VPN - Virtual Private Network
VPN - Goals Of The Project
VPN Project
Christian Tettamanti, ing. HES
Open Source
Phase I: Protocols
Phase II: Authentication
Phase III: Deployment
VPN - Goals Of The Project
Phase I: Protocols
• Phase I
– Research and study of remote access solutions
– Secure access to the internal private network
– Interoperability tests
– Study of VPN protocols (L2TP, PPTP, IPSec)
– LAN-to-LAN and HOST-to-LAN scenarios
VPN - Goals Of The Project
Phase II: Authentication
• Phase II
– Research and study of secure authentication mechanisms
– Study of Public Key Infrastructure (PKI)
– Interoperability tests
VPN - Goals Of The Project
Phase III: Deployment
• Phase III
– Deployment
• LAN-to-LAN between EIG and TCOM
• HOST-to-LAN at EIVD
VPN – Open Source Software
* Free license for universities
VPN – Scenario 1
Figure: two VPN GWs, one in front of 10.5.0.0/16 and one in front of 10.4.1.0/24, joined by a VPN tunnel across the internet.
VPN – Scenario 2
Figure: a remote VPN Client (10.4.2.20) reaches the VPN GW in front of 10.4.1.0/24 through a VPN tunnel across the internet.
VPN – Scenario 3
Figure: the two VPN GWs (10.5.0.0/16 and 10.4.1.0/24) joined by a VPN tunnel across the internet, plus a remote VPN Client (10.4.2.20) reaching the gateway through its own VPN tunnel.
VPN – Remote Client Authentication
Figure: a remote client with a dynamic public address (193.x.x.x) and the virtual IP 10.4.2.20 reaches the VPN GW in front of 10.4.1.0/24 through an IPSec tunnel across the internet.
VPN – DHCP-over-IPSec
• Internet Draft: draft-ietf-ipsec-dhcp-13.txt
Figure: remote client 10.4.2.20, DHCP relay, and DHCP server on the internal network (labelled 10.4.1.0/16 in the figure); ESP SA: 10.4.2.20 ↔ 10.4.0.0/15.
VPN – NAT-Traversal
• Internet Drafts: draft-ietf-ipsec-udp-encaps-03.txt, draft-ietf-ipsec-nat-t-03.txt
Figure: an intelligent NAT box performing NAT between the endpoints.
VPN – Encountered Problems
• PKI
– Token Integration
• NAT routers
– Intelligent Box
– Stupid Box
• NAT-Traversal
• ESP → UDP Encapsulation
VPN – Gateway VPN Capabilities
IKE:
– Encryption algorithm: aes-256bit
– Integrity function: SHA-2
Other:
– DHCP over IPSEC: OK
– NAT-Traversal: OK
VPN – Final Architecture
Figure: EIG site (NIDS Snort, PKI OpenCA, GW Clavister), Internet, EIVD site (GW VPN, PKI USB Key, OpenSwan, Protected Area).
VPN – SSH Sentinel Configuration
VPN – PKI Certificate Configuration
VPN – SA Life & NAT Configuration
VPN – IKE & ESP Configuration
VPN – Connection example
VPN – Network Interfaces
Before VPN Connection
After VPN Connection