8/10/2019 Ipsec VPN _ Virtual Private Network _ Journal or Thesis Paper
1/6/2015 IPSec VPN : Virtual Private Network | JOURNAL OR THESIS PAPER
http://alljournal.blogspot.com/2009/09/ipsec-vpn-virtual-private-network.html 2
a. Diffie-Hellman (D-H)
b. Certificate Authority (CA)
12) VPN security of Hardware device
13) Conclusion
Abstract
A Virtual Private Network is a communication network by which a user can tunnel through another network, using the global Internet or an Intranet, with strong security features. Today it has become an important issue because, by using a VPN, it is easy to access a LAN from a remote location. It is hard to monitor a company's LAN or WAN from its office premises only; for any number of reasons a network administrator needs to go outside, and in this situation a VPN can help a lot. Everyone can use a VPN for his own LAN or WAN, but telecommunication companies, private banks and Internet Service Providers (ISPs) use VPNs very widely. For example, a bank may have a MAN or WAN spread over a large geographic area, and it also uses the latest network devices, security devices and other networking technology. In addition, a bank can set up its own VPN services by itself or take the service from a service provider. ALAP Communication is a service provider that offers VPN and other facilities. In this term paper we discuss how the IPSec VPN has been established between Islami Bank and ALAP Communication.
Introduction
A Virtual Private Network (VPN) is a communications network tunneled through another network and dedicated to a specific network. One common application is secure communication through the public Internet, but a VPN need not have explicit security features such as authentication or content encryption. VPNs can, for example, be used to separate the traffic of different user communities over an underlying network that has strong security features.
Islami Bank Bangladesh Limited has over 100 branches across Bangladesh; inside Dhaka it has 33 branches. The main branch is situated in Dilkusha, Motijheel. In this main branch the 9th floor is the server section, which they call the Data Center. The Data Center is not connected to the branch offices by the bank's own network; instead, Islami Bank has taken a high speed dedicated line (2Mbps) from the service provider ALAP Communication. In contrast, the branches outside Dhaka are connected with the Digital Data Network (DDN) service from the Bangladesh Telephone and Telegraph Board (BTTB), which also provides them a high speed dedicated line. Islami Bank has also established its VPN connection through ALAP Communication. ALAP provides two types of VPN, the CPE based IPSec VPN and the Network based IPSec VPN.
Security is an important issue in the networking sector. In CPE based VPN this issue is very important, because here a secured tunnel is built between two nodes across the global Internet. In Network based VPN, however, the security is much less important than in CPE VPN. Banks deal with confidential client data which is highly restricted, and extreme security is needed in money transactions. Therefore user authentication, message integrity and data encryption are needed for this kind of communication. A VPN can also simplify a network, reduce operational costs, provide global networking opportunities and support telecommuters.
Categories of Networks
A private
network is designed for use inside an organization. It allows access to shared resources and, at the same time, provides privacy. Two terms are commonly used in networking: Intranet and Extranet.
Intranet:
An Intranet is a private network (LAN) that uses the Internet model. However, access to the network is limited to the users inside the organization. The network uses application programs defined for the global Internet, such as HTTP, and may have Web servers, Print servers, File servers and so on.
Extranet:
An Extranet is the same as an Intranet with one major difference: some resources may be accessed by specific groups of users outside the organization under the control of the network administrator. For example, an organization may allow authorized customers access to product specifications, availability and online ordering. To achieve privacy, an organization can use one of three strategies: private networks, hybrid networks and virtual private networks.
Achieving Privacy
Private Network
An organization that needs privacy when routing information inside the organization can use a private network as discussed previously. A small organization with one single site can use an isolated LAN. People inside the organization can send data to one another that remains totally inside the organization, secure from outsiders. A large organization with several sites can create a private internet. The LANs at different sites can be connected to each other by using routers or leased lines. In other words, an internet can be made out of private LANs and private WANs.
[http://4.bp.blogspot.com/_Hrww1lJ6hGQ/Sqej3ESCpBI/AAAAAAAAA-Q/73x6RVs7Otw/s1600-h/0.JPG]
Figure 1. Private Network (Source: http://www.htcwizardweb.net/node/2113)
The figure shows such a situation for an organization where all the branch offices are connected to their Head Office. The LANs are connected to each other by routers and leased lines, so access to the network is limited to the users inside the organization. In this situation the organization has created a private internet that is totally isolated from the global Internet. For end-to-end communication between stations at different sites, the organization can use the Internet model. However, there is no need for the organization to apply for IP addresses with the Internet authorities; it can use private IP addresses. The organization can use any IP class and assign network and host addresses internally. Because the internet is private, duplication of addresses by another organization in the global Internet is not a problem.
Hybrid Networks
Today, most organizations need privacy in their internal data exchange but, at the same time, they need to be connected to the global Internet for data exchange with other organizations. One solution is the use of a hybrid network.
[http://1.bp.blogspot.com/_Hrww1lJ6hGQ/SqejsZsqPcI/AAAAAAAAA-I/WfVaYKNDZZQ/s1600-h/2.JPG]
Figure 2. Hybrid Network (Source: http://www.cs.ucsd.edu/~mihir/papers/hmac.html)
A hybrid network allows an organization to have its own private internet and, at the same time, access to the global Internet. Intra-organization data are routed through the private internet; inter-organization data are routed through the global Internet.
Virtual Private Networks (VPN)
Both private and hybrid networks have a major drawback: cost. Private wide area networks (WANs) are expensive. To connect several sites, an organization needs several leased lines, which means a high monthly fee. One solution is to use the global Internet for both private and public communication. A technology called virtual private network allows organizations to use the global Internet for both purposes. A VPN creates a network which is private but virtual. It is private because it guarantees privacy inside the organization. It is virtual because it doesn't use real private WANs: the network is physically public but virtually private.
[http://3.bp.blogspot.com/_Hrww1lJ6hGQ/SqejfwM6iYI/AAAAAAAAA-A/YCughvR5qDg/s1600-h/3.JPG]
Figure 3. Virtual Private Networks (Source: http://howstuffworks.com/w/index.php?title=Layer_2_Tunnelingid=20)
Types of VPN
VPNs fall into three basic categories: Remote-Access VPN, Intranet VPN and Extranet VPN.
Remote Access VPN:
Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP).
[http://1.bp.blogspot.com/_Hrww1lJ6hGQ/SqejUld5QSI/AAAAAAAAA94/EkNHEtNwhjw/s1600-h/4.JPG]
Figure 4. Types of VPN: examples of the three types of VPN, image courtesy Cisco Systems, Inc. (Source: http://www.cisco.com/vpn/types.html)
The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network. A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.
Site-to-Site VPN:
Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of two types:
Intranet-based - If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.
Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.
Why do we use VPN?
The Internet is an integral part of business communications today. Corporations use it as an inexpensive extension of their local or wide area networks. A LAN connection to an ISP enables far-reaching communication for e-commerce, mobile users, sales personnel and global business partners. The Internet is cheap, easily enabled, stable, resilient and omnipresent. But it is not secure, at least not in its native state. That is where VPN comes to the rescue. This clever concept can provide the security that you need with a variety of features. VPNs can provide security through point-to-point encryption of data, data integrity by ensuring that the data packets have not been altered, and authentication to ensure that the packets are coming from the right source. VPNs enable an efficient and cost-effective method for secure communication across the Internet's public infrastructure. A VPN provides:
- Extended geographic connectivity
- Improved security
- Reduced operational costs versus a traditional WAN
- Reduced transit time and transportation costs for remote users
- Simplified network topology
- Global networking opportunities
- Telecommuter support
The benefits most often cited for deploying VPNs include the following:
Cost Savings:
Elimination of expensive dedicated WAN circuits or banks of dedicated modems can provide significant cost savings. Third party Internet Service Providers (ISPs) provide Internet connectivity from anywhere at any time. Coupling ISP connectivity with the use of broadband technologies, such as DSL and cable, not only cuts the cost of connectivity but can also deliver high-speed circuits.
Security:
The cost savings from the use of
public infrastructures could not be realized if not for the security provided by VPNs. Encryption and authentication protocols keep corporate information private on public networks.
Scalability:
With VPN technologies, new users can be easily added to the network. Corporate network availability can be scaled quickly with minimal cost. A single VPN implementation can provide secure communications for a variety of applications on diverse operating systems.
We can connect different LANs at the same location and from different locations by using routers. But why are we using a VPN? When we use our private LAN or WAN it means we are using our own network topology, which may or may not be connected to the Internet. So to access our own LAN, the LANs should be physically connected to each other. But it is not possible to access the LAN or WAN from the same location all the time. A network administrator can't stay in a fixed position for 24 hours a day; he needs to move. To resolve this problem the network administrator can use a VPN, by which he can access his LAN or WAN from a remote location over the Internet. This saves time, money and so on. The main facility is that we can access our LAN from anywhere through the Internet. Here we don't need additional physical devices, which reduces our cost. A well-designed VPN can greatly benefit a company.
Network Topology of Islami Bank
ALAP Communication is a service provider that provides telecommunication infrastructure for secure data. ALAP Communication holds exclusive licenses for the use of spectrum in the 3.5 GHz band, and has deployed Non Line of Sight (NLOS) and Obstructed Line of Sight (OLOS) broadband wire and wireless networking equipment for use in this band. ALAP now stands ready to profit from this investment by providing Voice, VPN and Data services to a wide variety of customers, including both end users and network providers. ALAP Communication gives 2Mbps dedicated high speed bandwidth for data transmission to Islami Bank Bangladesh Limited. Here we discuss how Islami Bank uses VPN from the service provider.
Explanations
All the services are handled by the Data Center, which is situated in the main branch office of Islami Bank Bangladesh Limited. The Data Center is the server room on the 9th floor of the main branch. The Data Center is connected to the ALAP Communication backbone by a high speed dedicated line of around 2Mbps. ALAP Communication gives its services inside Dhaka city to 33 different branches of Islami Bank. All the routers of the different branches are connected to ALAP with a 128 KB/s line. After that the traffic goes through Cisco router > Cisco PIX firewall > Catalyst switch > Workstations. The Data Center servers can control the whole process. They can access their local router at any time, check accounts and do any kind of transaction with their local office. Similarly, the local office can do the same if it has permission from the main office. Islami Bank's data storage system is not centralized; they use a decentralized system to store their data. For example, when the branches in Dhaka make any transaction, that document doesn't come to the main Data Center server; the information is saved on the local server under that specific local router. After a suitable time the main server in Dhaka retrieves that information from those local servers. The Data Center uses banking and database software for their transactions. The Data server can communicate with the branch offices over ALAP Communication's backbone because ALAP provides a high speed dedicated service to them. Whatever transactions happen in the main and branch offices are fully automated; there is no kind of manual transaction. If there is any kind of interruption or other problem, then manual transactions can happen. A person is needed to control the server and to monitor the status of the traffic. But the practical scenario is not that easy: an authorized person needs to access the network from outside Islami Bank's office. A VPN can be a solution for this kind of problem. The network admin of Islami Bank uses VPN services from ALAP Communication. In a VPN, security is a very important factor, because all the data which they pass are strictly restricted and highly confidential. So, security is an important issue for VPN communication.
VPN Infrastructure of ALAP Communications
All data traversing the ALAP Communications network is encrypted by default with a 128-bit encryption scheme. On top of their network traffic encryption they provide End-To-End secure data communication through their state of the art VPN solution. ALAP's VPN solutions can enable anyone's employees, customers, business partners and suppliers to collaborate securely and cost effectively. They integrate VPN hardware and software with the management and support we need for a complete, end-to-end solution.
ALAP's VPN Criteria
State of the art Hardware
(ASIC) based Firewall and VPN. 10 concurrent IPSec VPN tunnels and the choice of 10, 20, 50 or Unlimited node configurations (IPSec VPN ensures data security for our corporate clients). Complete Anti-Virus, Internet Content Filtering and Rapid Email Attachment Blocking all-in-one solution. Enterprise-class firewall protection with ICSA-certified, stateful packet inspection technology.
ALAP's VPN Solution
Companies establish centralized control over branch offices with point-of-sale (POS) locations. Provides remote sites with the robust security and performance needed for business continuance. Enables secure, high-speed communications between multiple locations.
[http://1.bp.blogspot.com/_Hrww1lJ6hGQ/SqejLWzaFGI/AAAAAAAAA9w/hcsIN9yzOCI/s1600-h/4.5.JPG]
ALAP's CPE-based IP VPN
With the use of the latest technology, ALAP's CPE-based IP VPN solution allows us to create an efficient and integrated platform to streamline business communications. Data are encrypted securely from our premises to the distant end, as our business might demand.
[http://2.bp.blogspot.com/_Hrww1lJ6hGQ/SqejAE28t2I/AAAAAAAAA9o/TOSlpBd23Ns/s1600-h/5.JPG]
Figure 5. CPE based IP VPN (Source: http://www.alapcom.com/security/vpn/cpevpn.jpeg)
ALAP's CPE-based IP VPN offers: support for Intranets, Extranets and Remote access network applications; integrated VPN devices with support for VPN, firewall and routing capabilities; premise-to-premise encryption.
Explanations
In CPE based IP VPN, ALAP Communication offers support for Intranets, Extranets and Remote access network applications. In IP based VPN the network is connected through the Internet cloud; this means the network medium is the Internet cloud. There are customer premises networks on both sides of the Internet Protocol (IP) network. The CPE can be connected to the IP network via any kind of DSL, broadband or dial-up modem. CPE IP VPN is suitable for the telecommuter or the network administrator of a company who needs to change his position rapidly. For example, a situation can occur where a network administrator is called for any kind of help while he is outside his office. In this situation a CPE IP VPN can be a solution: by this the network administrator can access his office or any kind of outside LAN or WAN through the Internet. The Internet is helpful in this situation because it is cheap and no additional hardware is required for this kind of communication. With only an Internet connection, a person can access a remote LAN or WAN through the Internet.
ALAP's Network-based IP VPN
IP Service switches at network access points are used to encrypt data, taking full responsibility for management and maintenance of the system.
[http://1.bp.blogspot.com/_Hrww1lJ6hGQ/Sqei1_gMyFI/AAAAAAAAA9g/2zGsoGfov5g/s1600-h/6.JPG]
Figure 6. Network based IP VPN (Source: http://www.alapcom.com/security/vpn/networkvpn.jpeg)
ALAP's Network-based IP VPN offers: support for Intranets, Extranets and Remote access network applications; integrated network-based firewalls; network-edge to network-edge encryption; hybrid networking capabilities to support the migration or integration of ALAP's IP-based networks with third party Frame Relay and ATM services.
Explanation:
The network based IP VPN of ALAP Communication supports Intranets, Extranets and Remote access network applications. In addition, the network based VPN is integrated with network based firewalls. It also provides network-edge to network-edge encryption. In network based VPN the internal backbone of the network is the ALAP Communications network itself; this means there are customer premises networks on both sides of the ALAP Communications network. The CPE can be connected to the IP network via any kind of DSL, broadband, dial-up modem or wireless modem. The different LAN segments are connected to each other by routers. For security purposes each of the routers is connected with a hardware firewall. There are, however, differences between the CPE IP VPN and the Network Based IP VPN. In Network Based IP VPN the core network or transmission network is the intranet instead of the global Internet. This means a user can't access the LAN or WAN on a different segment through the Internet; if the user uses the Internet then it becomes the CPE IP VPN. In Network based IP VPN the network is connected through the default LAN or WAN by itself. The advantage of this kind of system is that no global network connection is required. But the main disadvantage is that a network administrator can't access any segment of the remote network from outside the office.
Overview of VPN Technologies
IPSec
Internet Protocol Security (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication. IPSec is a layer 3 protocol. IPSec has two encryption modes: tunnel and transport. When two devices offer each other VPN tunneling then it is tunnel mode, and when only the client side requests the opposite side for VPN tunneling then it is transport mode. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as: router to router, firewall to router, PC to router, PC to server.
[http://4.bp.blogspot.com/_Hrww1lJ6hGQ/SqeirvKEvcI/AAAAAAAAA9Y/ZEFf8yHPq04/s1600-h/7.JPG]
Figure 7. VPN tunneling (Source: http://www.dlink.com/vpn/technology.jpg)
To guarantee privacy and other security measures for an organization, a VPN can use IPSec in tunnel mode. In this mode, each IP datagram destined for private use in the organization is encapsulated in another datagram.
SSL
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communication on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but they are substantially the same.
[http://4.bp.blogspot.com/_Hrww1lJ6hGQ/SqeieyJ7uDI/AAAAAAAAA9Q/G04uCfz8inI/s1600-h/8.JPG]
Figure 8. SSL (Source: http://www.cites.uiuc.edu/vpn/technology.htm)
Cryptographic Protocol:
A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods. A protocol describes how the algorithms should be used. A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program. Cryptographic protocols are widely used for secure application-level data transport. For example, Transport Layer Security (TLS) is a cryptographic protocol that is used to secure web (HTTP) connections.
L2TP
In computer networking, the Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs).
[http://2.bp.blogspot.com/_Hrww1lJ6hGQ/SqeiLgmeAYI/AAAAAAAAA9I/6138pDpRZxw/s1600-h/9.JPG]
Figure 9. Layer 2 Tunneling Protocol (Source: http://www.citecho.com/vpn/technology.html)
L2TP acts like a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). L2TP is in fact a layer 5 (session layer) protocol, and uses the registered UDP port 1701. The entire L2TP packet, including payload and L2TP header, is sent within a UDP datagram. It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPSec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec (discussed below). The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this, an L2TP session (or call) is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or the LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. MTU should be considered when implementing L2TP. The packets exchanged within an L2TP tunnel are categorised as either control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets.
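The control/data distinction described above, as an added example that is not from the paper or any L2TP implementation: a small Python parser for the L2TPv2 header carried in UDP port 1701 datagrams. It separates control packets, which must carry the Length and Ns/Nr fields that make up the control channel's reliability mechanism, from bare data packets that carry neither. The sample datagrams are constructed for the demonstration.

```python
import struct

L2TP_UDP_PORT = 1701   # registered UDP port for L2TP (RFC 2661)
# Header flag bits: Type (control=1), Length present, Sequence present,
# Offset present, Priority.
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100


def parse_l2tp(datagram):
    """Parse an L2TPv2 header (RFC 2661 section 3.1) from a UDP payload.
    Returns a dict of the fields present; raises ValueError when the datagram
    is truncated or a control message breaks the mandatory flag rules."""
    pos = 0

    def take(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if len(datagram) < pos + size:
            raise ValueError("truncated L2TP header")
        vals = struct.unpack(fmt, datagram[pos:pos + size])
        pos += size
        return vals

    (flags,) = take("!H")
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 header (Ver=%d)" % (flags & 0x000F))
    hdr = {"control": bool(flags & T_BIT), "priority": bool(flags & P_BIT)}
    if hdr["control"] and (not (flags & L_BIT) or not (flags & S_BIT) or (flags & O_BIT)):
        # Control messages must carry Length and Ns/Nr and never use Offset;
        # those fields are the reliability machinery the data channel lacks.
        raise ValueError("control message with illegal flag combination")
    if flags & L_BIT:
        (hdr["length"],) = take("!H")
        if hdr["length"] != len(datagram):
            raise ValueError("Length field disagrees with datagram size")
    hdr["tunnel_id"], hdr["session_id"] = take("!HH")
    if flags & S_BIT:
        hdr["ns"], hdr["nr"] = take("!HH")   # next sent / next expected
    if flags & O_BIT:
        (offset,) = take("!H")
        pos += offset                        # skip the offset padding
    hdr["payload"] = datagram[pos:]
    return hdr


def build_l2tp(control, tunnel_id, session_id, payload, ns=0, nr=0):
    """Build an L2TPv2 datagram. Control messages get T, L and S set; data
    messages are built bare (no Length, no Ns/Nr), the unreliable form."""
    flags = 2 | ((T_BIT | L_BIT | S_BIT) if control else 0)
    body = struct.pack("!HH", tunnel_id, session_id)
    if control:
        body += struct.pack("!HH", ns, nr)
    head = struct.pack("!H", flags)
    if control:
        head += struct.pack("!H", 2 + 2 + len(body) + len(payload))
    return head + body + payload


def classify(datagram):
    """One-line verdict a monitoring hook could log for UDP/1701 traffic."""
    try:
        hdr = parse_l2tp(datagram)
    except ValueError as exc:
        return "malformed: %s" % exc
    kind = "control" if hdr["control"] else "data"
    return "%s tunnel=%d session=%d" % (kind, hdr["tunnel_id"], hdr["session_id"])


# Constructed samples: a tunnel-setup style control message (tunnel and session
# 0, as an initial SCCRQ uses; payload is a constructed Message Type AVP) and a
# data packet carrying a constructed PPP frame.
CONTROL = build_l2tp(True, 0, 0, b"\x80\x08\x00\x00\x00\x00\x00\x01", ns=0, nr=0)
DATA = build_l2tp(False, 7, 3, b"\xff\x03\x00\x21constructed-ppp-frame")
```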
Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP
tunnel. VPN over IPSec
Planning an IPSec VPN IPSec supports High-Level Data Link Control (HDLC), ATM, Point-to-Point protocol
(PPP), and Frame Relay serial encapsulation. IPSec also works with Generic Routing Encapsulation (GRE
and IP in IP (IPinIP) encapsulation Layer3 tunneling protocols, IPSec doesnt support the data-link switching
(DSL) standard, source-route bridging (SRB), or other layer3 tunneling protocols. IPSec doesnt support
multipoint tunneling. IPSec works strictly with unicast IP datagrams only. It doesnt work with multicast or
broadcast IP datagrams. IPSec provides packet expansion that can cause fragmentation and reassembly
IPSec packets. When using NAT, be sure that NAT occurs before IPSec encapsulation so that IPSec has
global addresses to work with. Major Protocols in IPSec IP Security Protocols (IPSec) o Authentication
Header (AH) o Encapsulating Security Payload (ESP) Message Encryption Data Encryption Standard
(DES) Triple DES (3DES) Message Integrity (HASH) Functions o Hash-based Message Authentication
Code (HMAC) o Message Digest 5 (MD5) o Secure Hash Algorithm -1 (SHA-1) Peer Authentication
Rivest, Shamir and Adelman (RSA) Digital Signatures RSA Encrypted Nonces Key Management o Diffie-
Hellman (D-H) o Certificate Authority (CA) Security Association Internet Kay Exchange (IKE) Internet
Security Associations and Key Management Protocol(ISAKMP) Explanation of the IPSec ProtocolsThe
IPSec Protocol The protocols that IPSec uses to provide traffic security are Authentication Header (AH) an
Encapsulating Security Payload (ESP). These two protocols are considered purely IPSec protocols and were
developed strictly for IPSec. Each protocol is described in its own RFC, which was identified in Table 2-7. We can use AH and ESP independently on an IPSec connection, or we can combine their use. IKE and IPSec negotiate encryption and authentication services between pairs. This negotiation process culminates in establishing Security Associations (SAs) between security pairs. IKE SAs are bidirectional, but IPSec SAs are unidirectional and must be established by each member of the VPN pair to establish bidirectional traffic. There must be an identical SA on each pair to establish secure communications between pairs. The information associated with each SA is stored in a Security Association Database, and each SA is assigned a Security Parameters Index (SPI) number that, when combined with the destination IP address and the security protocol (AH or ESP), uniquely identifies the SA. The key to IPSec is the establishment of these SAs. SAs are negotiated once at the beginning of an IPSec session and periodically throughout a session when certain conditions are met. To avoid having to negotiate security for each packet, there had to be a way to communicate the use of an already agreed upon SA between security pairs. That is where the AH and ESP protocols come into use. These two protocols are simply a means of identifying which prenegotiated security features to use for a packet going from one peer to another. Both of these protocols add an extra header to the IP datagram between the Layer 3 (IP) and Layer 4 (usually TCP or UDP) protocol headers. A key element contained in each protocol's header is the SPI, giving the destination peer the information it needs to authenticate and decrypt the packet.

Authentication Header

The Authentication Header (AH) protocol is defined in RFCs 1826 and 2402 and provides for data integrity, data origin authentication, and an optional antireplay service. AH does not provide encryption, which means that the packets are sent as clear text. AH is slightly quicker than ESP, so we might choose to use AH when we need to be certain of the source and integrity of the packet but confidentiality is not a concern. Devices configured to use AH insert an extra header into the IP datagrams of "interesting traffic," between the IP header and the Layer 4 header. Because a processing cost is associated with IPSec, VPNs can be configured to choose which traffic to secure, and IPSec and non-IPSec traffic can coexist between security pairs. We might choose to secure e-mail traffic but not web traffic, for example. The process of inserting the AH header is shown in Figure 2-5.
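The paragraph above describes how a receiver resolves an SA: the SPI read from the AH or ESP header, combined with the destination address and the protocol, keys a lookup in the Security Association Database, and every IPSec SA protects one direction only. The following Python model is an added example, not code from the paper or from any Cisco product; the Peer and SecurityAssociation classes, the algorithm labels and the gateway addresses are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

AH, ESP = 51, 50  # IP protocol numbers that identify the two IPSec headers


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int                       # Security Parameters Index carried in the AH/ESP header
    dst: str                       # destination address of the packets this SA protects
    protocol: int                  # AH or ESP; each protocol needs its own SA
    auth_alg: str                  # e.g. "hmac-sha1-96" (constructed label)
    enc_alg: Optional[str] = None  # only ESP encrypts, so AH SAs leave this None
    lifetime_s: int = 3600         # constructed sample lifetime, not a device default


class Peer:
    """A minimal model of one IPSec peer and its Security Association Database."""

    def __init__(self, addr: str):
        self.addr = addr
        self.outbound = {}  # (peer address, protocol) -> SA we protect packets with
        self.inbound = {}   # (SPI, our address, protocol) -> SA we unwrap packets with

    def allocate_spi(self) -> int:
        """Choose an SPI not already used for inbound traffic. RFC 2401 reserves 0-255."""
        taken = {spi for (spi, _, _) in self.inbound}
        while True:
            spi = secrets.randbits(32)
            if spi > 255 and spi not in taken:
                return spi

    def lookup_inbound(self, spi: int, dst: str, protocol: int) -> Optional[SecurityAssociation]:
        """Receiver side: the SPI from the header plus destination and protocol form the key."""
        return self.inbound.get((spi, dst, protocol))


def establish_simplex_sa(sender: Peer, receiver: Peer, protocol: int,
                         auth_alg: str, enc_alg: Optional[str] = None) -> SecurityAssociation:
    """Set up ONE direction (sender -> receiver). The receiver allocates the SPI because it
    is the receiver that must resolve it later; the identical record is stored on both peers."""
    sa = SecurityAssociation(spi=receiver.allocate_spi(), dst=receiver.addr,
                             protocol=protocol, auth_alg=auth_alg, enc_alg=enc_alg)
    receiver.inbound[(sa.spi, sa.dst, sa.protocol)] = sa
    sender.outbound[(receiver.addr, protocol)] = sa
    return sa


def establish_bidirectional(a: Peer, b: Peer, protocol: int, auth_alg: str,
                            enc_alg: Optional[str] = None) -> Tuple[SecurityAssociation, SecurityAssociation]:
    """IPSec SAs are simplex, so two-way traffic needs one SA per direction."""
    return (establish_simplex_sa(a, b, protocol, auth_alg, enc_alg),
            establish_simplex_sa(b, a, protocol, auth_alg, enc_alg))


def demo() -> dict:
    # Constructed gateway addresses (documentation ranges), not from the paper.
    able, baker = Peer("203.0.113.10"), Peer("198.51.100.20")
    esp_a2b, esp_b2a = establish_bidirectional(able, baker, ESP, "hmac-sha1-96", "3des-cbc")
    ah_a2b, ah_b2a = establish_bidirectional(able, baker, AH, "hmac-md5-96")
    return {
        # Baker reads the SPI from an ESP packet sent by Able and resolves the SA by triplet.
        "baker_resolves_esp": baker.lookup_inbound(esp_a2b.spi, baker.addr, ESP) is esp_a2b,
        # The same SPI under the AH protocol number is a different triplet: no SA, packet dropped.
        "esp_spi_invalid_for_ah": baker.lookup_inbound(esp_a2b.spi, baker.addr, AH) is None,
        # Able cannot receive on the SA it sends with; it needs the return-direction SA.
        "outbound_sa_not_usable_inbound": able.lookup_inbound(esp_a2b.spi, able.addr, ESP) is None,
        "able_resolves_return_sa": able.lookup_inbound(esp_b2a.spi, able.addr, ESP) is esp_b2a,
        # Two protocols x two directions = four IPSec SAs on each peer.
        "sa_count_per_peer": (len(able.inbound) + len(able.outbound),
                              len(baker.inbound) + len(baker.outbound)),
        "ah_sas_never_encrypt": ah_a2b.enc_alg is None and ah_b2a.enc_alg is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The lookups that return None are the cases a real stack would drop: a packet whose SPI is not known under that protocol and destination, or traffic arriving on a peer that only holds the sending side of an SA. Keeping inbound and outbound tables separate in the model is what makes the simplex nature of IPSec SAs visible.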
[http://4.bp.blogspot.com/_Hrww1lJ6hGQ/SqeiBbH52FI/AAAAAAAAA9A/JYAxl6zAZjo/s1600-h/10.JPG]
Figure.10 (source: CCSP Cisco Secure VPN)

Encapsulating Security Payload

The other IPSec protocol is the Encapsulating Security Payload (ESP) protocol. This protocol provides confidentiality by enabling encryption of the original packet. Additionally, ESP provides data origin authentication, integrity, antireplay service, and some limited traffic flow confidentiality. This is the protocol to use when we require confidentiality in our IPSec communications. ESP acts differently than does AH. As its name implies, ESP encapsulates all or portions of the original IP datagram by surrounding it with both a header and a trailer. Figure 2-6 shows the encapsulation process.
[http://2.bp.blogspot.com/_Hrww1lJ6hGQ/Sqeh1YuHdCI/AAAAAAAAA84/opZQe5Yxmdk/s1600-h/11.JPG]
Figure.11 (source: CCSP Cisco Secure VPN)

AH and ESP Modes of Operation

We previously discussed the AH and ESP protocols using several examples that showed sliding the IP header of an IP datagram to the left, inserting either an AH or ESP header, and then appending the upper-layer portion of the datagram to that. This is a classic description of one of the modes of operation for IPSec, namely the Transport mode. The other mode of operation for IPSec is the Tunnel mode. These two modes provide a further level of authentication or encryption support to IPSec.

Transport Mode

Transport mode is primarily used for end-to-end connections between hosts or devices acting as hosts. Tunnel mode is used for everything else. An IPSec gateway might act as a host when being accessed by an administrator for configuration or other management operations. Figure 2-8 shows how the Transport mode affects AH IPSec connections. The Layer 3 and Layer 4 headers are pried apart, and the AH is added between them. Authentication protects all but mutable fields in the original IP header.
[http://3.bp.blogspot.com/_Hrww1lJ6hGQ/SqehnSOQKfI/AAAAAAAAA8w/nKNShePZoX0/s1600-h/12.JPG]
Figure.12 (source: CCSP Cisco Secure VPN)

Figure 2-9 shows ESP Transport mode. Again, the IP header is shifted to the left, and the ESP header is inserted. The ESP trailer and ICV are then appended to the end of the datagram. If encryption is desired (not available with AH), only the original data and the new ESP trailer are encrypted. Authentication extends from the ESP header through the ESP trailer. Even though the original header has been essentially left intact in both situations, the AH Transport mode does not support NAT because changing the source IP address in the IP header causes authentication to fail. If we need to use NAT with AH Transport mode, we must ensure that NAT happens before IPSec. Notice that this problem does not exist with ESP Transport mode. The IP header remains outside of the authentication and encryption areas for ESP Transport mode datagrams.
[http://3.bp.blogspot.com/_Hrww1lJ6hGQ/SqehgUgwyII/AAAAAAAAA8o/um1SXJTAIaw/s1600-h/13.JPG]
Figure.13 (source: CCSP Cisco Secure VPN)

Tunnel Mode

IPSec tunnel mode is used between gateways such as routers, firewalls, and concentrators. It is also typically used when a host connects to one of these gateways to gain access to networks controlled by that gateway, as would be the case with most remote access users dialing in to a router or concentrator. In Tunnel mode, instead of shifting the original IP header to the left and then inserting the IPSec header, the original IP header is copied and shifted to the left to form the new IP header. The IPSec header is then placed between the original and the copy of the IP header. The original datagram is left intact and is wholly secured by authentication or encryption algorithms. Figure 2-10 shows the AH Tunnel mode. Once again, notice that the new IP header is under the auspices of the authentication algorithm and that it does not support NAT.
[http://3.bp.blogspot.com/_Hrww1lJ6hGQ/SqehUr73mbI/AAAAAAAAA8g/KiXTOpz8SXg/s1600-h/14.JPG]
Figure.14 (source: CCSP Cisco Secure VPN)

In Figure 2-11, we can see a depiction of the ESP Tunnel mode. The entire original datagram can be encrypted and/or authenticated with this method. If we select to use both ESP authentication and encryption, encryption is performed first. This allows authentication to be done with assurance that the sender does not alter the datagram before transmission, and the receiver can authenticate the datagram before decrypting the package.
[http://1.bp.blogspot.com/_Hrww1lJ6hGQ/SqehCChHOdI/AAAAAAAAA8Y/nEiiUTlaLhg/s1600-h/15.JPG]
Figure.15 (source: CCSP Cisco Secure VPN)

ESP supports NAT in either Tunnel or Transport mode, and only ESP supports encryption. If we need encryption, we must use ESP. If we also want authentication with ESP, we must select the ESP HMAC service. HMAC uses the MD5 and SHA-1 keyed hashing algorithms.

Security Associations

Depending on the IPSec protocol we choose to use, we can ensure data integrity and source authenticity, provide encryption, or do both. Once we decide the service we need, the peers then begin a negotiation process to select a matching set of algorithms for authentication, encryption, and/or hashing as well as a matching SA lifetime. This negotiation process is done by comparing requested services from the source peer with a table of acceptable services maintained on the destination peer. Once the negotiation process has been completed, it would be convenient not to have to do it again for a while. The IETF named this security service relationship between two or more entities to establish secure communications the Security Association (SA). When traffic needs to flow bidirectionally across a VPN, IKE establishes a bidirectional SA and then IPSec establishes two more unidirectional SAs, each having its own lifetime. Get into the habit of identifying these SAs as either IKE SAs or IPSec SAs because they each have their own configuration attributes and they are each maintained separately. IKE SAs are used when IPSec tries to establish a connection. IPSec SAs are used with every secure packet. SAs are only good for one direction of data across an IPSec connection. Because SAs are simplex, establishing conversations between peers requires two IPSec SAs, one going and one coming, for each peer and two underlying IKE SAs. IPSec SAs are also protocol specific. If we are going to be using both AH and ESP between security pairs, we need separate SAs for each. Each SA is assigned a unique random number called a Security Parameters Index (SPI). This number, the destination IP address of a packet, and the IPSec protocol used create a unique triplet that identifies a security association. When a system wants to send IPSec traffic to a peer, it checks to see if an SA already exists for that peer using the desired security services. If it finds an existing SA, it places the SPI of the SA into the IPSec header and sends the packet. The destination peer takes the SPI, combines it with the IPSec protocol and the destination IP address, and locates the existing SA in the Security Association Database it maintains for incoming traffic on that interface. Once it finds the SA, the destination peer knows how to unwrap the data for use.

Existing Protocols Used in the IPSec Process

IPSec makes use of numerous existing encryption, authentication, and key exchange standards. This approach maintains IPSec as a standards-based application, making it more universally acceptable in the IP community. Many of these standard protocols are described in the following sections.

Message Encryption

Available when using the ESP IPSec protocol, message encryption enables us to send highly sensitive information across public networks without fear of having those data easily compromised. The two encryption standards are Data Encryption Standard (DES) and its more robust cousin, the Triple Data Encryption Standard (3DES or Triple DES).

Data Encryption Standard

The standard encryption method used by many VPN deployments is the Data Encryption Standard (DES) method of encryption. DES applies a 56-bit key to every 64 bits of data. DES provides over 72,000,000,000,000,000 (72 quadrillion) possible encryption keys. Developed by IBM in 1977 and adopted by the U.S. Department of Defense, DES was once considered such a strong encryption technique that it was barred from export from the continental United States. It was considered unbreakable at the time of its adoption, but faster computers have rendered DES breakable within a relatively short period of time, so DES is no longer in favor in high-security applications. Cipher Block Chaining (CBC) is one of several methods of implementing DES. CBC requires an initialization vector (IV) to start encryption. IPSec ensures that both VPN peers have the same IV or shared secret key. The shared secret key is input into the DES encryption algorithm, and clear text is then supplied in 64-bit blocks. The clear text is converted to cipher text and is passed to ESP for transmission to the waiting peer, where the process is reversed using the same shared secret key to reproduce the clear text message.

Triple DES

One version of the Data Encryption Standard is Triple DES (3DES), so named because it performs three encryption operations on the data. It performs an encryption process, a decryption process, and then another encryption process, each with a different 56-bit key. This triple process produces an aggregate 168-bit key, providing strong encryption.
Message Integrity

Message integrity is accomplished by using a hashing algorithm to compute a condensed representation of a message or data file. These condensed representations are called message digests (MDs) and are of a fixed length that depends on the hashing algorithm used. All or part of this message digest is transmitted with the data to the destination host, which executes the same hashing algorithm to create its own message digest. The source and destination message digests are then compared. Any deviation means that the message has been altered since the original message digest was created. A match means that we can be fairly certain that the data have not been altered during transit. When using the IPSec AH protocol, the message digest is created using the immutable fields from the entire IP datagram, replacing mutable fields with 0s or predictable values to maintain proper alignment. The computed MD is then placed in the Authentication Data (or ICV) field of the AH. The destination device then copies the MD from the AH and zeroes out the Authentication Data field to recalculate its own MD. With the IPSec ESP protocol, the process is similar. The message digest is created using the immutable data in the portion of the IP datagram from the beginning of the ESP header to the end of the ESP trailer. The computed MD is then placed into the ICV field at the end of the datagram. With ESP, the destination host does not need to zero out the ICV field because it sits outside of the scope of the hashing routine. Refer to Figures 2-9 and 2-11 for the structure of the ESP datagram.

Hash-Keyed Message Authentication Code

RFC 2104 describes the HMAC algorithm, which was developed to work with existing hashing algorithms like MD5 and SHA-1. Many security processes involved in sharing data involve the use of secret keys and a mechanism called Message Authentication Codes (MACs). One party creates the MAC using the secret key and transmits the MAC to its peer partner. The peer partner creates its own MAC using the same secret key and compares the two MACs. MD5 and SHA-1 share a similar concept, except that they do not use secret keys. That is where HMAC comes in. HMAC was developed to add a secret key into the calculation of the message digests produced by standard hashing algorithms. The secret key added to the formula is the same length as the resulting message digest for the hashing algorithm used.

Message Digest 5-HMAC Variant

Message Digest 5 (MD5) was developed by Ronald Rivest of the Massachusetts Institute of Technology and RSA Data Security Incorporated. MD5 takes any message or data file and creates a 128-bit condensed representation (message digest) of the data. The HMAC variant uses a 128-bit secret key to produce a 128-bit MD. AH and ESP-HMAC only use the left-most 96 bits, placing them into the authentication field. The destination peer then calculates a complete 128-bit message digest but then only uses the left-most 96 bits to compare with the value stored in the authentication field. MD5 creates a shorter message digest than does SHA-1 and is considered less secure but offers better performance. MD5 without HMAC has some known weaknesses that make it a poor choice for high-security applications. HMAC-MD5 has not yet been successfully attacked.
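Three points made above can be shown in one piece of working code: the AH integrity check is computed over the IP header with its mutable fields zeroed (Message Integrity), which is why a TTL decrement in transit is harmless but a NAT rewrite of the source address breaks authentication (Transport Mode), and AH/ESP-HMAC keep only the left-most 96 bits of the MD5 or SHA-1 HMAC output (this section and the next). The code below is an added example, not the paper's or any vendor's implementation. The list of mutable IPv4 fields follows RFC 2402, which the paper cites; the key, addresses, payload and SPI are constructed, and the IP checksum is left at zero because it is mutable anyway.

```python
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51   # protocol number the outer IP header carries when AH follows it
ICV_LEN = 12    # AH/ESP-HMAC keep only the left-most 96 bits of the HMAC output


def hmac_96(key: bytes, data: bytes, hash_name: str) -> bytes:
    """HMAC-MD5-96 or HMAC-SHA-1-96: the full digest is computed, then truncated."""
    return hmac.new(key, data, hash_name).digest()[:ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # Fixed 20-byte header; ToS, ID and flags are constructed values, checksum left zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Fields RFC 2402 treats as mutable in transit are replaced with zeros before hashing:
    ToS, Flags + Fragment Offset, TTL and Header Checksum. The addresses stay in scope."""
    h = bytearray(ip_hdr)
    h[1] = 0                # ToS
    h[6:8] = b"\x00\x00"    # flags / fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def build_ah_transport(key: bytes, hash_name: str, src: str, dst: str, inner_proto: int,
                       payload: bytes, spi: int, seq: int) -> bytes:
    """Sender: hash over (IP header with mutable fields zeroed || AH with zero ICV || payload)."""
    ip = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    ah_zero = ah_header(inner_proto, spi, seq)
    icv = hmac_96(key, zero_mutable_fields(ip) + ah_zero + payload, hash_name)
    return ip + ah_zero[:12] + icv + payload


def verify_ah_transport(key: bytes, hash_name: str, packet: bytes) -> bool:
    """Receiver: copy the ICV out, zero the Authentication Data field, recompute, compare."""
    ip, ah, payload = packet[:20], packet[20:44], packet[44:]
    received_icv = ah[12:24]
    ah_zero = ah[:12] + b"\x00" * ICV_LEN
    expected = hmac_96(key, zero_mutable_fields(ip) + ah_zero + payload, hash_name)
    return hmac.compare_digest(expected, received_icv)


def demo() -> dict:
    key = b"constructed demo key - not a real SA key"
    results = {}
    for hash_name in ("sha1", "md5"):
        pkt = build_ah_transport(key, hash_name, "10.1.1.5", "10.2.2.9", 17,
                                 b"payload from Able", spi=0x1000ABCD, seq=1)
        hop = bytearray(pkt); hop[8] -= 1                                      # router decrements TTL
        nat = bytearray(pkt); nat[12:16] = IPv4Address("203.0.113.7").packed   # NAT rewrites source
        tampered = bytearray(pkt); tampered[-1] ^= 0x01                        # one payload bit flipped
        results[hash_name] = {
            "original_ok": verify_ah_transport(key, hash_name, pkt),
            "ttl_change_ok": verify_ah_transport(key, hash_name, bytes(hop)),
            "nat_rewrite_fails": not verify_ah_transport(key, hash_name, bytes(nat)),
            "tamper_fails": not verify_ah_transport(key, hash_name, bytes(tampered)),
            "icv_bits": len(pkt[32:44]) * 8,
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Note the comparison uses hmac.compare_digest rather than ==, so the verification time does not depend on where the first differing byte sits; that is the standard way to compare a received ICV against a recomputed one. Because the same routine runs for "sha1" and "md5", the example also makes the point of the two HMAC sections concrete: both variants land in an identical 96-bit Authentication Data field, even though their full digests are 160 and 128 bits long.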
Secure Hash Algorithm-1

The Secure Hash Algorithm was developed by the National Institute of Standards and Technology (NIST) and was first documented in the Federal Information Processing Standard (FIPS) Publication 180. The current version is SHA-1, as described in FIPS 180-1 and RFC 2404. SHA-1 produces a 160-bit message digest, and the HMAC-SHA-1 variant uses a 160-bit secret key. The receiving peer re-creates the entire 160-bit message digest using the same 160-bit secret key but then only compares the leading 96 bits against the MD fragment in the authentication field. The 160-bit SHA-1 message digest is more secure than the 128-bit MD5 message digest. There is a price to pay in performance for the extra security, but if we need to use the most secure form of message integrity, we should select the HMAC-SHA-1 algorithm.

Peer Authentication

One of the processes that IKE performs is the authentication of peers. This is done during IKE Phase 1 using a keyed hashing algorithm with one of three possible key types:
- Pre-shared keys
- RSA digital signatures
- RSA encrypted nonces

Pre-shared Keys

The process of sharing pre-shared keys is manual. Administrators at each end of the IPSec VPN agree on the key to use and then manually enter the key into the end device, either host or gateway. This method is fairly secure, but it does not scale well to large applications.

RSA Digital Signatures

Ronald Rivest, Adi Shamir, and Leonard Adleman developed the RSA public-key cryptosystem in 1977. Ronald Rivest also developed the MD5 hashing algorithm. A Certificate Authority (CA) provides RSA digital certificates upon registration with that CA. These digital certificates allow stronger security than do pre-shared keys. Once the initial configuration has been completed, peers using RSA digital certificates can authenticate with one another without operator intervention. When an RSA digital certificate is requested, a public and a private key are generated. The host uses the private key to create a digital signature. The host sends this digital signature along with its digital certificate to its IPSec peer partner. The peer uses the public key from the digital certificate to validate the digital signature received from the peer.

RSA Encrypted Nonces

A twist in the way digital signatures are used is the process of using RSA encrypted nonces for peer authentication. A nonce is a pseudorandom number. This process requires registration with a CA to obtain RSA digital certificates. Peers do not share public keys in this form of authentication. They do not exchange digital certificates. The process of sharing keys is manual and must be done during the initial setup. RSA encrypted nonces permit repudiation of the communication, where either peer can plausibly deny that it took part in the communication.

Key Management

Key management can be a huge problem when working with IPSec VPNs. It seems like there are keys lurking everywhere. In reality, only five permanent keys are used for every IPSec peer relationship. These keys are described as follows:
- Two are private keys that are owned by each peer and are never shared. These keys are used to sign messages.
- Two are public keys that are owned by each peer and are made available to anyone. These keys are used to verify signatures.
- The fifth key is the shared secret key. Both peer members use this key for encryption and hashing functions. This is the key created by the Diffie-Hellman protocol.

That does not seem like many keys. In fact, the private and public keys are used for multiple IPSec connections on a given peer. In a small organization, these keys could all probably be managed manually. The problem arises when trying to scale the processes to support hundreds or thousands of VPN sessions.

Diffie-Hellman Protocol

In 1976, Whitfield Diffie and Martin Hellman developed the first public key cryptographic technique. The Diffie-Hellman (D-H) key agreement protocol allows two peers to exchange a secret key without having any prior secrets. This protocol is an example of an asymmetrical key exchange process in which peers exchange different public keys to generate identical private keys. This protocol is over 20 years old and has withstood the test of time. The Diffie-Hellman protocol is used in IPSec VPNs, but we have to look hard to find it. It is used in the process of establishing the secure channel between peers that IPSec rides on. The trail is as follows:
- IPSec uses the Internet Security Association and Key Management Protocol (ISAKMP) to provide a framework for authentication and key exchange.
- ISAKMP uses the IKE protocol to securely negotiate and provide authenticated keying material for security associations.
- IKE uses a protocol called OAKLEY, which describes a series of key exchanges and details the service provided by each.
- OAKLEY uses Diffie-Hellman to establish a shared secret key between peers.

Symmetric key encryption processes then use the shared secret key for encryption or authentication of the connection. Peers that use symmetric key encryption protocols must share the same secret key. Diffie-Hellman provides an elegant solution for providing each peer with a shared secret key without having to keep track of the keys used. Diffie-Hellman is such a clean process that you might wonder why we need symmetric key encryption processes. The answer is that asymmetric key encryption processes are much too slow for the bulk encryption required in high-speed VPN circuits. That is why the Diffie-Hellman protocol has been relegated to creating the shared secret key used by symmetric key encryption protocols. IPSec peers use the Diffie-Hellman protocol to generate the shared secret key that is used by AH or ESP to create authentication data or to encrypt an IP datagram. The receiving peer uses the D-H shared secret key to authenticate the datagram and decrypt the payload. No discussion of Diffie-Hellman would be complete without showing the mechanisms involved in creating the shared secret key. Table 2-8 shows the Diffie-Hellman process of creating the key between two IPSec peers called Able and Baker. Notice that the shared secret key never travels over the network between the peers.
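The Able and Baker exchange that Table 2-8 depicts, written out as an added Python example (it is not code from the paper or from any IKE implementation). The modulus and generator are those of Oakley Group 1 from RFC 2409, the 768-bit Diffie-Hellman group the paper later names as the IKE default; the private exponents are drawn fresh with the secrets module, and the `wire` dictionary stands for everything that actually crosses the network.

```python
import secrets

# 768-bit MODP modulus of Oakley Group 1 (RFC 2409), the IKE default named in the paper, and its generator.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2


class DHPeer:
    """One IPSec peer's side of the exchange. Only `public` is ever put on the wire."""

    def __init__(self, name: str, p: int = GROUP1_P, g: int = GROUP1_G):
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 2) + 1   # secret exponent x, stays local
        self.public = pow(g, self.private, p)          # g^x mod p, sent to the peer
        self.shared = None

    def derive_shared(self, peer_public: int) -> int:
        # Reject the degenerate values 0, 1 and p-1, which would force a predictable secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")
        self.shared = pow(peer_public, self.private, self.p)   # (g^y)^x = g^(xy) mod p
        return self.shared


def run_exchange() -> dict:
    able, baker = DHPeer("Able"), DHPeer("Baker")
    # Everything an observer on the path between the two peers would see:
    wire = {"Able->Baker": able.public, "Baker->Able": baker.public}
    k_able = able.derive_shared(wire["Baker->Able"])    # Able uses Baker's public value
    k_baker = baker.derive_shared(wire["Able->Baker"])  # Baker uses Able's public value
    return {
        "same_secret": k_able == k_baker,              # both sides hold g^(xy) mod p
        "secret_on_wire": k_able in wire.values(),     # the shared secret is never transmitted
        "private_on_wire": able.private in wire.values() or baker.private in wire.values(),
        "modulus_bits": GROUP1_P.bit_length(),
        "wire": wire,
    }


def rejects_degenerate_public(value: int) -> bool:
    """True if a peer refuses the given public value (used to show the range check works)."""
    try:
        DHPeer("Test").derive_shared(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = run_exchange()
    print("same secret:", result["same_secret"], "| secret seen on wire:", result["secret_on_wire"])
```

Two caveats a practitioner should keep next to this table. First, the exchange is unauthenticated on its own: an active party in the path could run one exchange with Able and another with Baker, which is exactly why IKE Phase 1 authenticates the peers (pre-shared keys, RSA signatures or RSA encrypted nonces) before the keys are used. Second, the 768-bit Group 1 and 1024-bit Group 2 moduli are no longer considered adequate; current guidance is 2048-bit groups (Group 14) or larger, or elliptic-curve groups.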
[http://2.bp.blogspot.com/_Hrww1lJ6hGQ/Sqeg2YfrQZI/AAAAAAAAA8Q/s3E57B-Hn0A/s1600-h/16.JPG]
Figure.16 (source: CCSP Cisco Secure VPN)

Certificate Authorities

Another method of handling keys that does not take a lot of administrative support is to use Certificate Authorities (CAs) as a trusted entity for issuing and revoking digital certificates and for providing a means to verify the authenticity of those certificates. CAs are usually third-party agents such as VeriSign or Entrust, but for cost savings, we could also set up our own CA using Windows 2000 Certificate Services. The following list describes how CAs work:
1. A client that wants to use digital certificates creates a pair of keys, one public and one private.
2. Next, the client prepares an unsigned certificate (X.509) that contains, among other things, the client's ID and the public key that was just created. This unsigned certificate is then sent to a CA using some secure method.
3. The CA computes a hash code of the unsigned certificate. The CA then takes that hash and encrypts it using the CA's private key. This encrypted hash is the digital signature, and the CA attaches it to the certificate and returns the signed certificate to the client. This certificate is called an Identity Certificate and is stored on the client device until it expires or is deleted.
4. The CA also sends the client its own digital certificate, which becomes the root certificate for the client.
5. The client now has a signed digital certificate that it can send to any other peer partner. If the peer partner wants to authenticate the certificate, it decrypts the signature using the CA's public key.

It is important to note that a CA only sends a client's certificate to that client itself. If the client wants to establish IPSec VPNs with another client, it trades digital certificates with that client, thereby sharing public keys. When a client wants to encrypt data to send to a peer, it uses the peer's public key from the digital certificate. The peer then decrypts the package with its private key. When a client wants to digitally sign a package, it uses its own private key to create a "signed" hash of the package. The receiving peer then uses the client's public key to create a comparison hash of the package. When the two hash values match, the signature has been verified. Another function of a CA is to periodically generate a list of certificates that have expired or have been explicitly voided. The CA makes these Certificate Revocation Lists (CRLs) available to its customers. When a client receives a digital certificate, it checks the CRL to find out if the certificate is still valid.

Authenticating IPSec Peers and Forming Security Associations

The protocol that brings all the previously mentioned protocols together is the Internet Key Exchange (IKE) protocol. IKE operates in two separate phases when establishing IPSec VPNs. In IKE Phase 1, it is IKE's responsibility to authenticate the IPSec peers, negotiate an IKE security association between peers, and initiate a secure tunnel for IPSec using the Internet Security Association and Key Management Protocol (ISAKMP). In IKE Phase 2, the peers use the authenticated, secure tunnel from Phase 1 to negotiate the set of security parameters for the IPSec tunnel. Once the peers have agreed on a set of security parameters, the IPSec tunnel is created and stays in existence until the Security Associations (SAs) (either IKE or IPSec) are terminated or until the SA lifetimes expire.

Combining Protocols into Transform Sets

We need to identify the five parameters that IKE uses in Phase 1 to authenticate peers and establish the secure tunnel. Those five parameters and their default settings for the VPN 3000 Concentrator Series are as follows:
- Encryption algorithm: 56-bit DES (default) or the stronger 168-bit 3DES.
- Hash algorithm: MD5 (default) or the stronger SHA-1.
- Authentication method: preshared keys, RSA encrypted nonces, or the most secure, RSA digital signatures (also the default).
- Key exchange method: 768-bit Diffie-Hellman Group 1 (default) or the stronger 1024-bit Diffie-Hellman Group 2.
- IKE SA lifetime: the default is 86,400 seconds or 1 day. Shorter durations are more secure but come at a processing expense.

Whatever parameters we choose for IKE Phase 1 must be identical on the prospective peer, or the connection is not established. Once we have these configured, the only other values we need to supply to establish the IPSec tunnel in IKE Phase 2 are as follows:
- IPSec protocol: AH or ESP
- Hash algorithm: MD5 or SHA-1 (these are always HMAC assisted for IKE Phase 2)
- Encryption algorithm, if using ESP: DES or 3DES

VPN Security Hardware Devices

One of the hardware devices used for VPN communication is the Cisco VPN 3000 Series Concentrator and its supporting software. Since its introduction, Cisco has enhanced the product line by adding a topped concentrator and a hardware client, and has made improvements to the software client.

Major Advantages of Cisco VPN 3000 Series Concentrators

The Cisco VPN 3000 Series Concentrators are extremely versatile, delivering high performance, security, and fault tolerance. The centralized management tool is standards-based and enables real-time statistics gathering and reporting.
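The negotiation step described under Security Associations and Combining Protocols into Transform Sets above (the responder compares the initiator's requested services against its own table of acceptable ones, and the five Phase 1 parameters must match) is shown below as an added Python example; it is not code from the paper or from a Cisco concentrator. The policy records and the rank tables are constructed from the paper's own parameter list and its "or the stronger ..." wording. Two things go beyond the text and are marked as such: the negotiated lifetime is taken as the shorter of the two peers' values, which is the behaviour Cisco documents for mismatched lifetimes, and a `prefer_strongest` mode is included to show why offer order matters when both peers allow more than one policy.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Phase1Policy:
    encryption: str   # "des" or "3des"
    hash: str         # "md5" or "sha1"
    auth: str         # "psk", "rsa-nonce" or "rsa-sig"
    dh_group: int     # 1 (768-bit) or 2 (1024-bit)
    lifetime_s: int   # IKE SA lifetime in seconds


# The VPN 3000 Concentrator defaults as listed in the paper, as one policy record.
PAPER_DEFAULTS = Phase1Policy("des", "md5", "rsa-sig", 1, 86400)

# Ordering used only by prefer_strongest; follows the paper's "stronger" / "most secure" wording.
ENC_RANK = {"des": 0, "3des": 1}
HASH_RANK = {"md5": 0, "sha1": 1}
AUTH_RANK = {"psk": 0, "rsa-nonce": 1, "rsa-sig": 2}


def algorithms_match(a: Phase1Policy, b: Phase1Policy) -> bool:
    """The four algorithm parameters must be identical on both peers; nothing is 'rounded down'."""
    return (a.encryption, a.hash, a.auth, a.dh_group) == (b.encryption, b.hash, b.auth, b.dh_group)


def strength(p: Phase1Policy):
    return (ENC_RANK[p.encryption], HASH_RANK[p.hash], p.dh_group, AUTH_RANK[p.auth])


def negotiate(offered: List[Phase1Policy], acceptable: List[Phase1Policy],
              prefer_strongest: bool = False) -> Optional[Phase1Policy]:
    """Responder side of IKE Phase 1: compare the initiator's offers with the local table.

    Returns the agreed policy, or None when nothing matches (no IKE SA, so no tunnel).
    The lifetime becomes the shorter of the two values (assumption beyond the paper: the
    documented Cisco behaviour, whereas the paper only says the parameters must be identical).
    """
    matches = [(o, a) for o in offered for a in acceptable if algorithms_match(o, a)]
    if not matches:
        return None
    if prefer_strongest:
        offered_pol, local_pol = max(matches, key=lambda pair: strength(pair[0]))
    else:
        offered_pol, local_pol = matches[0]   # first acceptable offer in the initiator's order
    return replace(offered_pol, lifetime_s=min(offered_pol.lifetime_s, local_pol.lifetime_s))


def demo() -> dict:
    weak = Phase1Policy("des", "md5", "psk", 1, 86400)
    strong = Phase1Policy("3des", "sha1", "rsa-sig", 2, 3600)
    # The initiator lists the weak policy first; the responder would accept either one.
    initiator = [weak, strong]
    responder = [strong, Phase1Policy("des", "md5", "psk", 1, 28800)]
    return {
        "first_match": negotiate(initiator, responder),
        "strongest_match": negotiate(initiator, responder, prefer_strongest=True),
        # A responder that only allows Group 2 against an initiator that only offers Group 1.
        "no_match_is_none": negotiate([weak], [strong]) is None,
        "default_matches_itself": negotiate([PAPER_DEFAULTS], [PAPER_DEFAULTS]) == PAPER_DEFAULTS,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first-match result is the one to notice from a defender's point of view: because the initiator put DES/MD5/Group 1 first and the responder's table still contained it, the tunnel comes up with the weakest common policy even though both peers supported 3DES/SHA-1/Group 2. Removing the weak entries from the responder's table, rather than relying on offer order, is what actually prevents that outcome.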
These devices allow corporations to reduce communications expenses by permitting clients to connect to corporate assets through local ISP connections to the Internet rather than through long-distance or 800-number connections to access servers. VPNs provide the productivity-enhancing ability to access corporate network assets while reducing expenses. Dial-up connections using modems are prevalent throughout many corporate communities, especially on laptop systems. For some types of users, however, broadband VPN services provide speed and always-on connectivity that permit corporations to extend their office LANs into small office/home office (SOHO) environments. The popularity of cable modems and DSL modems has made broadband services commonplace for the home office user. Connecting these high-speed networks to the
Posted 9th September 2009 by MD Ashrafur Rahim
Labels: AH, ESP, Extranet, Hash-based Message Authentication Code (HMAC), Intranet, L2TP, Triple DES, VPN IPSec tunnel, vpn SSL
gohost September 22, 2011 at 12:06 AM
VPN is a virtual private network that connects to any place. Most of the business people and large organizations implement these VPS connections. Its cost is very low, and security is high. website hosting web hosting
Bell Brown August 2, 2013 at 11:45 PM
Simply put, a virtual private network or VPN is a network which is constructed by using public wires to connect nodes. It is a way of using the Internet to provide remote users with secure access to their network. Data is scrambled as it's sent through the Internet, ensuring privacy.
Dedicated VPN