup

6.4.3 Step 1 IP Addressing

Assign IP addresses on the router's interfaces, the ASA and the PCs as mentioned above in topological diagram 6.3. Interfaces must be enabled and in running state.

Internet:

Internet> enable
Internet# configure terminal
Internet(config)# interface FastEthernet0/0
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface Ethernet1/1
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# ^Z
Internet#

Internet# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  203.0.113.18    YES NVRAM  up       up
Ethernet1/1      203.0.113.33    YES NVRAM  up       up

Internet#

Internet# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set

     203.0.113.0/28 is subnetted, 2 subnets
C       203.0.113.32 is directly connected, Ethernet1/1
C       203.0.113.16 is directly connected, FastEthernet0/0

Internet#

Branch-1:

Branch-1> enable
Branch-1# configure terminal
Branch-1(config)# interface FastEthernet0/0
Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240
Branch-1(config-if)# no shutdown
Branch-1(config-if)# exit
Branch-1(config)# interface FastEthernet0/1
Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0
Branch-1(config-if)# no shutdown
Branch-1(config-if)# ^Z

Branch-1# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  203.0.113.17    YES NVRAM  up       up
FastEthernet0/1  192.168.1.1     YES NVRAM  up       up

Branch-1# show ip route connected

     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.16 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
Branch-1#

ASA:

ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# ip address 203.0.113.34 255.255.255.240
ciscoasa(config-if)# exit
ciscoasa(config)# interface Ethernet0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ip address 203.0.113.65 255.255.255.240
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa#

ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    203.0.113.32 255.255.255.240 is directly connected, outside
C    203.0.113.64 255.255.255.240 is directly connected, inside

ciscoasa# show interface ip brief

Interface        IP-Address      OK? Method Status   Protocol
Ethernet0/0      203.0.113.34    YES manual up       up
Ethernet0/1      203.0.113.65    YES manual up       up
ciscoasa#

Branch-2:

Branch-2> enable
Branch-2# configure terminal
Branch-2(config)# interface Ethernet0/0
Branch-2(config-if)# ip address 203.0.113.66 255.255.255.240
Branch-2(config-if)# no shutdown
Branch-2(config-if)# exit
Branch-2(config)# interface FastEthernet1/0
Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)# no shutdown
Branch-2(config-if)# ^Z

Branch-2# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
Ethernet0/0      203.0.113.66    YES NVRAM  up       up
FastEthernet1/0  192.168.2.1     YES NVRAM  up       up

Branch-2# show ip route connected

     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.64 is directly connected, Ethernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet1/0
Branch-2#

6.4.4 Step 2 Configuring Static Routing

Branch-1:

Branch-1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.18
Branch-1(config)# exit
Branch-1#

Branch-1# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.16 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 203.0.113.18
Branch-1#

Branch-2:

Branch-2(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.65
Branch-2(config)# exit
Branch-2#

Branch-2# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.65 to network 0.0.0.0

     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.64 is directly connected, Ethernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 203.0.113.65
Branch-2#

ASA:

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.33
ciscoasa(config)# exit
ciscoasa#
ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C    203.0.113.32 255.255.255.240 is directly connected, outside
C    203.0.113.64 255.255.255.240 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.33, outside
ciscoasa#

Internet:

Internet(config)# ip route 203.0.113.64 255.255.255.240 203.0.113.34
Internet(config)# exit
Internet#

6.4.5 Step 3 Configuring NAT

Branch-1:

Branch-1(config)# ip nat inside source list 10 interface FastEthernet0/0 overload
Branch-1(config)# access-list 10 permit 192.168.1.0 0.0.0.255

Branch-1(config)# interface FastEthernet0/0
Branch-1(config-if)# ip nat outside
Branch-1(config-if)# exit

Branch-1(config)# interface FastEthernet0/1
Branch-1(config-if)# ip nat inside
Branch-1(config-if)# ^Z
Branch-1#

Branch-2:

Branch-2(config)# ip nat inside source list 10 interface Ethernet0/0 overload
Branch-2(config)# access-list 10 permit 192.168.2.0 0.0.0.255

Branch-2(config)# interface Ethernet0/0
Branch-2(config-if)# ip nat outside
Branch-2(config-if)# exit
Branch-2(config)# interface FastEthernet1/0
Branch-2(config-if)# ip nat inside
Branch-2(config-if)# ^Z
Branch-2#

ASA:

ciscoasa(config)# nat (inside) 0 0 0
ciscoasa(config)# access-list 101 permit ip any any
ciscoasa(config)# access-group 101 in interface outside
ciscoasa(config)# exit
ciscoasa#

6.4.6 Step 4 Testing Connectivity

Branch-1:

Branch-1# ping 203.0.113.66

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.66, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/81/136 ms

Branch-1# ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)

6.4.7 Step 5 Configuring IPsec over GRE

Branch-1:

Branch-1(config)# crypto isakmp policy 10
Branch-1(config-isakmp)# encryption aes
Branch-1(config-isakmp)# hash md5
Branch-1(config-isakmp)# authentication pre-share
Branch-1(config-isakmp)# group 2
Branch-1(config-isakmp)# exit

Branch-1(config)# crypto isakmp key testkey address 203.0.113.66
Branch-1(config)# crypto ipsec transform-set tset esp-aes esp-md5-hmac
Branch-1(cfg-crypto-trans)# exit

Branch-1(config)# crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Branch-1(config-crypto-map)# set peer 203.0.113.66
Branch-1(config-crypto-map)# set transform-set tset
Branch-1(config-crypto-map)# match address 101
Branch-1(config-crypto-map)# exit

Branch-1(config)# ip access-list extended 101
Branch-1(config-ext-nacl)# permit gre host 203.0.113.17 host 203.0.113.66
Branch-1(config-ext-nacl)# exit

Branch-1(config)# interface Tunnel0
Branch-1(config-if)# ip address 172.16.1.1 255.255.0.0
Branch-1(config-if)# tunnel source 203.0.113.17
Branch-1(config-if)# tunnel destination 203.0.113.66
Branch-1(config-if)# tunnel mode gre ip
Branch-1(config-if)# crypto map smap
Branch-1(config-if)# no shutdown
Branch-1(config-if)# exit

Branch-1(config)# ip access-list extended 105
Branch-1(config-ext-nacl)# permit gre host 203.0.113.66 host 203.0.113.17
Branch-1(config-ext-nacl)# permit esp host 203.0.113.66 host 203.0.113.17
Branch-1(config-ext-nacl)# permit udp host 203.0.113.66 eq isakmp host 203.0.113.17
Branch-1(config-ext-nacl)# exit

Branch-1(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2

Branch-1(config)# interface FastEthernet0/0
Branch-1(config-if)# crypto map smap
Branch-1(config-if)# ip access-group 105 in
Branch-1(config-if)# ^Z
Branch-1#

Branch-2:

Branch-2(config)# crypto isakmp policy 10
Branch-2(config-isakmp)# encryption aes
Branch-2(config-isakmp)# hash md5
Branch-2(config-isakmp)# authentication pre-share
Branch-2(config-isakmp)# group 2
Branch-2(config-isakmp)# exit

Branch-2(config)# crypto isakmp key testkey address 203.0.113.17
Branch-2(config)# crypto ipsec transform-set tset esp-aes esp-md5-hmac
Branch-2(cfg-crypto-trans)# exit

Branch-2(config)# crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Branch-2(config-crypto-map)# set peer 203.0.113.17
Branch-2(config-crypto-map)# set transform-set tset
Branch-2(config-crypto-map)# match address 101
Branch-2(config-crypto-map)# exit

Branch-2(config)# ip access-list extended 101
Branch-2(config-ext-nacl)# permit gre host 203.0.113.66 host 203.0.113.17
Branch-2(config-ext-nacl)# exit

Branch-2(config)# interface Tunnel0
Branch-2(config-if)# ip address 172.16.1.2 255.255.0.0
Branch-2(config-if)# tunnel source 203.0.113.66
Branch-2(config-if)# tunnel destination 203.0.113.17
Branch-2(config-if)# tunnel mode gre ip
Branch-2(config-if)# crypto map smap
Branch-2(config-if)# no shutdown
Branch-2(config-if)# exit

Branch-2(config)# ip access-list extended 105
Branch-2(config-ext-nacl)# permit gre host 203.0.113.17 host 203.0.113.66
Branch-2(config-ext-nacl)# permit esp host 203.0.113.17 host 203.0.113.66
Branch-2(config-ext-nacl)# permit udp host 203.0.113.17 eq isakmp host 203.0.113.66
Branch-2(config-ext-nacl)# exit

Branch-2(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1

Branch-2(config)# interface Ethernet0/0
Branch-2(config-if)# crypto map smap
Branch-2(config-if)# ip access-group 105 in
Branch-2(config-if)# ^Z
Branch-2#

ASA:

ciscoasa(config)# access-list 101 permit udp host 203.0.113.17 eq isakmp host 203.0.113.66 eq isakmp

ciscoasa(config)# access-list 101 permit esp host 203.0.113.17 host 203.0.113.66
ciscoasa(config)# exit
6.4.8 Step 6 Testing VPN

Branch-2:

Branch-2# ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/95/164 ms

Branch-2# show crypto isakmp sa

dst             src             state          conn-id slot
203.0.113.17    203.0.113.66    QM_IDLE             10

Branch-2# show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: smap, local addr. 203.0.113.66

   local  ident (addr/mask/prot/port): (203.0.113.66/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)
   current_peer: 203.0.113.17
     PERMIT, flags={origin_is_acl,parent_is_transport,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 203.0.113.66, remote crypto endpt.: 203.0.113.17
     path mtu 1500, media mtu 1500
     current outbound spi: 4554121






Chapter 7 DMVPN
Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a VPN. It can be configured on almost all IOS-based routers. It works as hub and spokes: the spokes are connected with the hub over a public network, so it is said to be a partial mesh. DMVPN uses the Next Hop Resolution Protocol (NHRP) as a signaling mechanism over the hub-and-spoke tunnels to trigger the spokes to discover each other and build dynamic tunnels [17]. In a hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic mesh) without additional configuration on the hubs or spokes. Each spoke has a permanent tunnel to the hub. Each spoke is registered as a client of the NHRP server. When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the destination (target) spoke. The spoke-to-spoke tunnel is built over the multipoint GRE interface. The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. It provides scalability in a large network. Routing protocols are configured in large-scale networks to complete routing dynamically and quickly.

7.1 DMVPN Security
DMVPN uses GRE with the IPsec security architecture to provide strong authentication, confidentiality, and integrity.

7.2 Encapsulation

All data traffic, NHRP frames and other control traffic need to be protected in DMVPN. In order to efficiently support Layer 2 based protocols, all packets and frames must be encapsulated in GRE first; the resulting GRE packet must then be protected by IPsec, as displayed in Fig. 7.1. Usually, IPsec transport mode is used.

Figure 7.1 GRE Encapsulation

7.3 Dynamic Multipoint VPN (Hub & Spokes)
7.3.1 Tasks
• Assign IP addresses according to the topology
• Configure IP Routing
• Test Connectivity
• Configure DMVPN Tunnels
• Test VPN

7.3.2 Topology


Figure 7.2 DMVPN Setup

7.3.3 Step 1 IP Addressing

Assign IP addresses on the router's interfaces as mentioned above in topological diagram 7.2. Interfaces must be enabled and in running state.

Internet:

Internet> enable
Internet# configure terminal
Internet(config)# interface FastEthernet0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface FastEthernet0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface FastEthernet1/0
Internet(config-if)# ip address 203.0.113.65 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# ^Z

Internet# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  203.0.113.33    YES manual up       up
FastEthernet0/1  203.0.113.18    YES manual up       up
FastEthernet1/0  203.0.113.65    YES manual up       up

Internet# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set

     203.0.113.0/28 is subnetted, 3 subnets
C       203.0.113.32 is directly connected, FastEthernet0/0
C       203.0.113.16 is directly connected, FastEthernet0/1
C       203.0.113.64 is directly connected, FastEthernet1/0

Internet#

HUB:

HUB> enable
HUB# configure terminal
HUB(config)# interface FastEthernet0/0
HUB(config-if)# ip address 203.0.113.17 255.255.255.240
HUB(config-if)# no shutdown
HUB(config-if)# exit
HUB(config)# interface FastEthernet0/1
HUB(config-if)# ip address 192.168.1.1 255.255.255.0
HUB(config-if)# no shutdown
HUB(config-if)# ^Z

HUB# show ip interface brief

Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  203.0.113.17    YES manual up       up
FastEthernet0/1  192.168.1.1     YES manual up       up

HUB# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.16 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
HUB#

Branch-1:

Branch-1>enable
Branch-1#configure terminal
Branch-1(config)#interface FastEthernet0/1
Branch-1(config-if)#ip address 203.0.113.34 255.255.255.240
Branch-1(config-if)#no shutdown
Branch-1(config-if)#exit
Branch-1(config)#interface FastEthernet0/0
Branch-1(config-if)#ip address 192.168.2.1 255.255.255.0
Branch-1(config-if)#no shutdown
Branch-1(config-if)#^Z

Branch-1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.2.1     YES manual up                    up
FastEthernet0/1            203.0.113.34    YES manual up                    up

Branch-1#show ip route connected
     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.32 is directly connected, FastEthernet0/1
C    192.168.2.0/24 is directly connected, FastEthernet0/0
Branch-1#

Branch-2:

Branch-2>enable
Branch-2#configure terminal
Branch-2(config)#interface FastEthernet0/0
Branch-2(config-if)#ip address 203.0.113.66 255.255.255.240
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#interface FastEthernet0/1
Branch-2(config-if)#ip address 192.168.3.1 255.255.255.0
Branch-2(config-if)#no shutdown
Branch-2(config-if)#^Z

Branch-2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.66    YES manual up                    up
FastEthernet0/1            192.168.3.1     YES manual up                    up

Branch-2#show ip route connected
     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.64 is directly connected, FastEthernet0/0
C    192.168.3.0/24 is directly connected, FastEthernet0/1
Branch-2#

7.3.4 Step 2 Configuring Static Routing

Hub:

Hub(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.18
Hub(config)#exit

Hub#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.16 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 203.0.113.18
Hub#

Branch-1:

Branch-1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch-1(config)#exit

Branch-2:

Branch-2(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.65
Branch-2(config)#exit
Branch-2#

7.3.5 Step 3 Testing Connectivity

Hub:

Hub#ping 203.0.113.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 20/120/264 ms

Hub#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)
Hub#


7.3.6 Step 4 Configuring DMVPN Tunnel

Hub:

Hub(config)#crypto isakmp policy 10
Hub(config-isakmp)#encryption 3des
Hub(config-isakmp)#hash md5
Hub(config-isakmp)#authentication pre-share
Hub(config-isakmp)#group 2
Hub(config-isakmp)#exit

Hub(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
Hub(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
Hub(cfg-crypto-trans)#exit

Hub(config)#crypto ipsec profile dmvpn
Hub(ipsec-profile)#set transform-set tset
Hub(ipsec-profile)#exit

Hub(config)#interface tunnel 0
Hub(config-if)#ip address 172.16.1.1 255.255.255.0
Hub(config-if)#tunnel mode gre multipoint
Hub(config-if)#tunnel source 203.0.113.17
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#ip nhrp authentication <nhrp-key>
Hub(config-if)#no ip next-hop-self eigrp 1
Hub(config-if)#no ip split-horizon eigrp 1
Hub(config-if)#tunnel protection ipsec profile dmvpn
Hub(config-if)#exit

Hub(config)#router eigrp 1
Hub(config-router)#no auto-summary
Hub(config-router)#network 172.16.1.0 0.0.0.255
Hub(config-router)#network 192.168.1.0 0.0.0.255
Hub(config-router)#^Z
Hub#

Branch-1:

Branch-1(config)#crypto isakmp policy 10
Branch-1(config-isakmp)#encryption 3des
Branch-1(config-isakmp)#hash md5
Branch-1(config-isakmp)#authentication pre-share
Branch-1(config-isakmp)#group 2
Branch-1(config-isakmp)#exit

Branch-1(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
Branch-1(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch-1(cfg-crypto-trans)#exit

Branch-1(config)#crypto ipsec profile dmvpn
Branch-1(ipsec-profile)#set transform-set tset
Branch-1(ipsec-profile)#exit

Branch-1(config)#interface tunnel 0
Branch-1(config-if)#ip address 172.16.1.2 255.255.255.0
Branch-1(config-if)#tunnel mode gre multipoint
Branch-1(config-if)#tunnel source 203.0.113.34
Branch-1(config-if)#ip nhrp map 172.16.1.1 203.0.113.17
Branch-1(config-if)#ip nhrp map multicast 203.0.113.17
Branch-1(config-if)#ip nhrp nhs 172.16.1.1
Branch-1(config-if)#ip nhrp network-id 1
Branch-1(config-if)#ip nhrp authentication <nhrp-key>
Branch-1(config-if)#no ip next-hop-self eigrp 1
Branch-1(config-if)#no ip split-horizon eigrp 1
Branch-1(config-if)#tunnel protection ipsec profile dmvpn
Branch-1(config-if)#exit

Branch-1(config)#router eigrp 1
Branch-1(config-router)#no auto-summary
Branch-1(config-router)#network 172.16.1.0 0.0.0.255
Branch-1(config-router)#network 192.168.2.0 0.0.0.255
Branch-1(config-router)#^Z
Branch-1#

Branch-2:

Branch-2(config)#crypto isakmp policy 10
Branch-2(config-isakmp)#encryption 3des
Branch-2(config-isakmp)#hash md5
Branch-2(config-isakmp)#authentication pre-share
Branch-2(config-isakmp)#group 2
Branch-2(config-isakmp)#exit
Branch-2(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
Branch-2(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch-2(cfg-crypto-trans)#exit

Branch-2(config)#crypto ipsec profile dmvpn
Branch-2(ipsec-profile)#set transform-set tset
Branch-2(ipsec-profile)#exit

Branch-2(config)#interface tunnel 0
Branch-2(config-if)#ip address 172.16.1.3 255.255.255.0
Branch-2(config-if)#tunnel mode gre multipoint
Branch-2(config-if)#tunnel source 203.0.113.66
Branch-2(config-if)#ip nhrp map 172.16.1.1 203.0.113.17
Branch-2(config-if)#ip nhrp map multicast 203.0.113.17
Branch-2(config-if)#ip nhrp nhs 172.16.1.1
Branch-2(config-if)#ip nhrp network-id 1
Branch-2(config-if)#ip nhrp authentication <nhrp-key>
Branch-2(config-if)#no ip next-hop-self eigrp 1
Branch-2(config-if)#no ip split-horizon eigrp 1
Branch-2(config-if)#tunnel protection ipsec profile dmvpn
Branch-2(config-if)#exit

Branch-2(config)#router eigrp 1
Branch-2(config-router)#no auto-summary
Branch-2(config-router)#network 172.16.1.0 0.0.0.255
Branch-2(config-router)#network 192.168.3.0 0.0.0.255
Branch-2(config-router)#^Z
Branch-2#

7.3.7 Step 5 Testing

Hub:

Hub#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.17    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Tunnel0                    172.16.1.1      YES manual up                    up

Hub#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/100/124 ms

Hub#ping 192.168.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/88/108 ms

Hub#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.16 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Tunnel0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
D    192.168.2.0/24 [90/297270016] via 172.16.1.2, 00:00:04, Tunnel0
D    192.168.3.0/24 [90/297270016] via 172.16.1.3, 00:00:04, Tunnel0
S*   0.0.0.0/0 [1/0] via 203.0.113.18

Hub#show crypto isakmp sa
dst             src             state          conn-id slot status
203.0.113.17    203.0.113.34    QM_IDLE              3    0 ACTIVE
203.0.113.17    203.0.113.66    QM_IDLE              4    0 ACTIVE

Hub#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 203.0.113.17

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/47/0)
   current_peer 203.0.113.34 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 135, #pkts encrypt: 135, #pkts digest: 135
    #pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Branch-2:

Branch-2#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/191/224 ms
Branch-2#













8 SSL VPN
Secure Socket Layer VPN is proposed by IETF. It is used with a standard
web browser. It does not require any special client software installation on
the end user's computer. It allows remote users to access web applications,
client-server applications and internal network connections over the public
network (Internet) without any special client software. SSL VPN offers
adaptability, ease of use and granular control for a range of users on a variety
of computers accessing resources through many locations. The primary goal
of the SSL protocol is to provide privacy and reliability between two
communicating applications. The protocol is composed of two layers [18].
One is the transport layer and the second is the application layer. Its
specification was described in RFC 6101. The SSL record protocol is used for
encapsulation of various higher-level protocols. One advantage of SSL is that
it is application-protocol independent. There are two major types of SSL VPN.

1. SSL Portal VPN


2. SSL Tunnel VPN

In SSL portal VPN, the end user can access multiple network services
securely through a single SSL connection to a website. The site is called a
portal because it has only one door for multiple resources. The remote user
can access VPN gateway using any modern web browser for authentication
defined by the gateway.

In SSL tunnel VPN, the end user can access multiple network services
including applications and protocols securely that are not web-based through
a tunnel.

8.1 Security
SSL provides strong encryption, authentication and integrity services.
Initially, a handshake process is performed to establish a secret key; after
that, encryption is used. Symmetric or asymmetric cryptographic techniques are
used for data encryption. DES and 3DES are symmetric encryption algorithms in
which the same key is used for encryption and decryption. In the asymmetric
type, the RSA algorithm and a key pair are used for encryption and decryption.
Peer authentication is also based on symmetric or asymmetric cryptography;
third-party certificates are also used for peer authentication. Message
transport includes a message integrity check using a keyed Message
Authentication Code (MAC). Secure hash functions (e.g., SHA and MD5) are used
for MAC computations.

8.2 Encapsulation

In SSL VPN, the application data is received in chunks or blocks. The
Message Authentication Code (MAC) is attached to each block, and the result is
encapsulated into an object called a record, as displayed in Fig 8.1 below.
The record begins with a 5-byte header.

Figure 8.1 SSL Encapsulation
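As an added illustration of the record format described in 8.2 and the keyed MAC mentioned in 8.1 (example code written for this edition, not code from the book or from any vendor implementation): it builds and parses the 5-byte record header (content type, version, length), cuts a byte stream into whole records while holding back a partial one, and checks a keyed MAC over the fragment in constant time. The MAC uses HMAC-SHA1 purely to illustrate the keyed-MAC idea; it is not the SSL 3.0 MAC construction. The sample key and payload are constructed values.

```python
import hashlib
import hmac
import struct

SSL3_VERSION = 0x0300            # version field for SSL 3.0 (RFC 6101)
HEADER_LEN = 5                   # type (1 byte) + version (2) + length (2)
MAX_RECORD_BODY = 2**14 + 2048   # RFC 6101 upper bound on a ciphertext fragment
MAC_LEN = 20                     # SHA-1 output size used in this illustration
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def compute_mac(key, fragment):
    """Keyed MAC over a fragment. HMAC-SHA1 illustrates the idea; it is not
    the SSL 3.0 MAC construction itself."""
    return hmac.new(key, fragment, hashlib.sha1).digest()


def build_record(content_type, version, fragment, key):
    """Header + fragment + MAC. Encryption is left out so the bytes stay inspectable."""
    body = fragment + compute_mac(key, fragment)
    return struct.pack("!BHH", content_type, version, len(body)) + body


def parse_record_header(data):
    """Return (content_type, version, body_length) from the 5-byte header,
    refusing unknown types and oversized records before any body is touched."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated record header")
    content_type, version, length = struct.unpack("!BHH", data[:HEADER_LEN])
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {content_type}")
    if length > MAX_RECORD_BODY:
        raise ValueError(f"record body of {length} bytes exceeds the allowed maximum")
    return content_type, version, length


def split_records(stream):
    """Cut a byte stream into complete records; return them plus any trailing
    partial record, which a receiver would buffer until more bytes arrive."""
    records, offset = [], 0
    while offset + HEADER_LEN <= len(stream):
        content_type, version, length = parse_record_header(stream[offset:])
        end = offset + HEADER_LEN + length
        if end > len(stream):
            break                      # incomplete record: keep it for later
        records.append((CONTENT_TYPES[content_type], version,
                        stream[offset + HEADER_LEN:end]))
        offset = end
    return records, stream[offset:]


def verify_body(key, body):
    """Separate fragment and MAC, then check the MAC with a constant-time compare."""
    if len(body) < MAC_LEN:
        raise ValueError("body shorter than the MAC")
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return fragment, hmac.compare_digest(compute_mac(key, fragment), mac)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"          # constructed sample key
    rec = build_record(23, SSL3_VERSION, b"GET /portal HTTP/1.1", demo_key)
    records, leftover = split_records(rec + rec[:3])
    for kind, ver, body in records:
        print(kind, hex(ver), verify_body(demo_key, body))
    print("buffered bytes:", len(leftover))
```

The length check happens before any body bytes are read, which is the order a receiver should keep: a record claiming more than 2^14 + 2048 bytes is rejected rather than buffered.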

8.3 Router as an SSL VPN Gateway
8.3.1 Objectives
¾ Assign IP addresses according to topology
¾ Configure IP Routing
¾ Configure Router as a DNS Server
¾ Test Connectivity
¾ Configure Router as a Self-Signed Certificate
¾ Configure Router as an SSL VPN Gateway
¾ Test VPN

8.3.2 Topology




Figure 8.2 SSL VPN Setup

8.3.3 Step 1 IP Addressing
Assign IP addresses on the routers' interfaces and the PC as mentioned above in
topological diagram 8.2. Interfaces must be enabled and in the UP/running state.

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#

Internet#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.18    YES manual up                    up
FastEthernet0/1            203.0.113.33    YES manual up                    up
Internet#

Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable
Branch#configure terminal
Branch(config)#interface FastEthernet0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface FastEthernet0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#

Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.34    YES manual up                    up
FastEthernet0/1            192.168.1.1     YES manual up                    up
Branch#

PC:


Figure 8.3 Client IP Addressing

8.3.4 Step 2 Configuring Static Routing

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#

Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 203.0.113.33
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#

8.3.5 Step 3 Configuring Router as DNS Server

Internet:

Internet(config)#ip dns server
Internet(config)#ip name-server 203.0.113.18
Internet(config)#ip host mysslvpn.com 203.0.113.34
Internet(config)#no ip domain-lookup
Internet(config)#exit
Internet#

Internet#show ip dns view

DNS View default parameters:
Logging is off
DNS Resolver settings:
  Domain lookup is disabled
  Default domain name:
  Domain search list:
  Lookup timeout: 3 seconds
  Lookup retries: 2
  Domain name-servers:
    203.0.113.18
DNS Server settings:
  Forwarding of queries is disabled
  Forwarder timeout: 3 seconds
  Forwarder retries: 2
  Forwarder addresses:

8.3.6 Step 4 Testing Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping mysslvpn.com

Pinging mysslvpn.com [203.0.113.34] with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=148ms TTL=254
Reply from 203.0.113.34: bytes=32 time=213ms TTL=254
Reply from 203.0.113.34: bytes=32 time=191ms TTL=254
Reply from 203.0.113.34: bytes=32 time=220ms TTL=254

Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 148ms, Maximum = 220ms, Average = 193ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#

Internet:

Internet#show ip dns statistics

DNS requests received = 2 (2+0)
DNS requests dropped = 0 (0+0)
DNS responses replied = 2 (2+0)

Forwarder queue statistics:
  Current size = 0
  Maximum size = 5
  Drops = 0

8.3.7 Step 5 Configuring Self-Signed Certificates

Branch(config)#ip domain-name mysslvpn.com
Branch(config)#crypto key generate rsa general-keys modulus 2048 label mykey exportable
The name for the keys will be: mykey

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...
%SSH-5-ENABLED: SSH 1.99 has been enabled

Branch(config)#crypto pki trustpoint mytpoint
Branch(ca-trustpoint)#enrollment selfsigned
Branch(ca-trustpoint)#subject-name O=Test, CN=www.mysslvpn.com
Branch(ca-trustpoint)#revocation-check none
Branch(ca-trustpoint)#rsakeypair mykey
Branch(ca-trustpoint)#exit

Branch(config)#crypto pki enroll mytpoint
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created

Branch#wr
Building configuration...

%SYS-5-CONFIG_I: Configured from console by test on console
[OK]
Branch#dir nvram:
Directory of nvram:/

  120  -rw-        1271                    <no date>  startup-config
  121  ----        3574                    <no date>  private-config
  122  -rw-        1271                    <no date>  underlying-config
    1  ----          34                    <no date>  persistent-data
    2  -rw-           4                    <no date>  rf_cold_starts
    3  -rw-           0                    <no date>  ifIndex-table
    4  -rw-         910                    <no date>  Branchmysslv#1.cer

129016 bytes total (120023 bytes free)

Branch#show crypto pki certificates
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Issuer:
    hostname=Branch.mysslvpn.com
    o=Test
    cn=www.mysslvpn.com
  Subject:
    Name: Branch.mysslvpn.com
    hostname=Branch.mysslvpn.com
    o=Test
    cn=www.mysslvpn.com
  Validity Date:
    start date: 09:14:40 UTC Dec 8 2017
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: mytpoint

Branch#show crypto pki trustpoints
Trustpoint mytpoint:
    Subject Name:
    hostname=Branch.mysslvpn.com
    o=Test
    cn=www.mysslvpn.com
          Serial Number: 01
    Persistent self-signed certificate trust point

Branch#show crypto key mypubkey rsa
% Key pair was generated at: 09:05:01 UTC Dec 8 2017
Key name: mykey
Storage Device: private-config
Usage: General Purpose Key
Key is exportable.
Key Data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
  (remaining key bytes omitted)
% Key pair was generated at: 09:05:04 UTC Dec 8 2017
Key name: mykey.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00
  (remaining key bytes omitted)

8.3.8 Step 6 Configuring SSL VPN Gateway

Branch:

Branch(config)#aaa new-model
Branch(config)#username test password 0 test
Branch(config)#aaa authentication login default local

Branch(config)#webvpn gateway mysslgtwy
Branch(config-webvpn-gateway)#ip address 203.0.113.34 port 443
Branch(config-webvpn-gateway)#http-redirect port 80
Branch(config-webvpn-gateway)#ssl trustpoint mytpoint
Branch(config-webvpn-gateway)#inservice
Branch(config-webvpn-gateway)#exit

Branch(config)#webvpn context mycontext
Branch(config-webvpn-context)#gateway mysslgtwy
Branch(config-webvpn-context)#ssl authenticate verify all
Branch(config-webvpn-context)#max-users 100
Branch(config-webvpn-context)#inservice
%...-5-...: sslvpn context: mycontext changed state to UP
Branch(config-webvpn-context)#login-message "Welcome to mysslvpn.com"
Branch(config-webvpn-context)#policy group mydefaultpolicy
Branch(config-webvpn-group)#url-list "clientless"
Branch(config-webvpn-group)#exit
Branch(config-webvpn-context)#default-group-policy mydefaultpolicy
Branch(config-webvpn-context)#url-list "clientless"
Branch(config-webvpn-url)#heading "clientless"
Branch(config-webvpn-url)#url-text "Server" url-value "http://203.0.113.34"
Branch(config-webvpn-url)#exit

8.3.9 Step 7 Testing

PC:

Figure 8.4 before Certificate

Figure 8.5 after Certificate

Branch:

Branch#show webvpn gateway

Gateway Name    Admin  Operation
------------    -----  ---------
mysslgtwy       up     up

Branch#show webvpn context

Codes: AS - Admin Status, OS - Operation Status
       VHost - Virtual Host

Context Name    Gateway    Domain/VHost    VRF    AS    OS
------------    -------    ------------    ---    --    --
mycontext       mysslgtwy  -               -      up    up
Branch#

























9 High Availability VPN


High availability VPN is a feature that enables a device (router) to avoid a
single point of failure. It provides redundancy in the network: packets
continue to be processed and forwarded if one point fails. Multiple links are
used in parallel to provide high availability. One link works as active or
primary while the second link works as standby or backup. The standby link
automatically takes over as active if the active link goes down. This feature
is most valuable in the corporate sector. These two links may also work
together for load balancing. There are several high availability service
provider protocols, such as:

1. HSRP
2. VRRP
3. GLBP

9.1 HSRP
Hot Standby Router Protocol (HSRP) is a CISCO proprietary redundancy
protocol. It allows two or more routers to work together to represent a single
IP address for a particular network. It is not a routing protocol. It allows for
almost immediate failover to a secondary interface when the primary interface
is not available. The virtual IP address is used as a gateway for hosts in the
network. A host that uses the HSRP address as a gateway never knows the actual
physical IP or MAC address of the routers in the group. Only the virtual IP
address that was created within the HSRP configuration, along with a virtual
MAC address, is known to other hosts on the network. Its specification was
described in RFC 2281 [19]. It has two versions.

In HSRP, a group of routers is configured as a standby group. This group is
based on a single virtual IP address. In this standby group, one router is
active and the second is standby. Selection of the active router is based upon
priority: the router with the highest priority wins the election. By default,
the priority is 100. If the priority is the same on all routers, the selection
is based upon IP addresses, and the router with the highest IP address wins the
election. The election process consists of 6 different states (Initial, Learn,
Listen, Speak, Standby & Active). HSRP uses UDP with port number 1985 for
messages. It uses multicast address 224.0.0.2 with TTL 1. If the active router
fails, the standby router becomes active. If the first primary router comes
back up and returns to service, the standby will continue to stay active. There
are times when you may always want the first primary to be in the active state
in the HSRP group. CISCO provides a way for users to control this by using the
preempt command. Preempt forces a router to become active after recovering from
a failure.
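An added example (written for this edition, not taken from the book or from any vendor code) that puts the HSRP facts above into code: it decodes the 20-byte HSRP version 1 packet defined in RFC 2281 (carried over UDP port 1985 to 224.0.0.2), applies the election rule (highest priority wins, highest IP address breaks a tie), and audits hellos observed on a segment against the routers an operator expects to see there, flagging the RFC 2281 default authentication string and senders that are not on the operator's list. The sample packets reuse the values of the lab in 9.4 (192.168.1.2 with priority 200, 192.168.1.3 with priority 100, virtual IP 192.168.1.5); the `known_routers` table and the third sender are constructed inputs.

```python
import ipaddress
import struct

HSRP_PORT = 1985          # UDP port used for HSRP messages
HSRP_MCAST = "224.0.0.2"  # destination of HSRP v1 hellos, sent with TTL 1
HSRP_V1_LEN = 20          # fixed size of an HSRP version 1 packet (RFC 2281)
HSRP_FMT = "!BBBBBBBB8s4s"

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco".ljust(8, b"\x00")   # RFC 2281 default authentication data


def build_hello(priority, group, virtual_ip, state=16, auth=DEFAULT_AUTH,
                hellotime=3, holdtime=10):
    """Encode an HSRP v1 Hello; used here only to construct sample input."""
    return struct.pack(HSRP_FMT, 0, 0, state, hellotime, holdtime, priority,
                       group, 0, auth, ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp(packet):
    """Decode one HSRP v1 packet into a dict; rejects short or non-v1 data."""
    if len(packet) < HSRP_V1_LEN:
        raise ValueError("packet shorter than an HSRP v1 header")
    (version, opcode, state, hellotime, holdtime, priority, group,
     _reserved, auth, vip) = struct.unpack(HSRP_FMT, packet[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError("only HSRP version 1 (version field 0) is decoded here")
    return {
        "opcode": OPCODES.get(opcode, opcode),
        "state": STATES.get(state, state),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "auth": auth.rstrip(b"\x00"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def elect_active(candidates):
    """candidates: iterable of (router_ip, priority).
    Highest priority wins; on a tie the highest IP address wins."""
    return max(candidates,
               key=lambda c: (c[1], ipaddress.IPv4Address(c[0])))[0]


def audit_hellos(hellos, known_routers):
    """hellos: list of (source_ip, packet_bytes) captured on the segment.
    known_routers: {source_ip: configured_priority} from the operator's records.
    Returns (source_ip, finding) tuples for anything that deviates."""
    findings = []
    for src, pkt in hellos:
        h = parse_hsrp(pkt)
        if h["auth"] == b"cisco":
            findings.append((src, "default-auth"))
        if src not in known_routers:
            findings.append((src, "unknown-source"))
        elif known_routers[src] != h["priority"]:
            findings.append((src, "priority-mismatch"))
    return findings


if __name__ == "__main__":
    # Constructed samples using the lab values of 9.4
    seen = [("192.168.1.2", build_hello(200, 1, "192.168.1.5", state=16)),
            ("192.168.1.3", build_hello(100, 1, "192.168.1.5", state=8))]
    known_routers = {"192.168.1.2": 200, "192.168.1.3": 100}   # constructed
    for src, pkt in seen:
        print(src, parse_hsrp(pkt))
    print("active:", elect_active([(s, parse_hsrp(p)["priority"]) for s, p in seen]))
    print("findings:", audit_hellos(seen, known_routers))
```

Both lab routers are reported with `default-auth` because the book's configuration never sets `standby 1 authentication`; the audit therefore points at the setting a defender would add, and the `unknown-source` finding is what a monitoring job would raise for a hello from an address outside the operator's inventory.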

RRI (Reverse Route Injection) is a feature designed to simplify network
design for VPNs which require redundancy and routing. When routes are
created, they are injected into any dynamic routing protocol and distributed
to surrounding devices. RRI works with both dynamic and static crypto
maps.

9.2 VRRP
The Virtual Router Redundancy Protocol (VRRP) is also a redundancy
protocol. It is an open standard, described in RFC 3768 by the IETF [20]. It
provides a function similar to the proprietary protocols "Hot Standby Router
Protocol" and "IP Standby Protocol". That is why CISCO claims that a
similar protocol with essentially the same facility is patented and licensed. It
uses multicast address 224.0.0.18 and IP protocol number 112. It creates
virtual routers, which are an abstract representation of multiple routers, i.e.
master and backup routers, acting as a group. The default priority is 100 in
this protocol. In the group, one router is master and the second is backup.
Election of the master router is based upon priority: the router with the
highest priority wins the election.

9.3 GLBP
Gateway Load Balancing Protocol (GLBP) is a CISCO proprietary protocol
that attempts to overcome the limitations of existing redundant router
protocols by adding basic load balancing functionality. By default, GLBP
load balancing is round-robin. GLBP elects one AVG (Active Virtual
Gateway) for each group. The second-best AVG is placed in the standby state
and all other members are placed in the listening state. By default, GLBP
routers use the multicast address 224.0.0.102 to send hello packets to their
peers every 3 seconds over UDP port number 3222.

9.4 Site-to-Site IPsec High Availability with HSRP
9.4.1 Objectives
¾ Assign IP addresses according to the topology
¾ Configure IP Routing
¾ Test Connectivity
¾ Configure HSRP
¾ Configure Site-to-Site IPsec VPN
¾ Testing

9.4.2 Topology





Figure 9.1 Site-to-Site IPsec High Availability VPN Setup

9.4.3 Step 1 IP Addressing
Assign IP addresses on the routers' interfaces and the PC as mentioned above in
topological diagram 9.1. Interfaces must be enabled and in the UP/running state.

Internet:

Internet>enable
Internet#configure terminal
Internet(config)#interface FastEthernet0/0
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface FastEthernet0/1
Internet(config-if)#ip address 203.0.113.19 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z

Internet#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.33    YES manual up                    up
FastEthernet0/1            203.0.113.19    YES manual up                    up

Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.32/28 is directly connected, FastEthernet0/0
C    203.0.113.16/28 is directly connected, FastEthernet0/1

PC:



Figure 9.2 Client IP Addressing

Primary:

Primary>enable
Primary#configure terminal
Primary(config)#interface FastEthernet0/0
Primary(config-if)#ip address 192.168.1.2 255.255.255.0
Primary(config-if)#no shutdown
Primary(config-if)#exit
Primary(config)#interface FastEthernet0/1
Primary(config-if)#ip address 203.0.113.17 255.255.255.240
Primary(config-if)#no shutdown
Primary(config-if)#^Z

Primary#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.2     YES manual up                    up
FastEthernet0/1            203.0.113.17    YES manual up                    up
Primary#

Secondary:

Secondary>enable
Secondary#configure terminal
Secondary(config)#interface FastEthernet0/0
Secondary(config-if)#ip address 192.168.1.3 255.255.255.0
Secondary(config-if)#no shutdown
Secondary(config-if)#exit
Secondary(config)#interface FastEthernet0/1
Secondary(config-if)#ip address 203.0.113.18 255.255.255.240
Secondary(config-if)#no shutdown
Secondary(config-if)#^Z

Secondary#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.3     YES manual up                    up
FastEthernet0/1            203.0.113.18    YES manual up                    up
Secondary#

Branch-2:

Branch-2>enable
Branch-2#configure terminal
Branch-2(config)#interface FastEthernet0/0
Branch-2(config-if)#ip address 203.0.113.34 255.255.255.240
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#interface FastEthernet0/1
Branch-2(config-if)#ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)#no shutdown
Branch-2(config-if)#^Z

Branch-2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            203.0.113.34    YES manual up                    up
FastEthernet0/1            192.168.2.1     YES manual up                    up
Branch-2#

9.4.4 Step 2 Configuring Static Routing

Branch-2:

Branch-2(config)#ip route 203.0.113.16 255.255.255.240 203.0.113.33
Branch-2(config)#exit
Branch-2#

Branch-2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C    203.0.113.32/28 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S    203.0.113.16/28 [1/0] via 203.0.113.33
Branch-2#

Primary:

Primary(config)#ip route 203.0.113.32 255.255.255.240 203.0.113.19
Primary(config)#exit
Primary#

Primary#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.19 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    203.0.113.16/28 is directly connected, FastEthernet0/1
S    203.0.113.32/28 [1/0] via 203.0.113.19
Primary#

Secondary:

Secondary(config)#ip route 203.0.113.32 255.255.255.240 203.0.113.19
Secondary(config)#exit
Secondary#

Secondary#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.19 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    203.0.113.16/28 is directly connected, FastEthernet0/1
S    203.0.113.32/28 [1/0] via 203.0.113.19
Secondary#

9.4.5 Step 3 Testing Connectivity

Primary:

Primary#ping 203.0.113.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/75/96 ms

Primary#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)

Secondary:

Secondary#ping 203.0.113.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/75/96 ms

Secondary#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)

9.4.6 Step 4 Configuring HSRP

Primary:

Primary(config)#interface FastEthernet0/0
Primary(config-if)#standby 1 ip 192.168.1.5
Primary(config-if)#standby 1 priority 200
Primary(config-if)#standby 1 preempt
Primary(config-if)#standby 1 name inside
Primary(config-if)#standby 1 track FastEthernet0/1 110
Primary(config-if)#exit

Primary(config)#interface FastEthernet0/1
Primary(config-if)#standby 2 ip 203.0.113.20
Primary(config-if)#standby 2 priority 200
Primary(config-if)#standby 2 preempt
Primary(config-if)#standby 2 name <group-name>
Primary(config-if)#standby 2 track FastEthernet0/0 110
Primary(config-if)#exit
Primary(config)#

Secondary:

Secondary(config)#interface FastEthernet0/0
Secondary(config-if)#standby 1 ip 192.168.1.5
Secondary(config-if)#standby 1 preempt
Secondary(config-if)#standby 1 name inside
Secondary(config-if)#exit
Secondary(config)#interface FastEthernet0/1
Secondary(config-if)#standby 2 ip 203.0.113.20
Secondary(config-if)#standby 2 preempt
Secondary(config-if)#standby 2 name <group-name>
Secondary(config-if)#exit
Secondary(config)#

Primary:

Primary#show standby

FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:03:20
  Virtual IP address is 192.168.1.5
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.276 secs
  Preemption enabled, min delay 0 sec, sync delay 0 sec
  Active router is local
  Standby router is 192.168.1.3, priority 100 (expires in 7.676 sec)
  Priority 200 (configured 200)
  Group name is "inside" (cfgd)
FastEthernet0/1 - Group 2
  State is Active
    2 state changes, last state change 00:02:44
  Virtual IP address is 203.0.113.20
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.268 secs
  Preemption enabled, min delay 0 sec, sync delay 0 sec
  Active router is local
  Standby router is 203.0.113.18, priority 100 (expires in 8.132 sec)
  Priority 200 (configured 200)
  Group name is "<group-name>" (cfgd)
Primary#

Secondary:

Secondary#show standby

FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 00:00:30
  Virtual IP address is 192.168.1.5
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.052 secs
  Preemption enabled, min delay 0 sec, sync delay 0 sec
  Active router is 192.168.1.2, priority 200 (expires in 7.792 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "inside" (cfgd)
FastEthernet0/1 - Group 2
  State is Standby
    1 state change, last state change 00:00:05
  Virtual IP address is 203.0.113.20
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.464 secs
  Preemption enabled, min delay 0 sec, sync delay 0 sec
  Active router is 203.0.113.17, priority 200 (expires in 7.780 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "<group-name>" (cfgd)
Secondary#

9.4.7 Step 5 Configuring IPsec over HSRP

Primary:

Primary(config)#crypto isakmp policy 10
Primary(config-isakmp)#encryption 3des
Primary(config-isakmp)#hash md5
Primary(config-isakmp)#authentication pre-share
Primary(config-isakmp)#group 2
Primary(config-isakmp)#exit

Primary(config)#crypto isakmp key 0 testipsecvpn address 0.0.0.0
Primary(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
Primary(cfg-crypto-trans)#exit

Primary(config)#crypto dynamic-map dmap 10
Primary(config-crypto-map)#set transform-set tset
Primary(config-crypto-map)#match address 101
Primary(config-crypto-map)#reverse-route
Primary(config-crypto-map)#exit
Primary(config)#

Primary(config)#ip access-list extended 101
Primary(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Primary(config-ext-nacl)#exit

Primary(config)#ip route 192.168.2.0 255.255.255.0 203.0.113.19
Primary(config)#crypto map smap 10 ipsec-isakmp dynamic dmap

Primary(config)#interface FastEthernet0/1
Primary(config-if)#crypto map smap redundancy <group-name>
Primary(config-if)#^Z
Primary#

Secondary:

Secondary(config)#crypto isakmp policy 10
Secondary(config-isakmp)#encryption 3des
Secondary(config-isakmp)#hash md5
Secondary(config-isakmp)#authentication pre-share
Secondary(config-isakmp)#group 2
Secondary(config-isakmp)#exit

Secondary(config)#crypto isakmp key 0 testipsecvpn address 0.0.0.0
Secondary(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
Secondary(cfg-crypto-trans)#exit

Secondary(config)#crypto dynamic-map dmap 10
Secondary(config-crypto-map)#set transform-set tset
Secondary(config-crypto-map)#match address 101
Secondary(config-crypto-map)#reverse-route
Secondary(config-crypto-map)#exit
Secondary(config)#

Secondary(config)#ip access-list extended 101
Secondary(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Secondary(config-ext-nacl)#exit

Secondary(config)#ip route 192.168.2.0 255.255.255.0 203.0.113.19
Secondary(config)#crypto map smap 10 ipsec-isakmp dynamic dmap

Secondary(config)#interface FastEthernet0/1
Secondary(config-if)#crypto map smap redundancy <group-name>
Secondary(config-if)#^Z
Secondary#

Branch-2:

Branch-2(config)#crypto isakmp policy 10
Branch-2(config-isakmp)#encryption 3des
Branch-2(config-isakmp)#hash md5
Branch-2(config-isakmp)#authentication pre-share
Branch-2(config-isakmp)#group 2
Branch-2(config-isakmp)#exit

Branch-2(config)#crypto isakmp key 0 testipsecvpn address 203.0.113.20
Branch-2(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch-2(cfg-crypto-trans)#exit

Branch-2(config)#crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Branch-2(config-crypto-map)#set peer 203.0.113.20
Branch-2(config-crypto-map)#set transform-set tset
Branch-2(config-crypto-map)#match address 102
Branch-2(config-crypto-map)#exit

Branch-2(config)#ip access-list extended 102
Branch-2(config-ext-nacl)#permit ip any 192.168.1.0 0.0.0.255
Branch-2(config-ext-nacl)#exit

Branch-2(config)#ip route 192.168.1.0 255.255.255.0 203.0.113.33

Branch-2(config)#interface FastEthernet0/0
Branch-2(config-if)#crypto map smap
Branch-2(config-if)#^Z
Branch-2#

9.4.8 Step 6 Testing

PC:

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=72ms TTL=254
Reply from 192.168.2.1: bytes=32 time=78ms TTL=254
Reply from 192.168.2.1: bytes=32 time=78ms TTL=254
Reply from 192.168.2.1: bytes=32 time=78ms TTL=254

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 72ms, Maximum = 78ms, Average = 76ms

Branch-2:

Branch-2#show crypto isakmp sa

dst             src             state          conn-id slot
203.0.113.20    203.0.113.34    QM_IDLE              1    0

Branch-2#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: smap, local addr. 203.0.113.34

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 203.0.113.20
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.20
     path mtu 1500, media mtu 1500
     current outbound spi: <spi>

Branch-2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/88/136 ms
Branch-2#













Page | 185
%"&.

BRC G. De Laet and G. Schauwers, “Network security fundamentals”, Cisco Press, 2005.

BSC ; (5 #8 ; ''8 ;  -/# $)8 ; -08 ; $//' 8 ) ; *-)8 I*$)/>/*>+*$)/
/0)) '$)"+-*/**'@A8ISQXQ>RXSR8SWTX8RZZZ;
BTC ;*-));;''8I$-*.*!/*$)/>/*>*$)/)-4+/$*)@A-*/**'I8TQXY8
SQQR;
BUC #//+:<<222;#>*)'$) ;*(<. 0-$/4<) 2.<$/ (<$-*.*!/>.4.>*)>/>0. >>)>
> >RWXSSVX;#/('
BVC ;*2).' 48;' )$8;0 ).8;''8;*-)8);'/ -8I 4 -/2*/0)) '$)"
+-*/**'@ SAI8SQXQ>RXSR8SWWR8RZZZ;
BWC ; 08;*2).' 48)
;*4- /8I 4 -2*0)) '$)"-*/**'> -.$*)T@ S1TAI8
!TZTR8SQQV;
BXC ;/ '8;*8;$3*)8;*-)8);**/#8I 0-$)" S0.$)"
. I8SQXQ>
RXSR8TRZT8SQQR;
BYC ;/&$).*)8I 0-$/4-#$/ /0- !*-/# 
)/ -) /-*/**'”,
  ()&'
$+*%# "

   8RYSV8RZZV;
BZC ; * ) ; $3*)8 I
. >) /2*-& - .. /-).'/$*) @A *(+/$$'$/4
- ,0$- ( )/.I8TXRV8SQQU;
BRQC ;; -$)"); $) )8I
)/ -) /+-*/**'81 -.$*)W@
1WA.+ $!$/$*)8ISUWQ8
RZZY;
BRRC ; )/8;/&$).*)8)
;;  -8I
0/# )/$/$*)  -”8SUQS8RZZY;
BRSC ;   /);#02 -.8“Network security fundamentals”,$.*- ..8SQQV;
BRTC ; )/8I
 )+.0'/$)". 0-$/4+4'*@AI8UTQT8SQQV;
BRUC ;0"#)8;# -/' -8;#) $ -8) ;0-) -8I
)/ -) / 0-$/4..*$/$*)
) 4)" ( )/-*/**'@
 A”8SUQY8RZZY;
BRVC ; 0!()8; *!!()8;$-8);-*) )8I
)/ -) / 43#)" -*/**' -.$*)
2 (IKEv2)”, VZZW8SQRQ;
BRWC ; -$)$8; $8 ; )&.8 ; 4 -8 ); -$)8 I ) -$ *0/$)" )+.0'/$*)
@AI8
8SXYU8SQQQ;
BRXC ;  /$ )) 8 ; 0(-8 ) ; 0'' ) -" -, “Flexible Dynamic Mesh VPN draft>
 /$ )) >(1+)>00”, CISCO, 201T;
BRYC ;- $ -8; -'/*)8); *# -8I# . 0- .*& /.'4 -@ A+-*/**'1 -.$*)T;Q8I
SQRR;
BRZC ; $8;*-/*)8; $8);*' 8I$.* */ /)4 *0/ --*/**'@ AI88
SSYR8RZZY;
BSQC ; $) )8I$-/0'*0/ - 0))4-*/**'@AI88TXWY8SQQU;
