Virtual Private Networks in Theory and Practice
Zeeshan Ashraf
University of Lahore
All content following this page was uploaded by Zeeshan Ashraf on 11 January 2019.
Dedication
This book is dedicated to my parents and my family.
Page | i
Acknowledgment
All books are the product of teamwork, and I thank all the members of the
Scholars Press publisher, including the project editor, friends, seniors,
colleagues, and my teachers.
Contents
Chapter 1 Introduction
1 Virtual Private Network ........................................................................ 2
1.1 VPN Services .................................................................................... 2
1.1.1 Confidentiality......................................................................... 2
1.1.2 Integrity ................................................................................... 3
1.1.3 Authentication ......................................................................... 3
1.1.4 Availability .............................................................................. 4
1.1.5 Anti-Replay ............................................................................. 4
1.2 VPN Advantages .............................................................................. 4
1.2.1 Data Security ........................................................................... 4
1.2.2 Private Network Access .......................................................... 4
1.2.3 Bandwidth ............................................................................... 5
1.2.4 Cost Reduction ........................................................................ 5
1.2.5 Deployment Flexibility ........................................................... 5
1.3 VPN Types........................................................................................ 5
1.3.1 Remote Access VPN ............................................................... 5
1.3.2 Site-to-Site VPN...................................................................... 5
1.4 VPN Protocols .................................................................................. 6
1.5 VPN Supported Devices ................................................................... 6
Chapter 2 PPTP VPN
2 PPTP VPN ............................................................................................. 8
2.1 PPTP Security ................................................................................... 8
2.2 Encapsulation .................................................................................... 9
2.3 Router as a PPTP VPN Server........................................................ 10
2.3.1 Lab Objectives ...................................................................... 10
2.3.2 Topology ............................................................................... 10
2.3.3 Step-1 IP Addressing............................................................. 10
2.3.4 Step-2 Configuring Static IP Routing ................................... 12
2.3.5 Step-3 Connectivity Testing.................................................. 13
2.3.6 Step-4 Configuring Router as a PPTP VPN Server .............. 14
2.3.7 Step-5 Configuring & Setting of PPTP VPN Client ............. 15
2.3.8 Step-6 Connecting VPN Client ............................................. 19
2.3.9 Step-7 Testing ....................................................................... 21
Chapter 3 L2TP VPN
3 L2TP VPN ........................................................................................... 25
3.1 L2TP Security ................................................................................. 26
3.2 Encapsulation .................................................................................. 27
3.3 Router as a L2TP VPN Server........................................................ 28
3.3.1 Lab Objectives ...................................................................... 28
3.3.2 Topology ............................................................................... 28
3.3.3 Step-1 IP Addressing............................................................. 28
3.3.4 Step-2 Configuring Static IP Routing ................................... 30
3.3.5 Step-3 Configuring Router as a DNS Server ........................ 31
3.3.6 Step-4 Testing Connectivity.................................................. 31
3.3.7 Step-5 Configuring Router as a L2TP VPN Server .............. 33
3.3.8 Step-6 Configuring & Setting L2TP VPN Client ................. 34
3.3.9 Step-7 Connecting VPN Client ............................................. 36
3.3.10 Step-8 Testing ....................................................................... 38
Chapter 4 L2TP over IPsec VPN
4 L2TP over IPsec VPN ......................................................................... 42
4.1 L2TP over IPsec Security ............................................................... 42
4.2 Encapsulation .................................................................................. 42
4.3 Router as an L2TP over IPsec VPN Server .................................... 44
4.3.1 Lab Objectives ...................................................................... 44
4.3.2 Topology ............................................................................... 44
4.3.3 Step-1 IP Addressing............................................................. 44
4.3.4 Step-2 Configuring Static IP Routing ................................... 46
4.3.5 Step-3 Testing Connectivity.................................................. 47
4.3.6 Step-4 Configuring Router as an L2TP over IPsec VPN...... 48
4.3.7 Step-5 Configuring & Setting L2TP over IPsec VPN Client 49
4.3.8 Step-6 Connecting VPN Client ............................................. 70
4.3.9 Step-7 Testing ....................................................................... 72
Chapter 5 IPsec VPN
5 IPsec VPN ........................................................................................... 79
5.1 IPsec Security Architecture ............................................................ 79
5.2 Encapsulation .................................................................................. 81
5.3 Site-to-Site IPsec VPN b/w Routers ............................................... 83
5.3.1 Lab Objectives ...................................................................... 83
5.3.2 Topology ............................................................................... 83
5.3.3 Step-1 IP Addressing............................................................. 83
5.3.4 Step-2 Configuring Static IP Routing ................................... 86
5.3.5 Step-3 Configuring NAT ...................................................... 88
5.3.6 Step-4 Testing Connectivity.................................................. 89
5.3.7 Step-5 Configuring Site-to-Site IPsec VPN Tunnel ............. 90
5.3.8 Step-6 Testing ....................................................................... 92
5.4 Site-to-Site IPsec VPN b/w PIX & ASA........................................ 95
5.4.1 Lab Objectives ...................................................................... 95
5.4.2 Topology ............................................................................... 95
5.4.3 Step-1 IP Addressing............................................................. 95
5.4.4 Step-2 Configuring Static IP Routing ................................... 99
5.4.5 Step-3 Testing Connectivity................................................ 100
5.4.6 Step-4 Configuring IPsec Tunnel ........................................ 101
5.4.7 Step-5 Testing ..................................................................... 102
5.5 Remote Access IPsec VPN with Router (Easy VPN) .................. 104
5.5.1 Lab Objectives .................................................................... 104
5.5.2 Topology ............................................................................. 104
5.5.3 Step-1 IP Addressing........................................................... 104
5.5.4 Step-2 Configuring Static IP Routing ................................. 106
5.5.5 Step-3 Testing Connectivity................................................ 107
5.5.6 Step-4 Configuring Remote Access IPsec VPN Tunnel ..... 107
5.5.7 Step-5 Installing & Setting CISCO IPsec VPN Client ....... 109
5.5.8 Step-6 Connecting IPsec VPN Client ................................. 113
5.5.9 Step-7 Testing ..................................................................... 115
5.6 Remote Access IPsec VPN with ASA (Easy VPN) ..................... 116
5.6.1 Lab Objectives .................................................................... 116
5.6.2 Topology ............................................................................. 116
5.6.3 Step-1 IP Addressing........................................................... 116
5.6.4 Step-2 Configuring NAT .................................................... 118
5.6.5 Step-3 Configuring Static IP Routing ................................. 118
5.6.6 Step-4 Testing Connectivity................................................ 119
5.6.7 Step-5 Configuring ASA as IPsec VPN Server .................. 120
5.6.8 Step-6 Configuring VPN Client .......................................... 121
5.6.9 Step-7 Connecting VPN Client ........................................... 121
5.6.10 Step-8 Testing ..................................................................... 121
Chapter 6 GRE VPN
6 GRE VPN .......................................................................................... 124
6.1 GRE Security ................................................................................ 124
6.2 Encapsulation ................................................................................ 124
6.3 Site-to-Site IPsec over GRE VPN ................................................ 125
6.3.1 Lab Objectives .................................................................... 125
6.3.2 Topology ............................................................................. 125
6.3.3 Step-1 IP Addressing........................................................... 125
6.3.4 Step-2 Configuring Static IP Routing ................................. 127
6.3.5 Step-3 Configuring NAT .................................................... 128
6.3.6 Step-4 Testing Connectivity................................................ 129
6.3.7 Step-5 Configuring Site-to-Site IPSec over GRE Tunnel .. 130
6.3.8 Step-6 Testing ..................................................................... 132
6.4 Site-to-Site IPsec over GRE VPN (Behind ASA) ........................ 136
6.4.1 Lab Objectives .................................................................... 136
6.4.2 Topology ............................................................................. 136
6.4.3 Step-1 IP Addressing........................................................... 136
6.4.4 Step-2 Configuring Static IP Routing ................................. 139
6.4.5 Step-3 Configuring NAT .................................................... 141
6.4.6 Step-4 Testing Connectivity................................................ 142
6.4.7 Step-5 Configuring IPsec over GRE ................................... 142
6.4.8 Step-6 Testing ..................................................................... 145
Chapter 7 DMVPN
7 DMVPN............................................................................................. 147
7.1 DMVPN Security.......................................................................... 147
7.2 Encapsulation ................................................................................ 147
7.3 Dynamic Multipoint VPN (Hub & Spokes) ................................. 148
7.3.1 Lab Objectives .................................................................... 148
7.3.2 Topology ............................................................................. 148
7.3.3 Step-1 IP Addressing........................................................... 148
7.3.4 Step-2 Configuring Static IP Routing ................................. 151
7.3.5 Step-3 Testing Connectivity................................................ 152
7.3.6 Step-4 Configuring DMVPN Tunnel .................................. 153
7.3.7 Step-5 Testing ..................................................................... 155
Chapter 8 SSL VPN
8 SSL VPN ........................................................................................... 159
8.1 SSL Security ................................................................................. 159
8.2 SSL Encapsulation ........................................................................ 160
8.3 Router as an SSL VPN Gateway .................................................. 161
8.3.1 Lab Objectives .................................................................... 161
8.3.2 Topology ............................................................................. 161
8.3.3 Step-1 IP Addressing........................................................... 161
8.3.4 Step-2 Configuring Static IP Routing ................................. 163
8.3.5 Step-3 Configuring Router as a DNS Server ...................... 164
8.3.6 Step-4 Testing Connectivity................................................ 164
8.3.7 Step-5 Configuring Self-Signed Certificates ...................... 166
8.3.8 Step-6 Configuring SSL VPN Gateway ............................. 168
8.3.9 Step-7 Testing ..................................................................... 169
Chapter 9 High Availability VPN
9 High Availability VPN ...................................................................... 172
9.1 HSRP ............................................................................................ 172
9.2 VRRP ............................................................................................ 173
9.3 GLBP ............................................................................................ 173
9.4 Site-to-Site IPsec High Availability VPN with HSRP ................. 174
9.4.1 Lab Objectives .................................................................... 174
9.4.2 Topology ............................................................................. 174
9.4.3 Step-1 IP Addressing........................................................... 174
9.4.4 Step-2 Configuring Static IP Routing ................................. 177
9.4.5 Step-3 Testing Connectivity................................................ 179
9.4.6 Step-4 Configuring HSRP ................................................... 179
9.4.7 Step-5 Configuring IPsec VPN over HSRP ........................ 182
9.4.8 Step-6 Testing ..................................................................... 184
References: ................................................................................................ 186
Learning Outcomes
This book covers virtual private network technologies, both theoretical and
practical. As a study guide, it demonstrates how VPNs actually work and their
practical implementation in different lab scenarios, step by step. The
objective of this book is to teach students and professionals in an easy way.
From this book, a reader gains the theoretical knowledge of VPNs as well as
the IOS-based practical implementation of several types of VPN at home and in
the office.
There are several types of VPN with different scenarios. After studying this
book, the reader will be familiar with almost all types of VPN and will be
able to set up all of them in different scenarios in the office and at home.
Chapter 1 Introduction
1.1 VPN Services
VPNs provide different types of security services through different security
protocols. These services are:
1. Confidentiality
2. Integrity
3. Authentication
4. Availability
5. Anti-replay
encrypt the data if its public key is used to decrypt data. The mechanism,
that is, the way or method, defines how to drive the algorithm and key.
Modern encryption algorithms are:
1.1.2 Integrity
Integrity means originality. It is a technique to ensure that data is not
modified or altered by an unauthorized person during transmission. The data
remains consistent, both internally and externally: it is guaranteed that the
receiver gets the data in its original form and that nothing in it changed in
transit. In network security, this is also called hashing. Hashing is a
one-way process in which a 32-bit long hash value is calculated from the data
with a specific algorithm. This hash value is transmitted along with the data.
On the receiving side, the receiver once again calculates the hash value of
the received data with the same algorithm and compares it with the value that
came with the data. If the values are the same, the integrity is not
compromised; if the hash value differs by even one character, the integrity
is compromised and the receiver discards the received data. Modern hashing
algorithms are:
1.1.3 Authentication
Authentication is a technique which verifies the identity of a user or a
process. It prevents unauthorized users from accessing data or services. In
this process, the credentials provided by the user are compared with those
already saved in the database file. If the credentials match, the user is
granted access and the process is complete; if they do not match, access is
denied. Authentication may be local or remote. In local authentication, the
credentials are saved on the same machine, while in remote authentication the
user credentials are saved on another server: the receiving machine sends the
user's credentials to the authentication server, which checks whether they
are true or false and responds. If the machine receives true from the
authentication server it grants access, and if it receives false it denies
access. For security, the Challenge Handshake Authentication Protocol (CHAP)
is used between the machine and the authentication server. Modern remote
authentication servers are:
1.2 VPN Advantages
VPN technology has heavily influenced the corporate sector through its many
advantages. Because of these advantages, it is a popular and widely deployed
technology in the industry. These advantages are:
1.2.1 Data Security
The public network (Internet) is not a secure network, and it is not possible
to secure it completely. It is very risky, because it is easy for a third
person (an intruder) to access or alter data as it moves across the public
network, so data needs to be secured before it is transferred over a public
network. A VPN encapsulates the data in a security header before transmitting
it to its destination. When data is encapsulated in a security header, it is
not easy to access or alter it. On the receiving side, it is decapsulated.
1.2.3 Bandwidth
Users or branch offices use leased lines such as E1, T1, Frame Relay or
Asynchronous Transfer Mode (ATM) to access the company's data or services
securely. These leased lines typically provide connection speeds of 128 Kbps,
256 Kbps and 512 Kbps, and they are expensive. Users and branch offices
require more bandwidth and speed for their services and advanced
applications. Internet Service Providers (ISPs) provide relatively
high-bandwidth IP connections, such as broadband Digital Subscriber Line
(DSL) or cable access, for VPN on a shared basis.
1.2.4 Cost Reduction
ISPs provide relatively high-bandwidth IP connections, such as broadband DSL
or cable service, on a shared basis. As a result, many customers are
migrating their primary WAN connectivity to these services or deploying such
WAN alternatives as a secondary high-speed WAN circuit to augment their
existing private network. These high-bandwidth, shared IP connections cost
relatively less than leased lines.
1.2.5 Deployment Flexibility
VPNs can be quickly established wherever an Internet access connection is
available. They offer a great degree of flexibility in connecting branch
offices, or even while traveling outside the office or at home.
1.3 VPN Types
A VPN can be set up in different forms. A secure connection is created over a
public network; this connection is sometimes called a tunnel, and all traffic
passes through it. There are two basic types of VPN:
1.3.1 Remote Access VPN
In a remote access VPN, a single user connects to a private network and
accesses its services and resources remotely. The connection between the
user and the private network goes through the Internet, yet it is secure and
private. Usually, home users or teleworkers use this type of VPN: teleworkers
or employees use a remote access VPN to connect to their company's private
network and remotely access files and resources on the private network while
traveling.
1.3.2 Site-to-Site VPN
The Site-to-Site VPN type is mostly used in corporate networks. In this type
of VPN, a company's offices in different geographical locations use a
site-to-site VPN to connect their networks with the head office or another
branch office. A device acts as a gateway in one branch office, and similarly
in the other branch office, and the connection is established between the
two. Once the connection is established, multiple users in those branch
offices can use it.
1.5 VPN Supported Devices
A dedicated VPN support device is the VPN concentrator. A VPN concentrator
is a type of networking device that provides secure creation of VPN
connections and delivery of messages between VPN nodes. However, other
devices (routers, multi-layer switches, PIX, ASA, PCs, smartphones and
tablets) may also support VPN, provided they run a VPN-capable operating
system. Multiple vendors, such as CISCO, Juniper, Linksys, Microsoft, Linux
and Mac, have designed such devices. The VPN service provided by these
devices is said to be IOS-based VPN. In this guide, CISCO-based devices
(Router, PIX and ASA) and Windows-based PCs are used.
Chapter 2 PPTP VPN
Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN techniques
in network security. It was introduced by "Matthew Ramsay" in 1999 with the
support of Microsoft, and its specification was described in RFC 2637 [2].
It basically extends the Point-to-Point Protocol (PPP), which transfers
multi-protocol datagrams over a point-to-point link. It uses the dial-up
networking method called Virtual Private Dial-up Network (VPDN), which makes
it well suited to remote access applications through a VPN; it also supports
LAN internetworking. It operates at layer 2 of the OSI model and works as a
client/server model that is simple to configure. By default, the client is
software that is normally available in all Microsoft Windows, Linux and MAC
operating systems. It remains the most popular technology, especially on
Microsoft Windows computers. It is a connection-oriented protocol and uses
TCP port 1723. In this tunneling technique, tunnels are created in two steps:
1. First, the client connects to its ISP using any service (dial-up, ISDN,
DSL modem or LAN).
2. Second, PPTP creates a TCP session between client and server to establish
a secure tunnel.
Once the PPTP tunnel is established between client and server, two types of
information can be passed through the tunnel. Moreover, a unique Call ID
value is assigned to each session for its identification.
2.1 PPTP Security
PPTP supports authentication, encryption and packet filtering. For
authentication, PPP-based protocols such as MS-CHAPv1, MS-CHAPv2, EAP-TLS
and PAP are used. MS-CHAPv1 is insecure. EAP-TLS is a superior choice;
however, it requires a Public Key Infrastructure implementation for both
client and server certificates. When MS-CHAPv1/v2 is used in PPTP, the
payloads are encrypted using Microsoft Point-to-Point Encryption (MPPE).
MPPE supports 40-bit, 56-bit and 128-bit encryption and enhances the
confidentiality of PPP-encapsulated packets [3]. Packet filtering is
implemented on VPN servers.
In October 2012, the security of PPTP was broken; its use is no longer
recommended, including by Microsoft [4].
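The weaknesses listed above (PPTP itself, MS-CHAPv1 and PAP as PPP authenticators, short MPPE keys) can be checked mechanically in a router's running configuration. The following Python audit is an added example, not code from the book: the IOS configuration text it scans is constructed for illustration (the book's own PPTP server configuration is not reproduced on this page), and the commands it looks for (vpdn-group, protocol pptp, virtual-template, ppp authentication, ppp encrypt mppe) are standard IOS syntax.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    where: str   # the config stanza the finding belongs to
    issue: str   # what is weak and why


# Constructed IOS configuration in the style of the lab (not the book's own);
# it deliberately contains the weak choices the text warns about.
SAMPLE_CONFIG = """\
hostname Branch
!
vpdn enable
!
vpdn-group pptp-vpn
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool VPN-POOL
 ppp encrypt mppe 40
 ppp authentication ms-chap pap
!
ip local pool VPN-POOL 172.16.1.10 172.16.1.20
"""

# The same configuration with its PPP settings hardened: MS-CHAPv2 only, and
# 128-bit MPPE that the client cannot negotiate away.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("ppp encrypt mppe 40", "ppp encrypt mppe 128 required")
                   .replace("ppp authentication ms-chap pap", "ppp authentication ms-chap-v2"))

WEAK_AUTH = {"pap": "PAP sends the password in clear text",
             "ms-chap": "MS-CHAPv1 is insecure"}
STRONG_AUTH = {"ms-chap-v2", "eap"}


def stanzas(config):
    """Split IOS config text into (header line, [indented body lines]) blocks."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line[0] != " ":          # an unindented command starts a new stanza
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
        else:
            body.append(line.strip())
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_pptp_config(config):
    """Return the PPTP-related findings for one IOS configuration."""
    findings, blocks, pptp_templates = [], stanzas(config), set()
    # Pass 1: which vpdn-groups accept PPTP, and which virtual-templates they use.
    for header, body in blocks:
        if header.startswith("vpdn-group ") and "protocol pptp" in body:
            findings.append(Finding(header, "PPTP was broken in 2012 and is no "
                                            "longer recommended; migrate off it"))
            for line in body:
                m = re.fullmatch(r"virtual-template (\d+)", line)
                if m:
                    pptp_templates.add(m.group(1))
    # Pass 2: check the PPP settings of every template that PPTP clients land on.
    for header, body in blocks:
        m = re.fullmatch(r"interface Virtual-Template(\d+)", header)
        if not m or m.group(1) not in pptp_templates:
            continue
        auth = enc = None
        for line in body:
            if line.startswith("ppp authentication "):
                auth = line.split()[2:]        # methods, then optional keywords
            elif line.startswith("ppp encrypt mppe "):
                enc = line.split()[3:]         # key size, then optional keywords
        if auth is None:
            findings.append(Finding(header, "no ppp authentication configured"))
        else:
            for method in auth:
                if method in WEAK_AUTH:
                    findings.append(Finding(header, f"{method}: {WEAK_AUTH[method]}"))
                elif method not in STRONG_AUTH:
                    break                      # 'callin' or a list name ends the methods
        if enc is None:
            findings.append(Finding(header, "no MPPE: PPP payload crosses the Internet unencrypted"))
        else:
            if enc[0] in ("40", "auto"):
                findings.append(Finding(header, f"mppe {enc[0]}: allows 40-bit keys; use 128"))
            if "required" not in enc:
                findings.append(Finding(header, "mppe not 'required': a client may negotiate no encryption"))
    return findings
```

Running audit_pptp_config on SAMPLE_CONFIG reports five findings; on HARDENED_CONFIG only the PPTP deprecation itself remains, because no PPP setting can make PPTP safe.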
2.3 Router as a PPTP VPN Server
2.3.1 Lab Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Test Connectivity
- Configure Router as a PPTP VPN Server
- Configure PC as a Microsoft PPTP VPN Client
- Try to Connect VPN Client
- Test VPN
Figure 2.3 PPTP VPN Setup
2.3.3 Step-1 IP Addressing
Assign IP addresses on router's interfaces and PC as mentioned above in
topological diagram 2.3. Interfaces must be enabled in up/running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastethernet0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastethernet0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface        IP-Address     OK? Method Status   Protocol
FastEthernet0/0  203.0.113.18   YES manual up       up
FastEthernet0/1  203.0.113.33   YES manual up       up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    203.0.113.32/28 is directly connected, FastEthernet0/1
Branch:
Branch>enable
Branch#configure terminal
Branch(config)#interface fastethernet0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastethernet0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#
Branch#show ip interface brief
Interface        IP-Address     OK? Method Status   Protocol
FastEthernet0/0  203.0.113.34   YES manual up       up
FastEthernet0/1  192.168.1.1    YES manual up       up
Branch#
Figure 2.4 Client IP Address
Branch#show ip interface brief
Interface          IP-Address     OK? Method Status   Protocol
FastEthernet0/0    203.0.113.34   YES manual up       up
FastEthernet0/1    192.168.1.1    YES manual up       up
Virtual-Access1    unassigned     YES unset  down     down
Virtual-Template1  192.168.1.1    YES unset  down     down
Branch#show vpdn group
group 1
  Group session limit 65535, Active sessions 0, Active tunnels 0
group pptp-vpn
  Group session limit 65535, Active sessions 0, Active tunnels 0
Branch#show vpdn session
% No active tunnels
Figure 2.5 Set up a new Connection
2. After the Network Connection Wizard window appears, choose Connect to a
workplace and click Next.
Figure 2.6 Connect to a Workplace
Figure 2.7 Create new Connection
4. Select Use my Internet connection (VPN).
Figure 2.8 New Connection Name & IP Address
5. Choose Start > Control Panel > Network & Sharing Center > Change adapter
settings and select the properties of the recently configured connection.
Figure 2.9 Properties
6. Choose Security.
Figure 2.10 Security
Figure 2.11 Select Properties
2.3.8 Step-6 Connecting VPN Client
1. Try to connect.
Figure 2.12 Username & Password
Figure 2.13 Connecting
3. The verifying username and password window appears.
Figure 2.14 Verifying
5. When connected, check the status of the connection.
Figure 2.16 Connection Status
Figure 2.17 Connection Details
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=232ms TTL=255
Reply from 192.168.1.1: bytes=32 time=226ms TTL=255
Reply from 192.168.1.1: bytes=32 time=338ms TTL=255
Reply from 192.168.1.1: bytes=32 time=351ms TTL=255
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 226ms, Maximum = 351ms, Average = 286ms
Branch:
Branch#show ip interface brief
Interface          IP-Address     OK? Method Status   Protocol
FastEthernet0/0    203.0.113.34   YES manual up       up
FastEthernet0/1    192.168.1.1    YES manual up       up
Virtual-Access1    192.168.1.1    YES unset  up       up
Virtual-Template1  192.168.1.1    YES unset  down     down
Branch#show interface virtual-access1
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoVPDN vaccess, cloned from Virtual-Template1
  Vaccess status 0x44
  Protocol pptp, tunnel id 36776, session id 20632, loopback not set
  Keepalive not set
  DTR is pulsed for 5 seconds on reset
  Last input 00:05:07, output never, output hang never
  Last clearing of "show interface" counters 00:22:57
Branch#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address
  Vi3          test               PPPoVPDN     00:09:55 172.16.1.11
Branch#show vpdn session
PPTP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Intf  Username State  Last Chg Uniq ID
20632 256   36776 Vi3   test     estabd 00:00:41 2
Branch#show vpdn tunnel pptp
PPTP Tunnel Information Total tunnels 1 sessions 1

LocID Rem.Name State  Remote Address Port Sessions VPDN Group
36776          estabd 203.0.113.17   4993 1        1
Branch#show vpdn tunnel pptp transport
PPTP Tunnel Information Total tunnels 1 sessions 1

LocID Type Local Address Port Remote Address Port
36776 TCP  203.0.113.34  1723 203.0.113.17   4993
Branch#show vpdn tunnel packets
PPTP Tunnel Information Total tunnels 1 sessions 1

LocID Pkts-In Pkts-Out Bytes-In Bytes-Out
36776 [counters illegible in the source scan]
Branch#
Chapter 3 L2TP VPN
Layer 2 Tunneling Protocol (L2TP) was introduced in 1999 as a combination of
two tunneling protocols: Layer 2 Forwarding (L2F) from CISCO Systems and
Point-to-Point Tunneling Protocol (PPTP) from Microsoft. It merges the best
features of both; in other words, it is an extension of PPTP. It was
specified in RFC 2661 [5]. L2F is a tunneling protocol developed to
establish VPNs over the public network (Internet); it does not provide
encryption by itself and was specifically designed to tunnel PPP traffic. In
2005, a new version of L2TP was introduced as L2TPv3, with additional
security features, improved encapsulation and the ability to carry data
links over the network. Its specification was described in RFC 3931 [6].
The entire L2TP packet (payload and L2TP header) is sent within a User
Datagram Protocol (UDP) datagram with port number 1701. It is common to carry
a PPP session within an L2TP tunnel. L2TP does not provide strong
authentication and confidentiality by itself; the IPsec protocol is often
used with L2TP to provide strong confidentiality, authentication and
integrity. The combination of these two protocols is generally known as
L2TP/IPsec. L2TP allows creating a VPDN to connect remote clients to their
corporate network using the different connecting services provided by ISPs.
It operates at layer 2 of the OSI model and works as a client/server model.
The two endpoints of an L2TP tunnel are called the LAC (L2TP Access
Concentrator) and the LNS (L2TP Network Server). The LNS waits for new
tunnels. The LAC sits between the LNS and a remote system and forwards
packets to the server. Once the tunnel is established between the peers,
network traffic moves bidirectionally. The packets exchanged within the
tunnel are characterized as either control packets or data packets: L2TP is
reliable for control packets and not reliable for data packets. If
reliability is desired for data packets, it is provided by another protocol
running within the session of the tunnel.
In this tunneling technique, tunnels are created in the following two steps:
During the setup of the L2TP tunnel, different types of control messages and
data messages are exchanged between the LAC and LNS, as highlighted in Fig.
3.1 below. The traffic of each session is secluded by L2TP, so it is
possible to set up multiple virtual networks over a single tunnel. The
Maximum Transmission Unit (MTU) remains the same. Hello messages are sent to
the peer as keep-alive control messages every 60 seconds.
Once the tunnel is established, PPP frames from the remote systems are
received at the LAC, which encapsulates them in L2TP and forwards them to the
LNS over the appropriate tunnel.
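To make the control/data distinction and the sequence-number reliability mechanism concrete, here is an added example that is not code from the book: a Python parser for the L2TPv2 header of RFC 2661 that separates control messages (T bit set, carrying Ns/Nr and a Message Type AVP such as Hello) from data messages carrying PPP frames, plus two builders used only to construct the sample packets. The tunnel and session IDs in the samples are made up, and the UDP/IP layers are assumed to have been stripped already.

```python
import struct

# Header flag bits from RFC 2661 section 3.1: T = control message, L = length
# field present, S = Ns/Nr present, O = offset field present.
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200
VERSION = 2

# Control message types carried in the Message Type AVP (attribute 0).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "Hello",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


def parse_avps(data):
    """Decode the attribute-value pairs that make up a control message body."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 6 > len(data):
            raise ValueError("truncated AVP header")
        hdr, vendor, attr = struct.unpack_from("!HHH", data, pos)
        length = hdr & 0x03FF
        if length < 6 or pos + length > len(data):
            raise ValueError("bad AVP length")
        if hdr & 0x4000:
            raise ValueError("hidden AVP needs the tunnel secret; not handled here")
        avps.append({"mandatory": bool(hdr & 0x8000), "vendor": vendor,
                     "attr": attr, "value": data[pos + 6:pos + length]})
        pos += length
    return avps


def parse_l2tp(pkt):
    """Parse one L2TPv2 packet (the UDP payload) into its header fields.

    Control messages must carry L and S and must not carry O; data messages
    may omit all three, so every optional field is tested before it is read."""
    if len(pkt) < 2:
        raise ValueError("packet shorter than the flags field")
    flags = struct.unpack_from("!H", pkt, 0)[0]
    if flags & 0x000F != VERSION:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    is_control = bool(flags & T_BIT)
    if is_control and (not flags & L_BIT or not flags & S_BIT or flags & O_BIT):
        raise ValueError("control message must set L and S and clear O")
    need = 6 + 2 * bool(flags & L_BIT) + 4 * bool(flags & S_BIT) + 2 * bool(flags & O_BIT)
    if len(pkt) < need:
        raise ValueError("packet shorter than the header fields its flags announce")
    pos, length = 2, None
    if flags & L_BIT:
        length = struct.unpack_from("!H", pkt, pos)[0]
        pos += 2
        if length > len(pkt) or length < need:
            raise ValueError("length field does not fit the packet")
    tunnel_id, session_id = struct.unpack_from("!HH", pkt, pos)
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack_from("!HH", pkt, pos)
        pos += 4
    if flags & O_BIT:
        pos += 2 + struct.unpack_from("!H", pkt, pos)[0]    # skip the offset pad
    end = len(pkt) if length is None else length
    if pos > end:
        raise ValueError("header runs past the end of the packet")
    info = {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": pkt[pos:end]}
    if is_control:
        info["avps"] = parse_avps(info["payload"])
        mtype = [a for a in info["avps"] if a["vendor"] == 0 and a["attr"] == 0]
        if not info["avps"]:
            info["message_type"] = "ZLB"      # zero-length body: a bare acknowledgement
        elif not mtype or len(mtype[0]["value"]) != 2:
            raise ValueError("control message without a Message Type AVP")
        else:
            code = int.from_bytes(mtype[0]["value"], "big")
            info["message_type"] = MESSAGE_TYPES.get(code, f"type {code}")
    return info


def build_control(tunnel_id, session_id, ns, nr, avps=()):
    """Build a control message; avps is a list of (attribute, value bytes)."""
    body = b"".join(struct.pack("!HHH", 0x8000 | (6 + len(v)), 0, a) + v
                    for a, v in avps)
    hdr = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | VERSION, 12 + len(body),
                      tunnel_id, session_id, ns, nr)
    return hdr + body


def build_data(tunnel_id, session_id, ppp_frame):
    """Build a minimal data message: no length, sequence or offset fields."""
    return struct.pack("!HHH", VERSION, tunnel_id, session_id) + ppp_frame


# Constructed sample packets (not captures from the book's lab): a Hello
# keep-alive on tunnel 0x1A2B, the ZLB that acknowledges it, and a data
# message for session 7 carrying a PPP frame whose protocol is IP (0x0021).
HELLO = build_control(0x1A2B, 0, 3, 5, [(0, (6).to_bytes(2, "big"))])
ZLB = build_control(0x1A2B, 0, 4, 5)
DATA = build_data(0x1A2B, 0x0007, b"\xff\x03\x00\x21" + b"\x45\x00\x00\x1c" + b"\x00" * 24)
```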
3.1 L2TP Security
L2TP supports authentication and encryption. For authentication, PPP-based
protocols such as MS-CHAPv1, MS-CHAPv2, EAP-TLS and PAP are used. When
MS-CHAPv1/v2 is used, the payloads are encrypted using MPPE. It also
supports Triple Data Encryption Standard (3DES) and Advanced Encryption
Standard (AES-256 bits). This enhances the confidentiality of
PPP-encapsulated packets.
3.2 Router as L2TP VPN Server
3.2.1 Tasks
• Assign IP addresses according to topology
• Configure IP Routing
• Configure Router as a DNS Server
• Test Connectivity
• Configure Router as a L2TP VPN Server
• Configure PC as a Microsoft L2TP VPN Client
• Try to Connect VPN Client by Domain Name
• Test VPN
Figure 3.3 L2TP VPN Setup
3.2.2 Step 1: IP Addressing
Assign IP addresses on the router's interfaces and the PC as mentioned above in
topological diagram 3.3. Interfaces must be enabled in up/running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastethernet 0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastethernet 0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#end
Internet#
Internet#show ip interface brief
[FastEthernet0/0 203.0.113.18 YES manual up up; FastEthernet0/1 203.0.113.33 YES manual up up]
Internet#show ip route
[routing table: gateway of last resort is not set; 203.0.113.16/28 is directly connected, FastEthernet0/0; 203.0.113.32/28 is directly connected, FastEthernet0/1]
Branch:
Branch>enable
Branch#configure terminal
Branch(config)#interface fastethernet 0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastethernet 0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#end
Branch#
Branch#show ip interface brief
[FastEthernet0/0 203.0.113.34 YES manual up up; FastEthernet0/1 192.168.1.1 YES manual up up]
Branch#
PC:
Figure 3.4 Client IP Addressing
Internet(config)#ip dns server
Internet(config)#ip name-server 203.0.113.18
Internet(config)#ip host l2tpvpn.com 203.0.113.34
Internet(config)#no ip domain-lookup
Internet(config)#exit
Internet#
Figure 3.5 Properties
3. Choose Security.
Figure 3.7 Select Protocol
5. Click on Advanced Settings.
Figure 3.8 Advance Setting
Figure 3.9 Connecting
2. The Verifying username and password window appears.
Figure 3.10 Verifying
Figure 3.11 Completing
4. The Connection Status window appears.
Figure 3.12 Connection Status
PC:
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=166ms TTL=255
Reply from 192.168.1.1: bytes=32 time=246ms TTL=255
Reply from 192.168.1.1: bytes=32 time=285ms TTL=255
Reply from 192.168.1.1: bytes=32 time=277ms TTL=255
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 166ms, Maximum = 285ms, Average = 243ms
Branch:
Branch#ping 172.16.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/204/300 ms
Branch#show ip interface brief
[FastEthernet0/0 203.0.113.34 up/up; FastEthernet0/1 192.168.1.1 up/up; Virtual-Access1 unassigned down/down; Virtual-Access2 unassigned up/up; Virtual-Access3 192.168.1.1 up/up; Virtual-Template1 192.168.1.1 down/down]
Branch#show interfaces virtual-access 3
[Virtual-Access3 is up, line protocol is up; Hardware is Virtual Access interface; unnumbered, using the address of FastEthernet0/1 (192.168.1.1); MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100000 usec, reliability 255/255, txload 1/255, rxload 1/255; Encapsulation PPP, LCP Open; Open: IPCP; PPPoVPDN vaccess, cloned from Virtual-Template1; Protocol l2tp, tunnel id 35949, session id 29839; Keepalive set (10 sec); 40 packets input, 4522 bytes; 15 packets output, 237 bytes; Last clearing of "show interface" counters never]
Branch#show users
[console line 0 idle; Interface Vi3: user test, mode PPPoVPDN, idle 00:09:55, peer address 172.16.1.4]
Branch#show vpdn group
[L2TP group l2tp-vpn: session limit 65535, active sessions 1, active tunnels 1]
Branch#show vpdn tunnel l2tp
[L2TP Tunnel Information, total tunnels 1 sessions 1: LocID 35949, RemID 1, state est, remote address 203.0.113.17, 1 session]
Branch#show vpdn session l2tp state
[L2TP Session Information, total tunnels 1 sessions 1: LocID 56894, RemID 1, TunID 35949, username test on Vi3, state est, last change 00:10:24]
Branch#show vpdn tunnel l2tp transport
[LocID 35949, Prot 17 (UDP), local address 203.0.113.34 port 1701, remote address 203.0.113.17 port 1701]
Branch#show vpdn tunnel l2tp packets
[Pkts-In, Pkts-Out, Bytes-In and Bytes-Out counters for tunnel 35949]
4 L2TP over IPsec VPN
L2TP does not provide strong authentication and confidentiality by itself. It
is often used with the IPsec protocol suite to provide strong
confidentiality, authentication, and integrity; the combination of these two
protocols is generally known as L2TP/IPsec. IPsec is a protocol suite used
at the network layer to provide secure communication between two peers [7].
It comprises the IP Security Architecture, Internet Key Exchange (IKE), the
IPsec Authentication Header (AH) and the IPsec Encapsulating Security
Payload (ESP). IKE is the key management protocol, while AH and ESP are used
to protect IP traffic. IPsec is discussed in detail in the next part.
4.1 L2TP over IPsec Security
When L2TP is used over IPsec, its security is high. The client negotiates the
IPsec Security Association (SA), usually through IKE, which is carried over
UDP port 500. Authentication uses a pre-shared key, public keys or
certificates. IPsec transport mode is used in this security mechanism.
IPsec supports a variety of encryption standards (DES, 3DES and AES) for
data confidentiality, and a range of data integrity algorithms (MD5 and
SHA).
Since the L2TP packet is wrapped inside the IPsec header, a device between
the endpoints cannot gather any information about the inner L2TP packet, so
it is not necessary to open UDP port 1701 on firewalls between the
endpoints. The inner packet is not acted upon until the IPsec data has been
decrypted and stripped, which takes place only at the endpoints.
4.2 Router as L2TP over IPsec VPN Server
4.2.1 Tasks
• Assign IP addresses according to topology
• Configure IP Routing
• Test Connectivity
• Configure Router as an L2TP over IPsec VPN Server
• Configure PC as a Microsoft L2TP over IPsec VPN Client
• Try to Connect VPN Client
• Test VPN
Figure 4.2 L2TP over IPsec VPN Setup
4.2.2 Step 1: IP Addressing
Assign IP addresses on the router's interfaces and the PC as mentioned above in
topological diagram 4.2. Interfaces must be enabled in up/running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastethernet 0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastethernet 0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#end
Internet#
Internet#show ip interface brief
[FastEthernet0/0 203.0.113.18 YES manual up up; FastEthernet0/1 203.0.113.33 YES manual up up]
Internet#show ip route
[routing table: gateway of last resort is not set; 203.0.113.16/28 is directly connected, FastEthernet0/0; 203.0.113.32/28 is directly connected, FastEthernet0/1]
Branch:
Branch>enable
Branch#configure terminal
Branch(config)#interface fastethernet 0/0
Branch(config-if)#ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastethernet 0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#end
Branch#
Branch#show ip interface brief
[FastEthernet0/0 203.0.113.34 YES manual up up; FastEthernet0/1 192.168.1.1 YES manual up up]
Branch#
PC:
Figure 4.3 Client IP Addressing
4.2.6 Step 5: Configuring the Microsoft L2TP over IPsec VPN Client
1. Follow steps 1-6 in [section reference lost in extraction].
2. Click on Advanced Properties and enter the pre-shared key.
Figure 4.4 Advanced Properties
Figure 4.5 Run
4. Open IP Security Policy Management by choosing the console from the Run dialog.
Figure 4.6 Console
Figure 4.7 Add or Remove
6. When the following screen appears, please choose Local computer and click Finish.
Figure 4.8 Select Domain
Figure 4.9 Add IP Security Policies
8. The IP Security Policy is added; proceed as shown in Figures 4.10 and 4.11.
Figure 4.10 IP Security Policy Management
Figure 4.11 Console
10. When the IP Security Policy Wizard appears, please click Next.
Figure 4.12 IP Security Policy Wizard
11. Type a suitable name in the name field and click Next.
Figure 4.13 IP Security Policy Name
12. Uncheck Activate the default response rule and click Next.
Figure 4.14 Request for Secure Communication
13. When the following window appears, please check Edit properties and click Finish.
Figure 4.15 Completing IP Security Policy
14. In the Properties window there is a default rule "<Dynamic>". Please click Add.
Figure 4.16 Filter Rules
Figure 4.17 Creating New Security Rule
16. Select This rule does not specify a tunnel and click Next.
Figure 4.18 Tunnel Endpoint
Figure 4.19 Network Type
18. Add a new IP filter list to this rule by clicking Add.
Figure 4.20 Add New Filter List
Figure 4.21 IP Filter List for Outside
20. When the IP Filter Wizard appears, please click Next.
Figure 4.22 New IP Filter Wizard
Figure 4.23 IP Filter Description
22. Choose the IP address type, enter the (source) address and click Next.
Figure 4.24 IP Traffic Source
Figure 4.25 IP Traffic Destination
24. Choose the protocol type and click Next.
Figure 4.26 IP Protocol Types
Figure 4.27 IP Protocol Ports
26. Check Edit properties and click Finish to complete the filter wizard.
Figure 4.28 Completing IP Filter Wizard
27. Click OK to finish the settings.
Figure 4.29 IP Filter Properties
28. Click OK to finish the settings.
Figure 4.30 IP Filter List
Figure 4.31 IPsec Filter List
30. Click Add to set up an action for this rule.
Figure 4.32 New Filter Rule
Figure 4.33 New IP Security Filter Wizard
32. Type a suitable name and click Next.
Figure 4.34 Filter Action Name
Figure 4.35 General Options
34. Choose Do not communicate… and click Next.
Figure 4.36 Communicating with Computers
Figure 4.37 IP Traffic Security Policies
36. Uncheck Edit properties and click Finish.
Figure 4.38 Completing IP Security Filter Wizard
Figure 4.39 Filter Action
38. Type the key used for authentication (pre-shared key) and click Next.
Figure 4.40 Authentication Method
Figure 4.41 Completing Security Rule
40. Now you can see the new rule. Click OK.
Figure 4.42 IPsec Rules
41. Click IP Security Policies on Local Computer.
Figure 4.43 New Created Security Policy
42. Choose the newly created policy and Assign it from the console screen.
Figure 4.44 Assigned Policy
Figure 4.45 Policy Activated
4.2.7 Step 6: Connecting the VPN Client
1. After typing the username/password, click Connect.
Figure 4.46 Connecting
Figure 4.47 Verifying
3. The Registering your computer on the network window appears.
Figure 4.48 Completing
4. The Connection Status window appears.
Figure 4.49 Connection Status
4.2.8 Step 7: Testing
PC:
Figure 4.50 Connection Details
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=237ms TTL=255
Reply from 192.168.1.1: bytes=32 time=360ms TTL=255
Reply from 192.168.1.1: bytes=32 time=340ms TTL=255
Reply from 192.168.1.1: bytes=32 time=314ms TTL=255
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 237ms, Maximum = 360ms, Average = 312ms
Branch:
Branch#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 184/210/248 ms
Branch#show ip interface brief
[FastEthernet0/0 203.0.113.34 up/up; FastEthernet0/1 192.168.1.1 up/up; Virtual-Access1 unassigned down/down; Virtual-Access2 unassigned up/up; Virtual-Access2.1 192.168.1.1 up/up; Virtual-Template1 192.168.1.1 down/down]
Branch#show vpdn group
[L2TP group l2tp: session limit 65535, active sessions 1, active tunnels 1]
Branch#show vpdn tunnel l2tp state
[L2TP Tunnel Information, total tunnels 1 sessions 1: LocID 47589, RemID 1, local name Branch, state est, last change 00:10:55]
Branch#show vpdn tunnel l2tp summary
[LocID 47589, RemID 1, state est, remote address 203.0.113.17, 1 session]
Branch#show vpdn tunnel transport
[LocID 47589, Prot 17 (UDP), local address 203.0.113.34 port 1701, remote address 203.0.113.17 port 1701]
Branch#show interfaces virtual-access 2.1
[Virtual-Access2.1 is up, line protocol is up; Hardware is Virtual Access interface; unnumbered, using the address of FastEthernet0/1 (192.168.1.1); MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100000 usec, reliability 255/255, txload 1/255, rxload 1/255; Encapsulation PPP, LCP Open; Open: IPCP; PPPoVPDN vaccess, cloned from Virtual-Template1; Protocol l2tp, tunnel id 47589, session id 981; Keepalive set (10 sec); 151 packets input, 8066 bytes; 132 packets output, 3575 bytes]
Branch#show vpdn tunnel packets
[Pkts-In, Pkts-Out, Bytes-In and Bytes-Out counters for tunnel 47589]
Branch#show crypto session
[IKE SA: dst 203.0.113.34, src 203.0.113.17, conn-id 1001, status ACTIVE]
Branch#show crypto ipsec transform-set
Transform set tset: { esp-3des esp-sha-hmac } will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac } will negotiate = { Transport, },
Branch#show crypto isakmp policy
Global IKE policy
Protection suite of priority 5
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Branch#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: l2tpmap, local addr 203.0.113.34
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)
   remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)
   current_peer 203.0.113.17 port 500
     PERMIT, flags={}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
     local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.17
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
[Output omitted]
PC:
PC>ping 192.168.1.1
[four replies from 192.168.1.1, bytes=32, TTL=255, times 237/360/340/314 ms; 0% loss]
Branch#show crypto ipsec sa
[same SA as above; the counters have advanced to #pkts encaps/encrypt/digest: 49 and #pkts decaps/decrypt/verify: 49; #pkts compressed/decompressed: 0; #send errors 0, #recv errors 0]
Branch#show crypto map
Crypto Map "l2tpmap" 10 ipsec-isakmp
        Dynamic map template tag: dmap
Crypto Map "l2tpmap" 65536 ipsec-isakmp
        Peer = 203.0.113.17
        Extended IP access list
            access-list  permit udp host 203.0.113.34 host 203.0.113.17 port = 1701
        dynamic (created from dynamic map dmap/10)
        Current peer: 203.0.113.17
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                tset:  { esp-3des  esp-sha-hmac  } ,
        }
        Interfaces using crypto map l2tpmap:
                FastEthernet0/0
5 IPsec VPN
Internet Protocol Security (IPsec) is a network security protocol suite. It
provides strong authentication, data encryption, data origin authentication
and data integrity. It can be used network-to-network, host-to-host and
host-to-network over the public network (Internet). It works at the network
layer of the OSI model to provide end-to-end security. In 1992, the IETF
started to create an open and freely available security protocol for the
Internet Protocol (IP); it is officially standardized by the IETF and was
specified in RFC 1825 [8]. IP is used at the network layer of the OSI model
to deliver datagrams over the public network. There are two versions of IP:
IPv4, with 32-bit addresses, and IPv6, with 128-bit addresses. Network
Address Translation (NAT) is used with IPv4 in private networks to conserve
public IP addresses and to provide a measure of security, in that it hides
addresses during communication. Today, NAT is widely deployed in home
gateways, as well as in other locations likely to be used by telecommuters,
such as hotels [9].
The fast growth of the Internet has exhausted the IPv4 address space. In
1990, the IETF introduced the IPv6 protocol with new features: a simpler
header format, a larger address space, built-in security, efficient routing
and better QoS [10]. Internet Service Providers (ISPs) are trying to replace
their IPv4 networks with IPv6 gradually; the transition is very slow because
there are millions of devices around the world. IPv6 is the next-generation
IP network. IPsec provides security for both versions of IP; in this
project, the focus is on IPv4.
5.1 IPsec Security Architecture
IPsec is an open standard protocol suite. It uses several protocols to
provide security: Authentication Header (AH), Encapsulating Security Payload
(ESP), Security Associations (SA), the Internet Security Association and Key
Management Protocol (ISAKMP) and Internet Key Exchange (IKE and IKEv2).
by using different hashing algorithms (MD5, SHA-1) and sends this hash value
along with the data. Hashing is a one-way process [12]. The receiving side
verifies the hash value by re-calculating the hash of the received data. If
both hash values are equal, the integrity of the data is maintained and there
was no tampering with the data during transmission over the network; if the
hash values differ, the integrity has been compromised and the receiver
discards the data. Anti-replay protection ensures that each packet is unique
and not duplicated, by using sequence numbers. Origin authentication means
knowing who is on the other side: the device on the other side of the tunnel
must be verified before the path is considered secure. The sender sends data
(a certificate) after encrypting it with its private key, and that data is
verified at the receiver end by decrypting it with the sender's public key
for authentication. There are three authentication methods:
1. Pre-shared Key
2. RSA Signature
3. RSA Encryption Nonce
In pre-shared key authentication, the same key is configured on each IPsec
peer. In RSA signature authentication, different keys (a private key and a
public key) are used to encrypt or decrypt digitally; this is also called
digital certificates, and these digital signatures and digital certificates
are forwarded to the other side. Finally, in RSA encryption nonce
authentication, a nonce (a random number generated by the peer) is encrypted
and exchanged between the peers, and this nonce is used during the peer
authentication process.
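The sequence-number check behind the anti-replay protection described above, as an added example that is not from the book: the sliding-window algorithm specified for ESP in RFC 4303 section 3.4.3. The window size and the list of arriving sequence numbers are constructed; in a real receiver the window is consulted and updated only after the packet's integrity check has passed, otherwise a forged sequence number could be used to shift the window and make legitimate late packets look like replays.

```python
"""ESP anti-replay: RFC 4303 sliding window over 32-bit sequence numbers."""


class AntiReplayWindow:
    """Replay state for one inbound Security Association.

    Bit i of `bitmap` records whether sequence number (highest - i) has
    already been accepted. Sequence numbers never wrap on a single SA; a
    real implementation re-keys before 2^32 packets (or uses ESN).
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window.

        Call this only for packets whose ICV has already been verified.
        """
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.highest:
            shift = seq - self.highest        # slide the window forward
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
            return True
        age = self.highest - seq
        if age >= self.size:
            return False                      # too old: fell out of the window
        if self.bitmap & (1 << age):
            return False                      # already seen: replay
        self.bitmap |= 1 << age               # late but new: accept once
        return True


def filter_sequence(seqs, size: int = 64):
    """Apply one window to a constructed arrival order; True = accepted."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in order, a duplicate, reordering, a jump
    # far ahead, then two stragglers of which only one is still in-window.
    arrivals = [1, 2, 3, 2, 5, 4, 4, 100, 36, 37]
    for seq, ok in zip(arrivals, filter_sequence(arrivals)):
        print(seq, "accepted" if ok else "dropped")
```

Duplicate 2 and the second 4 are dropped as replays, 4 arriving after 5 is still accepted because reordering inside the window is legitimate, and 36 is dropped after the jump to 100 because it is now 64 behind the highest accepted number.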
ISAKMP defines procedures and packet formats to establish, negotiate, modify
and delete Security Associations [14]. It provides only a framework for
authentication and key exchange; it is implemented either by manual
configuration with a pre-shared key or by IKE.
1. Transport Mode
2. Tunnel Mode
Tunnel mode is the default mode. It is used to provide security between
gateways (router, PIX or ASA). In this mode the entire original IP packet is
protected: the whole IP packet is encapsulated between an ESP header and
trailer, a new IP header is added, and the result is sent to the other side
of the tunnel as shown in Fig. 5.2. ESP is identified in the new IP header by
IP protocol number 50. Tunnel mode supports NAT traversal.
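An added example (not from the book) that covers two passages: the ESP tunnel-mode encapsulation just described (ESP header and trailer around a whole IP packet, a new outer header carrying protocol 50) and the observation in Chapter 4 that a firewall between L2TP/IPsec endpoints sees no UDP port 1701 because the L2TP datagram sits inside ESP in transport mode. Integrity is a real HMAC-SHA1-96 from the Python standard library; the encryption transform is NULL (RFC 2410) so the example runs without third-party libraries, which means the framing and the integrity check are demonstrated but the payload is not hidden. The addresses come from the 203.0.113.0/24 and 192.168.0.0/16 ranges and the key is a constructed value.

```python
"""ESP framing (RFC 4303) with HMAC-SHA1-96 integrity and NULL encryption."""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50        # IP protocol number in the outer header
UDP_PROTO = 17
IPV4_IN_IP = 4        # ESP Next Header for a tunnelled IPv4 packet
L2TP_PORT = 1701
ICV_LEN = 12          # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header with the checksum left at 0 (optional for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_encapsulate(payload, next_header, spi, seq, auth_key, src, dst):
    """Wrap payload in ESP and an outer IPv4 header carrying protocol 50.

    next_header=4  -> tunnel mode   (payload is a whole IPv4 packet)
    next_header=17 -> transport mode (payload is a UDP datagram)
    """
    pad_len = (-(len(payload) + 2)) % 4        # payload + pad + 2 is 4-byte aligned
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]  # covers SPI..Next Header
    return ipv4_packet(src, dst, ESP_PROTO, body + icv)


def middlebox_view(packet):
    """What a firewall between the peers can see without the IPsec keys."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in (UDP_PROTO, 6):
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        return proto, sport, dport
    return proto, None, None                    # ESP: no ports visible


def esp_decapsulate(packet, spi, auth_key):
    """Verify the ICV and strip ESP; returns (seq, next_header, inner bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    esp = packet[ihl:]
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP payload too short")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    pkt_spi, seq = struct.unpack_from("!II", body, 0)
    if pkt_spi != spi:
        raise ValueError("unknown SPI")
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    return seq, next_header, inner


if __name__ == "__main__":
    key = b"constructed-auth-key"
    # Tunnel mode: a LAN-to-LAN packet hidden behind the two gateway addresses
    inner_ip = ipv4_packet("192.168.1.10", "192.168.2.10", 1, b"constructed payload")
    tun = esp_encapsulate(inner_ip, IPV4_IN_IP, 0x1000, 1, key, "203.0.113.17", "203.0.113.34")
    print("tunnel mode, middlebox sees:", middlebox_view(tun))
    # Transport mode: an L2TP datagram between the same two endpoints
    l2tp = udp_datagram(L2TP_PORT, L2TP_PORT, b"\x00\x02\x12\x34\x00\x01")
    print("L2TP in clear, middlebox sees:", middlebox_view(ipv4_packet("203.0.113.17", "203.0.113.34", UDP_PROTO, l2tp)))
    tr = esp_encapsulate(l2tp, UDP_PROTO, 0x2000, 7, key, "203.0.113.17", "203.0.113.34")
    print("L2TP/IPsec, middlebox sees:", middlebox_view(tr))
```

In clear text the middlebox sees UDP with both ports 1701; once the same datagram is inside ESP it sees only protocol 50, which is why the firewall rule the chapter mentions is unnecessary. The decapsulation verifies the ICV before it looks at any field inside the ESP body, so a modified packet is rejected without its padding or next-header byte ever being trusted.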
5.2 Site-to-Site IPsec VPN via Routers
5.2.1 Tasks
• Assign IP addresses according to the topology
• Configure IP Routing
• Configure NAT
• Test Connectivity
• Configure IPsec VPN Tunnel on both sides
• Test VPN
Figure 5.3 Site-to-Site IPsec VPN Setup
5.2.2 Step 1: IP Addressing
Assign IP addresses on the routers' interfaces and the PCs as mentioned above in
topological diagram 5.3. Interfaces must be enabled in up/running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastethernet 0/0
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastethernet 0/1
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
$!ANG">
Internet(config-if)#end
Internet#
Internet#show ip interface brief
[FastEthernet0/0 203.0.113.33 YES manual up up; FastEthernet0/1 203.0.113.18 YES manual up up]
Internet#show ip route
[routing table: gateway of last resort is not set; 203.0.113.32/28 is directly connected, FastEthernet0/0; 203.0.113.16/28 is directly connected, FastEthernet0/1]
Branch-1:
Branch-1>enable
Branch-1#configure terminal
Branch-1(config)#interface fastethernet 0/0
Branch-1(config-if)#ip address 203.0.113.17 255.255.255.240
Branch-1(config-if)#no shutdown
Branch-1(config-if)#exit
Branch-1(config)#interface fastethernet 0/1
Branch-1(config-if)#ip address 192.168.1.1 255.255.255.0
Branch-1(config-if)#no shutdown
Branch-1(config-if)#end
Branch-1#
Branch-1#show ip interface brief
[FastEthernet0/0 203.0.113.17 YES manual up up; FastEthernet0/1 192.168.1.1 YES manual up up]
Branch-1#
Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)#interface fastethernet 0/1
Branch-2(config-if)#ip address 203.0.113.34 255.255.255.240
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#interface fastethernet 0/0
Branch-2(config-if)#ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)#no shutdown
Branch-2(config-if)#end
Branch-2#
Branch-2#show ip interface brief
[FastEthernet0/0 192.168.2.1 YES manual up up; FastEthernet0/1 203.0.113.34 YES manual up up]
Branch-2#
PC-1:
Figure 5.4 PC-1 IP Addressing
PC-2:
[Branch-1 show ip route output, continued: gateway of last resort is not set; 203.0.113.0/28 is subnetted, 2 subnets; 203.0.113.32 [1/0] via 203.0.113.18; 203.0.113.16 is directly connected, FastEthernet0/0; 192.168.1.0/24 is directly connected, FastEthernet0/1]
Branch-1#
Branch-2:
Branch-2(config)#ip route 203.0.113.16 255.255.255.240 203.0.113.33
Branch-2(config)#exit
Branch-2#
Branch-2#show ip route
[routing table: gateway of last resort is not set; 203.0.113.0/28 is subnetted, 2 subnets; 203.0.113.32 is directly connected, FastEthernet0/1; 203.0.113.16 [1/0] via 203.0.113.33; 192.168.2.0/24 is directly connected, FastEthernet0/0]
Branch-2#
Branch-2#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/63/124 ms
Branch-2#
5.2.4 Step 3: Configuring NAT
PC-1:
PC>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
Branch-1:
Branch-1(config)#ip nat inside source list 10 interface fastethernet0/0 overload
Branch-1(config)#access-list 10 permit 192.168.1.0 0.0.0.255
Branch-1(config)#interface fastethernet 0/0
Branch-1(config-if)#ip nat outside
Branch-1(config-if)#exit
Branch-1(config)#interface fastethernet 0/1
Branch-1(config-if)#ip nat inside
Branch-1(config-if)#end
Branch-1#
Branch-2:
Branch-2(config)#ip nat inside source list 20 interface fastethernet0/1 overload
Branch-2(config)#access-list 20 permit 192.168.2.0 0.0.0.255
Branch-2(config)#interface fastethernet 0/1
Branch-2(config-if)#ip nat outside
Branch-2(config-if)#exit
Branch-2(config)#interface fastethernet 0/0
Branch-2(config-if)#ip nat inside
Branch-2(config-if)#end
Branch-2#
PC-1:
PC>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=387ms TTL=254
Reply from 203.0.113.34: bytes=32 time=147ms TTL=254
Reply from 203.0.113.34: bytes=32 time=91ms TTL=254
Reply from 203.0.113.34: bytes=32 time=98ms TTL=254
Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 91ms, Maximum = 387ms, Average = 180ms
PC>
Branch-1:
Branch-1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.17:1280 192.168.1.2:1280   203.0.113.34:1280  203.0.113.34:1280
Branch-1#show ip nat statistics
[Total active translations: 1 (0 static, 1 dynamic; 1 extended); Outside interfaces: FastEthernet0/0]
5.2.7 Step 6: Testing
PC-1:
PC>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=112ms TTL=254
Reply from 203.0.113.34: bytes=32 time=89ms TTL=254
Reply from 203.0.113.34: bytes=32 time=98ms TTL=254
Reply from 203.0.113.34: bytes=32 time=74ms TTL=254
Ping statistics for 203.0.113.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 74ms, Maximum = 112ms, Average = 93ms
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
[four replies, bytes=32, times 90/105/90/90 ms, TTL=254]
Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 90ms, Maximum = 105ms, Average = 93ms
PC>
Branch-1:
Branch-1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.17:1280 192.168.1.2:1280   192.168.2.1:1280   192.168.2.1:1280
icmp 203.0.113.17:1280 192.168.1.2:1280   203.0.113.34:1280  203.0.113.34:1280
Branch-1#show crypto isakmp sa
[one IKE SA: dst 203.0.113.34, src 203.0.113.17, followed by the state, conn-id and slot columns]
Branch-1#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: smap, local addr. 203.0.113.17
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 203.0.113.34
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 203.0.113.17, remote crypto endpt.: 203.0.113.34
     path mtu 1500, media mtu 1500
[Output omitted]
Branch-1#show crypto isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Branch-1#show crypto map
Crypto Map "smap" 10 ipsec-isakmp
        Peer = 203.0.113.34
        Extended IP access list 101
            access-list 101 permit ip any any
        Current peer: 203.0.113.34
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ tset, }
        Interfaces using crypto map smap:
                FastEthernet0/0
Branch-1#show crypto ipsec transform-set
Transform set tset: { esp-des esp-md5-hmac } will negotiate = { Tunnel, },
5.3 Site-to-Site IPsec VPN via ASA and PIX
5.3.1 Tasks
• Assign IP addresses according to the topology
• Configure IP Routing
• Test Connectivity
• Configure IPsec Tunnel on both Sides
• Test VPN
5.3.2 Step 1: IP Addressing
Assign IP addresses as given above in topological diagram 5.6 on the router's
interfaces and on the security appliances. Interfaces must be enabled in
up/running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface ethernet 0/0
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface ethernet 0/1
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#end
Internet#show ip interface brief
[Ethernet0/0 203.0.113.18 up up; Ethernet0/1 203.0.113.33 up up]
Internet#show ip route
[routing table: gateway of last resort is not set; 203.0.113.16/28 is directly connected, Ethernet0/0; 203.0.113.32/28 is directly connected, Ethernet0/1]
Internet#
PIX:
pixfirewall>enable
pixfirewall#show version
[Cisco PIX Security Appliance Software Version 8.0(2), compiled on Fri 15-Jun-07 18:25 by builders; pixfirewall up 7 secs; Hardware: PIX-525, 128 MB RAM, CPU Pentium; Ethernet0 and Ethernet1 present]
pixfirewall#configure terminal
pixfirewall(config)#interface ethernet1
pixfirewall(config-if)#nameif inside
[show ip interface brief: Ethernet0 203.0.113.34 YES manual up up; Ethernet1 192.168.2.1 YES manual up up]
pixfirewall#
ASA:
ciscoasa>enable
ciscoasa#show version
[Cisco Adaptive Security Appliance Software Version 8.0(2); Internal Compact Flash, 256MB; Ethernet0/0 and Ethernet0/1 present]
ciscoasa#configure terminal
ciscoasa(config)#interface ethernet 0/0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif outside
[show ip interface brief: Ethernet0/0 203.0.113.17 YES manual up up; Ethernet0/1 192.168.1.1 YES manual up up]
ciscoasa#
5.3.5 Step 4: Configuring the IPsec Tunnel
ASA:
$.*.@*)!$"AN)0'+& *"$'%#&,+*
$.*.@*)!$"AN)0'+& *"$''&# 0@?
$.*.@*)!$">$.&(+>+*'$4AN0/# )/$/$*)+- >.#-
$.*.@*)!$">$.&(+>+*'$4AN )-4+/$*) .
$.*.@*)!$">$.&(+>+*'$4AN#.#(V
$.*.@*)!$">$.&(+>+*'$4AN"-*0+S
$.*.@*)!$">$.&(+>+*'$4AN 3$/
$.*.@*)!$"AN**7# *+*$'/+%')$ + '%0%0
$.*.@*)!$"AN)0'+& '*+)%*&)$7*++*+*'7**'7$D7$
$.*.@*)!$"AN)0'+&$'*$'@$+)***$'
$.*.@*)!$"AN)0'+&$'*$'@*+')A?B5?5@@B5BC
$.*.@*)!$"AN)0'+&$'*$'@*++)%*&)$7*++*+
$.*.@*)!$"AN)0'+&$'*$' %+)&,+*
$.*.@*)!$"AN+,%%#7)&,'A?B5?5@@B5BC+0' '*7#A#
$.*.@*)!$"AN+,%%#7)&,'A?B5?5@@B5BC '*7++) ,+*
$.*.@*)!$">/0)) '>$+. AN')7*)7"0 *&
$.*.@*)!$">/0)) '>$+. AN 3$/
$.*.@*)!$"AN 3$/
$.*.N
4
+$3!$- 2''@*)!$"AN *"$'%#&,+*
+$3!$- 2''@*)!$"AN *"$''&# 0@?
+$3!$- 2''@*)!$">$.&(+>+*'$4AN0/# )/$/$*)+- >.#-
+$3!$- 2''@*)!$">$.&(+>+*'$4AN )-4+/$*) .
+$3!$- 2''@*)!$">$.&(+>+*'$4AN#.#(V
+$3!$- 2''@*)!$">$.&(+>+*'$4AN"-*0+S
+$3!$- 2''@*)!$">$.&(+>+*'$4AN 3$/
+$3!$- 2''@*)!$"AN)0'+& '*+)%*&)$7*++*+*'7**'7$D7$
+$3!$- 2''@*)!$"AN**7# *+@?D')$ + '%0%0
+$3!$- 2''@*)!$"AN)0'+&$'*$'@$+)**@?D
+$3!$- 2''@*)!$"AN)0'+&$'*$'@*+')A?B5?5@@B5@F
+$3!$- 2''@*)!$"AN)0'+&$'*$'@*++)%*&)$7*++*+
Page | 101
IPsec VPN
+$3!$- 2''@*)!$"AN)0'+&$'*$' %+)&,+*
+$3!$- 2''@*)!$"AN *"$'"0 *&)**A?B5?5@@B5@F%+$*"ADD5ADD5ADD5ADD
+$3!$- 2''@*)!$"AN 3$/
+$3!$- 2''N
5.4 Remote Access IPsec VPN via Router
5.4.1 Tasks
• Assign IP addresses according to the topology
• Configure IP Routing
• Test Connectivity
• Configure Router as an IPsec VPN Server
• Install & Configure CISCO IPsec VPN Client
• Connect VPN Client
• Test VPN
Figure 5.7 Remote Access IPsec VPN Setup
5.4.2 Step 1: IP Addressing
Assign IP addresses on the routers' interfaces and the PCs as mentioned above in
topological diagram 5.7. Interfaces must be enabled in up/running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastethernet 0/0
Internet(config-if)#ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastethernet 0/1
Internet(config-if)#ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#end
Internet#
Internet#show ip interface brief
[FastEthernet0/0 203.0.113.33 YES manual up up; FastEthernet0/1 203.0.113.18 YES manual up up]
Internet#show ip route
[routing table: gateway of last resort is not set; 203.0.113.32/28 is directly connected, FastEthernet0/0; 203.0.113.16/28 is directly connected, FastEthernet0/1]
Office router (the first part of the hostname is lost in the extraction; shown as Office below):
Office>enable
Office#configure terminal
Office(config)#interface fastethernet 0/1
Office(config-if)#ip address 203.0.113.34 255.255.255.240
Office(config-if)#no shutdown
Office(config-if)#exit
Office(config)#interface fastethernet 0/0
Office(config-if)#ip address 192.168.1.1 255.255.255.0
Office(config-if)#no shutdown
Office(config-if)#end
Office#
Office#show ip interface brief
[FastEthernet0/0 192.168.1.1 YES manual up up; FastEthernet0/1 203.0.113.34 YES manual up up]
Office#
PC:
Figure 5.8 Client IP Addressing
5.4.6 Step 5: Installing and Configuring the Cisco IPsec VPN Client
1. Download and run the executable file of the client. Installation Wizard:
Figure 5.9 CISCO VPN Client Installing Wizard
Figure 5.10 License Agreement
3. Select Destination Folder and click Next.
Figure 5.11 Folder Setting
Figure 5.12 Installing Application
5. Installation is starting.
Figure 5.13 Installing
Figure 5.14 Completed
7. After installing, open VPN Client.
Figure 5.15 VPN Client Interface
Figure 5.16 New Setting
9. Fill in the details of your new connection and save.
Figure 5.17 Client Disconnect Status
Figure 5.18 Connecting
2. Contacting the Security Gateway; Connect then requires authentication.
Figure 5.19 Authentication
Figure 5.20 User Name & Password
4. If the username/password are verified, Status: Connected.
Figure 5.21 Connected Status
5.4.8 Step 7: Testing
1. Once the connection is successfully established, select Statistics from the Status menu to verify the details of the tunnel.
Figure 5.22 Tunnel Details
PC:
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=149ms TTL=253
Reply from 192.168.1.1: bytes=32 time=83ms TTL=253
Reply from 192.168.1.1: bytes=32 time=75ms TTL=253
Reply from 192.168.1.1: bytes=32 time=66ms TTL=253
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 66ms, Maximum = 149ms, Average = 93ms
Page | 115
IPsec VPN
9/: !#'&&
&
*'2&,
3
9/:/5 ')&
¾ Assign IP addresses according to the topology
¾ Configure NAT
¾ Configure IP Routing
¾ Test Connectivity
¾ Configure ASA as an IPsec VPN Server
¾ Install & Configure CISCO IPsec VPN Client
¾ Connect VPN Client
¾ Test VPN
Figure 5.23 Remote Access IPsec VPN Setup
5.6.3 Step 1: IP Addressing
Assign IP addresses on router's interfaces, ASA and PC as mentioned above in topological diagram 5.23. Interfaces must be enabled in a running state.

Internet:
Internet>enable
Internet#configure terminal
Internet(config)# interface Ethernet0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface Ethernet0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# end
Internet#
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            203.0.113.33    YES manual up                    up
Ethernet0/1            203.0.113.18    YES manual up                    up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.32/28 is directly connected, Ethernet0/0
C    203.0.113.16/28 is directly connected, Ethernet0/1

ASA:
ciscoasa>enable
ciscoasa#configure terminal
ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            203.0.113.34    YES manual up                    up
Ethernet0/1            192.168.2.1     YES manual up                    up
ciscoasa#

Reply from 203.0.113.34: bytes=32 time=105ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 90ms, Maximum = 105ms, Average = 93ms
C:\>

1. Once the connection is successfully established, select Statistics from the Status menu to verify the details of the tunnel.
Chapter 6 GRE VPN
Generic Routing Encapsulation (GRE) is a generic, point-to-point tunneling
protocol developed by Cisco Systems. It is a static tunnel. Generic means that it
allows many other protocols to be encapsulated in IP [16]. It works at the
network layer of the OSI reference model. Its specification is described in
RFC 2784.
6.1 Security
GRE provides a stateless, private connection. It is not considered a secure
protocol because it does not use encryption, unlike IP Security (IPsec). It
works with other protocols to provide security. The IPsec protocol is often
used with GRE to provide strong confidentiality, authentication, and
integrity. The combination of these two protocols is generally known as
IPsec over GRE. When GRE traffic passes through a firewall, the
firewall blocks this type of traffic by default. A network administrator
needs to permit IP protocol number 47 datagrams coming from or going to the
remote tunnel endpoints.
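The two points above, that a plain GRE tunnel exposes its inner packet and that the edge filter should admit protocol 47 (and, once IPsec is added, ESP and ISAKMP) only between the tunnel endpoints, as an added example that is not code from the book. The packets, the helper builders and the endpoint addresses (those of the lab below) are constructed for this example.

```python
# gre_inspect.py -- added example, not code from the book. It decodes an IPv4
# packet carrying GRE (RFC 2784) to show that a plain GRE tunnel exposes the
# inner packet, contrasts that with ESP, and applies the edge-filter rule the
# chapter describes: GRE (and, with IPsec, ESP/ISAKMP) only between the two
# tunnel endpoints. All packets below are constructed sample data.
import ipaddress
import struct

PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50
ISAKMP_PORT = 500
GRE_PROTO_IPV4 = 0x0800
# Tunnel endpoints of the lab topology in this chapter (assumed here).
TUNNEL_ENDPOINTS = {"203.0.113.17", "203.0.113.34"}


def parse_ipv4(buf):
    """Return (header dict, payload) for an IPv4 packet, rejecting malformed input."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or total > len(buf):
        raise ValueError("bad IPv4 header lengths")
    hdr = {"src": str(ipaddress.IPv4Address(src)),
           "dst": str(ipaddress.IPv4Address(dst)), "proto": proto, "ttl": ttl}
    return hdr, buf[ihl:total]


def parse_gre(buf):
    """Parse a GRE header (RFC 2784): flags/version, protocol type, optional checksum."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", buf[:4])
    if flags & 0x0007:          # version field (low 3 bits) must be 0
        raise ValueError("unsupported GRE version")
    off = 8 if flags & 0x8000 else 4   # C bit set: checksum + reserved1 follow
    return {"checksum_present": bool(flags & 0x8000), "protocol_type": ptype}, buf[off:]


def inspect_packet(pkt):
    """Classify a packet as seen on the outside interface of a tunnel router."""
    outer, payload = parse_ipv4(pkt)
    info = {"outer": outer, "transport": "other", "inner": None}
    if outer["proto"] == PROTO_GRE:
        gre, inner = parse_gre(payload)
        info["transport"] = "GRE"
        if gre["protocol_type"] == GRE_PROTO_IPV4:
            # No encryption: the private addresses inside the tunnel are readable.
            info["inner"], _ = parse_ipv4(inner)
    elif outer["proto"] == PROTO_ESP:
        info["transport"] = "ESP"
        info["spi"] = struct.unpack("!I", payload[:4])[0]   # rest is ciphertext
    elif outer["proto"] == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        info["transport"] = "ISAKMP" if ISAKMP_PORT in (sport, dport) else "UDP"
    return info


def edge_filter(pkt):
    """Permit only GRE, ESP and ISAKMP exchanged between the two tunnel endpoints,
    like the inbound access list of the lab; everything else is denied."""
    info = inspect_packet(pkt)
    ends = {info["outer"]["src"], info["outer"]["dst"]}
    if info["transport"] in ("GRE", "ESP", "ISAKMP") and ends == TUNNEL_ENDPOINTS:
        return "permit"
    return "deny"


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 packet builder for sample data (header checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_gre(payload, ptype=GRE_PROTO_IPV4):
    return struct.pack("!HH", 0, ptype) + payload


# Constructed samples: a LAN-to-LAN ICMP echo carried in GRE between the branch
# routers, an ESP packet between the same peers, and GRE from an unknown host.
INNER = build_ipv4("192.168.2.10", "192.168.1.10", 1, b"\x08\x00\x00\x00echo")
SAMPLE_GRE = build_ipv4("203.0.113.34", "203.0.113.17", PROTO_GRE, build_gre(INNER))
SAMPLE_ESP = build_ipv4("203.0.113.34", "203.0.113.17", PROTO_ESP,
                        struct.pack("!II", 0x1234ABCD, 1) + b"\x5a" * 32)
SAMPLE_ROGUE = build_ipv4("198.51.100.9", "203.0.113.17", PROTO_GRE, build_gre(INNER))

if __name__ == "__main__":
    for name, pkt in (("gre", SAMPLE_GRE), ("esp", SAMPLE_ESP), ("rogue", SAMPLE_ROGUE)):
        print(name, edge_filter(pkt), inspect_packet(pkt))
```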
6.3 Site-to-Site IPsec over GRE VPN
6.3.1 Steps
- Assign IP addresses according to the topology
- Configure IP Routing
- Configure NAT
- Test Connectivity
- Configure IPsec over GRE VPN Tunnel on both sides
- Test VPN
Figure 6.2 Site-to-Site IPsec over GRE VPN Setup
6.3.3 Step 1: IP Addressing
Assign IP addresses on router's interfaces and PCs as mentioned above in topological diagram 6.2. Interfaces must be enabled in a running state.

Internet:
Internet>enable
Internet#configure terminal
Internet(config)# interface FastEthernet0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface FastEthernet0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# end
Internet#
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.33    YES manual up                    up
FastEthernet0/1        203.0.113.18    YES manual up                    up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.16/28 is directly connected, FastEthernet0/1
C    203.0.113.32/28 is directly connected, FastEthernet0/0
Branch-1:
Branch-1>enable
Branch-1#configure terminal
Branch-1(config)# interface FastEthernet0/0
Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240
Branch-1(config-if)# no shutdown
Branch-1(config-if)# exit
Branch-1(config)# interface FastEthernet0/1
Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0
Branch-1(config-if)# no shutdown
Branch-1(config-if)# end
Branch-1#
Branch-1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.17    YES manual up                    up
FastEthernet0/1        192.168.1.1     YES manual up                    up
Branch-1#

Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)# interface FastEthernet0/1
Branch-2(config-if)# ip address 203.0.113.34 255.255.255.240
Branch-2(config-if)# no shutdown
Branch-2(config-if)# exit
Branch-2(config)# interface FastEthernet0/0
Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)# no shutdown
Branch-2(config-if)# end
Branch-2#
Branch-2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.2.1     YES manual up                    up
FastEthernet0/1        203.0.113.34    YES manual up                    up
Branch-2#
Branch-2#show crypto ipsec transform-set
Transform set tset: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

Branch-2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C    203.0.113.32/28 is directly connected, FastEthernet0/1
C    172.16.0.0/16 is directly connected, Tunnel0
S    192.168.1.0/24 [1/0] via 172.16.1.1
C    192.168.2.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 203.0.113.33
Branch-2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.2.1     YES manual up                    up
FastEthernet0/1        203.0.113.34    YES manual up                    up
Tunnel0                172.16.1.2      YES manual up                    up
Branch-2#show interface Tunnel0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.1.2/16
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 203.0.113.34, destination 203.0.113.17
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Last input 00:07:04, output 00:07:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     17 packets input, 1828 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     17 packets output, 1828 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Branch-2#show ip access-lists
Extended IP access list 102
    permit gre host 203.0.113.34 host 203.0.113.17 (34 matches)
Extended IP access list 105
    permit gre host 203.0.113.17 host 203.0.113.34 (17 matches)
    permit esp host 203.0.113.17 host 203.0.113.34 (17 matches)
    permit udp host 203.0.113.17 eq isakmp host 203.0.113.34 (10 matches)
    deny ip any any log
Extended IP access list 110
    deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
6.4 Site-to-Site IPsec over GRE VPN (ASA)
6.4.1 Steps
- Assign IP addresses according to the topology
- Configure IP Routing
- Configure NAT
- Test Connectivity
- Configure IPsec over GRE VPN Tunnel on both sides
- Test VPN
Figure 6.3 Site-to-Site IPsec over GRE VPN Setup
6.4.3 Step 1: IP Addressing
Assign IP addresses on router's interfaces, ASA and PCs as mentioned above in topological diagram 6.3. Interfaces must be enabled in a running state.

Internet:
Internet>enable
Internet#configure terminal
Internet(config)# interface FastEthernet0/0
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface Ethernet1/1
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# end
Internet#
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.18    YES NVRAM  up                    up
Ethernet1/1            203.0.113.33    YES NVRAM  up                    up
Internet#
Internet#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     203.0.113.0/28 is subnetted, 2 subnets
C       203.0.113.32 is directly connected, Ethernet1/1
C       203.0.113.16 is directly connected, FastEthernet0/0
Internet#
Branch-1:
Branch-1>enable
Branch-1#configure terminal
Branch-1(config)# interface FastEthernet0/0
Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240
Branch-1(config-if)# no shutdown
Branch-1(config-if)# exit
Branch-1(config)# interface FastEthernet0/1
Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0
Branch-1(config-if)# no shutdown
Branch-1(config-if)# end
Branch-1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.17    YES NVRAM  up                    up
FastEthernet0/1        192.168.1.1     YES NVRAM  up                    up
Branch-1#show ip route connected
     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.16 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
Branch-1#

ASA:
ciscoasa>enable
ciscoasa#configure terminal
ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside
ciscoasa#show interface ip brief
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            203.0.113.34    YES manual up                    up
Ethernet0/1            203.0.113.65    YES manual up                    up
ciscoasa#

Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)# interface Ethernet0/0
Branch-2(config-if)# ip address 203.0.113.66 255.255.255.240
Branch-2(config-if)# no shutdown
Branch-2(config-if)# exit
Branch-2(config)# interface FastEthernet1/0
Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)# no shutdown
Branch-2(config-if)# end
Branch-2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            203.0.113.66    YES NVRAM  up                    up
FastEthernet1/0        192.168.2.1     YES NVRAM  up                    up
Branch-2#show ip route connected
     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.64 is directly connected, Ethernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet1/0
Branch-2#

Internet(config)# ip route 203.0.113.64 255.255.255.240 203.0.113.34
Internet(config-if)# exit
Internet#
Chapter 7 DMVPN
Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic
tunneling form of a VPN. It can be configured on almost all IOS-based
routers. It works as a hub and spokes. The spokes are connected with the hub over
a public network. It is said to be a partial mesh. DMVPN uses the Next Hop
Resolution Protocol (NHRP) as a signaling mechanism over the hub-and-spoke
tunnels to trigger the spokes to discover each other and build dynamic
tunnels [17]. In a hub-and-spoke network, tunnels between spokes can be
dynamically built on demand (dynamic mesh) without additional
configuration on the hubs or spokes. Each spoke has a permanent tunnel to
the hub. Each spoke is registered as a client of the NHRP server. When a
spoke needs to send a packet to a destination (private) subnet on another
spoke, it queries the NHRP server for the destination (target) spoke.
The spoke-to-spoke tunnel is then built over the multipoint GRE interface.
The spoke-to-spoke links are established on demand whenever there is
traffic between the spokes. It provides scalability in a large network. Routing
protocols are configured in large-scale networks to complete routing
dynamically and quickly.
7.1 Security
DMVPN uses GRE with the IPsec security architecture to provide strong
authentication, confidentiality, and integrity.
7.2 DMVPN Setup (Hub and Spokes)
7.2.1 Steps
- Assign IP addresses according to the topology
- Configure IP Routing
- Test Connectivity
- Configure DMVPN Tunnels
- Test VPN
Figure 7.2 DMVPN Setup
7.2.3 Step 1: IP Addressing
Assign IP addresses on router's interfaces as mentioned above in topological diagram 7.2. Interfaces must be enabled in a running state.

Internet:
Internet>enable
Internet#configure terminal
Internet(config)# interface FastEthernet0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface FastEthernet0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface FastEthernet1/0
Internet(config-if)# ip address 203.0.113.65 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# end
Internet#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     203.0.113.0/28 is subnetted, 3 subnets
C       203.0.113.32 is directly connected, FastEthernet0/0
C       203.0.113.16 is directly connected, FastEthernet0/1
C       203.0.113.64 is directly connected, FastEthernet1/0
Internet#
HUB:
HUB>enable
HUB#configure terminal
HUB(config)# interface FastEthernet0/0
HUB(config-if)# ip address 203.0.113.17 255.255.255.240
HUB(config-if)# no shutdown
HUB(config-if)# exit
HUB(config)# interface FastEthernet0/1
HUB(config-if)# ip address 192.168.1.1 255.255.255.0
HUB(config-if)# no shutdown
HUB(config-if)# end
HUB#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.17    YES manual up                    up
FastEthernet0/1        192.168.1.1     YES manual up                    up
HUB#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.16 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
HUB#

Branch-1:
Branch-1>enable
Branch-1#configure terminal
Branch-1(config)# interface FastEthernet0/1
Branch-1(config-if)# ip address 203.0.113.34 255.255.255.240
Branch-1(config-if)# no shutdown
Branch-1(config-if)# exit
Branch-1(config)# interface FastEthernet0/0
Branch-1(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-1(config-if)# no shutdown
Branch-1(config-if)# end
Branch-1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.2.1     YES manual up                    up
FastEthernet0/1        203.0.113.34    YES manual up                    up
Branch-1#show ip route connected
     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.32 is directly connected, FastEthernet0/1
C    192.168.2.0/24 is directly connected, FastEthernet0/0
Branch-1#

Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)# interface FastEthernet0/0
Branch-2(config-if)# ip address 203.0.113.66 255.255.255.240
Branch-2(config-if)# no shutdown
Branch-2(config-if)# exit
Branch-2(config)# interface FastEthernet0/1
Branch-2(config-if)# ip address 192.168.3.1 255.255.255.0
Branch-2(config-if)# no shutdown
Branch-2(config-if)# end
Branch-2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.66    YES manual up                    up
FastEthernet0/1        192.168.3.1     YES manual up                    up
Branch-2#show ip route connected
     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.64 is directly connected, FastEthernet0/0
C    192.168.3.0/24 is directly connected, FastEthernet0/1
Branch-2#
7.2.6 Step 4: Configure DMVPN Tunnels
HUB:
HUB(config)# crypto isakmp policy 10
HUB(config-isakmp)# encryption 3des
HUB(config-isakmp)# hash md5
HUB(config-isakmp)# authentication pre-share
HUB(config-isakmp)# group 2
HUB(config-isakmp)# exit
HUB(config)# crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
HUB(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
HUB(cfg-crypto-trans)# exit
HUB(config)# crypto ipsec profile dmvpn
HUB(ipsec-profile)# set transform-set tset
HUB(ipsec-profile)# exit
HUB(config)# interface Tunnel0
HUB(config-if)# ip address 172.16.1.1 255.255.255.0
HUB(config-if)# tunnel mode gre multipoint
HUB(config-if)# tunnel source 203.0.113.17
HUB(config-if)# ip nhrp map multicast dynamic
HUB(config-if)# ip nhrp network-id 1
HUB(config-if)# ip nhrp authentication <string>
HUB(config-if)# no ip next-hop-self eigrp 1
HUB(config-if)# no ip split-horizon eigrp 1
HUB(config-if)# tunnel protection ipsec profile dmvpn
HUB(config-if)# exit
HUB(config)# router eigrp 1
HUB(config-router)# no auto-summary
HUB(config-router)# network 172.16.1.0 0.0.0.255
HUB(config-router)# network 192.168.1.0 0.0.0.255
HUB(config-router)# end
HUB#
Branch-1:
Branch-1(config)# crypto isakmp policy 10
Branch-1(config-isakmp)# encryption 3des
Branch-1(config-isakmp)# hash md5
Branch-1(config-isakmp)# authentication pre-share
Branch-1(config-isakmp)# group 2
Branch-1(config-isakmp)# exit
Branch-1(config)# crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
Branch-1(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch-1(cfg-crypto-trans)# exit
Branch-1(config)# crypto ipsec profile dmvpn
Branch-1(ipsec-profile)# set transform-set tset
Branch-1(ipsec-profile)# exit
Branch-1(config)# interface Tunnel0
Branch-1(config-if)# ip address 172.16.1.2 255.255.255.0
Branch-1(config-if)# tunnel mode gre multipoint
Branch-1(config-if)# tunnel source 203.0.113.34
Branch-1(config-if)# ip nhrp map 172.16.1.1 203.0.113.17
Branch-1(config-if)# ip nhrp map multicast 203.0.113.17
Branch-1(config-if)# ip nhrp nhs 172.16.1.1
Branch-1(config-if)# ip nhrp network-id 1
Branch-1(config-if)# ip nhrp authentication <string>
Branch-1(config-if)# no ip next-hop-self eigrp 1
Branch-1(config-if)# no ip split-horizon eigrp 1
Branch-1(config-if)# tunnel protection ipsec profile dmvpn
Branch-1(config-if)# exit
Branch-1(config)# router eigrp 1
Branch-1(config-router)# no auto-summary
Branch-1(config-router)# network 172.16.1.0 0.0.0.255
Branch-1(config-router)# network 192.168.2.0 0.0.0.255
Branch-1(config-router)# end
Branch-1#

Branch-2:
Branch-2(config)# crypto isakmp policy 10
Branch-2(config-isakmp)# encryption 3des
Branch-2(config-isakmp)# hash md5
Branch-2(config-isakmp)# authentication pre-share
Branch-2(config-isakmp)# group 2
Branch-2(config-isakmp)# exit
Branch-2(config)# crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
Branch-2(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch-2(cfg-crypto-trans)# exit
Branch-2(config)# crypto ipsec profile dmvpn
Branch-2(ipsec-profile)# set transform-set tset
Branch-2(ipsec-profile)# exit
Branch-2(config)# interface Tunnel0
Branch-2(config-if)# ip address 172.16.1.3 255.255.255.0
Branch-2(config-if)# tunnel mode gre multipoint
Branch-2(config-if)# tunnel source 203.0.113.66
Branch-2(config-if)# ip nhrp map 172.16.1.1 203.0.113.17
Branch-2(config-if)# ip nhrp map multicast 203.0.113.17
Branch-2(config-if)# ip nhrp nhs 172.16.1.1
Branch-2(config-if)# ip nhrp network-id 1
Branch-2(config-if)# ip nhrp authentication <string>
Branch-2(config-if)# no ip next-hop-self eigrp 1
Branch-2(config-if)# no ip split-horizon eigrp 1
Branch-2(config-if)# tunnel protection ipsec profile dmvpn
Branch-2(config-if)# exit
Branch-2(config)# router eigrp 1
Branch-2(config-router)# no auto-summary
Branch-2(config-router)# network 172.16.1.0 0.0.0.255
Branch-2(config-router)# network 192.168.3.0 0.0.0.255
Branch-2(config-router)# end
Branch-2#
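A consistency check for the hub-and-spoke tunnel configuration just entered, as an added example that is neither the book's nor Cisco's code. It parses Tunnel0 blocks modelled on the HUB, Branch-1 and Branch-2 configuration of this chapter (the NHRP authentication string "dmvpnkey" is a constructed value) and reports the mismatches that stop a spoke from registering with the NHS or leave the mGRE tunnel unprotected, which is the DMVPN failure mode the security section above warns about.

```python
# dmvpn_check.py -- added example, not code from the book or from Cisco. It parses
# IOS-style Tunnel0 blocks of a DMVPN hub and its spokes (modelled on this
# chapter's lab; "dmvpnkey" is a constructed NHRP authentication string) and
# lists the inconsistencies that break NHRP registration or leave GRE unencrypted.
import ipaddress

HUB_CFG = """\
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel source 203.0.113.17
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp authentication dmvpnkey
 tunnel protection ipsec profile dmvpn
"""


def spoke_cfg(tunnel_ip, nbma_ip):
    """Spoke Tunnel0 block in the shape used for Branch-1 and Branch-2."""
    return f"""\
interface Tunnel0
 ip address {tunnel_ip} 255.255.255.0
 tunnel mode gre multipoint
 tunnel source {nbma_ip}
 ip nhrp map 172.16.1.1 203.0.113.17
 ip nhrp map multicast 203.0.113.17
 ip nhrp nhs 172.16.1.1
 ip nhrp network-id 1
 ip nhrp authentication dmvpnkey
 tunnel protection ipsec profile dmvpn
"""


SPOKES = {"Branch-1": spoke_cfg("172.16.1.2", "203.0.113.34"),
          "Branch-2": spoke_cfg("172.16.1.3", "203.0.113.66")}


def parse_tunnel(config, name="Tunnel0"):
    """Collect the DMVPN-relevant lines of one tunnel interface into a dict."""
    t = {"ip": None, "mask": None, "mode": None, "source": None, "nhrp_map": {},
         "multicast": [], "nhs": [], "network_id": None, "auth": None, "profile": None}
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        w = line.split()
        if line.startswith("interface "):
            inside = w[1] == name
        elif not inside or not w:
            continue
        elif line.startswith("ip address "):
            t["ip"], t["mask"] = w[2], w[3]
        elif line == "tunnel mode gre multipoint":
            t["mode"] = "mgre"
        elif line.startswith("tunnel source "):
            t["source"] = w[2]
        elif line.startswith("ip nhrp map multicast "):
            t["multicast"].append(w[4])
        elif line.startswith("ip nhrp map "):
            t["nhrp_map"][w[3]] = w[4]       # tunnel address -> NBMA (public) address
        elif line.startswith("ip nhrp nhs "):
            t["nhs"].append(w[3])
        elif line.startswith("ip nhrp network-id "):
            t["network_id"] = w[3]
        elif line.startswith("ip nhrp authentication "):
            t["auth"] = w[3]
        elif line.startswith("tunnel protection ipsec profile "):
            t["profile"] = w[4]
    return t


def check_dmvpn(hub_cfg, spoke_cfgs):
    """Return a list of findings; an empty list means hub and spokes are consistent."""
    hub = parse_tunnel(hub_cfg)
    findings = []
    if hub["mode"] != "mgre":
        findings.append("hub: Tunnel0 must be 'tunnel mode gre multipoint'")
    if "dynamic" not in hub["multicast"]:
        findings.append("hub: missing 'ip nhrp map multicast dynamic', routing hellos never reach spokes")
    if hub["profile"] is None:
        findings.append("hub: no tunnel protection, GRE would carry traffic in cleartext")
    hub_net = ipaddress.ip_interface(f"{hub['ip']}/{hub['mask']}").network
    seen = {hub["ip"]}
    for name, cfg in spoke_cfgs.items():
        s = parse_tunnel(cfg)
        for key in ("network_id", "auth"):
            if s[key] != hub[key]:
                findings.append(f"{name}: nhrp {key} {s[key]!r} differs from hub {hub[key]!r}")
        if hub["ip"] not in s["nhs"]:
            findings.append(f"{name}: NHS {s['nhs']} is not the hub tunnel address {hub['ip']}")
        if s["nhrp_map"].get(hub["ip"]) != hub["source"]:
            findings.append(f"{name}: static NHRP map for {hub['ip']} must point to hub NBMA {hub['source']}")
        if hub["source"] not in s["multicast"]:
            findings.append(f"{name}: multicast is not mapped to hub NBMA {hub['source']}")
        if s["mode"] != "mgre":
            findings.append(f"{name}: Tunnel0 must be 'tunnel mode gre multipoint' for spoke-to-spoke tunnels")
        if s["profile"] is None:
            findings.append(f"{name}: no tunnel protection, GRE would carry traffic in cleartext")
        if s["ip"] in seen or ipaddress.ip_address(s["ip"]) not in hub_net:
            findings.append(f"{name}: tunnel address {s['ip']} is duplicate or outside {hub_net}")
        seen.add(s["ip"])
    return findings


if __name__ == "__main__":
    for line in check_dmvpn(HUB_CFG, SPOKES) or ["hub and spokes are consistent"]:
        print(line)
```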
HUB#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.17    YES manual up                    up
FastEthernet0/1        192.168.1.1     YES manual up                    up
Tunnel0                172.16.1.1      YES manual up                    up
HUB#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/100/124 ms
HUB#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/88/108 ms
HUB#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

     203.0.113.0/28 is subnetted, 1 subnets
C       203.0.113.16 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Tunnel0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
D    192.168.2.0/24 [90/297270016] via 172.16.1.2, 00:00:04, Tunnel0
D    192.168.3.0/24 [90/297270016] via 172.16.1.3, 00:00:04, Tunnel0
S*   0.0.0.0/0 [1/0] via 203.0.113.18
HUB#show crypto isakmp sa
dst             src             state          conn-id slot status
203.0.113.17    203.0.113.34    QM_IDLE             30    0 ACTIVE
203.0.113.17    203.0.113.66    QM_IDLE             40    0 ACTIVE
HUB#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 203.0.113.17

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/47/0)
   current_peer 203.0.113.34 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 135, #pkts encrypt: 135, #pkts digest: 135
    #pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Branch-2:
Branch-2#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/191/224 ms
Branch-2#
Chapter 8 SSL VPN
Secure Socket Layer (SSL) VPN is proposed by the IETF. It is used with a standard
web browser. It does not require any special client software installation on
the end user's computer. It allows remote users to access web applications,
client-server applications and internal network connections over the public
network (Internet) without any special client software. SSL VPN offers
adaptability, ease of use and granular control for a range of users on a variety
of computers accessing resources through many locations. The primary goal
of the SSL protocol is to provide privacy and reliability between two
communicating applications. The protocol is composed of two layers [18].
One is the transport layer and the second is the application layer. Its specification was
described in RFC 6101. The SSL record protocol is used for encapsulation
of various higher-level protocols. One advantage of SSL is that it is
application-protocol independent. There are two major types of SSL VPN.
In SSL portal VPN, the end user can access multiple network services
securely through a single SSL connection to a website. The site is called a
portal because it has only one door for multiple resources. The remote user
can access the VPN gateway using any modern web browser for authentication
defined by the gateway.
In SSL tunnel VPN, the end user can access multiple network services,
including applications and protocols that are not web-based, securely through
a tunnel.
8.1 Security
SSL provides strong encryption, authentication and integrity services.
Initially, a handshake process is done to define a secret key; after that,
encryption is used. Symmetric or asym) metric cryptographic techniques are
used to ensure data encryption. DES or 3DES are symmetric encryption
algorithms in which the same key is used for encryption and decryption. In
the asymmetric encryption type, the RSA algorithm and a key pair are used for
encryption and decryption. Peer authentication is also based on symmetric
or asymmetric cryptography. Third-party certificates are also used for peer
authentication. Message transport includes a message integrity check using
a keyed Message Authentication Code (MAC). Secure hash functions (e.g.,
SHA and MD5) are used for MAC computations.
8.2 SSL VPN Gateway
8.2.1 Steps
- Assign IP addresses according to the topology
- Configure IP Routing
- Configure Router as a DNS Server
- Test Connectivity
- Configure a Self-Signed Certificate on the Router
- Configure Router as an SSL VPN Gateway
- Test VPN
8.2.3 Step 1: IP Addressing
Assign IP addresses on router's interfaces and PC as mentioned above in topological diagram 8.2. Interfaces must be enabled in a running state.

Internet:
Internet>enable
Internet#configure terminal
Internet(config)# interface FastEthernet0/0
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface FastEthernet0/1
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# end
Internet#
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.18    YES manual up                    up
FastEthernet0/1        203.0.113.33    YES manual up                    up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.16/28 is directly connected, FastEthernet0/0
C    203.0.113.32/28 is directly connected, FastEthernet0/1
Branch:
Branch>enable
Branch#configure terminal
Branch(config)# interface FastEthernet0/0
Branch(config-if)# ip address 203.0.113.34 255.255.255.240
Branch(config-if)# no shutdown
Branch(config-if)# exit
Branch(config)# interface FastEthernet0/1
Branch(config-if)# ip address 192.168.1.1 255.255.255.0
Branch(config-if)# no shutdown
Branch(config-if)# end
Branch#
Branch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.34    YES manual up                    up
FastEthernet0/1        192.168.1.1     YES manual up                    up
Branch#

PC:
Figure 8.3 Client IP Addressing

Internet(config)# ip dns server
Internet(config)# ip name-server 203.0.113.18
Internet(config)# ip host mysslvpn.com 203.0.113.34
Internet(config)# no ip domain-lookup
Internet(config)# exit
Internet#
Figure 8.4 Before Certificate
Figure 8.5 After Certificate

Branch:
Branch#show webvpn gateway
Gateway Name                       Admin  Operation
------------                       -----  ---------
mysslgateway                       up     up

Branch#show webvpn context
Codes: AS - Admin Status, OS - Operation Status
       VHost - Virtual Host

Context Name                     Gateway          Domain/VHost       AS    OS
------------                     -------          ------------       ----  ----
mycontext                        mysslgat         -       -          up    up
Branch#
Chapter 9 High Availability VPN
1. HSRP
2. VRRP
3. GLBP
9.1 HSRP
Hot Standby Router Protocol (HSRP) is a CISCO proprietary redundancy
protocol. It allows two or more routers to work together to represent a single
IP address for a particular network. It is not a routing protocol. It allows
almost immediate failover to a secondary interface when the primary
interface is not available. The virtual IP address is used as the gateway for hosts
in the network. A host that uses the HSRP address as its gateway never
knows the actual physical IP or MAC address of the routers in the group.
Only the virtual IP address that was created within the HSRP configuration,
along with a virtual MAC address, is known to other hosts on the network.
Its specification was described in RFC 2281 [19]. It has two versions.
9.2 VRRP
The Virtual Router Redundancy Protocol (VRRP) is also a redundancy
protocol. It is an open standard, described in RFC 3768 by the IETF [20]. It
provides a function similar to the proprietary protocols "Hot Standby Router
Protocol" and "IP Standby Protocol". That is why CISCO claims that a
similar protocol with essentially the same facility is patented and licensed. It
uses multicast address 224.0.0.18 and IP protocol number 112. It creates
virtual routers, which are an abstract representation of multiple routers, i.e.
master and backup routers, acting as a group. The default priority is 100 in
this protocol. In the group, one router is the master and the second is the backup.
Election of the master router is based upon priority. The router with the highest
priority wins the election.
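The election and failover behaviour described in 9.1 and 9.2, as an added example that is not code from the book: routers with a priority (default 100) and an interface address compete for the active role, hosts only ever learn the group's virtual IP and virtual MAC, and preemption decides whether a recovered router takes the role back. The router names and addresses are those of the Primary/Secondary pair in the lab later in this chapter; the simulation itself is constructed.

```python
# fhrp_election.py -- added example, not code from the book. It models the
# first-hop redundancy behaviour described for HSRP and VRRP: the highest
# priority (default 100) wins, ties go to the higher interface address, preemption
# decides whether a recovered router takes the role back, and hosts only see the
# virtual IP/MAC. Router names and addresses follow this chapter's lab.
from dataclasses import dataclass, field


def hsrp_v1_virtual_mac(group):
    """HSRP version 1 virtual MAC: 0000.0c07.acXX, XX = group number (RFC 2281)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class Router:
    name: str
    address: str
    priority: int = 100      # default priority in both HSRP and VRRP
    preempt: bool = False
    alive: bool = True


def _rank(r):
    # Highest priority wins; ties are broken by the highest interface IP address.
    return (r.priority, tuple(int(o) for o in r.address.split(".")))


def elect(routers, current_active=None):
    """Return (active, standby) router names for one group.

    current_active is the router holding the role before this election; it keeps
    the role unless it is down or a better router has preemption enabled."""
    up = [r for r in routers if r.alive]
    if not up:
        return (None, None)
    best = max(up, key=_rank)
    incumbent = next((r for r in up if r.name == current_active), None)
    active = best
    if incumbent is not None and best is not incumbent and not best.preempt:
        active = incumbent
    others = [r for r in up if r is not active]
    standby = max(others, key=_rank) if others else None
    return (active.name, standby.name if standby else None)


@dataclass
class Group:
    number: int
    virtual_ip: str
    routers: list = field(default_factory=list)
    active: str = None

    def converge(self):
        self.active, standby = elect(self.routers, self.active)
        return (self.active, standby)

    def gateway_seen_by_hosts(self):
        """What a LAN host learns: the virtual address and the virtual MAC only."""
        return {"ip": self.virtual_ip, "mac": hsrp_v1_virtual_mac(self.number)}


def simulate_failover(group):
    """Initial election, then the active router fails, then it comes back.
    Returns the active router after each step and the MAC hosts saw throughout."""
    events = []
    first, _ = group.converge()
    events.append(("initial", first))
    failed = next(r for r in group.routers if r.name == first)
    failed.alive = False
    events.append(("active down", group.converge()[0]))
    failed.alive = True
    events.append(("active back", group.converge()[0]))
    return events, group.gateway_seen_by_hosts()["mac"]


if __name__ == "__main__":
    g = Group(1, "192.168.1.5", [Router("Primary", "192.168.1.2", 200, preempt=True),
                                 Router("Secondary", "192.168.1.3", 100, preempt=True)])
    print(simulate_failover(g))
```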
9.3 GLBP
Gateway Load Balancing Protocol (GLBP) is a CISCO proprietary protocol
that attempts to overcome the limitations of existing redundant router
protocols by adding basic load balancing functionality. By default, GLBP
load balancing is round-robin. GLBP elects one AVG (Active Virtual
Gateway) for each group. The second-best candidate is placed in the standby state
and all other members are placed in the listening state. By default, a GLBP
router uses the multicast address 224.0.0.102 to send hello packets to its
peers every 3 seconds over UDP port number 3222.
9.4 Site-to-Site IPsec High Availability VPN
9.4.1 Steps
- Assign IP addresses according to the topology
- Configure IP Routing
- Test Connectivity
- Configure HSRP
- Configure Site-to-Site IPsec VPN
- Testing
Figure 9.1 Site-to-Site IPsec High Availability VPN Setup
9.4.3 Step 1: IP Addressing
Assign IP addresses on router's interfaces and PC as mentioned above in topological diagram 9.1. Interfaces must be enabled in a running state.

Internet:
Internet>enable
Internet#configure terminal
Internet(config)# interface FastEthernet0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# exit
Internet(config)# interface FastEthernet0/1
Internet(config-if)# ip address 203.0.113.19 255.255.255.240
Internet(config-if)# no shutdown
Internet(config-if)# end
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.33    YES manual up                    up
FastEthernet0/1        203.0.113.19    YES manual up                    up
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C    203.0.113.32/28 is directly connected, FastEthernet0/0
C    203.0.113.16/28 is directly connected, FastEthernet0/1
PC:
Figure 9.2 Client IP Addressing
Primary:
Primary>enable
Primary#configure terminal
Primary(config)# interface FastEthernet0/0
Primary(config-if)# ip address 192.168.1.2 255.255.255.0
Primary(config-if)# no shutdown
Primary(config-if)# exit
Primary(config)# interface FastEthernet0/1
Primary(config-if)# ip address 203.0.113.17 255.255.255.240
Primary(config-if)# no shutdown
Primary(config-if)# end
Primary#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.1.2     YES manual up                    up
FastEthernet0/1        203.0.113.17    YES manual up                    up
Primary#

Secondary:
Secondary>enable
Secondary#configure terminal
Secondary(config)# interface FastEthernet0/0
Secondary(config-if)# ip address 192.168.1.3 255.255.255.0
Secondary(config-if)# no shutdown
Secondary(config-if)# exit
Secondary(config)# interface FastEthernet0/1
Secondary(config-if)# ip address 203.0.113.18 255.255.255.240
Secondary(config-if)# no shutdown
Secondary(config-if)# end
Secondary#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.1.3     YES manual up                    up
FastEthernet0/1        203.0.113.18    YES manual up                    up
Secondary#

Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)# interface FastEthernet0/0
Branch-2(config-if)# ip address 203.0.113.34 255.255.255.240
Branch-2(config-if)# no shutdown
Branch-2(config-if)# exit
Branch-2(config)# interface FastEthernet0/1
Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)# no shutdown
Branch-2(config-if)# end
Branch-2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        203.0.113.34    YES manual up                    up
FastEthernet0/1        192.168.2.1     YES manual up                    up
Branch-2#
9.4.5 Step 3: Test Connectivity
Primary:
Primary#ping 203.0.113.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/75/96 ms
Primary#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Secondary:
Secondary#ping 203.0.113.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/75/96 ms
Secondary#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Secondary:
Secondary(config)# interface FastEthernet0/0
Secondary(config-if)# standby 1 ip 192.168.1.5
Secondary(config-if)# standby 1 preempt
Secondary(config-if)# standby 1 name inside
Secondary(config-if)# exit
Secondary(config)# interface FastEthernet0/1
Secondary(config-if)# standby 2 ip 203.0.113.20
Secondary(config-if)# standby 2 preempt
Secondary(config-if)# standby 2 name <name>
Secondary(config-if)# exit
Secondary(config)#
Primary:
Primary#show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:03:20
  Virtual IP address is 192.168.1.5
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.276 secs
  Preemption enabled, min delay 0 sec, sync delay 0 sec
  Active router is local
  Standby router is 192.168.1.3, priority 100 (expires in 7.676 sec)
  Priority 200 (configured 200)
  Group name is "inside" (cfgd)
FastEthernet0/1 - Group 2
  State is Active
    2 state changes, last state change 00:02:44
  Virtual IP address is 203.0.113.20
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.268 secs
  Preemption enabled, min delay 0 sec, sync delay 0 sec
  Active router is local
  Standby router is 203.0.113.18, priority 100 (expires in 8.132 sec)
  Priority 200 (configured 200)
  Group name is "<name>" (cfgd)
Primary#
Secondary:
Secondary#show standby
FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 00:00:30
  Virtual IP address is 192.168.1.5
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.052 secs
  Preemption enabled, min delay 0 sec, sync delay 0 sec
  Active router is 192.168.1.2, priority 200 (expires in 7.792 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "inside" (cfgd)
FastEthernet0/1 - Group 2
  State is Standby
    1 state change, last state change 00:00:05
  Virtual IP address is 203.0.113.20
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.464 secs
  Preemption enabled, min delay 0 sec, sync delay 0 sec
  Active router is 203.0.113.17, priority 200 (expires in 7.780 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "<name>" (cfgd)
Secondary#
9.4.7 Step 5: Configure Site-to-Site IPsec VPN
Primary:
Primary(config)# crypto isakmp policy 10
Primary(config-isakmp)# encryption 3des
Primary(config-isakmp)# hash md5
Primary(config-isakmp)# authentication pre-share
Primary(config-isakmp)# group 2
Primary(config-isakmp)# exit
Primary(config)# crypto isakmp key 0 testipsecvpn address 0.0.0.0
Primary(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
Primary(cfg-crypto-trans)# exit
Primary(config)# crypto dynamic-map dmap 10
Primary(config-crypto-map)# set transform-set tset
Primary(config-crypto-map)# match address 101
Primary(config-crypto-map)# reverse-route
Primary(config-crypto-map)# exit
Primary(config)#
Primary(config)# ip access-list extended 101
Primary(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
Primary(config-ext-nacl)# exit
Primary(config)# ip route 192.168.2.0 255.255.255.0 203.0.113.19
Primary(config)# crypto map smap 10 ipsec-isakmp dynamic dmap
Primary(config)# interface FastEthernet0/1
Primary(config-if)# crypto map smap redundancy <name>
Primary(config-if)# end
Primary#
Secondary:
Secondary(config)# crypto isakmp policy 10
Secondary(config-isakmp)# encryption 3des
Secondary(config-isakmp)# hash md5
Secondary(config-isakmp)# authentication pre-share
Secondary(config-isakmp)# group 2
Secondary(config-isakmp)# exit
Secondary(config)# crypto isakmp key 0 testipsecvpn address 0.0.0.0
Secondary(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
Secondary(cfg-crypto-trans)# exit
Secondary(config)# crypto dynamic-map dmap 10
Secondary(config-crypto-map)# set transform-set tset
Secondary(config-crypto-map)# match address 101
Secondary(config-crypto-map)# reverse-route
Secondary(config-crypto-map)# exit
Secondary(config)#
Secondary(config)# ip access-list extended 101
Secondary(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
Secondary(config-ext-nacl)# exit
Secondary(config)# ip route 192.168.2.0 255.255.255.0 203.0.113.19
Secondary(config)# crypto map smap 10 ipsec-isakmp dynamic dmap
Secondary(config)# interface FastEthernet0/1
Secondary(config-if)# crypto map smap redundancy <name>
Secondary(config-if)# end
Secondary#
Branch-2:
Branch-2(config)# crypto isakmp policy 10
Branch-2(config-isakmp)# encryption 3des
Branch-2(config-isakmp)# hash md5
Branch-2(config-isakmp)# authentication pre-share
Branch-2(config-isakmp)# group 2
Branch-2(config-isakmp)# exit
Branch-2(config)# crypto isakmp key 0 testipsecvpn address 203.0.113.20
Branch-2(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch-2(cfg-crypto-trans)# exit
Branch-2(config)# crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Branch-2(config-crypto-map)# set peer 203.0.113.20
Branch-2(config-crypto-map)# set transform-set tset
Branch-2(config-crypto-map)# match address 102
Branch-2(config-crypto-map)# exit
Branch-2(config)# ip access-list extended 102
Branch-2(config-ext-nacl)# permit ip any 192.168.1.0 0.0.0.255
Branch-2(config-ext-nacl)# exit
Branch-2(config)# ip route 192.168.1.0 255.255.255.0 203.0.113.33
Branch-2(config)# interface FastEthernet0/0
Branch-2(config-if)# crypto map smap
Branch-2(config-if)# end
Branch-2#
References
[1] G. De Laet and G. Schauwers, "Network security fundamentals", Cisco Press, 2005.
[2] K. Hamzeh, G. Pall, W. Verthein, J. Taarud, W. Little, and G. Zorn, "Point-to-Point Tunneling Protocol (PPTP)", RFC 2637, 1999.
[3] G. Zorn and G. S. Pall, "Microsoft Point-To-Point Encryption (MPPE) Protocol", RFC 3078, 2001.
[4] http://www.h-online.com/security/news/item/Microsoft-says-don-t-use-PPTP-and-MS-CHAP-1672257.html
[5] W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, and B. Palter, "Layer Two Tunneling Protocol (L2TP)", RFC 2661, 1999.
[6] J. Lau, M. Townsley, and I. Goyret, "Layer Two Tunneling Protocol - Version 3 (L2TPv3)", RFC 3931, 2005.
[7] B. Patel, B. Aboba, W. Dixon, G. Zorn, and S. Booth, "Securing L2TP using IPsec", RFC 3193, 2001.
[8] R. Atkinson, "Security Architecture for the Internet Protocol", RFC 1825, 1995.
[9] B. Aboba and W. Dixon, "IPsec-Network Address Translation (NAT) Compatibility Requirements", RFC 3715, 2004.
[10] S. Deering and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, 1998.
[11] S. Kent and R. Atkinson, "IP Authentication Header", RFC 2402, 1998.
[12] G. De Laet and G. Schauwers, "Network security fundamentals", Cisco Press, 2005.
[13] S. Kent, "IP Encapsulating Security Payload (ESP)", RFC 4303, 2005.
[14] D. Maughan, M. Schertler, M. Schneider, and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, 1998.
[15] C. Kaufman, P. Hoffman, Y. Nir, and P. Eronen, "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 5996, 2010.
[16] D. Farinacci, T. Li, S. Hanks, D. Meyer, and P. Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 2000.
[17] F. Detienne, M. Kumar, and M. Sullenberger, "Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00", CISCO, 2013.
[18] A. Freier, P. Karlton, and P. Kocher, "The Secure Sockets Layer (SSL) Protocol Version 3.0", RFC 6101, 2011.
[19] T. Li, P. Morton, D. Li, and B. Cole, "Cisco Hot Standby Router Protocol (HSRP)", RFC 2281, 1998.
[20] R. Hinden, "Virtual Router Redundancy Protocol (VRRP)", RFC 3768, 2004.