VPN - Virtual Private Network
Christian Tettamanti, ing. HES
Start date: 01.02.2002
Duration: 1+1 years

Project team:
• Stefano Ventura, prof. HES
• Christian Tettamanti, ing. HES
• Pascal Gachet, ing. HES
• Gérald Litzistorf, prof. HES
• Philippe Logean, ing. HES
• Nicolas Sadeg, ing. HES
VPN - Goals Of The Project
VPN Project (Open Source)
• Phase I: Protocols
• Phase II: Authentication
• Phase III: Deployment
VPN - Goals Of The Project
Phase I: Protocols
• Phase I
  – Research and study of remote access solutions
  – Secure access on internal private network
  – Interoperability tests
  – Study of VPN protocols (L2TP, PPTP, IPSec)
  – LAN-to-LAN and HOST-to-LAN scenarios
VPN - Goals Of The Project
• Phase I: Protocols
  – PPTP: point-to-point tunneling protocol
  – L2TP: layer 2 tunneling protocol
  – IPSEC: IP security protocols
    • IKE → authentication
    • AH → integrity
    • ESP → confidentiality, integrity
VPN - Goals Of The Project
Phase II: Authentication
• Phase II
  – Research and study of secure authentication mechanisms
  – Study of Public Key Infrastructure (PKI)
  – Interoperability tests
VPN - Goals Of The Project
Phase III: Deployment
• Phase III
  – Deployment
    • LAN-to-LAN between EIG and TCOM
    • HOST-to-LAN at EIVD
VPN – Open Source Software
Different solutions based on Open Source
• Server OS: Slackware Linux
• Firewall: Netfilter/iptables
• Gateway VPN: OpenSwan
• PKI Authority: OpenCA
• VPN Clients: Win2K: SSH Sentinel*; Linux: OpenSwan
*Free license for universities
VPN – Scenario 1
[Diagram: VPN tunnel over the internet between the EIG VPN GW (proprietary solutions, network 10.5.0.0/16) and the EIVD VPN GW (Open Source solutions, network 10.4.1.0/24)]
VPN – Scenario 2
[Diagram: remote client (VPN Client 10.4.2.20) connects over the internet through a VPN tunnel to the EIVD VPN GW (Open Source solutions, network 10.4.1.0/24)]
VPN – Scenario 3
[Diagram: the EIG VPN GW (proprietary solutions, network 10.5.0.0/16) and a remote VPN Client (10.4.2.20) each reach the EIVD VPN GW (Open Source solutions, network 10.4.1.0/24) through their own VPN tunnel over the internet]
VPN – Remote Client Authentication
[Diagram: remote client with dynamic IP 193.x.x.x and virtual IP 10.4.2.20, IPSec tunnel over the internet to the VPN GW, internal network 10.4.1.0/24]
• The remote client authenticates himself on the VPN GW
• The authentication is based on X.509 certificates
• The client acquires a private IP address with DHCP-over-IPSec
• The remote client is part of the internal private network
VPN – DHCP-over-IPSec
• Internet Draft: draft-ietf-ipsec-dhcp-13.txt
[Diagram: message sequence between the remote client, the VPN GW acting as DHCP Relay, and the DHCP Server:
 – ISAKMP SA: Main Mode Auth.
 – DHCP SA: Life Time = 20 sec.; carries the DHCP DISCOVER relayed to the DHCP Server
 – ESP SA: 10.4.2.20 ↔ 10.4.0.0/15
 Network labels in the diagram: 10.4.1.0/16, client address 10.4.2.20]
VPN – NAT-Traversal
• Internet Drafts: draft-ietf-ipsec-udp-encaps-03.txt, draft-ietf-ipsec-nat-t-03.txt
[Diagram: two cases
 – intelligent NAT box: ESP and IKE with one client
 – ESP encapsulated in UDP (port 4500): NAT with ESP and IKE with n clients]
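Added example, not part of the slides or the project's code: a small Python classifier for the payloads seen on UDP port 4500 once ESP is UDP-encapsulated, in the form the cited drafts were published as (RFC 3948): IKE is prefixed with a 4-byte zero non-ESP marker, a NAT keepalive is the single byte 0xFF, and anything else starts with a non-zero ESP SPI. The ISAKMP header layout is the 28-byte one from RFC 2408; the sample datagrams are constructed, and the exact draft-03 wire format may differ in detail from the RFC.

```python
import struct
from collections import Counter
from typing import Any, Dict, Iterable

# RFC 3948: on UDP/4500, IKE carries a 4-byte zero "non-ESP marker", a NAT
# keepalive is the single byte 0xFF, and ESP starts with its (non-zero) SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# ISAKMP fixed header: cookies, next payload, version, exchange type, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def classify_udp4500(payload: bytes) -> Dict[str, Any]:
    """Classify the UDP payload of one port-4500 datagram."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < ISAKMP_HDR.size:
            return {"kind": "invalid", "reason": "truncated ISAKMP header"}
        i_cookie, r_cookie, _next, version, exch, _flags, _msg_id, length = (
            ISAKMP_HDR.unpack(ike[:ISAKMP_HDR.size]))
        return {"kind": "ike", "initiator_cookie": i_cookie.hex(),
                "responder_cookie": r_cookie.hex(), "major_version": version >> 4,
                "exchange_type": exch, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])  # SPI 0 is reserved, so this is ESP
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize(payloads: Iterable[bytes]) -> Dict[str, int]:
    """Count packet kinds, e.g. to confirm ESP really flows UDP-encapsulated behind the NAT."""
    return dict(Counter(classify_udp4500(p)["kind"] for p in payloads))


# Constructed sample datagrams (not real captures).
SAMPLE_IKE = NON_ESP_MARKER + ISAKMP_HDR.pack(
    bytes.fromhex("1122334455667788"), bytes(8), 1, 0x10, 2, 0, 0, 28)  # exchange type 2 = Main Mode
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)  # SPI, sequence number, dummy ciphertext
SAMPLE_PACKETS = [SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP, NAT_KEEPALIVE]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify_udp4500(p))
    print(summarize(SAMPLE_PACKETS))
```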
VPN – Encountered Problems
• PKI
  – Token Integration
• Internet Service Provider (ISP)
  – Firewalls
  – Routing
• NAT routers
  – Intelligent Box
  – Stupid Box
  • NAT-Traversal
  • ESP → UDP Encapsulation
VPN – Gateway VPN Capabilities
IKE:
• Encryption algorithm: aes-256bit
• Integrity function: SHA-2
• DH Group: MODP 1536 (group 5)
• PKI authentication: OK
IPSEC – ESP (AH):
• Encryption algorithm: aes-256bit
• Integrity function: HMAC-SHA-2
• DH Group: MODP 1536 (group 5)
Other:
• DHCP over IPSEC: OK
• NAT-Traversal: OK
VPN – Final Architecture
[Diagram: EIG VPN area and EIVD VPN area connected over the Internet, plus a Remote client. Components shown: PKI OpenCA, NIDS Snort, GW Clavister, FireWall IPtables, PKI USB Key, DC W2K, GW VPN OpenSwan, Protected Area]
VPN – SSH Sentinel Configuration
VPN – PKI Certificate Configuration
VPN – SA Life & NAT Configuration
VPN – IKE & ESP Configuration
VPN – Connection example
VPN – Network Interfaces
• Before VPN Connection
• After VPN Connection