IPSEC
VPNs and network security
The first school 100% dedicated to open source
Open Source School was founded on the initiative of Smile, the leader in open source integration and managed services, and of EPSI, a private institution that pioneered higher education in computer science.
As part of the Programme d'Investissements d'Avenir (PIA), the French government decided to support the creation of this school by granting it an initial aid of 1.4M€, confirming its commitment to the Free Software sector, which is currently growing rapidly.
With annual growth of more than 10% and 4,000 vacant positions every year in the Free Software sector, OSS intends to answer the sector's skills shortage by mobilising the whole ecosystem and offering the broadest range of training in open source technologies, both as initial education and as continuing education.
Training courses for full employment!
Continuing Education
Open Source School "Executive Education" is a training organisation offering a catalogue of more than 200 professional courses and various retraining schemes that enable a return to employment (POE) or better employability for many IT professionals.
For your requests: formations@opensourceschool.fr
Initial Education
100% free software and 100% work-study, the Open Source School curriculum builds on EPSI's framework of competency blocks.
It leads to an RNCP level I qualification, Bac+5.
The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes, Paris.
Our training domains
Introduction IPSEC Protocols VPNs over IPSEC Applications T13G
Plan
1 Introduction
2 IPSEC Protocols
3 VPNs over IPSEC
4 Applications
5 Troubleshooting
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/29
What is a VPN ?
What is encapsulation
Introduction to IPSEC
IPSEC is a set of protocols that harden the security of network communication.
Part of the IPv6 specification, but ported to IPv4
Often used for VPNs, but it has other uses too
Unlike most products (e.g. OpenVPN) it is an IETF standard, which allows interoperability
This presentation covers the IPSEC implementations found in operating systems; there are also software implementations, hardware implementations in dedicated equipment, etc.
IPSEC Protocols
IPSEC is built around several protocols
ESP
AH
IKE
NAT-T
Encapsulation protocols
ESP provides:
Authentication
Integrity (of the payload)
Confidentiality
AH provides:
Authentication
Integrity (of the whole packet)
ESP does not protect the IP header, which makes it suitable for NAT
Negotiation protocols
IKE
IKE is the main protocol; it lets hosts negotiate their security parameters with each other
NAT-T
NAT-T is a helper protocol that encapsulates the IPSEC traffic in UDP, allowing it to cross firewalls and NAT devices.
Establishment of an IPSEC session
Hosts contact each other using IKE (UDP 500)
IKE Phase 1 : hosts authenticate to each other
IKE Phase 2 : hosts negotiate the IPSEC parameters
IPSEC-protected traffic starts flowing
Two possible modes
Transport mode : only the payload is encapsulated
Tunnel mode : the IP header is encapsulated too
In tunnel mode, you can rewrite IP headers, allowing VPNs
SPD and SAD
Security Policy Database
The SPD is IPSEC's routing table: it decides which traffic is protected.
Security Association Database
The SAD is IPSEC's network status ("netstat"): it contains the current sessions.
Phase 1 parameters
Mode : main / aggressive
Identity : IP, DN, mail...
Authentication method : PSK, X509, RSA...
Encryption algorithm : 3DES, AES, blowfish...
Authentication algorithm : MD5, SHA1, ...
Diffie-Hellman key length
Lifetime
Phase 2 parameters
Encryption algorithm
Authentication algorithm
Perfect Forward Secrecy
Lifetime
Domain : single host, subnet...
How sessions are established
Hosts contact each other spontaneously or on demand
The required sessions are established
When they expire, they are automatically renewed
Introduction
All the implementations we will study share certain characteristics:
SAD, SPD, routing and encapsulation are managed by the kernel
IKE negotiation, retries and renewal are managed by userland daemons
The two talk to each other over the standard PF_KEY interface, allowing different implementations to coexist
On Linux, two kernel implementations exist: the native PF_KEY implementation and KLIPS, a historical implementation.
Warning
Firewalls can process IPSEC traffic, so you will have to configure yours.
Openswan/Strongswan : configuration
Configuration is done in ipsec.conf
conn net-net
    left=192.168.0.1
    leftsubnet=10.1.0.0/16
    leftid=192.168.0.1
    leftfirewall=yes
    right=192.168.0.2
    rightsubnet=10.2.0.0/16
    rightid=192.168.0.2
    auto=add
Write the PSK in ipsec.secrets.
Examples :
http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
Openswan/Strongswan : commands
Restart :
/etc/init.d/ipsec restart
Status :
ipsec auto --status
KAME : Architecture
as usual, SPD/SAD are in-kernel
setkey(8) is used to manipulate SPD/SAD
racoon(8) is the IKE daemon
KAME : Configuration
setkey script
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
    esp/tunnel/192.168.1.100-192.168.2.100/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/192.168.2.100-192.168.1.100/require;
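As an added illustration (not part of the course material), the following Python parses the two spdadd statements above, performs the per-packet SPD lookup the kernel does (which policy applies, between which tunnel endpoints, require or bypass), and checks that every outbound policy has its inbound mirror; the setkey script is embedded as constructed input and the helper names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the setkey script from the slide above, reproduced verbatim.
SETKEY_SCRIPT = """\
#!/usr/sbin/setkey -f
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
    esp/tunnel/192.168.1.100-192.168.2.100/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/192.168.2.100-192.168.1.100/require;
"""

@dataclass
class Policy:
    src: ipaddress.IPv4Network   # traffic selector: source network
    dst: ipaddress.IPv4Network   # traffic selector: destination network
    upper: str                   # upper-layer protocol selector ("any", "tcp", ...)
    direction: str               # "in" or "out"
    proto: str                   # "esp" or "ah"
    mode: str                    # "tunnel" or "transport"
    tunnel_src: str              # outer IP source (gateway that emits the ESP packet)
    tunnel_dst: str              # outer IP destination
    level: str                   # "require", "use" or "default"

# One spdadd statement, after continuation lines have been joined on whitespace.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/(tunnel|transport)/([\d.]+)-([\d.]+)/(\w+)\s*;"
)

def parse_spd(script: str) -> List[Policy]:
    """Extract the policies a 'setkey -f' run would load into the SPD."""
    # drop comment lines, then flatten so multi-line statements match in one go
    flat = " ".join(l.strip() for l in script.splitlines()
                    if not l.lstrip().startswith("#"))
    policies = []
    for m in SPDADD_RE.finditer(flat):
        src, dst, upper, direction, proto, mode, tsrc, tdst, level = m.groups()
        policies.append(Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                               upper, direction, proto, mode, tsrc, tdst, level))
    return policies

def lookup(policies: List[Policy], src_ip: str, dst_ip: str,
           direction: str) -> Optional[Policy]:
    """SPD lookup for one packet: the most specific matching policy, or None
    when no policy applies (the packet then bypasses IPSEC entirely)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p.direction == direction and src in p.src and dst in p.dst]
    if not matches:
        return None
    return max(matches, key=lambda p: p.src.prefixlen + p.dst.prefixlen)

def missing_reverse(policies: List[Policy]) -> List[Policy]:
    """Policies whose mirror image (swapped selectors and tunnel endpoints,
    opposite direction) is absent. An asymmetric SPD is a classic
    misconfiguration: one direction is protected, the other is sent in the
    clear or dropped."""
    keys = {(p.direction, p.src, p.dst, p.tunnel_src, p.tunnel_dst) for p in policies}
    lonely = []
    for p in policies:
        mirror = ("in" if p.direction == "out" else "out",
                  p.dst, p.src, p.tunnel_dst, p.tunnel_src)
        if mirror not in keys:
            lonely.append(p)
    return lonely

if __name__ == "__main__":
    spd = parse_spd(SETKEY_SCRIPT)
    hit = lookup(spd, "172.16.1.10", "172.16.2.20", "out")
    print(hit.proto, hit.mode, hit.tunnel_src, "->", hit.tunnel_dst, hit.level)
    print("bypassed:", lookup(spd, "172.16.1.10", "8.8.8.8", "out") is None)
    print("asymmetric policies:", missing_reverse(spd))
```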
KAME : Configuration (2)
racoon.conf
path pre_shared_key "/etc/psk.txt";
remote 192.168.2.100 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
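To turn the Phase 1 and Phase 2 parameter lists into a check, here is an added example (my code, not the course's or racoon's) that parses racoon.conf-style blocks and flags proposals that still use 3DES, MD5, SHA-1 or Diffie-Hellman groups shorter than 2048 bits; the weak configuration is the one from the slide, and the hardened variant beside it is a constructed replacement written with option names racoon accepts.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed input: the racoon.conf from the slide above, verbatim.
RACOON_CONF = """\
path pre_shared_key "/etc/psk.txt";
remote 192.168.2.100 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
"""

# Constructed "after" version: same peers and selectors, AES-256 / SHA-256 /
# 2048-bit DH in both phases. Not from the slide.
HARDENED_CONF = """\
path pre_shared_key "/etc/psk.txt";
remote 192.168.2.100 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp2048;
    }
}
sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
    pfs_group modp2048;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
"""

# Option values that should not appear in a new deployment (first token only,
# so "aes 256" is judged on "aes"). Aggressive mode sends the identity and the
# PSK-derived hash before encryption starts, hence it is on the list too.
WEAK: Dict[str, Set[str]] = {
    "exchange_mode":            {"aggressive"},
    "encryption_algorithm":     {"des", "3des", "blowfish", "cast128", "null_enc"},
    "hash_algorithm":           {"md5", "sha1"},
    "authentication_algorithm": {"hmac_md5", "hmac_sha1", "non_auth"},
    "dh_group":                 {"1", "2", "5", "modp768", "modp1024", "modp1536"},
    "pfs_group":                {"1", "2", "5", "modp768", "modp1024", "modp1536"},
}

Block = Tuple[str, Dict[str, str]]

def parse_racoon(conf: str) -> List[Block]:
    """Split racoon.conf into (block path, settings) pairs. The grammar we
    need is 'key value...;' statements inside nested '{ }' blocks."""
    stack: List[Block] = [("(global)", {})]
    blocks: List[Block] = []
    for m in re.finditer(r"([^;{}]*)([;{}])", conf):
        body, delim = m.group(1).strip(), m.group(2)
        if delim == "{":                       # open a nested block
            stack.append((body, {}))
        elif delim == ";":                     # statement in the innermost block
            if body:
                parts = body.split(None, 1)
                stack[-1][1][parts[0]] = parts[1] if len(parts) > 1 else ""
        else:                                  # "}" closes the innermost block
            name, settings = stack.pop()
            path = " > ".join(n for n, _ in stack[1:])
            blocks.append((f"{path} > {name}" if path else name, settings))
    blocks.append(stack[0])
    return blocks

def audit(conf: str) -> List[Tuple[str, str, str]]:
    """Return (block, option, value) for every setting on the weak list."""
    findings = []
    for path, settings in parse_racoon(conf):
        for key, value in settings.items():
            tokens = value.lower().split()
            if key in WEAK and tokens and tokens[0] in WEAK[key]:
                findings.append((path, key, value))
    return findings

if __name__ == "__main__":
    for finding in audit(RACOON_CONF):
        print("weak:", *finding)
    print("hardened findings:", audit(HARDENED_CONF))
```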
KAME : Administration
SPD/SAD status
setkey -D
setkey -DP
/etc/init.d/setkey restart
/etc/init.d/racoon restart
racoon.log
OpenBSD : configuration
/etc/ipsec.conf
ike esp from 10.1.0.0/16 to 10.10.22.0/24 \
    local 212.85.148.172 peer 195.154.89.70 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 psk "toto"
OpenBSD : administration
isakmpd -K
ipsecctl -f /etc/ipsec.conf
ipsecctl -vsa
Troubleshooting
Use tcpdump :
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
    cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
    cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
    cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
    cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
...
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
...
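An added example (not from the course) that reads the tcpdump output above and automates the two things to look for when a tunnel misbehaves: IKE main-mode messages repeated with a zero responder cookie and no reply from the peer, and which ESP SAs carry traffic in which direction; the sample capture is the slide's output, embedded as constructed input, and the function names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed input: the slide's tcpdump output (OpenBSD tcpdump formatting).
IKE_PAIR = """\
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
    cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
"""
ESP_LINES = """\
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
"""
TCPDUMP_OUTPUT = IKE_PAIR * 4 + ESP_LINES   # the slide shows the IKE pair four times

IKE_RE = re.compile(r"^(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
                    r"isakmp v(\S+) exchange (\S+)")
COOKIE_RE = re.compile(r"^\s*cookie: ([0-9a-f]{16})->([0-9a-f]{16}) "
                       r"msgid: ([0-9a-f]+) len: (\d+)")
ESP_RE = re.compile(r"^esp (\S+) > (\S+) spi 0x([0-9a-f]+) seq (\d+) len (\d+)")

@dataclass
class IkeMsg:
    src: str
    dst: str
    exchange: str
    icookie: str      # initiator cookie: identifies one IKE negotiation
    rcookie: str      # responder cookie: all zeros until the peer answers
    length: int

@dataclass
class EspPkt:
    src: str
    dst: str
    spi: int
    seq: int
    length: int

def parse_tcpdump(text: str) -> Tuple[List[IkeMsg], List[EspPkt]]:
    """Turn the two-line isakmp records and one-line esp records into objects."""
    ike, esp, hdr = [], [], None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:                        # header line; its cookie line follows
            hdr = m
            continue
        m = COOKIE_RE.match(line)
        if m and hdr:
            ike.append(IkeMsg(hdr.group(1), hdr.group(3), hdr.group(6),
                              m.group(1), m.group(2), int(m.group(4))))
            hdr = None
            continue
        m = ESP_RE.match(line)
        if m:
            esp.append(EspPkt(m.group(1), m.group(2), int(m.group(3), 16),
                              int(m.group(4)), int(m.group(5))))
    return ike, esp

def unanswered_ike(msgs: List[IkeMsg]) -> List[Tuple[str, str, str, int]]:
    """(src, dst, icookie, count) for negotiations where the initiator keeps
    resending its first message (responder cookie still zero) and nothing
    ever comes back: peer down, UDP 500 filtered, or no matching config."""
    zero = "0" * 16
    sent: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for m in msgs:
        if m.rcookie == zero:
            sent[(m.src, m.dst, m.icookie)] += 1
    replied = {(m.dst, m.src, m.icookie) for m in msgs if m.rcookie != zero}
    return [(s, d, c, n) for (s, d, c), n in sorted(sent.items())
            if n >= 2 and (s, d, c) not in replied]

def esp_summary(pkts: List[EspPkt]) -> Dict[Tuple[str, str, int], Dict[str, int]]:
    """Per-SA counters keyed by (src, dst, spi), the way the SAD identifies
    them: packets, bytes, sequence range and missing sequence numbers."""
    sas: Dict[Tuple[str, str, int], Dict[str, int]] = {}
    for p in pkts:
        s = sas.setdefault((p.src, p.dst, p.spi), {"packets": 0, "bytes": 0,
                                                   "first_seq": p.seq, "last_seq": p.seq})
        s["packets"] += 1
        s["bytes"] += p.length
        s["first_seq"], s["last_seq"] = min(s["first_seq"], p.seq), max(s["last_seq"], p.seq)
    for s in sas.values():
        s["gaps"] = (s["last_seq"] - s["first_seq"] + 1) - s["packets"]
    return sas

def one_way_peers(pkts: List[EspPkt]) -> Set[Tuple[str, str]]:
    """Peer pairs with ESP in one direction only: typically the reverse
    SPD entry or SA is missing on one side."""
    dirs = {(p.src, p.dst) for p in pkts}
    return {(a, b) for (a, b) in dirs if (b, a) not in dirs}
```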
Presentation on how to chat with PDF using ChatGPT code interpreter
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

IPSEC

  • 5. Introduction IPSEC Protocols VPNs over IPSEC Applications T13G
    Plan
      1 Introduction
      2 IPSEC Protocols
      3 VPNs over IPSEC
      4 Applications
      5 Troubleshooting
    www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/29
  • 6. What is a VPN?
  • 7. What is a VPN?
  • 8. What is encapsulation
  • 9. Introduction to IPSEC
    - IPSEC is a set of protocols that harden network communication security.
    - Part of the IPv6 specification, but ported to IPv4.
    - Often used for VPNs, but it has other purposes too.
    - Unlike most products (e.g. OpenVPN), it is an IETF standard, which allows interoperability.
    - This presentation is about the IPSEC implementations in operating systems; there are also software implementations, hardware implementations in dedicated equipment, etc.
  • 11. IPSEC Protocols
    IPSEC is built around several protocols:
    - ESP
    - AH
    - IKE
    - NAT-T
  • 12. Encapsulation protocols
    ESP provides:
    - Authentication
    - Integrity (of the payload)
    - Confidentiality
    AH provides:
    - Authentication
    - Integrity (of the whole packet)
    ESP does not protect the IP header, which makes it suitable for NAT.
  • 13. Negotiation protocols
    IKE
    - IKE is the main protocol; it allows security parameters to be negotiated between hosts.
    NAT-T
    - NAT-T is a helper protocol that encapsulates traffic in a UDP port, allowing it to cross firewalls and NAT devices.
  • 14. Establishment of an IPSEC session
    - Hosts contact each other using IKE (UDP 500)
    - IKE Phase 1: hosts authenticate to each other
    - IKE Phase 2: hosts negotiate the IPSEC parameters
    - IPSEC-protected traffic starts flowing
  • 15. Two possible modes
    - Transport mode: only the payload is encapsulated
    - Tunnel mode: the IP header is encapsulated too
    In tunnel mode the IP headers can be rewritten, which is what allows VPNs.
  • 17. SPD and SAD
    Security Policy Database
    - SPDs are IPSEC's routing tables: they decide which traffic is protected.
    Security Association Database
    - SADs are IPSEC's network status ("netstat"): they contain the current sessions.
  • 18. Phase 1 parameters
    - Mode: main / aggressive
    - Identity: IP, DN, mail...
    - Authentication method: PSK, X509, RSA...
    - Encryption algorithm: 3DES, AES, Blowfish...
    - Authentication algorithm: MD5, SHA1, ...
    - Diffie-Hellman key length
    - Lifetime
  • 19. Phase 2 parameters
    - Encryption algorithm
    - Authentication algorithm
    - Perfect Forward Secrecy
    - Lifetime
    - Domain: single host, subnet...
  • 20. How sessions are established
    - Hosts contact each other spontaneously or on demand
    - Required sessions are established
    - When they expire, they are automatically renewed
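As an added example (not code from the slides or from any IPsec stack), a small Python model of how the SPD and SAD from slide 17 decide the fate of an outbound packet, including the case where the only SA has passed its lifetime and must be renegotiated. The class and function names are hypothetical; the sample policy mirrors the setkey example later in the deck.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the SPD (which traffic to protect) and SAD (live
# sessions) from the slides; hypothetical names, not any real implementation.

@dataclass
class Policy:
    src: str           # selectors, in setkey's spdadd order
    dst: str
    direction: str     # "out" or "in"
    action: str        # "require", "bypass" or "discard"
    tunnel: tuple      # (local gateway, remote gateway) for tunnel mode

@dataclass
class SA:
    spi: int
    tunnel: tuple      # same (local, remote) pair as the policy it serves
    created: float     # seconds; lifetime is the phase 2 "Lifetime" parameter
    lifetime: float

def spd_lookup(spd, src_ip, dst_ip, direction):
    """First match wins: an SPD is an ordered list, like a firewall ruleset."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in spd:
        if (p.direction == direction and s in ipaddress.ip_network(p.src)
                and d in ipaddress.ip_network(p.dst)):
            return p
    return None

def select_sa(sad, policy, now):
    """A live SA for the policy's tunnel, or None when IKE must (re)negotiate."""
    for sa in sad:
        if sa.tunnel == policy.tunnel and now < sa.created + sa.lifetime:
            return sa
    return None

def outbound_decision(spd, sad, src_ip, dst_ip, now):
    p = spd_lookup(spd, src_ip, dst_ip, "out")
    if p is None or p.action == "bypass":
        return "clear"        # no policy: the packet leaves unprotected
    if p.action == "discard":
        return "drop"
    sa = select_sa(sad, p, now)
    # No usable SA: the kernel asks the IKE daemon for one (PF_KEY ACQUIRE)
    return f"esp spi=0x{sa.spi:08x}" if sa else "negotiate"
# Sample databases mirroring the setkey example on the slides (constructed)
SPD = [Policy("172.16.1.0/24", "172.16.2.0/24", "out", "require",
              ("192.168.1.100", "192.168.2.100"))]
SAD = [SA(0x00183f10, ("192.168.1.100", "192.168.2.100"), 1000.0, 3600.0)]
```

Note the "clear" branch: a packet that matches no policy is sent unprotected, which is why a typo in a subnet selector fails silently rather than loudly.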
  • 22. Introduction
    All the implementations we will study share certain characteristics:
    - SAD, SPD, routing and encapsulation are managed by the kernel
    - IKE negotiation, retries and renewal are managed by userland daemons
    - Both talk to each other over the standard PF_KEY interface, allowing different implementations to coexist
    On Linux, two kernel implementations exist: a native PF_KEY implementation and KLIPS, a historical implementation.
    Warning
    Firewalls can process IPSEC traffic; you will have to configure yours.
  • 23. Openswan/Strongswan: configuration
    Configuration is done in ipsec.conf:

      conn net-net
          left=192.168.0.1
          leftsubnet=10.1.0.0/16
          leftid=192.168.0.1
          leftfirewall=yes
          right=192.168.0.2
          rightsubnet=10.2.0.0/16
          rightid=192.168.0.2
          auto=add

    Write the PSK in ipsec.secrets.
    Examples: http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
  • 24. Openswan/Strongswan: commands
    Restart:
      /etc/init.d/ipsec restart
    Status:
      ipsec auto --status
  • 25. KAME: Architecture
    - As usual, SPD/SAD are in-kernel
    - setkey(8) is used to manipulate the SPD/SAD
    - racoon(8) is the IKE daemon
  • 26. KAME: Configuration
    setkey script:

      #!/usr/sbin/setkey -f
      #
      # Flush SAD and SPD
      flush;
      spdflush;
      # Create policies for racoon
      spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
          esp/tunnel/192.168.1.100-192.168.2.100/require;
      spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
          esp/tunnel/192.168.2.100-192.168.1.100/require;
  • 27. KAME: Configuration (2)
    racoon.conf:

      path pre_shared_key "/etc/psk.txt";
      remote 192.168.2.100 {
          exchange_mode main;
          proposal {
              encryption_algorithm 3des;
              hash_algorithm md5;
              authentication_method pre_shared_key;
              dh_group modp1024;
          }
      }
      sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
          pfs_group modp768;
          encryption_algorithm 3des;
          authentication_algorithm hmac_md5;
          compression_algorithm deflate;
      }
  • 28. KAME: Administration
    SPD/SAD status:
      setkey -D
      setkey -DP
    Restart:
      /etc/init.d/setkey restart
      /etc/init.d/racoon restart
    Logs: racoon.log
  • 29. OpenBSD: configuration
    /etc/ipsec.conf:

      ike esp from 10.1.0.0/16 to 10.10.22.0/24 \
          local 212.85.148.172 peer 195.154.89.70 \
          main auth hmac-sha1 enc aes group modp1024 \
          quick auth hmac-sha1 enc aes group modp1024 \
          psk "toto"
  • 30. OpenBSD: administration
      isakmpd -K
      ipsecctl -f /etc/ipsec.conf
      ipsecctl -vsa
  • 32. Troubleshooting
    Use tcpdump:

      91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
      91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
      91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
      91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
      ...
      esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
      esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
      esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
      esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
      esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
      esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
      ...
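As an added example that is not part of the slides, a Python pass over tcpdump output in the format shown above, pulling out the three things a first troubleshooting look checks: a phase 1 message retransmitted with the responder cookie still all zeros (the peer never answered), ESP sequence gaps per SPI, and gateway pairs where ESP flows in one direction only. The sample capture is constructed from the slide's lines; the function and key names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the slide's tcpdump output (OpenBSD tcpdump
# style): the same phase 1 packet four times, then ESP in both directions.
SAMPLE = """\
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
"""

IKE = re.compile(r"^(?P<src>[\d.]+)\.500 > (?P<dst>[\d.]+)\.500: isakmp .*exchange "
                 r"(?P<xchg>\S+) cookie: (?P<ic>[0-9a-f]{16})->(?P<rc>[0-9a-f]{16})")
ESP = re.compile(r"^esp (?P<src>[\d.]+) > (?P<dst>[\d.]+) spi (?P<spi>0x[0-9a-f]+) "
                 r"seq (?P<seq>\d+)")

def analyze(text):
    """Summarise an IPsec capture into the symptoms a first troubleshooting pass looks for."""
    ike = defaultdict(lambda: {"sent": 0, "answered": False})
    esp = {}
    for line in text.splitlines():
        m = IKE.match(line)
        if m:
            if m["rc"] == "0" * 16:          # responder cookie still zero: initiator's first message
                ike[(m["src"], m["dst"], m["ic"])]["sent"] += 1
            else:                             # any later packet of that exchange: the peer replied
                ike[(m["dst"], m["src"], m["ic"])]["answered"] = True
            continue
        m = ESP.match(line)
        if m:
            f = esp.setdefault((m["src"], m["dst"], m["spi"]),
                               {"pkts": 0, "last_seq": None, "seq_gaps": 0})
            seq = int(m["seq"])
            if f["last_seq"] is not None and seq != f["last_seq"] + 1:
                f["seq_gaps"] += 1            # loss or reordering on the path
            f["pkts"], f["last_seq"] = f["pkts"] + 1, seq
    pairs = {(s, d) for (s, d, _) in esp}
    return {
        # Phase 1 retransmitted with no answer: UDP 500 filtered or wrong peer address
        "stalled_phase1": sorted(k[:2] for k, v in ike.items()
                                 if v["sent"] > 1 and not v["answered"]),
        "esp_flows": esp,
        # ESP seen in one direction only: the return path is filtered or misrouted
        "one_way_pairs": sorted(p for p in pairs if (p[1], p[0]) not in pairs),
    }
```

Run it on a real capture with `tcpdump -n -i <if> udp port 500 or proto 50` piped into the function; a stalled phase 1 points at the firewall rule the slide 22 warning mentions before any parameter mismatch is worth investigating.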