Ipsec VPN _ Virtual Private Network _ Journal or Thesis Paper

8/10/2019 Ipsec VPN _ Virtual Private Network _ Journal or Thesis Paper

    1/6/2015 IPSec VPN : Virtual Private Network | JOURNAL OR THESIS PAPER

http://alljournal.blogspot.com/2009/09/ipsec-vpn-virtual-private-network.html

    a. Diffie-Hellman (D-H)

    b. Certificate Authority (CA)

    12) VPN security of Hardware device

    13) Conclusion

Abstract

A Virtual Private Network is a communication network by which a user can tunnel through another network, using the global Internet or an intranet, with strong security features. Today it has become an important issue because, by using a VPN, it is easy to access a LAN from a remote location. It is hard to monitor a company's LAN or WAN from its office premises only; for any number of reasons a network administrator needs to go outside, and in this situation a VPN can help a lot. Anyone can use a VPN for his own LAN or WAN, but telecommunication companies, private banks and Internet Service Providers (ISPs) use VPNs very widely. For example, a bank may have a MAN or WAN spread over a large geographic area, and it also uses the latest network devices, security devices and other current networking technology. In addition, a bank can set up its own VPN services by itself, or it can take the service from a service provider. ALAP Communication is a service provider that gives VPN and other facilities. In our term paper we will discuss how the IPSec VPN has been established between Islami Bank and ALAP Communication.

Introduction

A Virtual Private Network (VPN) is a communications network tunneled through another network and dedicated to a specific network. One common application is secure communication through the public Internet, but a VPN need not have explicit security features such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

Islami Bank Bangladesh Limited has over 100 branches across Bangladesh. Inside Dhaka it has 33 branches. The main branch is situated in Dilkusha, Motijheel. In this main branch the 9th floor is the server section, which they call the Data Center. The Data Center is not connected to the branch offices by the bank's own network. Instead, Islami Bank has taken a high-speed dedicated line (2Mbps) from the service provider ALAP Communication. In contrast, the branches outside Dhaka are connected with the Digital Data Network (DDN) service from the Bangladesh Telephone and Telegraph Board (BTTB); BTTB also provides them with a high-speed dedicated line. Islami Bank has also established its VPN connection from ALAP Communication. ALAP provides two types of VPN, the CPE-based IPSec VPN and the Network-based IPSec VPN.

Security is an important issue in the networking sector. In a CPE-based VPN this issue is very important, because a secured tunnel is built between two nodes over the global Internet. In a Network-based VPN, the security is much less critical than in a CPE VPN. The bank deals with confidential client data which is highly restricted, and extreme security is needed for money transactions. Therefore user authentication, message integrity and data encryption are needed for this kind of communication. Also, a VPN can simplify a network, reduce operational costs, provide global networking opportunities and support telecommuters.

Categories of Networks

A private network is designed for use inside an organization. It allows access to shared resources and, at the same time, provides privacy. There are two terms commonly used in networking: Intranet and Extranet.

Intranet:

An Intranet is a private network (LAN) that uses the Internet model. However, access to the network is limited to users inside the organization. The network uses application programs defined for the global Internet, such as HTTP, and may have Web servers, print servers, file servers and so on.

Extranet:

An extranet is the same as an intranet with one major difference: some resources may be accessed by specific groups of users outside the organization under the control of the network administrator. For example, an organization may allow authorized customers access to product specifications, availability and online ordering. To achieve privacy, an organization can use one of three strategies: private networks, hybrid networks and virtual private networks.

Achieving Privacy

Private Network

An organization that needs privacy when routing information inside the organization can use a private network as discussed previously. A small organization with a single site can use an isolated LAN. People inside the organization can send data to one another that remains totally inside the organization, secure from outsiders. A large organization with several sites can create a private internet. The LANs at different sites can be connected to each other by routers or by leased lines. In other words, an internet can be made out of private LANs and private WANs.

[http://4.bp.blogspot.com/_Hrww1lJ6hGQ/Sqej3ESCpBI/AAAAAAAAA-Q/73x6RVs7Otw/s1600-h/0.JPG]

Figure 1. Private Network _p162 (Source: http://www.htcwizardweb.net/node/2113)

The figure shows such a situation for an organization where all the branch offices are connected to their head office. The LANs are connected to each other by routers and leased lines, so access to the network is limited to users inside the organization. In this situation the organization has created a private internet that is totally isolated from the global Internet. For end-to-end communication between stations at different sites the organization can use the Internet model. However, there is no need for the organization to apply for IP addresses with the Internet authorities; it can use private IP addresses. The organization can use any IP class and assign network and host addresses internally. Because the internet is private, duplication of addresses by another organization in the global Internet is not a problem.

Hybrid Networks

Today, most organizations need privacy in intra-organization data exchange, but, at the same time, they need to be connected to the global Internet for data exchange with other organizations. One solution is the use of a hybrid network.


[http://1.bp.blogspot.com/_Hrww1lJ6hGQ/SqejsZsqPcI/AAAAAAAAA-I/WfVaYKNDZZQ/s1600-h/2.JPG]

Figure 2: Hybrid Network _h37378 (Source: http://www.cs.ucsd.edu/~mihir/papers/hmac.html)

A hybrid network allows an organization to have its own private internet and, at the same time, access to the global Internet. Intra-organization data are routed through the private internet; inter-organization data are routed through the global Internet.

Virtual Private Networks (VPN)

Both private and hybrid networks have a major drawback: cost. Private wide area networks (WANs) are expensive. To connect several sites, an organization needs several leased lines, which means a high monthly fee. One solution is to use the global Internet for both private and public communication. A technology called virtual private network allows organizations to use the global Internet for both purposes. A VPN creates a network which is private but virtual. It is private because it guarantees privacy inside an organization. It is virtual because it doesn't use real private WANs; the network is physically public but virtually private.

[http://3.bp.blogspot.com/_Hrww1lJ6hGQ/SqejfwM6iYI/AAAAAAAAA-A/YCughvR5qDg/s1600-h/3.JPG]

Figure 3. Virtual Private Networks-VPN-1-7 (Source: http://howstuffworks.com/w/index.php?title=Layer_2_Tunnelingid=20)

Types of VPN

VPNs fall into three basic categories: Remote-Access VPN, Intranet VPN and Extranet VPN.

Remote Access VPN:

Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP).

(Image courtesy Cisco Systems, Inc.: examples of the three types of VPN.)


[http://1.bp.blogspot.com/_Hrww1lJ6hGQ/SqejUld5QSI/AAAAAAAAA94/EkNHEtNwhjw/s1600-h/4.JPG]

Figure 4. Types of VPN-vpN-10002 (Source: http://www.cisco.com/vpn/types.html)

The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network. A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

Site-to-Site VPN:

Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of two types:

Intranet-based - If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.

Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.

Why do we use VPN?

The Internet is an integral part of business communications today. Corporations use it as an inexpensive extension of their local or WAN networks. A LAN connection to an ISP enables far-reaching communication for e-commerce, mobile users, sales personnel and global business partners. The Internet is cheap, easily enabled, stable, resilient and omnipresent. But it is not secure, at least not in its native state. That is where VPN comes to the rescue. This clever concept can provide the security that you need with a variety of features. VPNs can provide security through point-to-point encryption of data, data integrity by ensuring that the data packets have not been altered, and authentication to ensure that the packets are coming from the right source. VPNs enable an efficient and cost-effective method for secure communication across the Internet's public infrastructure. A VPN provides:

Extend geographic connectivity
Improve security
Reduce operational costs versus traditional WAN
Reduce transit time and transportation costs for remote users
Simplify network topology
Provide global networking opportunities
Provide telecommuter support

The benefits most often cited for deploying VPNs include the following:

Cost Savings:

Elimination of expensive dedicated WAN circuits or banks of dedicated modems can provide significant cost savings. Third-party Internet Service Providers (ISPs) provide Internet connectivity from anywhere at any time. Coupling ISP connectivity with the use of broadband technologies, such as DSL and cable, not only cuts the cost of connectivity but can also deliver high-speed circuits.

Security:

The cost savings from the use of public infrastructures could not be realized if not for the security provided by VPNs. Encryption and authentication protocols keep corporate information private on public networks.

Scalability:

With VPN technologies, new users can be easily added to the network. Corporate network availability can be scaled quickly with minimal cost. A single VPN implementation can provide secure communications for a variety of applications on diverse operating systems.

We can connect different LANs at the same location and from different locations by using routers. But why are we using VPN? When we use our private LAN or WAN it means we are using our own network topology, which may or may not be connected to the Internet. So to access our own LAN, the LANs should be physically connected to each other. But it is not possible to access the LAN or LANs from the same location all the time. A network administrator can't stay at a fixed position for 24 hours a day; he needs to move. To resolve this problem the network administrator can use a VPN by which he can access his LAN or WAN from a remote location by using the Internet. This saves time, money etc.; the main facility is that we can access our LAN from anywhere through the Internet. Here we don't need an additional physical device, which can reduce our cost. A well-designed VPN can greatly benefit a company.

Network Topology of Islami Bank

ALAP Communication is a service provider which provides telecommunication infrastructure for secure data. ALAP Communication holds exclusive licenses for the use of spectrum in the 3.5 GHz band, and has deployed Non Line of Sight (NLOS) and Obstructed Line of Sight (OLOS) broadband wire and wireless networking equipment for use in this band. ALAP now stands ready to profit from this investment by providing Voice, VPN and Data services to a wide variety of customers, including both end users and network providers. ALAP Communication gives 2Mbps dedicated high-speed bandwidth for data transmission to Islami Bank Bangladesh Limited. Here, we have discussed how Islami Bank uses VPN from the service provider.

Explanations

All the services are handled by the Data Center, which is situated in the main branch office of Islami Bank Bangladesh Limited. The Data Center is the server room on the 9th floor of the main branch. The data center is connected to the ALAP Communication backbone, which is around a 2Mbps high-speed dedicated line. ALAP Communication gives its services inside Dhaka city to 33 different branches of Islami Bank. All the routers of the different branches are connected to ALAP with 128 KB/s lines. After that the traffic goes through Cisco router > Cisco PIX firewall > Catalyst switch > Workstations. The Data Center servers can control the whole process. They can access their local router at any time; they check accounts and do any kind of transaction with their local office. Similarly, the local office can also do the same if it has permission from the main office. Islami Bank's data storage system is not centralized; they use a decentralized system to store their data. For example, when the branches in Dhaka make any transaction, that record doesn't go to the main Data Center server; the information is saved on the local server under that specific local router. After a suitable time the main server in Dhaka retrieves that information from those local servers. The Data Center uses banking and database software for their transactions. The data server can communicate with the branch offices over ALAP Communication's backbone because ALAP provides a high-speed dedicated service to them. Whatever transactions happen in the main and branch offices are fully automated. There is no kind of manual transaction. If there is any kind of interruption or other problem, then manual transactions can happen. A person is needed to control the server and to monitor the status of the traffic. But the practical scenario is not that easy. An authorized person needs to access the network from outside Islami Bank's office. VPN can be a solution for this kind of problem. The network admin of Islami Bank uses VPN services from ALAP Communication. In VPN, security is a very important factor, because all the data which they pass is strictly restricted and highly confidential. So, security is an important issue for VPN communication.

VPN Infrastructure of ALAP Communications

All data traversing the ALAP Communications network is encrypted by default with a 128-bit encryption scheme. On top of their network traffic encryption they provide end-to-end secure data communication through their state-of-the-art VPN solution. ALAP's VPN solutions can enable anyone's employees, customers, business partners and suppliers to collaborate securely and cost-effectively. They integrate VPN hardware and software with the management and support we need for a complete, end-to-end solution.

ALAP's VPN Criteria

State-of-the-art hardware (ASIC) based Firewall and VPN.
10 concurrent IPSec VPN tunnels and the choice of 10, 20, 50 or Unlimited node configurations (IPSec VPN ensures data security to their corporate clients).
Complete Anti-Virus, Internet Content Filtering and Rapid Email Attachment Blocking all-in-one solution.
Enterprise-class firewall protection with ICSA-certified, stateful packet inspection technology.

ALAP's VPN Solution

Companies establish centralized control over branch offices with point-of-sale (POS) locations.
Provide the remote robust security and performance needed for business continuance.
Enable secure, high-speed communications between multiple locations.

[http://1.bp.blogspot.com/_Hrww1lJ6hGQ/SqejLWzaFGI/AAAAAAAAA9w/hcsIN9yzOCI/s1600-h/4.5.JPG]

ALAP's CPE-based IP VPN

With the use of the latest technology, ALAP's CPE-based IP VPN solution allows us to create an efficient and integrated platform to streamline business communications. Data are encrypted securely from our premises to the distant end as our business might demand.

[http://2.bp.blogspot.com/_Hrww1lJ6hGQ/SqejAE28t2I/AAAAAAAAA9o/TOSlpBd23Ns/s1600-h/5.JPG]

Figure 5. CPE based IP VPN (Source: http://www.alapcom.com/security/vpn/cpevpn.jpeg)

ALAP's CPE-based IP VPN offers:

Support for Intranets, Extranets and Remote access network applications.
Integrated VPN devices with support for VPN, firewall and routing capabilities.
Premise-to-premise encryption.

Explanations

In CPE-based IP VPN, ALAP Communication offers its support for Intranets, Extranets and Remote access network applications. In IP-based VPN the network is connected by the Internet cloud; this means the network medium is the Internet cloud. There are customer premises networks on both sides of the Internet Protocol (IP) network. The CPE can be connected to the IP network via any kind of DSL, broadband or dial-up modem. CPE IP VPN is suitable for the telecommuter or the network administrator of a company who needs to change his position rapidly. For example, a situation can occur where a network administrator is called for any kind of help while he is outside his office. In this situation a CPE IP VPN can be a solution. By this, that network administrator can access his office or any other LAN or WAN through the Internet. The Internet is helpful in this situation because it is cheap and no additional hardware is required for this kind of communication. With only an Internet connection, a person can access a remote LAN or WAN through the Internet.

ALAP's Network-based IP VPN

IP service switches at network access points are used to encrypt data, taking full responsibility for management and maintenance of the system.


[http://1.bp.blogspot.com/_Hrww1lJ6hGQ/Sqei1_gMyFI/AAAAAAAAA9g/2zGsoGfov5g/s1600-h/6.JPG]

Figure 6. Network based IP VPN (Source: http://www.alapcom.com/security/vpn/networkvpn.jpeg)

ALAP's Network-based IP VPN offers:

Support for Intranets, Extranets and Remote access network applications.
Integrated network-based firewalls.
Network-edge to network-edge encryption.
Hybrid networking capabilities to support the migration or integration of ALAP's IP-based networks with third-party Frame Relay and ATM services.

Explanation:

The network-based IP VPN of ALAP Communication supports Intranets, Extranets and Remote access network applications. In addition, the network-based VPN is integrated with network-based firewalls. It also provides network-edge to network-edge encryption. In a network-based VPN the internal backbone of the network is the ALAP Communications network itself. This means there are customer premises networks on both sides of the ALAP Communications network. The CPE can be connected to the IP network via any kind of DSL, broadband, dial-up modem or wireless modem. The different LAN segments are connected to each other by routers. For security purposes each of the routers is connected to a hardware firewall. There are differences between the CPE IP VPN and the Network-Based IP VPN. In Network-Based IP VPN the core network, or transmission network, is the intranet instead of the global Internet. This means a user can't access the LAN or WAN on a different segment through the Internet; if the user uses the Internet then it becomes a CPE IP VPN. In Network-based IP VPN the network is connected through its own LAN or WAN. The advantage of this kind of system is that no global network connection is required. But the main disadvantage is that a network administrator can't access any segment of the remote network from outside the office.

Overview of VPN Technologies

IP Sec

Internet Protocol Security (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication. IPSec is a layer 3 protocol. IPSec has two encryption modes: tunnel and transport. When two devices offer each other VPN tunneling, it is tunnel mode; and when only the client side requests the opposite side for VPN tunneling, it is transport mode. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:

Router to router
Firewall to router
PC to router
PC to server

[http://4.bp.blogspot.com/_Hrww1lJ6hGQ/SqeirvKEvcI/AAAAAAAAA9Y/ZEFf8yHPq04/s1600-h/7.JPG]

Figure 7. VPN tunneling-10038 (Source: http://www.dlink.com/vpn/technology.jpg)

To guarantee privacy and other security measures for an organization, a VPN can use IPSec in tunnel mode. In this mode, each IP datagram destined for private use in the organization is encapsulated in another datagram.

SSL

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communication on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but they are substantially the same.
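The difference between the two IPSec modes described above (transport mode protects only the payload behind the original IP header; tunnel mode wraps the whole original datagram inside a new one between the gateways) is easiest to see by building both packet layouts and asking what an on-path observer can still read. The following is an added example, not code from the paper or from ALAP or Islami Bank: the host addresses (10.x) and gateway addresses (203.0.113.1, 198.51.100.1) are constructed, the "cipher" is a toy HMAC-SHA256 keystream so the block runs on the standard library alone (real ESP uses a negotiated cipher such as AES), and the ESP layout is simplified to SPI + sequence number with no padding, IV or integrity check value.

```python
"""Added example: what IPsec transport mode vs tunnel mode leaves visible.
Toy keystream cipher and simplified ESP layout; constructed sample addresses."""
import hashlib
import hmac
import socket
import struct

IPPROTO_TCP = 6    # real IANA protocol numbers
IPPROTO_ESP = 50


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with HMAC-SHA256(key, spi||seq||counter).
    The same call decrypts. Demo only; not a real ESP transform."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack("!IIQ", spi, seq, counter),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_transport(pkt: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: original IP header kept, ESP inserted after it,
    only the Layer 4 payload protected. End hosts remain visible."""
    ip_hdr, payload = pkt[:20], pkt[20:]
    esp_hdr = struct.pack("!II", spi, seq)
    body = keystream_xor(key, spi, seq, payload)
    new_hdr = bytearray(ip_hdr)
    new_hdr[9] = IPPROTO_ESP                              # protocol field
    struct.pack_into("!H", new_hdr, 2, 20 + len(esp_hdr) + len(body))
    return bytes(new_hdr) + esp_hdr + body


def esp_tunnel(pkt: bytes, key: bytes, spi: int, seq: int,
               gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original datagram becomes the protected payload
    of a new outer datagram addressed between the two gateways."""
    esp_hdr = struct.pack("!II", spi, seq)
    body = keystream_xor(key, spi, seq, pkt)
    outer = ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp_hdr) + len(body))
    return outer + esp_hdr + body


def visible_addresses(pkt: bytes) -> tuple:
    """Source/destination an observer reads from the cleartext outer header."""
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)


def visible_spi(pkt: bytes) -> int:
    """The SPI is sent in the clear right after the outer IP header."""
    return struct.unpack("!I", pkt[20:24])[0]


def decapsulate_tunnel(pkt: bytes, key: bytes) -> bytes:
    """Receiving gateway: strip outer + ESP headers, recover inner datagram."""
    spi, seq = struct.unpack("!II", pkt[20:28])
    return keystream_xor(key, spi, seq, pkt[28:])


# Constructed sample: a branch host sending to a Data Center host.
SAMPLE_KEY = hashlib.sha256(b"demo-sa-key").digest()
INNER = ipv4_header("10.1.1.10", "10.0.0.5", IPPROTO_TCP, 12) + b"ACCT-BALANCE"

if __name__ == "__main__":
    t = esp_transport(INNER, SAMPLE_KEY, 0x1000, 1)
    u = esp_tunnel(INNER, SAMPLE_KEY, 0x1000, 1, "203.0.113.1", "198.51.100.1")
    print("transport mode exposes:", visible_addresses(t))
    print("tunnel mode exposes:   ", visible_addresses(u))
```

Run as-is, the transport-mode packet still shows 10.1.1.10 and 10.0.0.5 on the wire, while the tunnel-mode packet shows only the two gateway addresses; in both cases the SPI is readable, which is exactly what lets the receiver pick the right SA before decrypting.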


[http://4.bp.blogspot.com/_Hrww1lJ6hGQ/SqeieyJ7uDI/AAAAAAAAA9Q/G04uCfz8inI/s1600-h/8.JPG]

Figure 8. SSL-vpn-1-7 (Source: http://www.cites.uiuc.edu/vpn/technology.htm)

Cryptographic Protocol:

A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods. A protocol describes how the algorithms should be used. A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program. Cryptographic protocols are widely used for secure application-level data transport. For example, Transport Layer Security (TLS) is a cryptographic protocol that is used to secure web (HTTP) connections.

L2TP

In computer networking, the Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs).

[http://2.bp.blogspot.com/_Hrww1lJ6hGQ/SqeiLgmeAYI/AAAAAAAAA9I/6138pDpRZxw/s1600-h/9.JPG]

Figure 9. Layer 2 Tunneling Protocol9-90-3 (Source: http://www.citecho.com/vpn/technology.html)

L2TP acts like a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). L2TP is in fact a layer 5 (session layer) protocol, and uses the registered UDP port 1701. The entire L2TP packet, including payload and L2TP header, is sent within a UDP datagram. It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPSec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec (discussed below). The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this an L2TP session (or call) is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. MTU should be considered when implementing L2TP. The packets exchanged within an L2TP tunnel are categorised as either control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets.
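The L2TP description above (UDP port 1701, tunnel and session identifiers, control packets with reliability versus data packets without, and no confidentiality of its own) maps directly onto the L2TPv2 header of RFC 2661. The block below is an added example, not code from the paper: it parses that header from the start of a UDP payload, separates control from data packets by the T bit, checks the flag combination the RFC requires for control messages, and returns the payload, which for a data packet is the PPP frame in the clear. The two sample datagrams are constructed for the demo (tunnel 7, session 42, and a message-type AVP for the control packet).

```python
"""Added example: decode an L2TPv2 (RFC 2661) header and classify packets.
Sample datagrams are constructed; nothing here is captured traffic."""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class L2TPHeader:
    is_control: bool            # T bit: 1 = control message, 0 = data
    length: Optional[int]       # present only when the L bit is set
    tunnel_id: int
    session_id: int
    ns: Optional[int]           # Ns/Nr present only when the S bit is set
    nr: Optional[int]
    payload: bytes


def parse_l2tp(datagram: bytes) -> L2TPHeader:
    """Walk the variable-length header; raise ValueError on malformed input."""
    if len(datagram) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    t_bit = bool(flags & 0x8000)
    l_bit = bool(flags & 0x4000)
    s_bit = bool(flags & 0x0800)
    o_bit = bool(flags & 0x0200)
    version = flags & 0x000F
    if version != 2:
        raise ValueError(f"unsupported L2TP version {version}")
    # RFC 2661 3.1: control messages MUST set L and S and MUST NOT set O.
    if t_bit and not (l_bit and s_bit and not o_bit):
        raise ValueError("malformed control message flags")
    pos = 2
    length = None
    if l_bit:
        length = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
        if length > len(datagram):
            raise ValueError("length field exceeds datagram")
    tunnel_id, session_id = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    ns = nr = None
    if s_bit:
        ns, nr = struct.unpack("!HH", datagram[pos:pos + 4])
        pos += 4
    if o_bit:
        offset = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2 + offset
    end = length if length is not None else len(datagram)
    return L2TPHeader(t_bit, length, tunnel_id, session_id, ns, nr,
                      datagram[pos:end])


def build_l2tp(control: bool, tunnel_id: int, session_id: int,
               payload: bytes, ns: int = 0, nr: int = 0) -> bytes:
    """Encode a header: control packets carry L and S; data packets only Ver."""
    if control:
        flags = 0x8000 | 0x4000 | 0x0800 | 2
        body = struct.pack("!HHHH", tunnel_id, session_id, ns, nr) + payload
        return struct.pack("!HH", flags, 4 + len(body)) + body
    return struct.pack("!HHH", 2, tunnel_id, session_id) + payload


def classify(datagram: bytes) -> str:
    """One-line summary of the packet kind and the tunnel/session it belongs to."""
    h = parse_l2tp(datagram)
    kind = "control" if h.is_control else "data"
    return f"{kind} tunnel={h.tunnel_id} session={h.session_id}"


# Constructed samples: a control message carrying a Message Type AVP
# (M bit set, length 8, vendor 0, attribute 0, value 1 = SCCRQ) and a data
# packet carrying a PPP frame whose bytes are readable without IPsec.
CONTROL_PKT = build_l2tp(True, 7, 0, b"\x80\x08\x00\x00\x00\x00\x00\x01")
DATA_PKT = build_l2tp(False, 7, 42, b"\xff\x03\x00\x21" + b"branch transaction")

if __name__ == "__main__":
    for pkt in (CONTROL_PKT, DATA_PKT):
        print(classify(pkt), parse_l2tp(pkt).payload)
```

The Ns/Nr fields the parser exposes are what give control packets their reliability (the peer acknowledges them), and their absence from data packets is why the text says reliability for session traffic must come from the nested protocol. The readable PPP bytes in the data packet are the reason L2TP is normally run inside IPSec.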


Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel.

VPN over IPSec

Planning an IPSec VPN

IPSec supports High-Level Data Link Control (HDLC), ATM, Point-to-Point Protocol (PPP) and Frame Relay serial encapsulation. IPSec also works with the Generic Routing Encapsulation (GRE) and IP in IP (IPinIP) encapsulation layer 3 tunneling protocols; IPSec doesn't support the data-link switching (DLSw) standard, source-route bridging (SRB) or other layer 3 tunneling protocols. IPSec doesn't support multipoint tunneling. IPSec works strictly with unicast IP datagrams only; it doesn't work with multicast or broadcast IP datagrams. IPSec causes packet expansion that can lead to fragmentation and reassembly of IPSec packets. When using NAT, be sure that NAT occurs before IPSec encapsulation so that IPSec has global addresses to work with.

Major Protocols in IPSec

IP Security Protocols (IPSec)
  o Authentication Header (AH)
  o Encapsulating Security Payload (ESP)
Message Encryption
  o Data Encryption Standard (DES)
  o Triple DES (3DES)
Message Integrity (HASH) Functions
  o Hash-based Message Authentication Code (HMAC)
  o Message Digest 5 (MD5)
  o Secure Hash Algorithm-1 (SHA-1)
Peer Authentication
  o Rivest, Shamir and Adleman (RSA) Digital Signatures
  o RSA Encrypted Nonces
Key Management
  o Diffie-Hellman (D-H)
  o Certificate Authority (CA)
Security Association
  o Internet Key Exchange (IKE)
  o Internet Security Associations and Key Management Protocol (ISAKMP)

Explanation of the IPSec Protocols

The IPSec Protocols

The protocols that IPSec uses to provide traffic security are Authentication Header (AH) and Encapsulating Security Payload (ESP). These two protocols are considered purely IPSec protocols and were developed strictly for IPSec. Each protocol is described in its own RFC, which was identified in Table 2-7. We can use AH and ESP independently on an IPSec connection, or we can combine their use. IKE and IPSec negotiate encryption and authentication services between peers. This negotiation process culminates in establishing Security Associations (SAs) between security peers. IKE SAs are bidirectional, but IPSec SAs are unidirectional and must be established by each member of the VPN pair to carry bidirectional traffic. There must be an identical SA on each peer to establish secure communications between peers. The information associated with each SA is stored in a Security Association Database, and each SA is assigned a Security Parameters Index (SPI) number that, when combined with the destination IP address and the security protocol (AH or ESP), uniquely identifies the SA. The key to IPSec is the establishment of these SAs. SAs are negotiated once at the beginning of an IPSec session and periodically throughout a session when certain conditions are met. To avoid having to negotiate security for each packet, there had to be a way to communicate the use of an already agreed-upon SA between security peers. That is where the AH and ESP protocols come into use. These two protocols are simply a means of identifying which prenegotiated security features to use for a packet going from one peer to another. Both of these protocols add an extra header to the IP datagram between the Layer 3 (IP) and Layer 4 (usually TCP or UDP) protocol headers. A key element contained in each protocol's header is the SPI, giving the destination peer the information it needs to authenticate and decrypt the packet.

Authentication Header

The Authentication Header (AH) protocol is defined in RFCs 1826 and 2402 and provides data integrity, data origin authentication and an optional anti-replay service. AH does not provide encryption, which means that the packets are sent as clear text. AH is slightly quicker than ESP, so we might choose to use AH when we need to be certain of the source and integrity of the packet but confidentiality is not a concern. Devices configured to use AH insert an extra header into the IP datagrams of "interesting traffic," between the IP header and the Layer 4 header. Because a processing cost is associated with IPSec, VPNs can be configured to choose which traffic to secure and

    IPSec and non-IPSec traffic can coexist between security pairs. We might choose to secure e-mail traffic but

    not web traffic, for example. The process of inserting the AH header is shown in Figure 2-5.


[Figure 10 image: http://4.bp.blogspot.com/_Hrww1lJ6hGQ/SqeiBbH52FI/AAAAAAAAA9A/JYAxl6zAZjo/s1600-h/10.JPG]

Figure 10 (source: CCSP Cisco Secure VPN)

Encapsulating Security Payload

The other IPSec protocol is the Encapsulating Security Payload (ESP) protocol. This protocol provides confidentiality by enabling encryption of the original packet. Additionally, ESP provides data origin authentication, integrity, an antireplay service, and some limited traffic-flow confidentiality. This is the protocol to use when we require confidentiality in our IPSec communications. ESP acts differently than AH does. As its name implies, ESP encapsulates all or portions of the original IP datagram by surrounding it with both a header and a trailer. Figure 2-6 shows the encapsulation process.

[Figure 11 image: http://2.bp.blogspot.com/_Hrww1lJ6hGQ/Sqeh1YuHdCI/AAAAAAAAA84/opZQe5Yxmdk/s1600-h/11.JPG]

Figure 11 (source: CCSP Cisco Secure VPN)

AH and ESP Modes of Operation

We previously discussed the AH and ESP protocols using several examples that showed sliding the IP header of an IP datagram to the left, inserting either an AH or ESP header, and then appending the upper-layer portion of the datagram to that. This is a classic description of one of the modes of operation for IPSec, namely Transport mode. The other mode of operation for IPSec is Tunnel mode. These two modes provide a further level of authentication or encryption support to IPSec.

Transport Mode

Transport mode is primarily used for end-to-end connections between hosts or devices acting as hosts. Tunnel mode is used for everything else. An IPSec gateway might act as a host when being accessed by an administrator for configuration or other management operations. Figure 2-8 shows how Transport mode affects AH IPSec connections. The Layer 3 and Layer 4 headers are pried apart, and the AH is added between them. Authentication protects all but the mutable fields in the original IP header.

[Figure 12 image: http://3.bp.blogspot.com/_Hrww1lJ6hGQ/SqehnSOQKfI/AAAAAAAAA8w/nKNShePZoX0/s1600-h/12.JPG]

Figure 12 (source: CCSP Cisco Secure VPN)

Figure 2-9 shows ESP Transport mode. Again, the IP header is shifted to the left, and the ESP header is inserted. The ESP trailer and ICV are then appended to the end of the datagram. If encryption is desired (not available with AH), only the original data and the new ESP trailer are encrypted. Authentication extends from the ESP header through the ESP trailer. Even though the original header has essentially been left intact in both situations, AH Transport mode does not support NAT, because changing the source IP address in the IP header causes authentication to fail. If we need to use NAT with AH Transport mode, we must ensure that NAT happens before IPSec. Notice that this problem does not exist with ESP Transport mode: the IP header remains outside the authentication and encryption areas for ESP Transport mode datagrams.
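The following added Python example (it is not from the paper or from the CCSP text it cites) models the integrity checks just described for AH and ESP Transport mode, using the HMAC-SHA1-96 ICV discussed in the Message Integrity sections below: the AH ICV covers the immutable IP header fields plus the AH and payload, while the ESP ICV covers only the span from the ESP header through the ESP trailer. A simulated NAT rewrite of the source address therefore breaks AH verification but leaves ESP verification intact. It also performs the inbound SA lookup by the (SPI, destination address, protocol) triplet described under Security Associations. The key, addresses, SPIs and payload are constructed sample values, and ESP encryption is omitted (the standard library has no DES), so the ESP packet is authentication-only.

```python
"""AH and ESP Transport mode integrity checks with HMAC-SHA1-96 (added example).

Constructed sample data only: the key, addresses, SPIs and payload are not
from any real deployment, and ESP is built authentication-only (no DES).
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
AUTH_KEY = bytes.fromhex("0b" * 20)  # constructed 160-bit HMAC-SHA1 key (IKE would derive it)

# Constructed inbound Security Association Database, keyed by the
# (SPI, destination address, IPSec protocol) triplet from the text.
SAD = {
    (0x1001, "203.0.113.10", AH_PROTO): {"auth": "HMAC-SHA1-96"},
    (0x2001, "203.0.113.10", ESP_PROTO): {"auth": "HMAC-SHA1-96"},
}


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """Full 160-bit HMAC-SHA1, truncated to the left-most 96 bits for the ICV field."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left zero (a real stack fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def immutable_ipv4(hdr: bytes) -> bytes:
    """Zero the mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum)
    before the AH ICV is computed, as RFC 2402 requires."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah_transport(src: str, dst: str, payload: bytes, spi: int, seq: int) -> bytes:
    """IP | AH | payload. AH = next header, length (32-bit words minus 2), reserved,
    SPI, sequence number, 96-bit ICV."""
    ah_no_icv = struct.pack("!BBHII", TCP_PROTO, (24 // 4) - 2, 0, spi, seq)
    ip = ipv4_header(src, dst, AH_PROTO, 20 + 24 + len(payload))
    # The ICV is computed with the ICV field itself and the mutable IP fields zeroed.
    icv = hmac_sha1_96(AUTH_KEY, immutable_ipv4(ip) + ah_no_icv + bytes(12) + payload)
    return ip + ah_no_icv + icv + payload


def verify_ah_transport(pkt: bytes) -> bool:
    ip, ah_no_icv, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac_sha1_96(AUTH_KEY, immutable_ipv4(ip) + ah_no_icv + bytes(12) + payload)
    return hmac.compare_digest(expected, icv)


def build_esp_transport(src: str, dst: str, payload: bytes, spi: int, seq: int) -> bytes:
    """IP | ESP header (SPI, seq) | payload | trailer (padding, pad length, next header) | ICV.
    The ICV covers ESP header through trailer; the IP header stays outside it."""
    pad_len = (-(len(payload) + 2)) % 4          # align the trailer to a 32-bit boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, TCP_PROTO])
    body = struct.pack("!II", spi, seq) + payload + trailer   # payload + trailer would be encrypted
    ip = ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + 12)
    return ip + body + hmac_sha1_96(AUTH_KEY, body)


def verify_esp_transport(pkt: bytes) -> bool:
    body, icv = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(hmac_sha1_96(AUTH_KEY, body), icv)


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a NAT device does after IPSec encapsulation: rewrite the source address."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def lookup_sa(pkt: bytes):
    """Inbound SA lookup. The SPI sits at offset 24 in AH (after next header, length
    and reserved) but at offset 20 in ESP; combine it with destination and protocol."""
    proto = pkt[9]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    spi_off = 24 if proto == AH_PROTO else 20
    spi = struct.unpack("!I", pkt[spi_off:spi_off + 4])[0]
    return SAD.get((spi, dst, proto))


def nat_demo() -> dict:
    payload = b"GET / HTTP/1.0\r\n\r\n"   # constructed upper-layer data
    ah = build_ah_transport("192.168.1.10", "203.0.113.10", payload, 0x1001, 1)
    esp = build_esp_transport("192.168.1.10", "203.0.113.10", payload, 0x2001, 1)
    return {
        "ah_before_nat": verify_ah_transport(ah),
        "ah_after_nat": verify_ah_transport(nat_rewrite_source(ah, "198.51.100.1")),
        "esp_before_nat": verify_esp_transport(esp),
        "esp_after_nat": verify_esp_transport(nat_rewrite_source(esp, "198.51.100.1")),
        "ah_sa_found": lookup_sa(ah) is not None,
        "esp_sa_found": lookup_sa(esp) is not None,
    }


if __name__ == "__main__":
    print(nat_demo())
```

Running the block prints a dictionary in which only `ah_after_nat` is false, which is the behaviour the text predicts: the NAT rewrite changed a field inside the AH authentication scope, whereas the ESP ICV never covered the IP header. Tunnel mode is not modelled; in AH Tunnel mode the new outer header would be under the ICV in the same way.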

[Figure 13 image: http://3.bp.blogspot.com/_Hrww1lJ6hGQ/SqehgUgwyII/AAAAAAAAA8o/um1SXJTAIaw/s1600-h/13.JPG]

Figure 13 (source: CCSP Cisco Secure VPN)

Tunnel Mode

IPSec Tunnel mode is used between gateways such as routers, firewalls, and concentrators. It is also typically used when a host connects to one of these gateways to gain access to networks controlled by that gateway, as would be the case with most remote-access users dialing in to a router or concentrator. In Tunnel mode, instead of shifting the original IP header to the left and then inserting the IPSec header, the original IP header is copied and the copy is shifted to the left to form the new IP header. The IPSec header is then placed between the original IP header and the copy. The original datagram is left intact and is wholly secured by the authentication or encryption algorithms. Figure 2-10 shows AH Tunnel mode. Once again, notice that the new IP header is under the auspices of the authentication algorithm and that it does not support NAT.

[Figure 14 image: http://3.bp.blogspot.com/_Hrww1lJ6hGQ/SqehUr73mbI/AAAAAAAAA8g/KiXTOpz8SXg/s1600-h/14.JPG]

Figure 14 (source: CCSP Cisco Secure VPN)

In Figure 2-11, we can see a depiction of ESP Tunnel mode. The entire original datagram can be encrypted and/or authenticated with this method. If we select both ESP authentication and encryption, encryption is performed first. This allows authentication to be done with assurance that the sender does not alter the datagram before transmission, and the receiver can authenticate the datagram before decrypting the package.

[Figure 15 image: http://1.bp.blogspot.com/_Hrww1lJ6hGQ/SqehCChHOdI/AAAAAAAAA8Y/nEiiUTlaLhg/s1600-h/15.JPG]

Figure 15 (source: CCSP Cisco Secure VPN)

ESP supports NAT in either Tunnel or Transport mode, and only ESP supports encryption. If we need encryption, we must use ESP. If we also want authentication with ESP, we must select the ESP HMAC service. HMAC uses the MD5 and SHA-1 hashing algorithms in keyed form.

Security Associations

Depending on the IPSec protocol we choose, we can ensure data integrity and source authenticity, provide encryption, or do both. Once we decide on the service we need, the peers begin a negotiation process to select a matching set of algorithms for authentication, encryption, and/or hashing, as well as a matching SA lifetime. This negotiation is done by comparing the services requested by the source peer with a table of acceptable services maintained on the destination peer. Once the negotiation has been completed, it would be convenient not to have to do it again for a while. The IETF named this security service relationship between two or more entities, established for secure communications, the Security Association (SA). When traffic needs to flow bidirectionally across a VPN, IKE establishes a bidirectional SA, and then IPSec establishes two more unidirectional SAs, each having its own lifetime.

Get into the habit of identifying these SAs as either IKE SAs or IPSec SAs, because each has its own configuration attributes and each is maintained separately. IKE SAs are used when IPSec tries to establish a connection. IPSec SAs are used with every secure packet. SAs are only good for one direction of data across an IPSec connection. Because SAs are simplex, establishing conversations between peers requires two IPSec SAs, one going and one coming, for each peer, and two underlying IKE SAs. IPSec SAs are also protocol specific: if we are going to use both AH and ESP between security peers, we need separate SAs for each.

Each SA is assigned a unique random number called a Security Parameters Index (SPI). This number, the destination IP address of a packet, and the IPSec protocol used create a unique triplet that identifies a security association. When a system wants to send IPSec traffic to a peer, it checks to see if an SA already exists for that peer using the desired security services. If it finds an existing SA, it places the SPI of that SA into the IPSec header and sends the packet. The destination peer takes the SPI, combines it with the IPSec protocol and the destination IP address, and locates the existing SA in the Security Association Database it maintains for incoming traffic on that interface. Once it finds the SA, the destination peer knows how to unwrap the data for use.

Existing Protocols Used in the IPSec Process

IPSec makes use of numerous existing encryption, authentication, and key exchange standards. This approach keeps IPSec a standards-based application, making it more universally acceptable in the IP community. Many of these standard protocols are described in the following sections.

Message Encryption

Available when using the ESP IPSec protocol, message encryption enables us to send highly sensitive information across public networks without fear of having those data easily compromised. The two encryption standards are the Data Encryption Standard (DES) and its more robust cousin, the Triple Data Encryption Standard (3DES or Triple DES).

Data Encryption Standard

The standard encryption method used by many VPN deployments is the Data Encryption Standard (DES). DES applies a 56-bit key to every 64 bits of data. DES provides over 72,000,000,000,000,000 (72 quadrillion) possible encryption keys. Developed by IBM in 1977 and adopted by the U.S. Department of Defense, DES was once considered such a strong encryption technique that it was barred from export from the continental United States. It was considered unbreakable at the time of its adoption, but faster computers have rendered DES breakable within a relatively short period of time, so DES is no longer in favor in high-security applications.

Cipher Block Chaining (CBC) is one of several methods of implementing DES. CBC requires an initialization vector (IV) to start encryption. IPSec ensures that both VPN peers have the same IV or shared secret key. The shared secret key is input into the DES encryption algorithm, and clear text is then supplied in 64-bit blocks. The clear text is converted to cipher text and passed to ESP for transmission to the waiting peer, where the process is reversed using the same shared secret key to reproduce the clear text message.

Triple DES

One version of the Data Encryption Standard is Triple DES (3DES), so named because it performs three encryption operations on the data. It performs an encryption process, a decryption process, and then another encryption process, each with a different 56-bit key. This triple process produces an aggregate 168-bit key, providing strong encryption.

Message Integrity

Message integrity is accomplished by using a hashing algorithm to compute a condensed representation of a message or data file. These condensed representations are called message digests (MDs) and are of a fixed length that depends on the hashing algorithm used. All or part of this message digest is transmitted with the data to the destination host, which executes the same hashing algorithm to create its own message digest. The source and destination message digests are then compared. Any deviation means that the message has been altered since the original message digest was created. A match means that we can be fairly certain that the data have not been altered during transit.

When using the IPSec AH protocol, the message digest is created using the immutable fields from the entire IP datagram, replacing mutable fields with 0s or predictable values to maintain proper alignment. The computed MD is then placed in the Authentication Data (or ICV) field of the AH. The destination device then copies the MD from the AH and zeroes out the Authentication Data field to recalculate its own MD. With the IPSec ESP protocol, the process is similar. The message digest is created using the immutable data in the portion of the IP datagram from the beginning of the ESP header to the end of the ESP trailer. The computed MD is then placed into the ICV field at the end of the datagram. With ESP, the destination host does not need to zero out the ICV field, because it sits outside the scope of the hashing routine. Refer to Figures 2-9 and 2-11 for the structure of the ESP datagram.

Hash-Keyed Message Authentication Code

RFC 2104 describes the HMAC algorithm, which was developed to work with existing hashing algorithms like MD5 and SHA-1. Many security processes involved in sharing data use secret keys and a mechanism called Message Authentication Codes (MACs). One party creates the MAC using the secret key and transmits the MAC to its peer partner. The peer partner creates its own MAC using the same secret key and compares the two MACs. MD5 and SHA-1 share a similar concept, except that they do not use secret keys. That is where HMAC comes in. HMAC was developed to add a secret key into the calculation of the message digests produced by standard hashing algorithms. The secret key added to the formula is the same length as the resulting message digest for the hashing algorithm used.

Message Digest 5-HMAC Variant

Message Digest 5 (MD5) was developed by Ronald Rivest of the Massachusetts Institute of Technology and RSA Data Security Incorporated. MD5 takes any message or data file and creates a 128-bit condensed representation (message digest) of the data. The HMAC variant uses a 128-bit secret key to produce a 128-bit MD. AH and ESP-HMAC use only the left-most 96 bits, placing them into the authentication field. The destination peer then calculates a complete 128-bit message digest but uses only the left-most 96 bits to compare with the value stored in the authentication field. MD5 creates a shorter message digest than SHA-1 does and is considered less secure, but it offers better performance. MD5 without HMAC has some known weaknesses that make it a poor choice for high-security applications. HMAC-MD5 has not yet been successfully attacked.

Secure Hash Algorithm-1

The Secure Hash Algorithm was developed by the National Institute of Standards and Technology (NIST) and was first documented in Federal Information Processing Standard (FIPS) Publication 180. The current version is SHA-1, as described in FIPS 180-1 and RFC 2404. SHA-1 produces a 160-bit message digest, and the HMAC-SHA-1 variant uses a 160-bit secret key. The receiving peer re-creates the entire 160-bit message digest using the same 160-bit secret key but then compares only the leading 96 bits against the MD fragment in the authentication field. The 160-bit SHA-1 message digest is more secure than the 128-bit MD5 message digest. There is a price to pay in performance for the extra security, but if we need to use the most secure form of message integrity, we should select the HMAC-SHA-1 algorithm.

Peer Authentication

One of the processes that IKE performs is the authentication of peers. This is done during IKE Phase 1 using a keyed hashing algorithm with one of three possible key types:
  a. Pre-shared keys
  b. RSA digital signatures
  c. RSA encrypted nonces

Pre-shared Keys

The process of sharing pre-shared keys is manual. Administrators at each end of the IPSec VPN agree on the key to use and then manually enter the key into the end device, either host or gateway. This method is fairly secure, but it does not scale well to large applications.

RSA Digital Signatures

Ronald Rivest, Adi Shamir, and Leonard Adleman developed the RSA public-key cryptosystem in 1977. Ronald Rivest also developed the MD5 hashing algorithm. A Certificate Authority (CA) provides RSA digital certificates upon registration with that CA. These digital certificates allow stronger security than pre-shared keys do. Once the initial configuration has been completed, peers using RSA digital certificates can authenticate with one another without operator intervention. When an RSA digital certificate is requested, a public and a private key are generated. The host uses the private key to create a digital signature. The host sends this digital signature along with its digital certificate to its IPSec peer partner. The peer uses the public key from the digital certificate to validate the digital signature received from the peer.

RSA Encrypted Nonces

A twist on the way digital signatures are used is the process of using RSA encrypted nonces for peer authentication. A nonce is a pseudorandom number. This process requires registration with a CA to obtain RSA digital certificates. Peers do not share public keys in this form of authentication, and they do not exchange digital certificates. The process of sharing keys is manual and must be done during the initial setup. RSA encrypted nonces permit repudiation of the communication, where either peer can plausibly deny that it took part in the communication.

Key Management

Key management can be a huge problem when working with IPSec VPNs. It seems as if there are keys lurking everywhere. In reality, only five permanent keys are used for every IPSec peer relationship. These keys are described as follows:
  a. Two are private keys that are owned by each peer and are never shared. These keys are used to sign messages.
  b. Two are public keys that are owned by each peer and are made available to anyone. These keys are used to verify signatures.
  c. The fifth key is the shared secret key. Both peer members use this key for encryption and hashing functions. This is the key created by the Diffie-Hellman protocol.

That does not seem like many keys. In fact, the private and public keys are used for multiple IPSec connections on a given peer. In a small organization, these keys could all probably be managed manually. The problem arises when trying to scale the process to support hundreds or thousands of VPN sessions.

Diffie-Hellman Protocol

In 1976, Whitfield Diffie and Martin Hellman developed the first public-key cryptographic technique. The Diffie-Hellman (D-H) key agreement protocol allows two peers to exchange a secret key without having any prior secrets. This protocol is an example of an asymmetrical key exchange process in which peers exchange different public keys to generate identical private keys. This protocol is over 20 years old and has withstood the test of time.

The Diffie-Hellman protocol is used in IPSec VPNs, but we have to look hard to find it. It is used in the process of establishing the secure channel between peers that IPSec rides on. The trail is as follows:
  a. IPSec uses the Internet Security Association and Key Management Protocol (ISAKMP) to provide a framework for authentication and key exchange.
  b. ISAKMP uses the IKE protocol to securely negotiate and provide authenticated keying material for security associations.
  c. IKE uses a protocol called OAKLEY, which describes a series of key exchanges and details the service provided by each.
  d. OAKLEY uses Diffie-Hellman to establish a shared secret key between peers.

Symmetric key encryption processes then use the shared secret key for encryption or authentication of the connection. Peers that use symmetric key encryption protocols must share the same secret key. Diffie-Hellman provides an elegant solution for providing each peer with a shared secret key without having to keep track of the keys used. Diffie-Hellman is such a clean process that you might wonder why we need symmetric key encryption processes at all. The answer is that asymmetric key encryption processes are much too slow for the bulk encryption required in high-speed VPN circuits. That is why the Diffie-Hellman protocol has been relegated to creating the shared secret key used by symmetric key encryption protocols. IPSec peers use the Diffie-Hellman protocol to generate the shared secret key that is used by AH or ESP to create authentication data or to encrypt an IP datagram. The receiving peer uses the D-H shared secret key to authenticate the datagram and decrypt the payload.

No discussion of Diffie-Hellman would be complete without showing the mechanisms involved in creating the shared secret key. Table 2-8 shows the Diffie-Hellman process of creating the key between two IPSec peers called Able and Baker. Notice that the shared secret key never travels over the network between the peers.
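The Able and Baker exchange of Table 2-8, as an added Python example that is not the paper's or the CCSP text's code. It runs the agreement over the 1024-bit MODP group that IKE calls Group 2 (RFC 2409, generator 2); the prime is reproduced from memory and should be checked against the RFC before reuse. Each peer validates the public value it receives before using it, which is the check a receiver should make on any key-exchange payload, and the raw result is then fed through HMAC-SHA1 with both nonces, following the RFC 2409 SKEYID construction for signature authentication in simplified form. The peer names and nonces are constructed.

```python
"""Diffie-Hellman key agreement between two IPSec peers, Able and Baker (added example).

Assumptions: the 1024-bit MODP prime below is IKE Group 2 from RFC 2409 section 6.2,
typed from memory (verify against the RFC before reuse); the nonces are constructed.
"""
import hashlib
import hmac
import secrets

P_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P_1024 - 1) // 2   # p is a safe prime, so 2 generates a subgroup of prime order q


def validate_public_value(y: int, p: int = P_1024, q: int = Q) -> bool:
    """Reject out-of-range and small-subgroup values before using a peer's public value."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


class Peer:
    def __init__(self, name: str, p: int = P_1024, g: int = G):
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(Q - 1) + 1   # secret exponent, never sent
        self.nonce = secrets.token_bytes(16)           # constructed IKE nonce

    def public_value(self) -> int:
        """g^x mod p: the only key material this peer puts on the wire."""
        return pow(self.g, self.private, self.p)

    def shared_secret(self, peer_public: int) -> int:
        """(g^y)^x mod p, computed only after the peer's value passes validation."""
        if not validate_public_value(peer_public, self.p):
            raise ValueError("invalid Diffie-Hellman public value from peer")
        return pow(peer_public, self.private, self.p)


def skeyid(shared: int, nonce_i: bytes, nonce_r: bytes, p: int = P_1024) -> bytes:
    """SKEYID = prf(Ni | Nr, g^xy) as RFC 2409 derives it for signature authentication,
    with HMAC-SHA1 as the prf (Phase 1 hash SHA-1); the working keys derive from this."""
    gxy = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha1).digest()


def key_agreement_demo() -> dict:
    able, baker = Peer("Able"), Peer("Baker")
    # Everything an eavesdropper sees: the group parameters, two public values, two nonces.
    wire = {"from_able": able.public_value(), "from_baker": baker.public_value()}
    k_able = able.shared_secret(wire["from_baker"])
    k_baker = baker.shared_secret(wire["from_able"])
    return {
        "keys_match": k_able == k_baker,
        "secret_never_on_wire": k_able not in wire.values(),
        "skeyid_match": skeyid(k_able, able.nonce, baker.nonce)
        == skeyid(k_baker, able.nonce, baker.nonce),
    }


if __name__ == "__main__":
    print(key_agreement_demo())
```

The subgroup check in `validate_public_value` also doubles as a sanity check on the group constant: if the modulus were mistyped, `pow(2, q, p)` would almost certainly not equal 1 and the exchange would refuse to proceed rather than silently agreeing on a weak key.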

[Figure 16 image: http://2.bp.blogspot.com/_Hrww1lJ6hGQ/Sqeg2YfrQZI/AAAAAAAAA8Q/s3E57B-Hn0A/s1600-h/16.JPG]

Figure 16 (source: CCSP Cisco Secure VPN)

Certificate Authorities

Another method of handling keys that does not take a lot of administrative support is to use Certificate Authorities (CAs) as a trusted entity for issuing and revoking digital certificates and for providing a means to verify the authenticity of those certificates. CAs are usually third-party agents such as VeriSign or Entrust, but for cost savings we could also set up our own CA using Windows 2000 Certificate Services. The following list describes how CAs work:
  a. A client that wants to use digital certificates creates a pair of keys, one public and one private.
  b. Next, the client prepares an unsigned certificate (X.509) that contains, among other things, the client's ID and the public key that was just created.
  c. This unsigned certificate is then sent to a CA using some secure method.
  d. The CA computes a hash code of the unsigned certificate. The CA then takes that hash and encrypts it using the CA's private key. This encrypted hash is the digital signature, and the CA attaches it to the certificate and returns the signed certificate to the client. This certificate is called an Identity Certificate and is stored on the client device until it expires or is deleted.
  e. The CA also sends the client its own digital certificate, which becomes the root certificate for the client.
  f. The client now has a signed digital certificate that it can send to any other peer partner. If the peer partner wants to authenticate the certificate, it decrypts the signature using the CA's public key.

It is important to note that a CA only sends a client's certificate to that client itself. If the client wants to establish IPSec VPNs with another client, it trades digital certificates with that client, thereby sharing public keys.

When a client wants to encrypt data to send to a peer, it uses the peer's public key from the digital certificate. The peer then decrypts the package with its private key. When a client wants to digitally sign a package, it uses its own private key to create a "signed" hash of the package. The receiving peer then uses the client's public key to create a comparison hash of the package. When the two hash values match, the signature has been verified.

Another function of a CA is to periodically generate a list of certificates that have expired or have been explicitly voided. The CA makes these Certificate Revocation Lists (CRLs) available to its customers. When a client receives a digital certificate, it checks the CRL to find out if the certificate is still valid.

Authenticating IPSec Peers and Forming Security Associations

The protocol that brings all the previously mentioned protocols together is the Internet Key Exchange (IKE) protocol. IKE operates in two separate phases when establishing IPSec VPNs. In IKE Phase 1, it is IKE's responsibility to authenticate the IPSec peers, negotiate an IKE security association between the peers, and initiate a secure tunnel for IPSec using the Internet Security Association and Key Management Protocol (ISAKMP). In IKE Phase 2, the peers use the authenticated, secure tunnel from Phase 1 to negotiate the set of security parameters for the IPSec tunnel. Once the peers have agreed on a set of security parameters, the IPSec tunnel is created and stays in existence until the Security Associations (SAs), either IKE or IPSec, are terminated or until the SA lifetimes expire.

Combining Protocols into Transform Sets

We need to identify the five parameters that IKE uses in Phase 1 to authenticate peers and establish the secure tunnel. Those five parameters and their default settings for the VPN 3000 Concentrator Series are as follows:
  a. Encryption algorithm: 56-bit DES (default) or the stronger 168-bit 3DES.
  b. Hash algorithm: MD5 (default) or the stronger SHA-1.
  c. Authentication method: pre-shared keys, RSA encrypted nonces, or the most secure, RSA digital signatures (also the default).
  d. Key exchange method: 768-bit Diffie-Hellman Group 1 (default) or the stronger 1024-bit Diffie-Hellman Group 2.
  e. IKE SA lifetime: the default is 86,400 seconds, or 1 day. Shorter durations are more secure but come at a processing expense.

Whatever parameters we choose for IKE Phase 1 must be identical on the prospective peer, or the connection is not established. Once we have these configured, the only other values we need to supply to establish the IPSec tunnel in IKE Phase 2 are as follows:
  a. IPSec protocol: AH or ESP.
  b. Hash algorithm: MD5 or SHA-1 (these are always HMAC assisted for IKE Phase 2).
  c. Encryption algorithm, if using ESP: DES or 3DES.

VPN Security Hardware Devices

One of the VPN hardware devices for VPN communication is the Cisco 3000 Concentrator series and its supporting software. Since that time, Cisco has enhanced the product line by adding a top-end concentrator and a hardware client, and has made improvements to the software client.

Major Advantages of Cisco VPN 3000 Series Concentrators

The Cisco VPN 3000 Series Concentrators are extremely versatile, delivering high performance, security, and fault tolerance. The centralized management tool is standards-based and enables real-time statistics gathering and reporting. These devices allow corporations to reduce communications expenses by permitting clients to connect to corporate assets through local ISP connections to the Internet rather than through long-distance or 800-number connections to access servers. VPNs provide the productivity-enhancing ability to access corporate network assets while reducing expenses. Dial-up connections using modems are prevalent throughout many corporate communities, especially on laptop systems. For some types of users, however, broadband VPN services provide speed and always-on connectivity that permit corporations to extend their office LANs into small office/home office (SOHO) environments. The popularity of cable modems and DSL modems has made broadband services commonplace for the home office user. Connecting these high-speed networks to the
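The exact-match rule from the Combining Protocols into Transform Sets section above, as an added Python example that is neither the paper's nor Cisco's code: an initiator offers IKE Phase 1 proposals in order of preference, the responder accepts the first one identical to an entry in its policy table on all five parameters, and a set that differs in any one parameter yields no IKE SA. The audit helper flags the choices the text labels as the weaker option, so the VPN 3000 defaults listed above can be compared against a hardened set. The hardened policy and its 28,800-second lifetime are constructed for contrast.

```python
"""IKE Phase 1 proposal matching and a weak-parameter audit (added example).

The five parameters and the VPN 3000 defaults follow the text above; the
hardened policy and its 28,800 s lifetime are constructed for contrast.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IkePolicy:
    encryption: str    # "DES" (56-bit) or "3DES" (168-bit)
    hash_alg: str      # "MD5" or "SHA1"
    auth_method: str   # "pre-share", "rsa-encr" (encrypted nonces) or "rsa-sig"
    dh_group: int      # 1 = 768-bit MODP, 2 = 1024-bit MODP
    lifetime: int      # IKE SA lifetime in seconds


VPN3000_DEFAULT = IkePolicy("DES", "MD5", "rsa-sig", 1, 86400)   # defaults named in the text
HARDENED = IkePolicy("3DES", "SHA1", "rsa-sig", 2, 28800)         # constructed stronger set


def negotiate(initiator_proposals: Iterable[IkePolicy],
              responder_policies: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Return the first initiator proposal identical to a responder policy, else None.
    The text's rule: every Phase 1 parameter must match, or no IKE SA is formed."""
    acceptable = set(responder_policies)
    for proposal in initiator_proposals:
        if proposal in acceptable:
            return proposal
    return None


def audit(policy: IkePolicy) -> List[str]:
    """Flag each parameter where the weaker of the two choices named in the text is in use."""
    findings = []
    if policy.encryption == "DES":
        findings.append("encryption: 56-bit DES; the stronger choice is 168-bit 3DES")
    if policy.hash_alg == "MD5":
        findings.append("hash: MD5; the stronger choice is SHA-1")
    if policy.auth_method != "rsa-sig":
        findings.append(f"auth: {policy.auth_method}; RSA digital signatures are the most secure option")
    if policy.dh_group == 1:
        findings.append("key exchange: 768-bit Group 1; the stronger choice is 1024-bit Group 2")
    if policy.lifetime > 86400:
        findings.append("lifetime: longer than the one-day default; shorter is more secure")
    return findings


def negotiation_demo() -> dict:
    initiator = [HARDENED, VPN3000_DEFAULT]            # strongest first
    legacy_responder = [VPN3000_DEFAULT]
    upgraded_responder = [HARDENED, VPN3000_DEFAULT]
    # Differs only in the hash algorithm, so it never matches either initiator proposal.
    mismatched_responder = [IkePolicy("DES", "SHA1", "rsa-sig", 1, 86400)]
    return {
        "legacy": negotiate(initiator, legacy_responder),
        "upgraded": negotiate(initiator, upgraded_responder),
        "mismatched": negotiate(initiator, mismatched_responder),
        "legacy_findings": audit(VPN3000_DEFAULT),
    }


if __name__ == "__main__":
    for name, value in negotiation_demo().items():
        print(name, value)
```

Ordering the initiator's list strongest-first matters: against the upgraded responder the hardened set wins, against the legacy responder the defaults are still accepted so connectivity is preserved, and the audit output shows which three parameters of that fallback the text calls the weaker choice.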



    [http://feeds.feedburner.com/JournalOrThesisPaper] Subscribe in a reader

    [http://feeds.feedburner.com/JournalOrThesisPaper]

    [http://fusion.google.com/add?feedurl=http://feeds.feedburner.com/JournalOrThesisPaper]

    [http://www.histats.com/]

    http://www.histats.com/http://feeds.feedburner.com/JournalOrThesisPaperhttp://feeds.feedburner.com/JournalOrThesisPaperhttp://fusion.google.com/add?feedurl=http://feeds.feedburner.com/JournalOrThesisPaper
  • 8/10/2019 Ipsec VPN _ Virtual Private Network _ Journal or Thesis Paper

    20/20

    1/6/2015 IPSec VPN : Virtual Private Network | JOURNAL OR THESIS PAPER

    Posted 9th September 2009 by MD Ashrafur Rahim

    Labels: AH, ESP, Extranet, Hash-based Message Authentication Code (HMAC), Intranet, L2TP, Triple DES, VPN IPSec tunnel, vpn SSL


    2 comments

    gohost September 22, 2011 at 12:06 AM

    VPN is a virtual private network that connects to any place. Most of the business people and large organizations implement these VPS connections. Its cost is very low, and security is high. website hosting, web hosting

    Bell Brown August 2, 2013 at 11:45 PM

    Simply put, a virtual private network or VPN is a network which is constructed by using public wires to connect nodes. It is a way of using the Internet to provide remote users with secure access to their network. Data is scrambled as it's sent through the Internet, ensuring privacy.

    Dedicated VPN
