2. VPN - Virtual Private Network
Start date : 01.02.2002
Duration : 1+1 years
Christian Tettamanti, ing. HES
Stefano Ventura prof. HES
Christian Tettamanti ing. HES
Pascal Gachet ing. HES
Gérald Litzistorf prof. HES
Philippe Logean ing. HES
Nicolas Sadeg ing. HES
3. VPN - Goals Of The Project
VPN Project
Phase I
Protocols
Phase II
Authentication
Phase III
Deployment
4. VPN - Goals Of The Project
Phase I
Protocols
• Phase I
– Research and study of remote access solutions
– Secure access on internal private network
– Interoperability tests
– Study of VPN protocols (L2TP, PPTP, IPSec)
– LAN-to-LAN and HOST-to-LAN scenarios
5. VPN - Goals Of The Project
• Phase I
Protocols
– PPTP point-to-point tunneling protocol
– L2TP layer 2 tunneling protocol
– IPSEC IP security protocols
• IKE authentication
• AH integrity
• ESP confidentiality, integrity
6. VPN - Goals Of The Project
Phase II
Authentication
• Phase II
– Research and study of secure authentication mechanisms
– Study of Public Key Infrastructure (PKI)
– Interoperability tests
7. VPN - Goals Of The Project
Phase III
Deployment
• Phase III
– Deployment
• LAN-to-LAN between EIG and TCOM
• HOST-to-LAN at EIVD
8. VPN – Open Source Software
Different solutions based on Open Source
• Server OS: Slackware Linux
• Firewall: Netfilter/iptables
• Gateway VPN: OpenSwan
• PKI Authority: OpenCA
• VPN Clients:
– Win2K: SSH Sentinel*
– Linux: OpenSwan
*Free License for universities
9. VPN – Scenario 1
EIG – Proprietary Solutions EIVD – Open Source Solutions
[Diagram: LAN-to-LAN scenario. The EIG VPN GW (network 10.5.0.0/16) and the EIVD VPN GW (network 10.4.1.0/24) are connected by a VPN tunnel over the internet.]
10. VPN – Scenario 2
EIVD – Open Source Solutions
[Diagram: HOST-to-LAN scenario. A remote VPN client (10.4.2.20) is connected by a VPN tunnel over the internet to the EIVD VPN GW in front of network 10.4.1.0/24.]
11. VPN – Scenario 3
EIG – Proprietary Solutions EIVD – Open Source Solutions
[Diagram: combined scenario. A LAN-to-LAN VPN tunnel over the internet between the EIG VPN GW (10.5.0.0/16) and the EIVD VPN GW (10.4.1.0/24), plus a HOST-to-LAN VPN tunnel from the remote VPN client (10.4.2.20) to the EIVD VPN GW.]
12. VPN – Remote Client Authentication
[Diagram: the remote client has a dynamic public IP (193.x.x.x) and a virtual IP (10.4.2.20); an IPSec tunnel over the internet connects it to the VPN GW in front of network 10.4.1.0/24.]
• The remote client authenticates itself to the VPN GW
• The authentication is based on X.509 certificates
• The client acquires a private IP address with DHCP-over-IPSec
• The remote client is then part of the internal private network
13. VPN – DHCP-over-IPSec
• Internet Draft: draft-ietf-ipsec-dhcp-13.txt
[Diagram: DHCP-over-IPSec exchange between the remote client (10.4.2.20) and the DHCP server (10.4.1.0/16) via a DHCP relay on the VPN GW, in three steps:
1) ISAKMP SA: Main Mode authentication
2) DHCP SA: lifetime = 20 sec., carrying the DHCP DISCOVER to the DHCP relay / DHCP server
3) ESP SA: 10.4.2.20 to 10.4.0.0/15]
14. VPN – NAT-Traversal
• Internet Drafts: draft-ietf-ipsec-udp-encaps-03.txt, draft-ietf-ipsec-nat-t-03.txt
[Diagram: an intelligent NAT box between clients and the VPN GW. Left: ESP and IKE with one client. Right: ESP and IKE with n clients, ESP encapsulated in UDP (port 4500).]
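The NAT-Traversal slide names UDP port 4500, on which IKE and UDP-encapsulated ESP share one port. As an added example (not part of the original slides or of the OpenSwan project), the classifier below shows how a firewall or NIDS on the EIVD side can tell the three datagram types apart using the rules of draft-ietf-ipsec-udp-encaps (later RFC 3948): a single 0xFF byte is a NAT keepalive, four zero bytes (the Non-ESP Marker) precede an ISAKMP header, and anything else is ESP whose first eight bytes are the SPI and sequence number. The sample datagrams are constructed, not captured.

```python
import struct

# Markers from draft-ietf-ipsec-udp-encaps (later RFC 3948), the draft the slide cites.
NAT_KEEPALIVE = b"\xff"                 # one 0xFF octet keeps the NAT mapping alive
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # four zero bytes prefix IKE sent on port 4500
ISAKMP_HEADER_LEN = 28                  # cookies (16) + 4 single bytes + msg id + length


def classify_udp4500(payload: bytes) -> dict:
    """Say what a UDP/4500 datagram carries: nat-keepalive, ike, esp or malformed.

    SPI 0 is reserved in ESP, so a datagram starting with four zero bytes can
    only be IKE behind the Non-ESP Marker; anything else is UDP-encapsulated ESP
    whose first eight bytes are the SPI and the sequence number.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than ESP SPI + sequence"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < ISAKMP_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated ISAKMP header"}
        (_init_cookie, _resp_cookie, _next_payload, version, exchange_type,
         _flags, _msg_id, length) = struct.unpack("!8s8sBBBBII", ike[:ISAKMP_HEADER_LEN])
        if length != len(ike):
            return {"kind": "malformed", "reason": "ISAKMP length disagrees with datagram"}
        return {"kind": "ike", "major_version": version >> 4,
                "exchange_type": exchange_type, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample datagrams (not captured traffic).
# IKEv1 Main Mode (exchange type 2): header only, so the length field is 28.
SAMPLE_IKE = (NON_ESP_MARKER + b"\x11" * 8 + b"\x00" * 8
              + bytes([1, 0x10, 2, 0]) + struct.pack("!II", 0, 28))
# ESP with SPI 0x12345678, sequence 1, followed by 16 bytes standing in for ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, pkt in [("keepalive", SAMPLE_KEEPALIVE), ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)]:
        print(name, classify_udp4500(pkt))
```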
15. VPN – Encountered Problems
• PKI
– Token Integration
• Internet Service Provider (ISP)
– Firewalls
– Routing
• NAT routers
– Intelligent Box
– Stupid Box
• NAT-Traversal
• ESP UDP Encapsulation
16. VPN – Gateway VPN Capabilities
IKE:
Encryption algorithm: aes-256bit
Integrity function: SHA-2
DH Group: MODP 1536 (group 5)
PKI authentication OK
IPSEC – ESP (AH):
Encryption algorithm: aes-256bit
Integrity function: HMAC-SHA-2
DH Group: MODP 1536 (group 5)
Other:
DHCP over IPSEC OK
NAT-Traversal OK
17. VPN – Final Architecture
[Diagram: final architecture. EIG VPN area: GW Clavister, FireWall IPtables, NIDS Snort, PKI OpenCA, DC W2K. Internet in between. EIVD VPN area: GW VPN OpenSwan, PKI USB Key, Protected Area, and the remote client connecting from outside.]