What is a VPN (Virtual Private Network)?
[Diagram: Host - Internet - VPN Device - Secure VPN Tunnel - Host; tunnel mode carries encrypted and encapsulated traffic]
VPN is a secure network tunnel created for encrypted data transmission between two or more authenticated parties over a public network.
LAN-to-LAN (Intranet)
[Diagram: Branch Office and Corporate LAN joined across the Internet by a Secure VPN Tunnel between two VPN Devices; labels: Encryption, Authentication, Server, Client, Intranet]
- LAN-to-LAN VPN can easily meet the customer's need
- Internal confidential data is transmitted securely and is globally accessible
Client-to-LAN
[Diagram: Mobile Workers and Home PCs reach the Intranet across the Internet through a Secure VPN Tunnel to a VPN Device; labels: Encryption, Authentication, Server, Client]
- Client-to-LAN VPN minimises the cost
- Both the client itself and the intranet boundary are protected
The VPN Protocols and Standards
Four main protocols are involved with VPN technology:
- Point-to-Point Tunnelling Protocol (PPTP) – originated from Microsoft
- Layer 2 Forwarding (L2F) – originated from Cisco
- Layer 2 Tunnelling Protocol (L2TP) – developed by IETF
- IP Security Protocol (IPSec) – developed by IETF
Layer 2-based VPN Solutions
Layer 2 Tunnel Protocol (L2TP), developed by IETF:
- A consensus standard merging two tunnelling protocols, PPTP and L2F
- Tunnel authentication
- Extends the PPP connection
- No cryptographic key support
- No facility to encrypt user data traffic
IPSec-based VPN Solutions
Open framework defined by the IP Security Architecture (IPSec) Working Group of the IETF:
- IP Authentication Header (AH) – data authentication, data integrity and replay protection
- IP Encapsulating Security Payload (ESP) – data confidentiality, data authentication, data integrity and replay protection
- Internet Security Association and Key Management Protocol (ISAKMP) – configuration and management of security associations and cryptographic keys
How does it Work?
The simplest explanation is that your networking data is wrapped up in a header that specifies your machine as the source and your VPN server as the destination. Your VPN server then removes that header and processes the packet as normal. This gives the appearance that the packet originated from an internal source.
Encapsulation
All network traffic is encapsulated within control headers.

TCP header:
    |          Source Port          |       Destination Port        |
    |                        Sequence Number                        |
    |                     Acknowledgment Number                     |
    |  Data |           |U|A|P|R|S|F|                               |
    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    |           Checksum            |         Urgent Pointer        |
    |                 your data ... next 500 octets                 |
    |                            ......                             |

If we abbreviate the TCP header as "T", the whole file now looks like this:
    T.... T.... T.... T.... T.... T.... T....
Encapsulation
IP header:
    |Version|  IHL  |Type of Service|          Total Length         |
    |         Identification        |Flags|      Fragment Offset    |
    |  Time to Live |    Protocol   |         Header Checksum       |
    |                         Source Address                        |
    |                      Destination Address                      |
    |                  TCP header, then your data                   |
    |                            ......                             |

If we represent the IP header by an "I", your file now looks like this:
    IT.... IT.... IT.... IT.... IT.... IT.... IT....
Encapsulation
Ethernet frame:
    |       Ethernet destination address (first 32 bits)            |
    | Ethernet dest (last 16 bits)  |Ethernet source (first 16 bits)|
    |         Ethernet source address (last 32 bits)                |
    |           Type code           |                               |
    |        IP header, then TCP header, then your data             |
    |                             ...                               |
    |                        end of your data                       |
    |                       Ethernet Checksum                       |

If we represent the Ethernet header with "E", and the Ethernet checksum with "C", your file now looks like this:
    EIT....C EIT....C EIT....C EIT....C EIT....C
Consider
[Packet capture: Ethereal hex dump of Frame 61; the ASCII column shows fragments of a text banner ("Drive", "Computer Servic(es)", "Web/ Ser(ver)")]
Frame 61 (101 on wire, 101 captured)
  Arrival Time: Jul 3, :22:
  Time delta from previous packet: seconds
  Frame Number: 61
  Packet Length: 101 bytes
  Capture Length: 101 bytes
Ethernet II
  Destination: 00:a0:c9:db:2b:b6 (00:a0:c9:db:2b:b6)
  Source: 00:00:f8:08:f6:66 (DEC_08:f6:66)
  Type: IP (0x0800)
Internet Protocol
  Version: 4
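An added example, not from the slides or from any VPN product, that builds the E/I/T layering above in Python and then walks it back the way a VPN device would: the host's own packet is wrapped in an outer IP header addressed to the VPN server, and the receiver strips that header before looking at the inner packet. The MAC addresses are the ones decoded on the slide; the IP addresses, ports, payload and the plain IP-in-IP (protocol 4) wrapping are assumptions for the demo, and no encryption layer is modelled.

```python
import socket
import struct
# Constructed demo values: MACs are the ones decoded on the slide; IPs, ports and payload are invented.
DST_MAC = bytes.fromhex("00a0c9db2bb6")
SRC_MAC = bytes.fromhex("0000f808f666")
ETH_P_IP, IPPROTO_IPIP, IPPROTO_TCP = 0x0800, 4, 6

def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 when a header carrying its own checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header ('I' in the slides) followed by its payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def build_tcp(sport: int, dport: int, data: bytes) -> bytes:
    """20-byte TCP header ('T'); the TCP checksum is left at zero to keep the demo short."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data

def parse_ipv4(pkt: bytes) -> dict:
    """Verify the header checksum, then return src, dst, protocol and payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:]}

def tunnel_walk(frame: bytes) -> list:
    """Peel E, outer I, inner I and T in turn, recording what each layer says."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("not an IP frame")
    layers = [("E", frame[:6].hex(":"), frame[6:12].hex(":"))]
    ip = parse_ipv4(frame[14:])
    layers.append(("I", ip["src"], ip["dst"]))
    while ip["proto"] == IPPROTO_IPIP:      # the VPN server strips the outer header
        ip = parse_ipv4(ip["payload"])
        layers.append(("I", ip["src"], ip["dst"]))
    if ip["proto"] == IPPROTO_TCP:
        layers.append(("T",) + struct.unpack("!HH", ip["payload"][:4]))
    return layers

def demo_frame() -> bytes:
    """Host (tunnel address 10.8.0.2) -> intranet server 192.168.1.10:80, carried to the VPN server."""
    inner = build_ipv4("10.8.0.2", "192.168.1.10", IPPROTO_TCP,
                       build_tcp(40000, 80, b"GET / HTTP/1.0\r\n\r\n"))
    outer = build_ipv4("198.51.100.7", "203.0.113.5", IPPROTO_IPIP, inner)
    return DST_MAC + SRC_MAC + struct.pack("!H", ETH_P_IP) + outer
```

Running tunnel_walk(demo_frame()) lists the layers in the order a VPN device sees them; a flipped bit in either IP header is caught by the checksum check before the inner packet is trusted.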
Installing the Client
Installing the Server
System Requirements
1. A modern Linux distribution (such as Debian, Red Hat, etc.) with a recent kernel (2.2.x recommended, 2.0.x should be ok). Note: ports exist for Solaris, BSD and others but are not supported in this HOWTO at this time.
2. PPP (and the MSCHAPv2/MPPE patch if you want enhanced Microsoft compatible authentication and encryption).
3. PoPToP v1.0.0 (or download the latest release at: )

PPP (and MSCHAPv2/MPPE) Installation
It is only necessary to use PPP if you want Microsoft compatible MSCHAPv2/MPPE authentication and encryption. The reason for this is that the MSCHAPv2/MPPE patch currently supplied ( ) is against PPP . If you don't need Microsoft compatible authentication/encryption any 2.3.x PPP source will be fine. (Update: there is now a MSCHAPv2/MPPE patch for ppp .)
PoPToP Installation
Follow these instructions to install PoPToP:
1. Grab the latest version of PoPToP (v1.0.0 as of ) (http://www.moretonbay.com/vpn/download_pptp.html)
2. You will need to be root to install and run PoPToP.
3a. If you downloaded the PoPToP v1.0.0 tarball (and stored it in /usr/local/src/) follow these instructions:
    [cd /usr/local/src/]
    [tar zxvf pptpd tgz]
    [cd pptpd-1.0.0]
    [./configure]
    [make]
    [make install]
3b. If you downloaded the PoPToP RPM (pptpd i386.rpm as of ) follow these instructions:
    [rpm --install pptpd i386.rpm]
4. Note: PoPToP's binaries are located in /usr/local/sbin. PoPToP goes looking for its binaries in that directory! So if they are not there it won't work! Check that there is 'pptpd' and 'pptpctrl' in /usr/local/sbin/ now.
5. If you want to enable debugging follow these steps: change directory to /etc/ and open up syslog.conf. Add the line:
    daemon.debug /var/log/pptpd.log
   Kill off the current syslogd and start a new one:
    [killall syslogd]
    [/usr/sbin/syslogd]
Make sure the following files exist and look similar to:

/etc/ppp/options
    debug
    name servername
    auth
    require-chap
    proxyarp

/etc/pptpd.conf
    speed
    localip
    remoteip

/etc/ppp/chap-secrets
    billy servername bob *

You are now ready to launch PoPToP. If you want to launch PoPToP now:
    [/usr/local/sbin/pptpd]
Note: If you can't connect for some reason open up /var/log/pptpd.log and search for any error messages. If that doesn't help read the FAQ (below) or as a last resort send a message to the mailing list.