Presentation is loading. Please wait.

Presentation is loading. Please wait.

Workshop 5: IPSec Security Ricky Mok 4 Apr 2014. Preparation Group yourself into groups of 2 people. – You will take turn to be “client” and “server”.

Published byVictoria Hulin Modified over 9 years ago

Similar presentations

Presentation on theme: "Workshop 5: IPSec Security Ricky Mok 4 Apr 2014. Preparation Group yourself into groups of 2 people. – You will take turn to be “client” and “server”."— Presentation transcript:

1 Workshop 5: IPSec Security Ricky Mok 4 Apr 2014

2 Preparation Group yourself into groups of 2 people. – You will take turn to be “client” and “server”. Boot both computers into Windows XP. Download/ Copy a VM image. Import the image into the Virtualbox – File-> Import Appliance Prepare the Wireshark (from Y:) at the client

3 Objectives Get hand-on experience in – setting up a simple L2TP/IPSec VPN server in Linux. – connecting the VPN server with Windows client. Use Wireshark to look into – AH (only) vs ESP – IPSec

4 L2TP/IPSec L2TP (Layer 2 Tunneling Protocol) – For setting up virtual tunnels between two parties – Provide sessions control – Provide no encryption or confidentiality – L2TP headers are placed inside UDP packets  IPSec often works with L2TP to provide authentication and encryption for each IP packets. IPUDPL2TPPayload

5 Steps overview Step 0 – Prepare the VM and Wireshark Step 1 – Setup the server Step 2 – Setup the client in AH mode – Use Wireshark to capture the packets Step 3 – Setup the client in ESP mode – Use Wireshark to capture the packets Step 4 – Cleanup

6 VM Setup After importing the VM, “Start” the VM in the virtualbox Username is “ubuntu” Password is “comp444vpn” Copy your VM’s IP address. – Terminate ->ifconfig eth0

7 Get your VM’s IP address 1 2

8 Setup overview Client establishes a VPN connection with the server.

9 Setting up the server Openswan - IPSec xl2tpd – L2TP A few configuration files control the settings You can find the links on the VM’s desktop

10 Editing the configuration files The following scripts are prepared for you to manage the config files. – edit-ipsec-conf.sh Main IPSec settings – edit-ipsec-secrets.sh Setting the pre-shared key (PSK) – edit-chap-secrets.sh Setting the VPN user/password

11 IPSec setting Double click edit-ipsec-conf.sh to edit “/etc/ipsec.conf” Under “conn L2TP-PSK-noNAT” – This is our main IPSec setting for our VPN server. – “ auth=ah ” allows the server accepting AH-only clients. – “ type=transport ” sets to transport mode. – Replace “158.132.255.60” with your VM’s IP address at the line “ left=158.132.255.60 ”

12 PSK settings Double click edit-ipsec-conf.sh to edit “/etc/ipsec.secrets” This file sets the pre-shared key – Replace the IP address with yours and – 158.132.255.60 %any: PSK "comp444vpnpsk"

13 User access Double click edit-chap-secrets.sh to edit /etc/ppp/chap-secrets “compvpn” is the VPN user name; “vpnpwd” is the VPN password – compvpnl2tpdvpnpwd* You can replace with yours.

14 Your VPN server is ready! There are two files we did not edit. But you can take a look. – /etc/xl2tpd/xl2tpd.conf – /etc/ppp/options.xl2tpd

15 Client IP of the VPN server Pre-shared key VPN Username/password

16 Setting up a new VPN connection Connect To -> Show all connections Create a new connection

17 Setting up VPN in Windows Type a arbitrary name here Put the VPN server’s IP here

18 Setting up VPN in Windows Select L2TP here Enter the PSK here

19 AH-only Choose “No encryption allowed” to force the client to use HA-only mode

20 Connect to the VPN Key in the username and password you set in the chap-secrets. But WAIT!

21 Ready to connect! Start the Wireshark capture in the Linux and Windows client first. Type a capture filter “host ” Then, press “start”

22 Connect! Now, ask your partner to press the connect button. If success, all traffic from the client will now send to the VPN server. The VPN server will redirect them to the Internet. Open a browser, access http://frog.im/tv/b.jpg (server IP 192.254.235.192)http://frog.im/tv/b.jpg

23 Prepare for ESP Mode Disconnect the VPN connection Clear your browser’s cache. Stop and save the Wireshark captures

24 Change to use ESP mode

25 ESP mode Again, start the wireshark capture at both server and client first. Connect and access the same web page. Disconnect the VPN Save packet traces

26 Cleanup Delete the VPN connection in Windows. Copy your packet traces Shutdown and delete the VM. Now, you can switch the role with your partner.

27 Q1 (AH-only mode) 1.Consider the trace you captured at the server. a)How many HTTP GET request(s) (sending to 192.254.235.192) can you observe? b)What is/are the source IP address(es)? c)Select the first HTTP GET and expand the first IP header. 1)What is the protocol number? 2)How is it related to the next header? 3)What is the usage of that header?

28 Q1 d)Can you find another IP header and a TCP header inside the payload? If yes, how are they related to your second HTTP GET packet? (e.g., IP addresses, TCP ports, sequence number and acknowledgement number) e)Open the trace captured at the client, and locate the same HTTP GET. You may find that the packet is identical to the first HTTP GET packet you located in the server packet trace. If there is an MITM attack between the client and the VPN server, how can the VPN server detect whether the packet is modified?

29 Q2 (AH-only mode) In our lab, we are using transport mode (as set in the Openswan). But you may observe an outer-inner IP headers in packets sending between the client and server. Explain why it is still called the “transport” mode.

30 Q3 (ESP mode) a)Consider the trace you captured at the server. 1)How many HTTP GET request(s) (sending to 192.254.235.192) can you observe? 2)What is/are the source IP address(es)? 3)Why that packet is not encrypted? b)Consider the trace you captured at the client. 1)Can you find any HTTP GET to the same server in plaintext?

31 Q4 (ESP mode) a)Look the trace you captured at the server again, and locate the first packet with protocol ISAKMP. 1)What are the usages of the first two ISAKMP packets? 2)How many transform proposal(s) supplied by the client? 3)How many transform proposal(s) supplied by the server? 4)Which encryption algorithm should be used after the SA process?

32 END

Download ppt "Workshop 5: IPSec Security Ricky Mok 4 Apr 2014. Preparation Group yourself into groups of 2 people. – You will take turn to be “client” and “server”."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
Virtual Private Networks Shamod Lacoul CS265 What is a Virtual Private Network (VPN)? A Virtual Private Network is an extension of a private network.

Virtual Private Networks Shamod Lacoul CS265 What is a Virtual Private Network (VPN)? A Virtual Private Network is an extension of a private network.
Remote Networking Architectures

Remote Networking Architectures
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
1 The VPN Menu. 2 The VPN Menu VPN The GD eSeries can be set up either as an OpenVPN server or as a client, and even play both roles at the same time,

1 The VPN Menu. 2 The VPN Menu VPN The GD eSeries can be set up either as an OpenVPN server or as a client, and even play both roles at the same time,
VPN TUNNELING PROTOCOLS PPTP, L2TP, L2TP/IPsec Ashkan Yousefpour Amirkabir University of Technology.

VPN TUNNELING PROTOCOLS PPTP, L2TP, L2TP/IPsec Ashkan Yousefpour Amirkabir University of Technology.
MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.

MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.

Similar presentations

Ads by Google