Christian Tettamanti, ing. HES

VPN - Virtual Private Network

Start date: 01.02.2002
Duration: 1+1 years

Christian Tettamanti, ing. HES
Stefano Ventura, prof. HES

Christian Tettamanti, ing. HES
Pascal Gachet, ing. HES
Gérald Litzistorf, prof. HES

Philippe Logean, ing. HES
Nicolas Sadeg, ing. HES

VPN - Goals Of The Project

VPN Project (Open Source)

Phase I: Protocols
Phase II: Authentication
Phase III: Deployment

VPN - Goals Of The Project
Phase I: Protocols

• Phase I
  – Research and study of remote access solutions
  – Secure access to the internal private network
  – Interoperability tests
  – Study of VPN protocols (L2TP, PPTP, IPSec)
  – LAN-to-LAN and HOST-to-LAN scenarios

VPN - Goals Of The Project
Phase I: Protocols

• Phase I
  – PPTP: Point-to-Point Tunneling Protocol
  – L2TP: Layer 2 Tunneling Protocol
  – IPSEC: IP Security protocols
    • IKE → authentication
    • AH → integrity
    • ESP → confidentiality, integrity

VPN - Goals Of The Project
Phase II: Authentication

• Phase II
  – Research and study of secure authentication mechanisms
  – Study of Public Key Infrastructure (PKI)
  – Interoperability tests

VPN - Goals Of The Project
Phase III: Deployment

• Phase III
  – Deployment
    • LAN-to-LAN between EIG and TCOM
    • HOST-to-LAN at EIVD

VPN – Open Source Software

Different solutions based on Open Source

• Server OS: Slackware Linux
• Firewall: Netfilter/iptables
• Gateway VPN: OpenSwan
• PKI Authority: OpenCA
• VPN Clients: Win2K: SSH Sentinel*
               Linux: OpenSwan

*Free license for universities

VPN – Scenario 1

[Diagram, LAN-to-LAN: EIG – Proprietary Solutions (VPN GW, 10.5.0.0/16) ↔ internet ↔ VPN tunnel ↔ internet ↔ EIVD – Open Source Solutions (VPN GW, 10.4.1.0/24)]

VPN – Scenario 2

[Diagram, HOST-to-LAN: Remote Client (VPN Client, 10.4.2.20) ↔ internet ↔ VPN tunnel ↔ internet ↔ EIVD – Open Source Solutions (VPN GW, 10.4.1.0/24)]

VPN – Scenario 3

[Diagram, LAN-to-LAN plus HOST-to-LAN: EIG – Proprietary Solutions (VPN GW, 10.5.0.0/16) ↔ internet ↔ VPN tunnel ↔ internet ↔ EIVD – Open Source Solutions (VPN GW, 10.4.1.0/24); a remote VPN Client (10.4.2.20) reaches the EIVD VPN GW through a second VPN tunnel]

VPN – Remote Client Authentication

[Diagram: remote client with dynamic IP 193.x.x.x and virtual IP 10.4.2.20 ↔ internet ↔ IPSec tunnel ↔ internet ↔ VPN GW ↔ 10.4.1.0/24]

• The remote client authenticates itself to the VPN gateway
• The authentication is based on X.509 certificates
• The client acquires a private IP address with DHCP-over-IPSEC
• The remote client is then part of the internal private network

12
VPN – DHCP-over-IPSec
• Internet Draft: draft-ietf-ipsec-dhcp-13.txt

ISAKMP SA: Main Mode Auth.


Christian Tettamanti, ing. HES

DHCP
Relay
DHCP
10.4.1.0/16
10.4.1.0/16 Server

DHCP DISCOVER DHCP SA: Life Time = 20 sec.

DHCP
10.4.1.0/16
10.4.1.0/16 Server

10.4.2.20
ESP SA: 10.4.2.20 ÅÆ 10.4.0.0/15
13
VPN – NAT-Traversal

• Internet Drafts: draft-ietf-ipsec-udp-encaps-03.txt, draft-ietf-ipsec-nat-t-03.txt

[Diagram: with an intelligent NAT box, ESP and IKE pass for one client only; with ESP encapsulated in UDP (port 4500), ESP and IKE pass through the NAT for n clients]

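As an added example (not code from the project or the slides), a small Python classifier for datagrams seen on UDP port 4500, following the UDP-encapsulation draft cited above (later RFC 3948): IKE messages carry a four-byte zero "Non-ESP marker", ESP packets start directly with their SPI (never zero), and a one-byte 0xFF keepalive refreshes the NAT mapping. The sample datagrams are constructed, not captured traffic; the parser is the kind of demultiplexing a gateway or an IDS dissector must do on this port.

```python
import struct

# Port shared by IKE and UDP-encapsulated ESP once NAT-Traversal is negotiated.
NAT_T_PORT = 4500
# Four zero bytes prepended to IKE messages on port 4500. An ESP header starts
# with its SPI, which is never zero, so the receiver can tell the two apart.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, total length (network byte order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ESP_HDR = struct.Struct("!II")  # SPI, sequence number; the rest is ciphertext


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify one UDP/4500 payload as keepalive, IKE, ESP or malformed."""
    if payload == b"\xff":
        # One-byte NAT keepalive, sent only to keep the NAT mapping alive.
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR.size:
            return {"kind": "malformed", "reason": "truncated ISAKMP header"}
        init_spi, resp_spi, _next, version, exch, _flags, msg_id, length = ISAKMP_HDR.unpack_from(ike)
        return {
            "kind": "ike",
            "version": f"{version >> 4}.{version & 0x0F}",
            "exchange_type": exch,  # 2 = Main Mode (identity protection), 32 = Quick Mode
            "initiator_spi": init_spi.hex(),
            "responder_spi": resp_spi.hex(),
            "message_id": msg_id,
            "length_ok": length == len(ike),  # header length must match what arrived
        }
    if len(payload) >= ESP_HDR.size:
        spi, seq = ESP_HDR.unpack_from(payload)
        return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_len": len(payload) - ESP_HDR.size}
    return {"kind": "malformed", "reason": "too short for an ESP header"}


# Constructed sample datagrams: an IKEv1 Main Mode first message (responder SPI
# still zero), an ESP packet on a made-up SA, and a keepalive.
SAMPLE_IKE_MAIN_MODE = NON_ESP_MARKER + ISAKMP_HDR.pack(
    bytes.fromhex("0123456789abcdef"), bytes(8), 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)
SAMPLE_ESP = ESP_HDR.pack(0x1234ABCD, 7) + b"\xaa" * 16
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for name, pkt in [("ike", SAMPLE_IKE_MAIN_MODE), ("esp", SAMPLE_ESP), ("keepalive", SAMPLE_KEEPALIVE)]:
        print(name, classify_nat_t_payload(pkt))
```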
VPN – Encountered Problems

• PKI
  – Token integration
• Internet Service Provider (ISP)
  – Firewalls
  – Routing
• NAT routers
  – Intelligent box
  – Stupid box
    • NAT-Traversal
    • ESP → UDP encapsulation

VPN – Gateway VPN Capabilities

IKE:
  Encryption algorithm: AES 256-bit
  Integrity function: SHA-2
  DH group: MODP 1536 (group 5)
  PKI authentication: OK

IPSEC – ESP (AH):
  Encryption algorithm: AES 256-bit
  Integrity function: HMAC-SHA-2
  DH group: MODP 1536 (group 5)

Other:
  DHCP over IPSEC: OK
  NAT-Traversal: OK

VPN – Final Architecture

[Diagram: EIG VPN area (GW Clavister, firewall iptables, DC W2K, NIDS Snort, PKI OpenCA) ↔ Internet ↔ EIVD VPN area (GW VPN OpenSwan, PKI USB key, protected area, remote client)]

VPN – SSH Sentinel Configuration
[screenshot]

VPN – PKI Certificate Configuration
[screenshot]

VPN – SA Life & NAT Configuration
[screenshot]

VPN – IKE & ESP Configuration
[screenshot]

VPN – Connection example
[screenshot]

VPN – Network Interfaces
[screenshots: before VPN connection / after VPN connection]