
University of Benghazi

Faculty of Information Technology


Computer Networks & Communications Department

IPsec VPN Network Design and Implementation

A project submitted in partial fulfillment of the requirements for the degree of
Bachelor of Science (B.Sc.) in Computer Networks & Communications

By

Faraj Amraja Mohmmed Amraja (3644)

Ayman Othman (3639)

Supervisor

Mr. Hatem Salem Al-Sheibani

Spring 2021-2022

Arabic title page (translated):

University of Benghazi
Faculty of Information Technology
Computer Networks & Communications Department

Design and Implementation of an IPsec VPN Network

This graduation project is submitted as part of the requirements for obtaining the Bachelor's degree in Computer Networks & Communications

Submitted by

Faraj Amraja Mohmmed Amraja (3644)

Ayman Othman (3639)

Under the supervision of

Mr. Hatem Salem Al-Sheibani

Spring 2021-2022
Copyright ©2022.

All rights reserved. No part of this project work may be reproduced in any form, or by any means, without permission in writing from the author(s) and the Department of Computer Networks & Communications, Faculty of IT, University of Benghazi.
Certificate

The project entitled:

IPsec VPN Network Design and Implementation

which is being submitted by

Faraj Amraja Mohmmed Amraja (3644)

Ayman Othman (3639)

in partial fulfillment of the requirements for the award of the B.Sc. degree in Computer Networks & Communications, has been carried out under my supervision and is accepted for presentation & examination.

Supervisor:

Mr. Hatem Salem

Date: / / 2022

1st Supervisor
Certificate

The project entitled:

IPsec VPN Network Design and Implementation

which is being submitted by

Faraj Amraja Mohmmed Amraja (3644)

Ayman Othman (3639)

in partial fulfillment of the requirements for the award of the B.Sc. degree in Computer Networks & Communications, has been examined by us, and all our recommendations made during the discussion/examination have been carried out. The project report has been accepted in the summer semester of the academic year 2021/2022.

1st Examiner (The Supervisor)
Signature:
Name: Mr. Hatem Salem
Date: / / 2022

2nd Examiner
Signature:
Name:
Date: / / 2022

3rd Examiner
Signature:
Name:
Date: / / 2022
Dedication

In the name of Allah, the Most Gracious, the Most Merciful

{Allah will raise those who have believed among you and those who were given knowledge, by degrees. And Allah is Acquainted with what you do.}

Allah the Almighty has spoken the truth.

My Lord, the night is not pleasant except with thanking You, nor the day except with obeying You, nor the moments except with remembering You, nor the Hereafter except with Your pardon, nor Paradise except with seeing You.
To the one who conveyed the Message and fulfilled the trust .. and counselled the nation .. to the Prophet of mercy and the light of the worlds,
"our master Muhammad, peace and blessings be upon him".
After a journey of research, effort and diligence crowned by the completion of this modest project, we praise Allah Almighty for the blessings He has bestowed upon us, for He is the Most High, the All-Powerful. We can only single out, with the highest expressions of thanks and appreciation, the supervisor Mr. "Khalil Khaled Al-Maqsabi" for the effort, advice and knowledge he offered during the work on this project. We also extend our sincere thanks to everyone who lent a helping hand to complete the bachelor's stage, and in particular to our esteemed professors of the Faculty of Information Technology, Department of Computer Networks and Communications, who oversaw the completion of our studies.
To those whom Allah crowned with dignity and reverence .. to those who taught us to give without expecting anything in return ... to those whose names we carry with pride .. I ask Allah to extend your lives so that you may see fruits whose harvest has come after a long wait, and your words will remain stars that guide us today, tomorrow and forever.
"Our dear fathers and mothers"
Abbreviations and Notations

AES Advanced Encryption Standard


AH Authentication Header
BGP Border Gateway Protocol
BR-1 Branch-1
BR-2 Branch-2
DES Data Encryption Standard
DNS Domain Name System
DOS Denial-of-Service
DSL Digital Subscriber Line
ESP Encapsulating Security Payload
GNS Graphical Network System
GRE Generic Routing Encapsulation
IANA Internet Assigned Numbers Authority
IETF The Internet Engineering Task Force
IKE Internet Key Exchange
IOS Internet Operating System
IP Internet Protocol
IPSec Internet Protocol Security
ISAKMP Internet Security Association and Key Management Protocol
ISP Internet Service Provider
L2 Layer 2
L2TP Layer 2 Tunnel Protocol
L3 Layer 3
LAN Local Area Network
MD-5 Message-Digest
MITM Man in The Middle
MPLS Multiprotocol Label Switching
OSI Open Systems Interconnection
OSPF Open Shortest Path First
Ping Packet Internet Network Group
PPTP Point-to-Point Tunnel Protocol
PSTN Public Switched Telephone Network
RFC Request for Comments
RSA Rivest–Shamir–Adleman
SA Security Association
SHA Secure Hashing Algorithm
SP Service Provider
SPI Security Parameter Index
SSL Secure Sockets Layer
TCP Transmission Control Protocol
TCP / IP Transmission Control Protocol/Internet Protocol


TLS Transport Layer Security
UDP User Datagram Protocol
URL Uniform Resource Locator
VPN Virtual Private Network
VRF Virtual Routing and Forwarding
WAN Wide-Area Network

Table of Contents

Title Page

Supervisor's Approval .............................................................................. I

Examiner 's Approval ..............................................................................II

Dedication ............................................................................................... III

Abbreviations and Notations ................................................................ IV

Contents Index ....................................................................................... VI

Figures Index ............................................................................................ X

Abstract .................................................................................................. XII

Chapter 1: Introduction ........................................................................... 1


1.1 Introduction .......................................................................................................... 2
1.2 Background ......................................................................................................... 2
1.3 Problem Nature .................................................................................................. 2
1.4 Project Aim and Objectives ............................................................................... 3
1.5 Project Structure ................................................................................................ 3
1.6 Project Scope ...................................................................................................... 4
1.7 Resources............................................................................................................. 4
1.8 Project Time Line ............................................................................................... 4
1.9 Deliverable .......................................................................................................... 4
1.10 Summary .....................................................................................................................5

Chapter 2: Network Security ................................................................... 6


2.1 Introduction ........................................................................................................ 7
2.2 Security of Information ..................................................................................... 7
2.3 Importance of Information Security ................................................................ 8
2.4 The Security Trinity ........................................................................................... 9
2.4.1 Prevention ................................................................................................................10
2.4.2 Detection .................................................................................................................10
2.4.3 Response ..................................................................................................................10

2.5 Security Model ................................................................................................. 10

2.5.1 Security by Obscurity ..............................................................................................10


2.5.2 The Perimeter Defense ............................................................................................11
2.5.3 The Defense Depth ..................................................................................................11
2.6 Basic Terminology ........................................................................................... 12
2.6.1 Threats .....................................................................................................................12
2.6.2 Vulnerability ...........................................................................................................12
2.6.3 Physical Vulnerabilities...........................................................................................13
2.6.4 Human Vulnerabilities.............................................................................................13
2.6.5 Countermeasures .....................................................................................................13
2.6.6 Availability..............................................................................................................13
2.6.7 Authentication .........................................................................................................14
2.6.8 Access Control ( Authorization ) ............................................................................15
2.6.9 Accountability .........................................................................................................15
2.6.10 Encryption and Decryption ...................................................................................16
2.6.11 Integrity .................................................................................................................16
2.6.12 Confidentiality.......................................................................................................16
2.6.13 Non-repudiation ....................................................................................................17
2.7 Challenges in Security ..................................................................................... 17
2.8 Attacks ............................................................................................................... 17
2.9 Most Common Attacks .................................................................................... 18
2.9.1 Spoofs......................................................................................................................18
2.9.2 IP Address Spoofing................................................................................................18
2.9.3 Man in the Middle Attack .......................................................................................18
2.9.4 Denial of Service .....................................................................................................19
2.10 Summary ......................................................................................................... 20

Chapter 3: Virtual Private Network ..................................................... 21


3.1 Introduction ..................................................................................................... 22
3.2 Business on the Internet .................................................................................. 22
3.3 Defining the VPN ............................................................................................. 23
3.4 Virtual Circuit or Tunnel ................................................................................ 24
3.5 Method of Creating VPN Channels ................................................................ 24
3.6 Types of VPNs................................................................................................... 26
3.6.1 Layer 2 VPN (Data-link Layer)...............................................................................26
3.6.2 Layer 3 VPN (Network Layer) ........................................................................ 27

3.7 Categories of VPNs .......................................................................................... 27


3.7.1 Remote Access VPN................................................................................................27
3.7.2 Site-to-Site VPN ............................................................................................ 29
3.8 VPN Protocols .................................................................................................. 30
3.8.1 Point-to-Point Tunneling Protocol ...........................................................................30
3.8.2 Layer 2 Tunneling Protocol ............................................................................ 30
3.8.3 Internet Protocol Security........................................................................................30
3.8.4 Secure Sockets Layer and Transport Layer Security ......................................... 31
3.9 Advantages of VPN .......................................................................................... 31
3.10 Disadvantages of VPN ................................................................................... 31
3.11 Summary ......................................................................................................... 32

Chapter 4: IP Security ............................................................................. 33


4.1 Introduction ...................................................................................................... 34
4.2 IP-Sec Overview ............................................................................................... 34
4.3 History ............................................................................................................... 35
4.4 Structure ........................................................................................................... 35
4.5 Security Association ......................................................................................... 36
4.6 IPSec Security Protocols .................................................................................. 37
4.7 IPSec Transport Mode ..................................................................................... 37
4.8 IPSec Tunnel Mode ......................................................................................... 38
4.9 Encapsulating Security Payload ..................................................................... 39
4.9.1 IP Packet Protected by ESP in Transport Mode ......................................................40
4.9.2 IP Packet Protected by ESP in Tunnel Mode ..........................................................41
4.10 Authentication Header................................................................................... 42
4.10.1 IP Packet Protected by AH in Transport Mode .....................................................42
4.10.2 IP Packet Protected by AH in Tunnel Mode .........................................................43
4.11 IPSec Function................................................................................................ 44
4.11.1 Encryption .............................................................................................................44
4.11.2 Authentication .......................................................................................................44
4.11.3 Integrity .................................................................................................................45
4.12 Summary ......................................................................................................... 45

Chapter 5: Implementation of VPN and Data Analysis...................... 46


5.1 Introduction ...................................................................................................... 47

5.2 The Requirements ............................................................................................ 47


5.2.1 Software...................................................................................................................47
5.2.2 The Simulation Tool ................................................................................................48
5.3 The GRE Tunnel Topology ............................................................................. 49
5.3.1 Network Topology...................................................................................................49
5.3.2 GRE Tunnel Configuration .....................................................................................50
5.3.3 GRE Tunnel Topology Traffic Analysis .................................................................51
5.4 The IP-Sec VPN Topology ............................................................................... 52
5.4.1 Network Topology...................................................................................................52
5.4.2 IPSec VPN Configuration .......................................................................................53
5.4.3 IPSec VPN Topology Traffic Analysis ...................................................................54
5.5 Explain Traffic Analysis .................................................................................. 55
5.6 Summary ........................................................................................................... 55

Chapter 6: Conclusion and Future Work ............................................ 56


6.1 Conclusion ......................................................................................................... 57
6.2 Future work ...................................................................................................... 57

References ................................................................................................ 58

List of Figures

Title Page

1.1 Project Time Line ............................................................................... 4

2.1 Information Security .......................................................................... 7

2.2 Security Trinity ................................................................................... 9

2.3 Threats ............................................................................................... 12

2.4 Authentication Methods ................................................................... 14

2.5 AAA .................................................................................................... 15

2.6 Encryption and Decryption.............................................................. 16

2.7 MIM.................................................................................................... 19

3.1 VPN Tunnel ....................................................................................... 24

3.2 Layer 2 VPN ...................................................................................... 26

3.3 Layer 3 VPN ...................................................................................... 27

3.4 Remote Access VPN .......................................................................... 28

3.5 Site-to-Site VPN ................................................................................ 29

4.1 IPSec Document Roadmap ..................................................................... 36

4.2 IP Packet in IPSec Transport Mode ........................................................ 38

4.3 IP Packet in IPSec Tunnel Mode............................................................. 39

4.4 IP Packet Protected by ESP.................................................................... 40

4.5 IP Packet Protected by ESP in Transport Mode ....................................... 41

4.6 IP Packet Protected by ESP in Tunnel Mode ........................................... 41

4.7 IP Packet Protected by AH ..................................................................... 42

4.8 IP Packet Protected by AH in Transport Mode ........................................ 43

4.9 IP Packet Protected by AH in Tunnel Mode ............................................ 43

5.1 The Icon of GNS3 .............................................................................. 47

5.2 The Icon of WireShark ..................................................................... 48

5.3 IOS Image for 7200 ........................................................................... 48

5.4 IOS Image Installation ..................................................................... 49

5.5 GRE Tunnel Topology ..................................................................... 49

5.6 Create Interface Tunnel ................................................................... 50

5.7 Br-1's Routing Table ........................................................................ 50

5.8 ISP's Routing Table .......................................................................... 51

5.9 Start Capture..................................................................................... 51

5.10 Ping Command ................................................................................ 51

5.11 Data Analysis ................................................................................... 52

5.12 Packet Analysis ............................................................................... 52

5.13 IPSec VPN Topology ...................................................................... 52

5.14 Keys Configurations ......................................................... 53

5.15 Transform-Set Configurations ...................................................... 53

5.16 ACL Configurations on Br-1 ......................................................... 53

5.17 ACL Configurations on Br-2 ........................................................ 53

5.18 Start Capture................................................................................... 54

5.19 Ping Command ................................................................................ 54

5.20 Data Analysis ................................................................................... 54

5.21 Packet Analysis ............................................................................... 55

Abstract

After the digital transformation and the technological revolution, most organizations
and government agencies have come to depend on information technology in their
daily business and in finalizing transactions, which has made information technology
dominate industry, commerce and transactions. As the importance of information
technology has increased, so have the security risks of transferring sensitive data
between different organizations and company branches.

Data security has become the focus of scientific research, with engineers seeking
modern technology to provide security solutions and to reduce the risk of attacks aimed
at accessing the system and obtaining information.

A company whose branches are spread over large areas and that wants to exchange data
between them over the Internet is threatened by the possibility of its data being
attacked. For this reason IPSec VPN was used, which provides strong protection for data
passing through the network. IPSec VPN encrypts data before sending it over the network;
it hides the original source IP and destination IP and relies on the gateways' IPs during
data transmission over the network, and it uses many methods and algorithms to provide
protection, which will be addressed in the upcoming chapters.

Keywords: IPsec, VPN, Security, Data.

Chapter I
Introduction
Chapter 1 Introduction

1.1 Introduction

This chapter gives a brief overview of the project, the problem it addresses and the
proposed solution. It also presents the project's aim and objectives and its structure.

1.2 Background

Many studies aim to develop and create protection systems and protocols to secure data,
given the scale of the problems that may be caused if sensitive data is exposed to
sabotage, theft, or alteration of its source or destination.

Institutions and government agencies that exchange sensitive information over the
Internet have become interested in securing this data while it is being sent. To provide
a high level of protection they use the IPSec suite, which first requires choosing the
mode to be used:

 Tunnel mode.
 Transport mode.

After choosing the mode, the protocol to be used is specified:

 Encapsulating Security Payload.
 Authentication Header.

Then the algorithms used to provide protection are determined. All of these choices
depend on the concepts behind these options and on the network scenario.
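As an added example (not part of the report), the following Python script models the two choices just described for the Authentication Header protocol: it builds an AH-protected packet in transport mode and in tunnel mode, computes the integrity check value the way RFC 4302 specifies (mutable IP fields zeroed) using HMAC-SHA-256-128 from RFC 4868, and shows which addresses remain visible on the path and which in-transit changes pass or fail verification. The key, branch host addresses and gateway addresses are constructed sample values.

```python
"""Added example, not from the report: a minimal model of the IPsec choices in
section 1.2 for the AH protocol, in transport and tunnel mode, standard library only.
The ICV is HMAC-SHA-256 truncated to 128 bits (RFC 4868); the key and addresses
below are constructed sample values."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51        # IP protocol number of the Authentication Header
IPIP_PROTO = 4       # next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 16         # HMAC-SHA-256-128 integrity check value
AH_LEN = 12 + ICV_LEN


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (checksum left zero; routers recompute it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable(ip_hdr):
    """RFC 4302: flags/fragment offset, TTL and checksum are zeroed before the ICV
    is computed because routers legitimately change them in transit."""
    h = bytearray(ip_hdr)
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_no_icv, data):
    """ICV over the whole packet, with mutable fields and the ICV itself zeroed."""
    msg = zero_mutable(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key, inner, mode, spi=0x1001, seq=1, gw=None):
    """inner = (src, dst, proto, payload). Returns the bytes seen on the ISP path."""
    src, dst, proto, payload = inner
    if mode == "transport":
        # AH is inserted between the original IP header and its payload;
        # the original host addresses stay in the outer header.
        data, next_hdr, outer_src, outer_dst = payload, proto, src, dst
    elif mode == "tunnel":
        # The whole original packet becomes the payload and a new outer header
        # carries the gateway addresses, so only the gateways are visible.
        data = ipv4_header(src, dst, proto, len(payload)) + payload
        next_hdr, (outer_src, outer_dst) = IPIP_PROTO, gw
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    outer = ipv4_header(outer_src, outer_dst, AH_PROTO, AH_LEN + len(data))
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_no_icv = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return outer + ah_no_icv + ah_icv(key, outer, ah_no_icv, data) + data


def ah_verify(key, packet):
    """Recompute the ICV; True only if nothing covered by AH was altered."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO:
        return False
    ah_no_icv, icv, data = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_no_icv, data))


def visible_addresses(packet):
    """Source and destination an observer on the ISP path can read."""
    return str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))


# Constructed sample values (branch hosts, gateways, key); not from the report.
KEY = b"constructed-sample-key"
INNER = ("192.168.1.10", "192.168.2.20", 1, b"ICMP echo sample")  # proto 1 = ICMP
GATEWAYS = ("203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    t = ah_protect(KEY, INNER, "transport")
    u = ah_protect(KEY, INNER, "tunnel", gw=GATEWAYS)
    print("transport mode shows", visible_addresses(t))  # original hosts
    print("tunnel mode shows   ", visible_addresses(u))  # only the gateways
    hop = bytearray(u); hop[8] -= 1                                      # a router decrements TTL
    nat = bytearray(u); nat[12:16] = IPv4Address("203.0.113.99").packed  # NAT rewrites the source
    print("after TTL decrement:", ah_verify(KEY, bytes(hop)))  # True: TTL is not covered
    print("after NAT rewrite:  ", ah_verify(KEY, bytes(nat)))  # False: addresses are covered
```

The last two checks show why AH, unlike ESP, cannot cross a NAT: the outer addresses are part of the authenticated data.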

1.3 Problem Nature

When designing a network that needs to connect the branches of a company with each
other, you reach the stage of choosing the best WAN technologies to use for the
connection.

Among the points taken into consideration to determine the best technology are:

- Speed.

- Documentation.

- Protection and data security.

- Cost.

In this project we focus on the point of protection and data security, by
connecting branches with each other using IPSec VPN.

1.4 Project Aim and Objectives

The aim of this project is to study the concepts of IPSec VPN and its implementation,
with traffic analysis to confirm the protection it provides and a comparison with other
VPN methods. This aim can be achieved by meeting the following objectives:
1. To study data security.
2. To study VPN and some of its concepts.
3. To study the IPSec suite and some of its concepts.
4. To perform a protection comparison between IPSec and GRE.

1.5 Project Structure

Chapter Two (Data Security): introduces an overview of data security.

Chapter Three (Virtual Private Network): introduces VPNs and some of their concepts.

Chapter Four (IP Security): introduces the IPSec suite and some of its concepts.

Chapter Five (Implementation of VPN and Data Analysis): presents the implementation
part and the data analysis.

Chapter Six (Conclusion and Future Work): summarizes the project and its results, and
presents the future work.

1.6 Project Scope

The scope of the project focuses on data protection, especially through the IPSec
suite.

1.7 Resources

 Supervisor's instruction.
 Previous literature and studies in this area.
 Network Security course at the university.
 Access to online resources.

1.8 Project Time Line

Figure 1.1: Project Time Line

1.9 Deliverable

 Project report book.
 Electronic copy of the project report book.
Chapter II
Data Security
Chapter II Network Security

2.1 Introduction

This chapter starts with an overview of information security and its importance. It
then presents the security models, the most important terminology in the world of
security and the most important challenges it faces. Finally, it describes the most
common attacks.

2.2 Security of Information

The world now lives in the shadow of the technological revolution, and preserving data
in every area has become an important point. Information has become an important asset
for organizations, and it must be protected from any danger that threatens it. [1]

Data is secure if the following properties are provided: [1]

I) Confidentiality.
II) Integrity.
III) Availability.
IV) Authentication.

Figure 2.1: Information Security [1]

Before the technological revolution, data was stored in physical files and was protected
by restricting access to the place where these files were kept; only specific employees
were allowed to enter that place, and they were authorized to access the files and make
changes to them. [1]

With the technological revolution, data is stored electronically instead of by the
traditional method. The previously mentioned properties are still required to protect
data security: the place and manner of storage have changed, but the security
requirements remain the same. Security is, however, more difficult to implement than it
used to be. [1]

Another major change that has affected security is the emergence of distributed systems
and networks, and companies' use of various communications to exchange data between
people and companies. The need to secure the data passing through networks, to preserve
it from any attack, has become greater. [1]

The primary goal of information security is to protect data. This means protecting
access to the data, not protecting the computers and network devices themselves. [3]

2.3 Importance of Information Security

It may seem illogical to talk about "the importance of information security", but it is
important that an organization determines why it wants security and how to achieve it.
Network security is important for several reasons, including:

- To protect company assets: the purpose of network security is to protect the
company's assets. "The company's assets are the company's private information."
Protecting information and its availability is one of the primary goals of network
security. [4]

- To gain a competitive advantage: regular attention to and development of network
security increases the competitiveness of the organization, and also attracts more
customers to it. "For example, customers are more inclined towards banks that provide
stronger protection systems." [4]

- To comply with regulatory requirements and fiduciary responsibilities: data protection
and security are responsibilities of engineers specialized in network security, and are
among the responsibilities that ensure the organization continues to function properly.
Organizations that depend on information technology in their work should continuously
develop policies and procedures, not only to protect assets, but also to protect the
organization from legal issues. Government agencies often set regulations that require
organizations to protect the security and privacy of customer data. [4]

When designing a network protection system, it must be taken into account that
designing the system is an expensive matter: engineers must be trained in the systems
and the systems must be maintained, protection devices and programs are expensive, and
the increased overhead caused by security systems (resulting from intrusion detection
systems, firewalls and filters) may affect the performance of the entire network.
Security systems may be expensive, but they are cheaper than the costs that may result
from exposing the network to security problems. [4]

2.4 The Security Trinity

To build a reliable protection system, it must be based on three basic rules, the
"security trinity": prevention, detection and response are the basics of network
security systems.

Figure 2.2: Security Trinity [4]

2.4.1 Prevention

To provide the required level of security for a network, protection steps must be
implemented to prevent the exploitation of vulnerabilities . Network engineers, when
developing the system, must emphasize the plan to achieve "security trinity".
Preventing a security breach is less costly and more efficient than detecting and
responding to a breach. It should be remembered that it is impossible for network
engineers to put a security system capable of securing the network completely . But
engineers must apply all preventive procedures and policies to maintain the integrity of
the network .[4]

2.4.2 Detection

After completing the implementation of the preventive policies and procedures.


Procedures should be added to detect problems, in case the Preventive Procedures can
be compromised. Detecting problems faster enables you to eliminate problems better
.[4]

2.4.3 Response

Engineers periodically develop a response plan to provide appropriate solutions to
various security breaches. [4]

2.5 Security Model


Security engineers use three models to protect the network. Depending on the scenario
of the network, one model or a combination of models may be used. The three
models are: [4]

2.5.1 Security by Obscurity

This model depends on hiding the network to protect it, meaning it relies on the idea
that if no one knows of the existence of the network or systems, they will not be
exposed to attacks. But this model faces the problem that the existence of a network
or system cannot be hidden for a long period, and once the existence of the network
or system is known, the model is no longer valid. [4]

2.5.2 The Perimeter Defense

This model takes the idea of a castle surrounded by a moat for protection. It works by
strengthening and developing the surrounding systems and border routers, and
firewalls are widely used to protect the internal network from untrusted external
networks, so this model relies on peripheral systems and firewalls to protect the
network from any external intruders. [4]

However, this model has several major disadvantages, such as: [4]

1. This model does not protect internal systems from internal attacks, despite how
widespread internal attacks are.
2. Despite the attention this model pays to peripheral protection systems and firewalls,
any failure in them leaves the network or internal systems open to external risks.

2.5.3 Defense in Depth

This model is the most powerful of the security models. It uses the concept of defense in
depth to protect the network, by making each system protect itself in addition to
protecting the surrounding systems. This approach is considered more secure, but it is
also more difficult to set up. [4]

This model makes the network less vulnerable to internal attacks: a weakness in one of
the systems will not affect the rest of the systems, since all of them rely on
self-protection. In the event that one of the systems is breached, the rest of the systems
must discover it and take precautionary measures. [4]

2.6 Basic Terminology


There are many terms used in the world of network security that you must know before
entering this field:

2.6.1 Threats

A threat is any process that stops or reduces the quality of service. It may also affect the
confidentiality, integrity or availability of data. Some problems may also be caused by
the environment or by human error. There are several other types of threats, and all
types of threats may lead to the collapse of the network or the system. [3]

Figure 2.3 : Threats [5]

2.6.2 Vulnerability

Vulnerabilities are weaknesses in the network or system that can be exploited by an
attacker. They usually come from three sources:

I) Poor design : Hardware, operating systems and programs may contain weaknesses
that are design flaws. These can be a great danger if an attacker discovers them. [4]
II) Poor implementation : Incorrect or inaccurate configuration may result in
weaknesses. Usually this is due to the engineer's lack of experience, lack of training
or lack of focus. An example of this kind of weakness is not placing access restrictions
on sensitive data. [4]
III) Poor management : Weaknesses may result from inadequate procedures and
controls. Procedures must be documented and monitored to function properly.
Responsibilities must be clearly defined. [4]

Vulnerabilities often result from one of these sources, but they take many forms.

2.6.3 Physical Vulnerabilities

One of the basics of data protection is to provide physical protection for the network and
systems. Servers and hosts must be placed in a secure location accessible only to
authorized persons. Routers and other network devices must be placed in a safe place
with restricted access. [4]

2.6.4 Human Vulnerabilities

Some wrong human behaviors, such as carelessness, laziness and many more, may
pose major threats to network and system security. Human vulnerabilities and the
associated risks are difficult to address. [4]

2.6.5 Countermeasures

Countermeasures are techniques or methods used to combat attacks on, and
vulnerabilities of, the network and system. [2]

2.6.6 Availability

Availability is a measure of whether data is available for use by people or
organizations. Maintaining the availability of data for the longest possible period is
important. When data is lost, the work of organizations or people that depend on
information technology stops. In order to achieve high availability, you must understand
the obstacles and risks that may cause data unavailability, and how to overcome them. [1]

2.6.7 Authentication

Authentication means verifying that the person or user who wants to obtain a service or
perform a certain action is authorized to do so. The user needs to provide an
identity for verification. [3]

Figure 2.4 : Authentication methods [5]

In the authentication process, the user submits something to verify the identity,
something that could be:

I) Something you know : This type is the most commonly used; the authentication
factor is typically a username and password. This approach depends on the user
knowing the password. But this approach has the disadvantage that it is not very
secure, as spoofing it is very easy. [3]
II) Something you have : This type requires the user completing the authentication
process to have something like: [3]
• Key.
• Badge.
• Token card.
• Device.

This approach is based on the idea that the authorized person is the one who owns or
holds the object used for verification. But the disadvantage of this system is that the
object used for verification can be lost or stolen. [3]

III) Something you are : This type depends on special characteristics of the user and
is referred to as biometric authentication. It can use a scan of the iris of the eye, a
fingerprint or other characteristics. This type is difficult to deceive. [3]

2.6.8 Access Control ( Authorization )

This term refers to the permissions that the user will obtain within the network and the
system. The user obtains the permissions upon completion of the authentication
process. The permissions differ from one user to another according to their career level
in the organization. [4]

2.6.9 Accountability

Accountability is tracking the user's activity within the network or the system: the
resources accessed, the modifications made to the data, and the time spent on each of
them. This is important in the event of an error, to find out who was the cause. [4]

The three processes of authentication, authorization and accounting are complementary
to each other and are known as AAA. [3]

Figure 2.5 : AAA [6]


2.6.10 Encryption and Decryption

Encryption is the process of converting readable text into unreadable text to
maintain the confidentiality and privacy of the text during transmission and storage.
Decryption is the reverse process of encryption: converting the unreadable
(previously encrypted) text back into readable text. Each process relies on algorithms to
do its work. The original text is called plaintext and the text after encryption is called
ciphertext. [1]

Figure 2.6 : Encryption and Decryption [7]

2.6.11 Integrity

Integrity is one of the fundamentals of data security, used to verify and prevent
unauthorized changes to data. If the content of a message is changed after the sender
sends it and before the receiver receives it, the message is said to have lost its
integrity. It is also used to ensure data consistency. [1]

2.6.12 Confidentiality

Confidentiality is also called privacy and means protecting data from unauthorized
access. Restricted access is used to prevent unauthorized access, and the data is also
encrypted so that an unauthorized person cannot benefit from it. [1]


2.6.13 Non-repudiation

Non-repudiation is used to prevent people or organizations from denying the sending
or receiving of data of various kinds. This property is considered very important from
the legal side and the commercial side. In the event of transaction problems, none of
the parties involved can deny that they were part of the transaction. [4]

2.7 Challenges in security


Network and data security is both a fascinating and a complex field. Some of the
challenges facing the security process are: [1]

I) Securing data and networks is not a simple process. It may seem simple and
straightforward, given that most of the goals are called by a single name, such as
availability, authentication or authorization, but the mechanics of achieving them
are very complex.
II) After designing or developing a protection algorithm, security engineers must
research possible attacks on the algorithm's security features. Attackers usually
succeed by looking at the algorithm in a completely different way, which enables
them to attack it from an unexpected weakness.
III) When designing a security algorithm, the place where it is to be used must be
specified, both physically (for example, its location in the network according to the
security mechanism) and logically (the TCP/IP layer in which it operates).
IV) Protection mechanisms often use more than one algorithm or protocol, and usually
require users to possess confidential information (for example, an encryption key),
which raises several problems about how to create and protect that information. It
also makes the mechanism dependent on certain protocols, which may make the
mechanism difficult to develop.

2.8 Attacks
An attack is the process of attacking a network or system through a discovered
vulnerability. There are two types of attacks:

• Passive attacks : The goal of this type of attack is to eavesdrop on the sender
and receiver, learning the content of the messages exchanged between the two
parties without making any change. [1]
• Active attacks : The goal of this type of attack is to modify data or create false
data. This type is divided into: masquerade, replay, modification of messages
and denial of service (DoS). [1]

2.9 Most Common Attacks

Among the many types of attacks, we present the most common ones:

2.9.1 Spoofs

Spoofing is an umbrella term for many attacks. In general, it is any attack during which
the identity of a person or organization is impersonated to obtain information or access
to a network or system. [4]

2.9.2 IP Address Spoofing

Each device in a TCP/IP network has a unique IP address at the network level that
cannot be duplicated within the network. IP address spoofing takes advantage of
networks that use IP addresses for authentication. For example, suppose a firewall
policy has been set that allows only a limited set of IPs to reach the Internet. If the
attacker knows those IPs, he will be able to spoof one of them and reach the
Internet. [4]

2.9.3 Man in the Middle Attack

The attacker places himself between the client program and the server program in the
network, where he can access and intercept the data sent by the client, such as
passwords, credit card numbers and other sensitive data. Usually an attacker achieves
a MIM attack by using DNS or hyperlink spoofing. [4]

One of the methods used to achieve a MIM attack is to use a URL similar to an existing
URL, for example a fake address resembling www.amazon.com, which looks like the
original address of Amazon. When the victim wants to visit the Amazon website, he
mistakenly finds himself inside the fake website. [4]

The fake site has web pages similar to those of the original site. It acts as a
mediator between the customer and the original site, so that neither the customer nor
the original site notices any difference, but the purpose of the fake site is to obtain the
customer's information. [4]

Figure 2.7: MIM [5]

2.9.4 Denial of Service

A DoS attack is not used to access data, but to stop the service of the network or the
system, so that both become unavailable to the client. Unlike other attacks, a DoS
attack does not require much experience or intelligence, so it is usually used by novice
attackers. [1]

There are several examples of DoS attacks, including :[1]

I) Ping of Death .
II) SYN flooding .
III) Spamming .


2.10 – Summary

This chapter provided an introduction to the world of data and network security. It
outlined basic terminology and the most common attacks.

Chapter III Virtual Private Network

3.1 - Introduction

This chapter starts with an overview of the virtual private network and its
definition. It then presents VPN tunneling, types, categories and an overview of VPN
protocols. Finally, it shows the main advantages and disadvantages of VPNs.

3.2 - Business on the Internet


Information has become a huge part of business today, and the focus is increasingly on
its creation, dissemination and analysis. This interest is due to its importance as a
source of commercial competition and revenue. Moreover, this data is not exchanged
only within the company between employees, but also between business partners, and
between the company and its customers. [8]

The focus on digital devices and networks is due to the increasing demand for
information. Exchanging, obtaining and analyzing digital information through
websites and technical means is much easier than in the traditional way, and devices
and networks have become the basis of the business world. [8]

The LAN (Local Area Network) has long proven its benefits in the corporate
environment, but now the goal has become to obtain data from several sources, most of
which are outside the company's network. Engineers are also looking for safe and less
costly ways to connect company branches and exchange information, as well as to
connect the internal network to the Internet. [8]

The Internet enables companies to improve the ways they communicate with their
partners and branches, but the risks to data security and the cost remain among the
obstacles that companies face in this direction. [8]

Linking companies and their branches, and communicating with other companies via
the Internet, requires providing protection and security with respect to the following
points: [9]

I) Providing protection for local networks and their devices against attacks and
unauthorized actions from the Internet.
II) Providing protection for information exchanged over the Internet.

To achieve the protection of data exchanged over the Internet, the following must be
provided: [9]

I) Authentication of all parties involved in the exchange of information over the
Internet.
II) Protecting the confidentiality of data during its transfer through the network by
encrypting it.
III) Ensuring the integrity of the data, so that it is not exposed to attacks and
modifications while it is moving through the Internet.
IV) Protecting data from duplication, removal and delay.
V) Preventing either party from denying that it sent or received data.

In most cases, these functions complement each other, providing the highest degree of
protection by combining symmetric and asymmetric encryption systems. [9]

For the purpose of integrated protection, security engineers use VPNs to connect
companies and branches with each other. [9]

3.3 - Defining the VPN


There are many definitions of VPN technology in circulation, each tailored to meet the
requirements of the business and the focus of the vendors. There are two definitions
according to the references used:

• According to the first reference, a VPN is a network of virtual circuits used to
transmit private traffic. Virtual circuits are communications set up between the
two parties (the sender and the receiver) on the network, where each session is
allocated a path and a bandwidth. A VPN connection is between two or more
LANs, or between one or more remote users and a local network. [8]

According to the second reference, a VPN is a physical path created temporarily on a
public network; that is, it expresses the transmission of traffic through the VPN. This
definition covers the technology without regard to the Open System Interconnection
(OSI) layers in which it operates. There are two types of VPN technology: the first
works in the data-link layer, while the second works in the network layer. They will be
discussed later. [10]

3.4 - Virtual Circuit or Tunnel

Technically speaking, when creating virtual circuits between the parties involved in a
VPN service over the Internet, you cannot create the virtual circuits using the
mechanisms of a single type; you must rely on a set of protocols within TCP/IP to create
these circuits. [8]

A VPN over the Internet creates these circuits by encapsulating the traffic passing
between the parties involved in the VPN inside an IP packet to be sent over the
Internet, so that it can be transmitted over any medium that supports IP, avoiding the
problem of a medium that does not support the specific mechanism used. The paths in
which the encapsulated packets are carried are called tunnels rather than virtual
circuits. Tunnels provide efficient and secure communication between the parties
involved in the VPN. [8]

Figure 3.1 : VPN Tunnel [6]

3.5 - Method of Creating VPN Channels

Hosts are connected to each other via a VPN connection using a protected tunnel. The
path can be protected end to end, or only up to some point within the path, so there are
different ways to create a secure channel. In terms of security, protecting the entire path
between the connection points of a VPN is better, because it fully protects the data
passing through the network along the path. But this approach has the disadvantage of
involving every network device within the path, as it requires installing and configuring
VPN tools on each device. [9]

Therefore, if the local network is considered secure, it is better to establish the VPN
connection on the firewall or on the router located at the edge of the network, rather than
inside the network. If the passing data needs protection even within the local network,
the computer used must itself be one of the VPN connection points, with a protected
connection, and is considered an end point of the connection. When a remote employee
wants to access the local network, their computer acts as the end point of the VPN
connection. Servers and personal computers do not participate in creating a VPN
connection whose protected tunnel operates only within the public network and not
within the local network (such as a VPN connection over the Internet); routers at the
edge of the local network and/or at the ISP often act as the end points for this type of
VPN connection. [9]

One of the important reasons for creating a secure VPN connection is the large number
of intruders on Internet networks, which are more dangerous than telephone channels
and dedicated communication lines. A VPN is characterized by scalability and
control. For personal computers and servers within local networks, the protected VPN
connection is transparent, meaning that these devices or servers do not require any
change to their settings or programs. [9]

The VPN connection is established by physical network devices: the protected tunnel
is configured between two devices, the first named the tunnel initiator and the other the
tunnel terminator. The tunnel initiator encapsulates the passing traffic into a new packet
containing basic information, addresses, and information about the sender and receiver.
The tunnel terminator reverses the process of the tunnel initiator: it removes the headers
that were added and routes the packets, based on the original information, from the
source to the recipient. [9]

The encapsulation process alone does not protect the data passing through the protected
tunnel of the VPN connection. In addition to encapsulation, other processes make the
data secure: the integrity of the data is ensured by the use of encryption, and the source
of the message is confirmed by a digital signature. Since there are many different
methods of encryption and data protection, the tunnel initiator and the tunnel terminator
must agree on the types used, so that the tunnel terminator can decrypt the data and
verify the authenticity of the digital signature. The tunnel initiator and the tunnel
terminator must also share a secret key, exchanged between themselves, so that they can
establish a secure tunnel for the VPN connection. These keys are used to verify that the
parties involved in the VPN connection are authorized. [9]
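The initiator/terminator exchange described above, as an added example in Python that is not part of this project's own work: a toy IP-in-IP tunnel in which the initiator wraps the original packet in a new outer IPv4 header carrying the tunnel endpoint addresses and appends an integrity tag computed with the shared secret key, and the terminator verifies the tag before removing the outer header. The addresses, key and payload are constructed, and the HMAC tag stands in for the digital signature the text mentions; it is not the real IPsec AH/ESP format.

```python
"""Toy model of a VPN tunnel initiator and terminator (added example, not the
project's code).  The initiator encapsulates an inner IP packet in an outer
IPv4 header (tunnel endpoint addresses) and appends an HMAC tag derived from
a pre-shared key; the terminator checks the tag, strips the outer header and
hands the original packet on.  All addresses, keys and payloads are constructed."""
import hmac
import hashlib
import struct
import ipaddress

PROTO_IPIP = 4   # IP-in-IP protocol number carried in the outer header
TAG_LEN = 16     # truncated HMAC-SHA256 tag appended to the encapsulated packet


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ip_checksum(hdr)                      # computed with checksum field = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); rejects a damaged header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:              # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def integrity_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag over the encapsulated packet; both ends must use the same key."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def tunnel_initiator(inner_pkt: bytes, tunnel_src: str, tunnel_dst: str, key: bytes) -> bytes:
    """Encapsulate the original packet behind the tunnel endpoints' addresses."""
    body = inner_pkt + integrity_tag(key, inner_pkt)
    return build_ipv4(tunnel_src, tunnel_dst, PROTO_IPIP, body)


def tunnel_terminator(outer_pkt: bytes, key: bytes) -> bytes:
    """Verify the tag, strip the outer header and return the original packet."""
    _src, _dst, proto, body = parse_ipv4(outer_pkt)
    if proto != PROTO_IPIP or len(body) <= TAG_LEN:
        raise ValueError("not a tunnel packet")
    inner_pkt, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, integrity_tag(key, inner_pkt)):
        raise ValueError("integrity check failed: packet modified or wrong key")
    return inner_pkt


if __name__ == "__main__":
    key = b"constructed-pre-shared-key"
    inner = build_ipv4("10.1.0.5", "10.2.0.9", 6, b"hello")   # private LAN addresses
    outer = tunnel_initiator(inner, "198.51.100.1", "203.0.113.7", key)
    print("outer header:", parse_ipv4(outer)[:3])
    print("round trip ok:", tunnel_terminator(outer, key) == inner)
    damaged = bytearray(outer)
    damaged[20 + 16] ^= 1          # flip a bit in the inner destination address
    try:
        tunnel_terminator(bytes(damaged), key)
    except ValueError as err:
        print("terminator rejected modified packet:", err)
```

Only the outer addresses are visible on the public path; a change to the inner packet, or a terminator holding a different key, fails the tag check before the packet is forwarded.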

3.6 - Types of VPNs

There are two types of VPN, according to the layer of the OSI model in which they
operate:

3.6.1 Layer 2 VPN (Data-link Layer) :

This is a VPN mode implemented at Layer 2 of the OSI model. In a Service Provider (SP)
or Internet Service Provider (ISP) architecture, the traffic of a layer 2 VPN is routed
over a layer 3/IP network, and at the other end (the receiver) it is returned to
layer 2. [10]

Mostly, MPLS-label-based layer 2 VPNs send traffic to the layer 3 or ISP cloud's edge
routers when carrying data from sender to receiver. The ISP routers choose the best path
for the data to pass from sender to receiver, and it is sent as an L3 or IP packet. If both
parties (the sender and the receiver) are using a layer 2 VPN, the ISP returns the data
to the layer 2 mode of both parties. [10]

Figure 3.2 : Layer 2 VPN [7]


3.6.2 Layer 3 VPN (Network Layer) :

This is a VPN mode implemented at Layer 3 of the OSI model; this routing mode is
based on the default layer 3 routing and forwarding techniques. It is also known as
virtual routing and forwarding. [10]

The Border Gateway Protocol (BGP) is often used in the sending and receiving of a
layer 3 VPN. A layer 3 VPN uses Virtual Routing and Forwarding (VRF) to separate and
manage each user's private data. Layer 3 VPN technology is created by a combination
of IP- and MPLS-based technologies. [10]

Figure 3.3 : Layer 3 VPN [7]

3.7 - Categories of VPNs

VPNs are divided into two categories:

3.7.1 Remote Access VPN

This category of VPN enables mobile employees and fixed locations to access a
central location. For example, an employee who travels from one country to another, or
works from home, wants to access the devices inside the company. If the employee has
an Internet connection and the company's network containing the devices also has an
Internet connection, a connection can be established from wherever the employee is
located to the company's network. [10]


The following figure shows examples of Remote Access VPN connections created over
the Internet. An employee working from home in city A establishes a VPN connection
with the company through a DSL device that connects to the company via the Internet.
In city B, another employee, inside a hotel, establishes a dial-up connection with the
ISP. [10]

Figure 3.4 : Remote Access VPN [10]

The VPN connection starts from the employee and may reach a server inside the
network, or it may terminate at the router. In the previous figure, the VPN connection
of the employee in city A terminates at the router of the network; the router supports the
VPN protocols that the employee uses to establish the connection. The employee in
city B, using a mobile phone, connects to the ISP via the public switched telephone
network (PSTN) to establish a VPN connection with the server inside the corporate
network. Relying on the router to establish the VPN connection may place some
restrictions on the employee's access to one device or a group of devices within the
network, while with a VPN connection to the server inside the network, the employee
will be able to control the server settings and access the rest of the network devices
through the server. Firewalls can also be used to establish a VPN connection. [10]


3.7.2 Site-to-Site VPN

As the name of this category indicates, it is used to connect two or more sites to each
other via a VPN connection. It is often used to connect the branches of a company in
different geographical areas with each other, and with the main branch of the company,
via the Internet. Different companies can also establish a VPN connection between each
other. [10]

The following figure shows a Site-to-Site VPN in which a gateway performs the
functions of the VPN. A Site-to-Site VPN connection can be established by physical
devices: by VPN-capable routers, by firewalls, or by a separate VPN system such as the
gateway in the figure. [10]

In scenarios like the one in the figure, employees easily reach the gateways responsible
for establishing the connection. A Site-to-Site VPN thus removes the need to configure
every client, and makes the gateway responsible for the authentication and encryption
process. [10]

Figure 3.5 : Site-to-Site VPN [10]


3.8 - VPN Protocols

This section gives a brief introduction to a set of protocols used to create a secure VPN
connection:

3.8.1 Point-to-Point Tunneling Protocol

Point-to-Point Tunneling Protocol, widely known as PPTP, is a protocol responsible for
securing data transmitted between a remote user and the server over a VPN connection
within an IP network (such as the Internet).

This protocol uses two types of packets: [10]

I) Control Packets : This type is used for connection control, for example for
signaling and status queries.
II) Data Packets : This type is used to transfer user data, encapsulated by the Generic
Routing Encapsulation (GRE) protocol.

3.8.2 Layer 2 Tunneling Protocol

Layer 2 Tunneling Protocol, widely known as L2TP, is an evolution of the Layer 2
Forwarding protocol (L2F). L2F was a protocol configured only on Cisco devices; it
was used to create UDP-encapsulated tunnels between remote access concentrators and
routers. Engineers developed the L2F protocol further to gain more advantages,
combining the advantages of L2F with the best features of PPTP to create a new
protocol with all of these advantages, named L2TP. [10]

3.8.3 Internet Protocol Security

Internet Protocol Security, widely known as IPSec, is a set of data security protocols
that provide authentication, encryption and key management. It is an extension of the
most famous protocol, the IP protocol. In addition to what was mentioned above, it also
provides data integrity protection and prevents man in the middle (MITM) attacks.
This protocol is discussed in more detail in the next chapter. [10]


3.8.4 Secure Sockets Layer and Transport Layer Security

Secure Sockets Layer and Transport Layer Security, widely known as SSL and TLS,
are protocols added to the fourth layer (the Transport Layer) of the OSI model. These
protocols secure communication between clients and servers. Both protocols are very
similar, and they are widely used in browsers for information exchange. [10]

Both protocols use certificates to achieve authentication between the server and the
client. Information is also exchanged about the encryption methods used and the
session keys. [10]

SSL and TLS can be used to secure any application running in a TCP/IP network, but
they mainly work with the Hypertext Transfer Protocol (HTTP), the protocol used to
transfer web pages between a server and a client. [10]

3.9 - Advantages of VPN

In this section, the most important advantages of using a VPN are presented: [8,9,10]

I) Traffic is encrypted and transmitted through the network securely.
II) A VPN makes it difficult for attackers to compromise data passing through the network.
III) A VPN is much cheaper than other types of security.
IV) VPN designs are easy to use, which increases the demand for them.
V) A VPN is characterized by high scalability.

3.10 - Disadvantages of VPN

In this section, the most important disadvantages of using a VPN are presented: [8,9,10]

I) Defects in the VPN settings may result in domain name and IP address leaks, which
make it easier for an attacker to reach the information.
II) The cost of a VPN varies with its features, so it is necessary to ensure that the
required benefits are obtained within the available budget.
III) VPN features can be used for illegal purposes.


3.11 - Summary
This chapter provided an introduction to the world of VPNs and some related topics. It
outlined the main advantages and disadvantages of VPNs.

Chapter IV IP Security

4.1 – Introduction

This chapter begins with an overview of the history and structure of IPSec. It explains
the security association and the IPSec protocols and modes. It also explains how IPSec
functions.

4.2 – IP-Sec Overview

Previously, IP packets were unsecured and vulnerable to many attacks during their
transmission within the network (among the attacks mentioned above: accessing
confidential data, modifying data, denying sending or receiving, changing the source or
destination of the message, and many others). [11]

Relying on IP alone, there is no guarantee that packets were received from the
expected sender, or that the data was not modified or seen in transit. [11]

IPSec was therefore created to address these problems, by providing different layers of
protection that offer authentication, encryption, assurance of the source and destination
of the message, and other strengths of data security. [11]

The most common misconception about IPsec is that it is a single protocol used to solve
the data security problems of traffic passing through the network. In reality, IPSec is a
set of protocols, defined by the IETF, that are used to provide security. They are
defined in more detail in RFC 2401 as: [9]

I) Security Protocols: the Authentication Header (AH) and Encapsulating Security
Payload (ESP) protocols.
II) Key Management: ISAKMP and IKE.
III) Algorithms: used for encryption and authentication.

With IPSec, a powerful mechanism is provided to protect the IP protocol and the upper
layer protocols (such as TCP and UDP). [1]


4.3 - History

In October 1993, at Columbia University, Matt Blaze of Bell Laboratories presented a
security system at the IP (network) layer under the title "The Architecture and
Implementation of Network Layer Security in UNIX". This project was a turning point in
the world of security and communications, as its goal was to implement security
features without changing the IP architecture. It discussed how to encapsulate IP
packets in a new IP datagram, the advantages of encapsulation, and how to integrate
authentication and transparency for protocols running at the upper layers. [11]

With the exponential growth of, and demand for, Internet services, many vulnerabilities
emerged in the TCP/IP protocol suite. The industry found itself confronting these
vulnerabilities and needed technology to address them. In 1994, the Internet
Architecture Board issued a consensus statement, "Security in the Internet
Architecture", on the need for security over the Internet.[11]

In 1995, what are known today as standards-based VPNs began with the Automotive
Industry Group, a non-profit association of automobile manufacturers and suppliers,
which created the Automotive Network Exchange. The project required a TCP/IP network
connecting merchants, service providers and network exchange points, and this system
needed effective and secure communications between its parts. Standards-based VPNs have
since become the go-to solution for organizations that need to provide security.[11]

4.4 - Structure

IPsec is defined by a set of RFCs that separate the layers of the technology. Some
RFCs describe specific parts of IPsec, and others describe the solutions they provide
as a whole. [11]

Figure 4.1 illustrates the five groups, which allow each aspect of IPsec to be
developed separately. A real understanding of these groups makes them much easier to
manage.[11]


Figure 4.1 : IPSec Document Roadmap [11]

The five groups: [11]

I) Architecture: a comprehensive description of the entire set of technical and
security concepts. This is the starting point for understanding the IPsec family of
protocols.
II) Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols:
these define the packet formats as well as the packet-structure standards.
III) Encryption algorithms: describe the different methods or techniques used in ESP.
IV) Authentication algorithms: describe the different methods or techniques used in
both AH and ESP to achieve authentication.
V) Key management: an explanation of the standards and protocols used in key
management.

4.5 - Security Association

A security association (SA) is fundamental to IPsec: it is the set of communication
attributes or characteristics used to provide communication between two or more
parties. [1]


When IPsec is used to establish a connection and exchange data correctly between two
parties, security algorithms and encryption keys must be associated with that
particular connection. The SA is the outcome of the dialogue in which the two parties
reach agreement on how to protect the data and exchange keys.[1]

A device can create more than one SA; each is identified by the Security Parameter
Index (SPI), a field in the AH and ESP headers. The SPI allows the system to define the
operations on the data according to the SA assigned to it. After a network device
receives an IP packet, it checks the SPI to identify the packet's SA and determine the
set of operations to apply. [11]

Understanding the basic concept of an SA is very important, given the number of
procedures involved in creating, maintaining, selecting and deleting SAs.[11]

4.6 IPSec Security Protocols


The main purpose of IPsec is to protect IP packets at the IP layer. AH and ESP are the
IPsec security protocols; before going into the details of each, you should look at the
IPsec modes (transport mode and tunnel mode). IPsec can be used in either mode. In
transport mode, the payload of the IP packet is encrypted but the IP header remains in
clear text. In tunnel mode the situation is different, as explained in detail in the
following sections. [9, 1]

4.7 IPSec Transport Mode


In this mode, the IPsec header of either protocol (AH or ESP) is inserted between the
IP header and the upper-layer protocol header [9].

This mode protects the transport header with either protocol, as the protocols
intercept the data coming from the transport layer and apply the configured security.[1]

No change is made to the IP header except for some very simple ones, such as
recalculating the IP header checksum. IPsec assumes that it has access to an IP
endpoint, so neither the source IP address nor the destination IP address is changed.
This mode is used in scenarios where data protection is required and the IP endpoint is
the same as the IPsec endpoint.[9]

From an IPsec point of view, this mode is very useful if the data to be protected
passes between two hosts rather than between two sites. The big problem with this mode
arises if it is used to link two sites, since that involves managing protection from one
host to every host it can communicate with.[9]

Figure 4.2 : IP Packet in IPSec Transport Mode [9]

4.8 IPSec Tunnel Mode


This mode is the default. In this mode, the original IP packet is fully protected by
IPsec: IPsec encapsulates the original IP packet, encrypts it, adds a new IP header, and
sends it to the other party.[1]

This mode is commonly used between gateways (routers or firewalls) to encrypt the
traffic between secure IPsec gateways.[1]

In this mode, as mentioned, the packet is encapsulated in a new IP datagram, and an
IPsec header is added between the original IP header and the new IP header. Because of
this encapsulation, the mode can be used between gateways to hide the original source
and destination IP addresses, placing the gateways' addresses in the new IP header
instead.[1]

Figure 4.3 : IP Packet in IPSec Tunnel Mode [1]

4.9 Encapsulating Security Payload


ESP provides various protection services to secure traffic: data confidentiality,
integrity, authentication between source and destination, and anti-replay. The extent
of confidentiality and integrity protection depends in part on the mode used. In tunnel
mode, the inner IP header (the original IP header) is fully protected while the outer
IP header (the new IP header) is unprotected. In transport mode there is no inner IP
header, so IP-layer protection is limited. The services provided depend on the options
selected in the SA [11].

ESP provides confidentiality and data integrity. ESP does not mandate specific security
algorithms but leaves an open standard for the algorithms used, which are defined when
the SA is created. The standard specifies the processing procedures needed for common
encryption operations, but not which algorithms are used for encryption. If only
authentication is required, AH is used.[11]


Confidentiality and authentication are the basic services that ESP provides. Both are
optional, but an ESP implementation must provide encryption or authentication or both.
In testing there were attempts to use a null cipher without authentication. The basic
concept remains: if encryption and authentication are required, ESP is used; if
stronger and more extensive authentication is required together with a cipher, AH is
used.[11]

Figure 4.4 : IP Packet Protected by ESP [9]

In the IP header, the protocol field is set to 50 for ESP. The ESP header is added
between the IP header and the upper-layer protocol header. Whether the original IP
header is kept or a new IP header is used depends on the mode.[9]

4.9.1 IP Packet Protected by ESP in Transport Mode

When ESP is used in transport mode, the original IP header is kept, and an ESP header
is added between it and the upper-layer protocol header (for example TCP), as shown; an
ESP trailer is also added. ESP encrypts the transport-layer header, the payload and the
trailer, which means that the content of a packet is protected as it passes through WAN
networks. Authentication in ESP is optional and, when used, does not cover the entire IP
packet: authentication covers from the ESP header to the ESP trailer. The data covered
by authentication is protected in terms of authenticity and integrity. The disadvantage
of ESP authentication is that, unlike AH, it does not include the original IP header,
meaning that a modification of the IP header information cannot be discovered. Instead,
authentication relies on the keyed hash function. [1]

Figure 4.5 : IP Packet Protected by ESP in Transport Mode [9]

4.9.2 IP Packet Protected by ESP in Tunnel Mode

When ESP is used in tunnel mode, a new IP header is added and the ESP header is placed
between the original and the new IP header. ESP in this mode differs from the previous
one in that the entire original packet, together with the ESP trailer, is encrypted.
This gives greater resistance to traffic analysis, especially since applying
gateway-to-gateway encryption hides the original source and destination IP addresses
while the traffic crosses the WAN. However, the new IP header is not encrypted, which
gives AH an advantage in terms of authentication.[1]

Figure 4.6 : IP Packet Protected by ESP in Tunnel Mode [9]


4.10 Authentication Header


AH provides data integrity protection, end-to-end authentication and anti-replay
protection but, unlike ESP, it does not provide data confidentiality, so the AH header
is much simpler than the ESP header. [1]
As the figure shows, the AH header contains a set of fields that are used to create and
maintain the SA.[11]

In the IP header, the protocol field is set to 51 (AH is registered as protocol 51 with
IANA). This means that the header following the IP header is the AH header.[11]

Figure 4.7 : IP Packet Protected by AH [9]

4.10.1 IP Packet Protected by AH in Transport Mode

The AH header is inserted after the IP header and before the TCP header. It provides
full protection of the data, in terms of authenticity and integrity, except for the
mutable fields of the IP header. All mutable fields are set to zero (0), and the entire
packet content, together with the shared key, is then used as the input to the hash
process to achieve authenticity. Any change to any information in the packet causes the
authenticity check to fail, resulting in an unusable packet (unlike ESP, where the
source or destination IP addresses may be modified because the addresses are outside
the authenticity verification). [1]


Figure 4.8 : IP Packet Protected by AH in Transport Mode [9]

4.10.2 IP Packet Protected by AH in Tunnel Mode

The AH header is added after the new IP header and before the original IP header (the
original header contains the original source and destination addresses, while the new
header may contain other addresses, for example the gateway addresses). [1]

Figure 4.9 : IP Packet Protected by AH in Tunnel Mode [9]

AH feeds the entire packet (except the mutable fields, which are set to zero), up to and
including the new IP header, into the authenticity process. Any change to the
information leads to a negative result in the recipient's authenticity check. Compared
with AH in transport mode, which provides authentication between hosts, AH in tunnel
mode extends authentication to gateway-to-gateway, where each gateway holds the shared
key used for authentication. [1]
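The difference in what the authentication covers, described above for ESP in transport mode (4.9.1) and for AH in transport mode (4.10.1), shown as an added example that is not part of the project report. It builds both packet layouts with HMAC-SHA-256-128 as the keyed hash and the ESP NULL cipher, so it runs with the Python standard library; the key, addresses, SPIs and "TCP segment" bytes are constructed sample values.

```python
"""
Added example (not from the project report): what the integrity check value
(ICV) covers in AH transport mode versus ESP transport mode. HMAC-SHA-256-128
(RFC 4868) is the keyed hash and ESP uses the NULL cipher (RFC 2410).
Key, addresses, SPIs and the "TCP segment" bytes are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
ICV_LEN = 16    # HMAC-SHA-256 output truncated to 128 bits
IPV4_HDR = 20   # no IP options in this example (IHL = 5)

def ip_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload_len, ttl=64):
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len,
                                0x1234, 0x4000, ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr)

def _rewrap(ip_hdr, proto, total_len):
    # Copy of the IP header with a new Protocol and Total Length, checksum refreshed
    hdr = bytearray(ip_hdr)
    hdr[9] = proto
    struct.pack_into("!H", hdr, 2, total_len)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr)

def zero_mutable(ip_hdr):
    """AH zeroes the fields a router may legitimately change in transit before
    hashing (RFC 4302): TOS, flags/fragment offset, TTL and header checksum."""
    hdr = bytearray(ip_hdr)
    hdr[1] = hdr[8] = 0
    hdr[6:8] = hdr[10:12] = b"\x00\x00"
    return bytes(hdr)

def keyed_hash(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_transport_protect(ip_hdr, payload, key, spi=0x1001, seq=1):
    """IP | AH | payload. The ICV covers the (zeroed) IP header, AH and payload."""
    ah_len = 12 + ICV_LEN
    outer = _rewrap(ip_hdr, IPPROTO_AH, IPV4_HDR + ah_len + len(payload))
    # Next Header keeps the original protocol; Payload Len is 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", ip_hdr[9], ah_len // 4 - 2, 0, spi, seq)
    icv = keyed_hash(key, zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + payload)
    return outer + ah_fixed + icv + payload

def ah_transport_verify(pkt, key):
    ah_end = IPV4_HDR + 12 + ICV_LEN
    ip_hdr, ah_fixed, icv, payload = (pkt[:IPV4_HDR], pkt[IPV4_HDR:IPV4_HDR + 12],
                                      pkt[IPV4_HDR + 12:ah_end], pkt[ah_end:])
    expected = keyed_hash(key, zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr[9] == IPPROTO_AH and hmac.compare_digest(icv, expected)

def esp_transport_protect(ip_hdr, payload, key, spi=0x2002, seq=1):
    """IP | ESP header | payload | trailer | ICV. The ICV covers ESP header to trailer."""
    pad_len = (-(len(payload) + 2)) % 4        # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, ip_hdr[9]])
    outer = _rewrap(ip_hdr, IPPROTO_ESP, IPV4_HDR + len(body) + ICV_LEN)
    return outer + body + keyed_hash(key, body)

def esp_transport_verify(pkt, key):
    ip_hdr, body, icv = pkt[:IPV4_HDR], pkt[IPV4_HDR:-ICV_LEN], pkt[-ICV_LEN:]
    return ip_hdr[9] == IPPROTO_ESP and hmac.compare_digest(icv, keyed_hash(key, body))

def forward_hop(pkt, new_dst=None):
    """A router hop: TTL decremented (mutable) and, optionally, the destination
    rewritten as a NAT device or a tampering middlebox would do."""
    hdr = bytearray(pkt[:IPV4_HDR])
    hdr[8] -= 1
    if new_dst:
        hdr[16:20] = socket.inet_aton(new_dst)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[IPV4_HDR:]
```

With the destination address rewritten in transit, the AH packet fails verification while the ESP packet still verifies, which is exactly the gap in ESP's coverage the text describes; a TTL decrement alone breaks neither.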

4.11 IPSec Function

IPsec relies on a variety of protocols and methods to achieve its goals; they are
classified according to the goal they achieve:

4.11.1 Encryption

This type is used to achieve data confidentiality and is divided into two kinds:

- Symmetric keys: the same key is used for encryption and decryption on both sides.
The two parties must share the key before encryption and decryption can begin; this
key is called a shared secret. Among the best-known algorithms of this type are DES,
3DES and AES [11].

- Asymmetric keys: encryption of this type depends on a pair of keys known as the
public key and the private key, which are mathematically related. Data encrypted with
one of the keys can only be decrypted with the other key of the pair, and knowing one
key does not give the ability to derive the other. The names public and private
describe the role of each key: the public key is given to everyone and is used to
encrypt data sent to the key's owner, while the private key is secret, known only to its
owner, who uses it to decrypt messages. Among the best-known algorithms of this type are
RSA and Diffie-Hellman [11].

4.11.2 Authentication

Used by the two parties to authenticate each other. Authentication is done in
different ways:

- Pre-shared key: a secret shared between the two parties and installed in advance,
used by both parties in a keyed hash to achieve authentication. [3]


- Public key cryptography: this type depends on asymmetric keys. Each party generates a
random number, combines it with its ID, and encrypts the result with the other party's
public key; the other party decrypts it with its own private key and obtains the ID.
Authentication depends on each party obtaining the ID of the other party. This process
is highly unreliable: an unauthorized person can find out someone's ID and then use it
to impersonate them. [3]

- Digital signatures: the safest and best-known type, based on asymmetric keys. To
authenticate, each party sends the other a message encrypted with its own private key,
and the recipient decrypts the message with the sending party's public key. This relies
on the fact that nobody else holds the private key, so the party that encrypted the
message with it must be the intended one.[3]

4.11.3 Integrity

It is used to ensure that the data is correct and has not been changed during its
transmission in the network. It depends on the hash function, a way of condensing data
that is never reversible: the inputs are texts of different lengths and the outputs have
a fixed length that depends on the algorithm used. To ensure the validity of the data,
the sender computes the hash value of the message before sending it, appends the hash
value to the message and sends them together. When the other party receives the
message, it computes a new hash value from the message and compares it with the received
hash value. If they are the same, the message has not been changed; otherwise, the
message has been modified. Among the best-known algorithms of this type are SHA and
MD5. [3]

4.12 - Summary

This chapter provided information about the packet format, which depends on the mode
used, and the type of protection that IPsec provides, which depends on the protocol
used.

Chapter V Implementation of VPN and Data Analysis
Chapter V Experiments and Results

5.1 Introduction

This chapter presents everything related to the practical part, from the implementation
requirements to the implementation phase. The simulation is performed using the GNS3
simulation environment and Wireshark. The main purpose of this project is to analyze the
network traffic at the ISP when relying on a GRE tunnel VPN and when relying on an IPsec
VPN, to find the best way to transmit data while maintaining data security.

5.2 The Requirements

The practical part needs a set of software and other components to facilitate the
implementation of the project.

5.2.1 Software

- GNS3: to implement the comparison between traffic analysis in a GRE tunnel VPN and in
an IPsec VPN, network hardware simulation software is needed. For this purpose,
Graphical Network Simulator 3 (GNS3) is used. It is a network software emulator that
enables the combination of real and virtual machines.

Figure 5.1 The Icon of GNS3 [xx]


- Wireshark: the widely used network protocol analyzer. It lets you see what is
happening on your network at a microscopic level and is the de facto standard across
many commercial and non-profit enterprises and educational institutions. How it is used
is explained later.

Figure 5.2 The Icon of WireShark[xx]

5.2.2 The Simulation Tool

Cisco Router 7200: the IOS image of the required router had to be downloaded. The IOS
image (c7200-jk9s-mz.124-13b.image) is for the 7200 series router. All routers shown in
the following network figures are from this series.

Figure 5.3 IOS Image for 7200


Figure 5.4 IOS Image Installation

5.3 The GRE Tunnel Topology

In this part, everything related to the GRE tunnel protocol will be explained, from the
network topology to traffic analysis.

5.3.1 Network Topology

In this topology, connectivity is available between network 11.0.0/30 and network
12.0.0/30 using the OSPF routing protocol, enabled on the ISP, Br-1 and Br-2 routers.
To connect the Br-1 and Br-2 LANs (represented by loopback interfaces), however, a GRE
tunnel is used.

Figure 5.5 GRE Tunnel Topology


5.3.2 GRE Tunnel Configuration

After implementing the OSPF routing protocol so that the 11.0.0/30 and 12.0.0/30
networks can reach each other, an "Interface Tunnel" must be created at both VPN ends to
connect the local networks to each other; the tunnel source and destination must be
specified at each end (the commands are executed on both ends of the connection).

Figure 5.6 Create Interface Tunnel

When showing the routing table at one end of the VPN, for example on Br-1, you will
notice that it reaches 2.2.2.2/32 (representing the local network of Br-2) via the
tunnel's network.

Figure 5.7 Br-1's Routing Table

Also, the ISP has no route to the local networks of either VPN party, because that
traffic is passed through the tunnel.


Figure 5.8 ISP's Routing Table

5.3.3 GRE Tunnel Topology Traffic Analysis

First, activate traffic capture in Wireshark.

Figure 5.9 Start Capture

Second, send some traffic between the two local networks.

Figure 5.10 Ping Command

The capture results show that although the ISP has no route to the local networks, the
traffic passing between the two networks through it can easily be captured and
analyzed, since it is passed in clear text.


Figure 5.11 Data Analysis

Figure 5.12 Packet Analysis

5.4 The IP-Sec VPN Topology

In this part, everything related to the IPsec VPN will be explained, from the network
topology to traffic analysis.

5.4.1 Network Topology

In this topology, connectivity is available across the entire network, between all
networks (unlike the previous topology).

Figure 5.13 IPSec VPN Topology


5.4.2 IPSec VPN Configuration

After implementing the OSPF routing protocol so that all networks can reach each other,
some configuration is needed on the two parties so that they agree on the parameters
used in the IPsec VPN. The first of these configurations is to agree on the parameters
of the keys used and how to protect them.

Figure 5.14 Keys Configurations

The second step is to configure the transform-set, the set of parameters that protect
the data being transferred.

Figure 5.15 Transform-Set Configurations

An access control list is used on both ends to select the networks to which the IPsec
VPN services will be applied.

Figure 5.16 ACL Configurations on Br-1

Figure 5.17 ACL Configurations on Br-2


5.4.3 IPSec VPN Topology Traffic Analysis

First, activate traffic capture in Wireshark.

Figure 5.18 Start Capture

Second, send some traffic between the two local networks.

Figure 5.19 Ping Command

The capture results show that even though the ISP has routes to the local networks, the
information obtained from the capture cannot be viewed and analyzed, because the traffic
passing between the two networks is carried as ciphertext that can only be decrypted by
the two parties who own the encryption keys. The original source and destination IP
addresses are also hidden behind the gateway IP addresses.

Figure 5.20 Data Analysis


Figure 5.21 Packet Analysis

5.5 Explain Traffic Analysis

Looking at the traffic analysis results obtained with Wireshark, we notice that by
analyzing the GRE tunnel's traffic it is possible to read the packet's content (for
example the source IP, destination IP, protocol type and more). When the IPsec VPN is
used, the packet content cannot be known because of the encryption: only a source IP and
destination IP are visible, and these are not the original source and destination,
because IPsec tunnel mode is used, while the rest of the information is encrypted under
the ESP protocol. This analysis shows the importance of using the IPsec suite to
protect the data sent between the sender and receiver over the Internet.
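The observer's view just described, as an added example that is not part of the project report: a small dissector applied to two constructed packets, an ICMP echo between the loopbacks carried in the GRE tunnel and the same traffic carried in ESP tunnel mode. The gateway addresses 11.0.0.1 and 12.0.0.1, the SPI and the ICMP data are assumed sample values, and the ESP "ciphertext" is a placeholder byte string rather than real cipher output.

```python
"""
Added example (not from the project report): what a passive observer at the
ISP can read from the two lab tunnels. Gateway addresses 11.0.0.1 / 12.0.0.1,
the SPI and the ICMP data are assumed; the ESP ciphertext is a placeholder.
"""
import socket
import struct

IPPROTO_ICMP, IPPROTO_GRE, IPPROTO_ESP = 1, 47, 50
GRE_ETHERTYPE_IPV4 = 0x0800


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header, no options; checksum left zero since it is not dissected."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def observer_view(pkt):
    """Fields an on-path capture can parse without any key material."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    view = {"outer_src": socket.inet_ntoa(pkt[12:16]),
            "outer_dst": socket.inet_ntoa(pkt[16:20]),
            "outer_proto": proto}
    body = pkt[ihl:]
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        # Basic 4-byte GRE header only (no checksum/key/sequence options set)
        if flags == 0 and ptype == GRE_ETHERTYPE_IPV4:
            inner = body[4:]
            inner_ihl = (inner[0] & 0x0F) * 4
            view.update(inner_src=socket.inet_ntoa(inner[12:16]),
                        inner_dst=socket.inet_ntoa(inner[16:20]),
                        inner_proto=inner[9],
                        inner_payload=inner[inner_ihl:])
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # Everything after SPI and sequence number is ciphertext plus ICV
        view.update(spi=spi, seq=seq, opaque_bytes=len(body) - 8)
    return view


# Constructed lab traffic: Br-1's loopback pings Br-2's loopback.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 0x0001) + b"constructed ping data"
INNER = ipv4_packet("1.1.1.1", "2.2.2.2", IPPROTO_ICMP, ICMP_ECHO)

GRE_PACKET = ipv4_packet("11.0.0.1", "12.0.0.1", IPPROTO_GRE,
                         struct.pack("!HH", 0, GRE_ETHERTYPE_IPV4) + INNER)

# In ESP tunnel mode the whole INNER packet is encrypted; the bytes below only
# stand in for that ciphertext and its ICV (no real cipher is applied here).
PLACEHOLDER_CIPHERTEXT = bytes((i * 37 + 11) & 0xFF for i in range(len(INNER) + 24))
ESP_PACKET = ipv4_packet("11.0.0.1", "12.0.0.1", IPPROTO_ESP,
                         struct.pack("!II", 0x0000C0DE, 7) + PLACEHOLDER_CIPHERTEXT)


def compare_tunnels():
    """Both views side by side, as in the Wireshark comparison of section 5.5."""
    return {"gre": observer_view(GRE_PACKET), "esp": observer_view(ESP_PACKET)}


if __name__ == "__main__":
    for name, view in compare_tunnels().items():
        print(name, view)
```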

5.6 Summary

This chapter provided an overview of the project, from its purpose and implementation
requirements to the steps and results. The traffic analysis obtained shows that using
IPsec data protection in VPN technology is important for maintaining confidentiality,
data integrity and the authenticity of the source and destination.

Chapter VI Conclusion and Future Work

6.1 Conclusion
In this project, we first discussed the issues facing data security, which has become
one of the most important trends in the world of technology as technology has taken over
industry and security risks have increased. We discussed security models, the most
important terminology in the world of data security, and the challenges that engineers
may face.

The focus of this project was on protecting data during its transmission over Internet
networks by using the IPsec suite. So the topics related to VPN technology were defined,
and its types, categories, protocols and advantages were discussed. The focus then turned
to IPsec in particular, because it is the basis of the project: its structure, the
protocols that provide the different types of protection, and the modes that give the
packet its different formats during transmission within the network.

To confirm the security advantages that IPsec provides in protecting data during its
transmission within the network, a topology was created in the practical part and a VPN
was applied to it. The first time, it was implemented using the GRE tunnel protocol,
which, although it hid the local networks from the ISP, did not provide the required
protection for the data, which remained accessible to an attacker. The second time, it
was implemented using the IPsec suite, which provided integrated protection for the data
during its transfer within the network: even after capturing the data, an attacker would
not be able to take advantage of it.

6.2 Future Work


In this project a comparison was made between IPsec and the GRE tunnel protocol,
according to the protection each of them provides to the data transferred within the
network. Future work on the project is a comparison in terms of performance, i.e.
comparing the delay and the impact on the service imposed by each protocol.

References

[1] A. Kahate, "Cryptography-Network-Security-Atul-Kahate.Pdf," p. 535, 2008.
[2] "Exabeam | Cybersecurity & Compliance With SIEM and XDR." https://www.exabeam.com/ (accessed Sep. 01, 2022).
[3] D. Puthal, X. Wu, N. Surya, R. Ranjan, and J. Chen, "SEEN: A selective encryption method to ensure confidentiality for big sensing data streams," IEEE Trans. Big Data, vol. 5, no. 3, pp. 379–392, 2019, doi: 10.1109/TBDATA.2017.2702172.
[4] J. Seitz, Fundamentals of Network Security, vol. 24, no. 1, 2002.
[5] "SecurID Identity and Access Management." https://www.securid.com/ (accessed Sep. 01, 2022).
[6] "ISP Software | ISP Billing | ISP CRM - Height8." https://www.height8tech.com/ (accessed Sep. 01, 2022).
[7] "Venafi Machine Identity Management | Venafi." https://www.venafi.com/ (accessed Sep. 01, 2022).
[8] T. Changing, B. Environment, T. Internet, and U. I. Technology, Preface PART I — The Internet and Business CHAPTER 1 — Business on the Internet CHAPTER 2 — Virtual Private Networks CHAPTER 3 — A Closer Look at Internet VPNs PART II — Securing an Internet VPN CHAPTER 4 — Security: Threats and Solutions CHAPTER 5 — Usi.
[9] P. Wouters, K. Bantoft, and Safari Books Online (Firm), Building and Integrating Virtual Private Networks with Openswan, 2006.
[10] G. Burnes and G. Stoller, Virtual private networking, vol. 3, no. 1, 1998.
[11] T. Guide, IPSec Virtual Private.
