Beruflich Dokumente
Kultur Dokumente
4-1
Copyright 2005 Juniper Networks, Inc.
www.juniper.net
Defining VPNs
Historically, VPN is a broad term
Generally defined as a means for transporting a subset of
network traffic over a separate network
Performed through tunneling, separating, or securing
different types of traffic
Secure VPNs
10.1.20.3
Encryption
Payload verification
Authentication
Public
1.1.1.1
10.1.20.4
IP Packet
IPsec VPN
Public
2.2.2.1
Encrypted Packet
Private
10.0.0.254
10.0.0.5
10.0.0.6
IP Packet
Security Concerns
Three major concerns:
Confidentiality
Keep data secure and hidden
Integrity
Ensure that data has not been changed
Authentication
Confirm the data came from the advertised source
ConfidentialityData Encryption
Data encryption details:
Provides data confidentiality
Encrypted and decrypted by using keys
Symmetric (secret) key
Asymmetric (public and private) key
A reversible process
Original data
Receiver
Encrypted data
Key
Key
Encrypted data
Original data
Sender
Receiver
Pub
Pub
Original data
Encrypted data
+ Pub
Priv
2
Encrypted data
Original data
Integrity
Hash functions provide integrity services
One-way hashing algorithmcannot determine original data
from hash value
Fixed-length output (depending on algorithm)
Examples: MD5 and SHA
MD5 provides 128-bit output
SHA provides 160-bit output
7 r3
=3
11 80
77
3
=3
=3
=3
=3
=3
Sender
HASH
Data
Data
HASH
Data
4
Data
HASH
HASH
HASH
10
Source Authentication
Validates datagrams by verifying that they came from
the proper source
Authentication process uses HMAC
Adds a secret preshared key to the hashing process
11
Sender
Data
HASH
Data
Hash key
Data
Hash key
HASH
4
Data
HASH
HASH
HASH
If the hash If
values
the hash
match,
values
the data is good
match,
and the
the
source
data is
is good
valid
12
Automatic exchange:
Uses public connectionshow do you secure the key exchange?
13
Diffie-Hellman Groups
Five sets of very large prime numbers (and a
generator) serve as the modulus for the Diffie-Hellman
algorithm
Juniper Networks supports Groups 1, 2, and 5
Group 1 uses a 768-bit prime
Group 2 uses a 1024-bit prime
Group 5 uses a 1536-bit prime
14
PrivA
PrivB
PubA
PubB
SESSION
KEY
SESSION
KEY
15
IPsec Overview
IPsec is an industry standard for providing IP data
security and integrity services
Works at the IP layer
Supports unicast and multicast traffic
16
17
18
Security Associations
SAs are a set of policies and keys used to protect
information between two peers
An SA is uniquely identified by:
The SPI, which is an internal index number
A destination IP address
A security protocol
19
SA Database
Remote Office
10.0.0.5
10.0.0.6
Trust
10.10.0.1
Untrust
1.1.8.1
Trust
10.0.0.1
Security Database
Name: VPNtoCorporate
Gateway IP address: 2.2.8.1
SPI: Local: 3001, Remote: 3002
Security protocol: ESP
Encryption algorithm: 3DES
Encryption key: xxxxyyyyzzzz
Authentication algorithm: SHA
Authentication key: aaabbbccc
Untrust
2.2.8.1
10.10.0.5
10.10.0.6
Corporate Office
Security Database
Name: VPNtoRemote
Gateway IP address: 1.1.8.1
SPI: Local: 3002, Remote: 3001
Security Protocol: ESP
Encryption algorithm: 3DES
Encryption key: xxxxyyyyzzzz
Authentication algorithm: SHA
Authentication key: aaabbbccc
20
IKE Phases
IKE tunnel establishment:
Phase 1:
Two peers establish a secure, authenticated channel with which to
communicate
DH key exchange algorithm is used to generate a symmetric key
common to the communicating gateways
Main mode: Used when both tunnel peers have static IP addresses
Aggressive mode: Used when one tunnel peer has a
dynamically assigned IP address
Phase 2:
IPsec SAs are negotiated using a phase 1 secure channel
Proxy ID is used to identify which SA is referenced for VPN
Diffie-Hellman key exchange algorithm can be used (again) to
create PFS
Phase 2 mode is called quick mode
21
10.1.10.5
ge-0/0/0: ge-0/0/1:
10.1.10.1 1.1.8.1
Message 1:
Cookie I, SA Proposal List
Corporate
ge-0/0/1:
2.2.8.1
ge-0/0/0:
10.1.210.1
10.1.210.5
Message 2:
Cookie I, Cookie R, SA Proposal Accept
Message 3:
DH Public Value A, Nonce I (Random #)
Message 4:
DH Public Value B, Nonce R (Random #)
Message 5:
Identification I, Hash [ID-I + key]
Encrypted and Authenticated
2009 Juniper Networks, Inc. All rights reserved.
Message 6:
Identification R, Hash [ID-R + key]
22
Remote
10.1.10.5
ge-0/0/1: ge-0/0/0:
10.1.10.1 (dynamic)
ge-0/0/0:
2.2.8.1
ge-0/0/1:
10.1.210.1
10.1.210.5
Message 1:
Cookie I, SA proposal list, DH public value A, nonce I
Message 2:
Cookie I, cookie R, SA proposal accept, DH public
value B, nonce R, identification hash R
Message 3:
Hash [ID-I +key]
Encrypted and authenticated
23
10.1.10.5
ge-0/0/0: ge-0/0/1:
10.1.10.1
1.1.8.1
Corporate
ge-0/0/1:
2.2.8.1
ge-0/0/0:
10.1.210.1
10.1.210.5
Message 1:
Hash using phase 1 information,
message ID, SA proposal list, Nonce I,
[DH Public Key I ], proxy ID
Message 2:
Message 3:
24
10.1.10.5
ge-0/0/1:
10.1.10.1
Header, SA, DH
SA, Proxy ID
ge-0/0/0:
2.2.8.1
ge-0/0/0:
1.1.8.1
Phase 1
Phase 2
ge-0/0/1:
10.1.210.1
10.1.210.5
Header, SA, DH
SA, Proxy ID
IPsec tunnel
Data
2009 Juniper Networks, Inc. All rights reserved.
IPsec VPN
Data
25
26
IPsec protocols:
AH
ESP
27
IPsec Modes
Transport mode
Tunnel mode
IPsec VPN
E
A
LAN
LAN
IP header
IP header
TCP
IPsec
header
Payload
TCP
Payload
IP header
New IP
header
IPsec
header
IP header
TCP
TCP
Payload
Payload
IPsec
trailer
28
IPsec Protocols
IPsec uses two protocols
in transport or tunnel modes:
IPsec Protocols
AH:
RFC 2402
Uses protocol number 51
AH
ESP
ESP:
RFC 2406
Uses protocol number 50
Most often used protocol
in IPsec
1. Integrity
2. Authentication
1. Integrity
2. Authentication
3. Confidentiality
29
Payload
length
SPI
TCP
Data
Sequence
number
IP header
TCP
Data
Authenticated
30
TCP
Data
Sequence
number
IP header
TCP
Data
ESP trailer
ESP Auth
Encrypted
Authenticated
31
Traffic Processing (1 of 2)
Remote
Host A
10.1.10.5
ge-0/0/1
10.1.10.1
10.1. 10.5
10.1.210.5
Prefix
10.1. 210. 5
Interface
ge - 0/0/0
Corporate
ge-0/0/0
1.1.8.1
ge-0/0/0
2.2.8.1
10.1.210.5
Gateway
1 . 1.0.254
10.1. 10.5
10.1.210.5
10. 1. 10.5
10.1.210 . 5
1.1. 8.1
2.2. 8.1
ge-0/0/1
10.1.210.1
Host B
HASH
50
SPI
10.1. 10.5
10.1.210.5
HASH
32
Traffic Processing (2 of 2)
Remote
Host A
10.1.10.5
ge-0/0/1:
10.1.10.1
1.1. 8.1
SPI
3001
HASH
ge-0/0/0:
1.1.8.1
2.2. 8.1
Encap
ESP
50
Encryp
AES
SPI
ge-0/0/0: ge-0/0/1:
2.2.8.1
10.1.210.1
10.1. 10.5
10.1.210.5
Host B
10.1.210.5
HASH
Auth
SHA
HASH
10
10.1. 10.5
10.1.210.5
11
Prefix
10. 1. 210.5
Interface
ge - 0/0/1
12
Corporate
10.1. 10.5
10.1.210.5
Gateway
0 .0. 0.0
From zone Public to zone Private : if SA =10.1.10.5 & DA =10.1.210. 5 & Application = all , then use tunnel
33
10.1.10.5
ge-0/0/1:
10.1.10.1
Header, SA, DH
SA, Proxy ID
Corporate
ge-0/0/0:
2.2.8.1
ge-0/0/0:
1.1.8.1
Phase 1
Phase 2
ge-0/0/1:
10.1.210.1
10.1.210.5
Header, SA, DH
SA, Proxy ID
IPsec tunnel
Data
2009 Juniper Networks, Inc. All rights reserved.
IPsec VPN
Data
34
Route based:
Upon a match, the security policy permits traffic with the
destination address pointing to the secure tunnel interfacest.x
A route to the destination is through the st.x interface, which is
bound to a specific IPsec tunnel
Only one tunnel is generated between two sites
35
36
37
38
39
40
41
}
manual {
}
establish-tunnels [immediately | on-traffic];
Is necessary if the
dynamic key is used
Is necessary if the
manual key is used
42
}
then {
permit {
tunnel {
ipsec-vpn ipsec-tunnel-name;
}
}
}
}
}
Reference to the
IPsec VPN tunnel
43
interfaces {
ge-1/0/1.0;
st0.0;
}
vpn vpn-name {
bind-interface stx.y;
44
Public
Zone
Remote
Edge
Internet
1.1.70.1
ge-1/0/1
PrivatePC
10.1.10.5
C
2.2.2.1
45
Example:
Configuring IKE Phase 1 Parameters
[edit security ike]
user@Edge# show
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 600;
}
policy ike-policy1 {
mode main;
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$lMaeLNsYoGjq4a"; ## SECRET-DATA
}
gateway ike-phase1-gateway {
ike-policy ike-policy1;
address 1.1.70.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
46
47
ipsec security-associations
Port
500
500
Algorithm
ESP:3des/md5
ESP:3des/md5
SPI
Life:sec/kb
3de5f00d 3178/ unlim
b4c44e62 3178/ unlim
Mode
Main
IKE
phase 1
results
Mon vsys
0
0
IKE
phase 2
results
48
Mode
Main
IKE
phase 1
results
Mon vsys
0
0
IKE
phase 2
results
49
Example:
Creating Route-Based IPsec VPNs Using IKE
1.1.80.0/28
HR
Zone
Public
Zone
Edge
Remote
Internet
ge-1/0/1
1.1.70.1
ge-1/0/0
B
Private PC
10.1.10.5
[edit routing-options]
user@Edge# show
static {
route 0.0.0.0/0 next-hop 1.1.80.1;
}
[edit interfaces]
lab@Edge# show st0
unit 0 {
family inet {
address 1.1.80.2/28;
}
}
C
2.2.2.1
[edit routing-options]
user@Remote# show
static {
route 0.0.0.0/0 next-hop 1.1.80.2;
}
[edit interfaces]
lab@Remote# show st0
unit 0 {
family inet {
address 1.1.80.1/28;
}
}
50
51
Example:
Configuring IKE Phase 1 Parameters
[edit security ike]
user@Edge# show
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 600;
}
policy ike-policy1 {
mode main;
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$lMaeLNsYoGjq4a"; ## SECRET-DATA
}
gateway ike-phase1-gateway {
ike-policy ike-policy1;
address 1.1.70.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
Identical to the
configuration for
a policy-based
IPsec VPN
52
53
IKE
phase 1
results
ipsec security-associations
Port
500
500
500
500
Algorithm
ESP:3des/md5
ESP:3des/md5
ESP:3des/md5
ESP:3des/md5
SPI
2236e53c
f5965f43
ecf3c3ae
452bc489
Life:sec/kb
3080/ unlim
3080/ unlim
3082/ unlim
3082/ unlim
Mode
Main
Main
Mon vsys
0
0
0
0
IKE
phase 2
results
54
Local
Remote
1.1.80.2/28
The st0
interface is up
Statistics for
the st0
interface
Logical interface st0.0 (Index 67) (SNMP ifIndex 45) (Generation 134)
Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
Security: Zone: Public
Allowed host-inbound traffic : any-service
Flow Statistics :
Flow Input statistics :
Self packets :
0
ICMP packets :
144
VPN packets :
0
Bytes permitted by policy :
14112
Connections established :
0
55
Statistics
for the st0
interface
56
*[Static/5] 00:25:32
> to 1.1.80.1 via st0.0
*[Direct/0] 00:25:15
> via ge-1/0/1.0
*[Local/0] 00:25:16
Local via ge-1/0/1.0
*[Direct/0] 00:25:32
> via st0.0
*[Local/0] 00:25:32
Local via st0.0
Default route
pointing to the
st0 interface
57
security-associations
Initiator cookie Responder cookie
04c17bc8fee7056d 5cfd8286f6415e9b
044f6f7455e6abbb 97428c95adef94aa
Life:sec/kb
3068/ unlim
3068/ unlim
3070/ unlim
3070/ unlim
Mode
Main
Main
IKE
phase 1
results
Mon vsys
0
0
0
0
IKE
phase 2
results
58
Local
Remote
1.1.80.1/28
The st0
interface Is up
Statistics for
the st0
interface
Logical interface st0.0 (Index 67) (SNMP ifIndex 48) (Generation 134)
Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
Security: Zone: Public
Allowed host-inbound traffic : ftp ping telnet
Flow Statistics :
Flow Input statistics :
Self packets :
0
ICMP packets :
144
VPN packets :
0
Bytes permitted by policy :
14112
Connections established :
144
59
Statistics
for the st0
interface
60
*[Static/5] 00:34:48
> to 1.1.80.2 via st0.0
*[Direct/0] 00:34:10
> via ge-1/0/0.0
*[Local/0] 00:34:31
Local via ge-1/0/0.0
*[Direct/0] 00:35:03
> via lo0.0
*[Direct/0] 00:34:48
> via st0.0
*[Local/0] 00:34:48
Local via st0.0
Default route
pointing to the
st0 interface
61
62
63